Every company today is collecting and analyzing consumer data. It’s estimated that American companies alone spent over $19 billion in 2018 on consumer data, according to the Interactive Advertising Bureau. While this data is crucial for businesses, whether it’s verifying their identity or analyzing consumer behavior for personalized recommendations, its collection makes consumers vulnerable to identity theft and fraud — there’s a new victim of identity theft every 2 seconds.
In the past few years, data breaches like Equifax and Yahoo! have prompted consumers to increasingly scrutinize what companies do with their data, which in turn has put a spotlight on data privacy regulation.
We’ve already seen government entities at the international and state levels take action with GDPR and CCPA, but the U.S. lacks one clear federal standard. Our current laws on how data must be managed and stored are a patchwork of adjacent regulations like GLBA and HIPAA — they add some guidance on how data must be stored, but in order to protect consumers, we need baseline regulation on enforcing security measures and safeguards.
The Biden Administration has an opportunity to create these standards, which will provide clarity for businesses as well as protect consumers. GDPR set a fantastic foundation for us to learn from, and while GDPR is not perfect, businesses can expect that the U.S. framework will follow in its footsteps and start preparing now for new policies on the horizon that highlight encryption as the preferred mechanism.
Regulation expectations
Following in the footsteps of the GDPR framework, the Biden Administration is likely to enact regulation that will determine how businesses should store and manage data, enabling more rights for consumers around Data Subject Access Requests (DSARs), opt-outs, and redaction, ultimately putting consumers back in control of their data. Implementing policies aligned with the principle of least privilege to ensure data access is confined only to those who need it should be a priority for new regulation as well. This will decrease the potential for identity theft and fraud.
While solid federal baseline regulation is important, we’ll also continue to see states implement their own regulation. Illinois established the Data Transparency and Privacy Act, and California recently passed CPRA to significantly expand consumer rights around data protection. State regulation enables the entire ecosystem to evolve at a faster pace, as enacting federal regulation is a slow process. It allows for experimentation and sets a precedent that can be mimicked if it succeeds. However, the benefits of state-by-state regulation also bring new challenges in keeping up with multiple and differing laws that companies must navigate.
How to prepare
While both federal and state by state regulation will be an important step forward for consumer privacy, it will make compliance even more costly and nuanced. As companies struggle to adapt, we will see an increased number of privacy violations, and fines will only get more expensive. Companies must prepare before laws are put in place to avoid compliance issues — the right identity infrastructure is integral to success.
First and foremost, businesses must centralize their data. Storing data in many different places makes it difficult to track down and therefore hard to comply with regulations. And while data stored in one place can seem scary — what if there is a breach and hackers can access everything? — with the right security infrastructure, centralization will be key in helping comply with the regulation.
Automating the decision-making process for data management will be an important aspect of that infrastructure as well. Without humans reviewing sensitive data and fulfilling consumers’ data requests, it diminishes the risk of fraud. Both centralization and automation will enable businesses to quickly and securely manage and store data as well as execute redactions, DSARs, and opt-outs without mobilizing an entire engineering team.
Oftentimes, companies won’t have the resources or the technical expertise to create this infrastructure. At Persona, we provide that identity infrastructure, which we’ve built with privacy at its core. We enable our customers to comply with regulations from the beginning by designing our platform to limit access to sensitive data. We have a fully automated, centralized solution that acts as a “PII custodian” of sorts to protect customers from liability while having data easily accessible when necessary. Without humans reviewing end-users’ sensitive verification information, Persona ensures data access is shared with only those who need it, like access-granted employees of a given organization. We also allow customers to set custom retention and redaction policies so they can automatically redact customer data and stay compliant with the laws in place.
It’s only a matter of time before new data privacy regulation is passed. It’s an exciting step forward for consumers and businesses alike but it’s pertinent that we prepare before it’s too late.