In April, Didomi was in Washington DC to participate in the IAPP Global Privacy Summit 2022, one of the world's premier privacy and data protection conferences covering international topics around privacy, compliance, policy and strategy.
In the context of our North American expansion, we took this opportunity to present our unique product and solution offering, from our Consent Management Platform (CMP) to the Preference Management Platform (PMP), as well as the new Data Privacy Barometer and our Vendor Performance Management Platform from the recently acquired company Agnostik.
Now that the dust has settled, we want to share our biggest learnings and takeaways from the conference, and where we believe data privacy is headed in the United States in the near future.
The two biggest data privacy trends in the United States right now
In light of the IAPP panels, conferences and conversations, we’ve identified two critical trends in our industry: A change of paradigm in how the US approaches privacy, and Data Subject Access Requests (DSAR). Let’s look at each in detail.
Going beyond the “notice and consent” paradigm
This first trend we’ve observed relates to the speech from the Federal Trade Commission (FTC) Chair Lina M. Khan at the conference. In her remarks, she provided observations about the state of data collection in the United States, and how the FTC is adjusting to new market realities.
Most importantly, Ms Khan also offered broader areas of reflection on the current frameworks in place, referencing a 2020 Harvard Business Review article about a privacy paradox in the current user privacy experience:
“We need to reassess the frameworks we presently use to assess unlawful conduct. Specifically, I am concerned that present market realities may render the ‘notice and consent’ paradigm outdated and insufficient. Many have noted the ways that this framework seems to fall short, given both the overwhelming nature of privacy policies—and the fact that they may very well be beside the point.”
At Didomi, this is something we’ve been working towards extensively, offering users a way to tie their preferences to an actual experience with our Preference Management Platform (PMP), beyond a less nuanced opt-in / opt-out dichotomy.
This statement from the FTC Chair is perfectly in line with our efforts and focus in providing privacy-first, user-oriented experiences. We believe that giving users control over their data and transparency on what it is used for is key to a more balanced internet.
New privacy protocols are emerging
The other major trend that we’ve observed is the fact that a lot of industry actors are working on new privacy protocols, from the Global Privacy Control discussion to initiatives around a global privacy framework by the Interactive Advertising Bureau (IAB).
When it comes to Data Subject Access Requests (DSAR) for example, we’re seeing efforts from independent initiatives and projects led by industry organizations to build automation tools and protocols together, in order to improve the entire DSAR process for everyone.
For context, a DSAR is a request from a data subject asking a business to provide access to, or permanently delete, the personal information that has been collected about them. At the moment, dealing with these requests is a painful and manual process for most businesses. These efforts would make the entire DSAR process easier, by helping all industry actors and vendors communicate the same way.
This collaborative trend is very similar to what happened in Europe with the Transparency and Consent Framework (TCF) initially. While businesses naturally first work within the limits of their own operations, the interconnected nature of the digital industry requires collaboration between players, hence the need for protocols.
As personal data gets shared across many organizations, it is close to impossible for a company to properly handle a DSAR by simply deleting the data it has on a given data subject from its data centers. To be fully fulfilled, such a DSAR must be shared with the third parties that have had access to the same information. Only a clear protocol can help ensure everybody speaks the same language and understands what the DSAR actually means for their own processing activities.
Expect to hear more about new privacy protocols including DSARs in the near future.
Key takeaways from the IAPP 2022
To sum up our learnings from the conference, we’ve gathered four main takeaways that we believe will drive the data privacy industry in the US in 2022 and beyond.
#1: No federal privacy bill in sight
Despite talks of a federal data privacy law in the US, including calls by major corporations such as Google, the US currently only has local regulations, the CCPA being one of the prime examples along with privacy bills active in many states.
While a lot of actors expect a federal law similar to the General Data Protection Regulation (GDPR) in Europe to make privacy requirements consistent across the US, and despite an increasing number of influential figures stating their support for the idea, it doesn’t look like it’s coming anytime soon. We should assume that we will have to rely on state laws until 2024 at the earliest.
Learn more about consumer data privacy laws in the US in our comprehensive article on the topic.
#2: DSARs over opt-in
It seems that the data privacy industry in the US will be mainly focused on the topic of privacy rights in general, including Data Subject Access Requests (DSAR).
While the European Union (EU) has been focusing on transparency through the concepts of opt-in and opt-out, the data privacy conversation in the United States revolves much more around users’ rights, making sure that users are aware of those rights and actually able to exercise them.
DSARs will be critical to ensure that users’ requests are handled appropriately, whether we’re talking about accessing, updating or deleting their data.
Expect DSARs to be a major theme in the US.
#3: Privacy Shield replacement is on the way
During the event, some of the negotiators of the new agreement between the US and the EU shared their thoughts regarding when we should expect a new framework to replace the Privacy Shield.
While this means that there will still be uncertainties and that we’re still not sure how we should transfer data between the EU and the US in the meantime, we should expect a new framework by the end of the year.
#4: Balance between compliance and user experience is key
Going back to the speech from the FTC Chair, we’re seeing increasing signs that brands are struggling with finding the right balance between complying with consent obligations and providing customers with the least intrusive user experience.
At Didomi, this is something we’ve been working on extensively with our Preference Management Platform (PMP), providing a way for businesses to give granular privacy choices to their clients without compromising their user experience.
Based on these learnings from the IAPP, how can you prepare for the upcoming months/years and the challenges ahead?
It’s clear that the United States and North America in general are taking data privacy issues very seriously, with several state bills in the pipeline and discussions at the highest level about data transfers.
Didomi is a partner to global companies in embracing these changes and providing both businesses and customers with the best privacy experience available. Embracing customer preference management will be key in adjusting to these trends.
Didomi specializes in helping global brands strike the right balance between complying with these complex regulations and providing the best user experience for their customers. To learn more about how we can help with your compliance and preference management efforts, book a call with one of our experts today.