In 1890, Samuel D. Warren and Louis Brandeis published an article in the Harvard Law Review called “The Right to Privacy.” They defined privacy as the “right to be left alone.” Since then, the US legal tradition has focused on the right to solitude—which is essentially the right to be left alone. For more than two centuries, that right protected people’s material rights like protection against warrantless search and seizure.
Yet, with the rise of the internet, a new set of privacy concerns emerged as people conversed, shared information, and shopped online. Personal data became widely available as individuals increasingly inhabited the digital world. Suddenly, people and governments worldwide were facing unprecedented questions, like, “How do you protect people’s digital privacy,” and, “Do we even have the right to be left alone online in the first place?”
Below, I offer an overview of key moments in the history of digital privacy regulations to show how Europe and the United States have answered these questions since the 1990s. I also explain how this history sheds light on the future of digital privacy. How far does the right to be left alone extend, and how will organizations need to rise to the challenge to make sure that right is being fulfilled?
The History of Privacy Regulations
Worldwide, Europe is a leader when it comes to implementing privacy regulations. In large part, this may be due to the fact that their legal tradition doesn’t revolve around the right to solitude but instead focuses on informational self-determination, which grants the individual the authority to decide for themselves what personal information is divulged. In other words, consumers have more individual control over their information.
In 1995, the European Data Protection Directive (EDPD) was created to regulate the processing of personal data within the European Union. With so much data being processed by organizations, this directive sought to outline how data should be processed and used. Each individual country still had the power to develop their own specifications, provided that, at a bare minimum, they codified the EDPD’s provisions into law. These individual regulations proved challenging to many international companies and multi-brand organizations in Europe because each country had different specifics.
The European Union adopted the Directive on Privacy and Electronic Communication (ePrivacy Directive) in 2002. Designed as a complement to the EDPD, this directive specifically covered the electronic communications sector and established requirements for accessing information from users, granting users additional rights in the process. This directive established a duty to warn users when there is a risk of a virus or malware attack, and Article 5 recognized the usefulness of cookies that are strictly necessary to deliver a service requested by the user.
Seven years later, the United States proposed its first major privacy regulation—the Personal Data Privacy and Security Act of 2009—but the bill did not pass. Unlike the EU, which began with EU-wide privacy legislation, the United States’ data protection laws have been broken up by state, and this bill was the closest the country has come to unifying federal legislation that protects personal data. The Personal Data Privacy and Security Act would have required all private and government entities that handle data to implement specific risk assessment and vulnerability testing measures, including controlling access to data, detecting and logging unauthorized access, and protecting data while in transit.
Meanwhile, regulation in Europe continued apace. In 2014, the Court of Justice of the European Union ruled that European law gives people the right to ask search engines like Google to remove results for queries that include their name. This is known as the right to be forgotten. In the United States, this right is still not recognized, but it is worth asking whether the country might implement a similar policy in the future.
In 2016, after four years of deliberation, the General Data Protection Regulation (GDPR) was approved by the EU Parliament. This regulation superseded the EDPD and unified the 27 national data protection regulation systems in the EU, improved corporate data transfer rules in the EU, and allowed greater user control over personal identifying data. It is considered to be the most comprehensive data privacy law to date, including the following requirements: right to be forgotten, affirmative consent, timely breach notifications, plain language for service agreements, and fines of up to 4 percent of an organization’s worldwide annual turnover if violations are found.
Organizations were given a two-year grace period to update their security measures and protocols to implement the GDPR, so the law formally took effect in 2018. That same year, the California Consumer Privacy Act (CCPA) was enacted in California, and so far it is the most comprehensive privacy law in the history of the United States. The law provides California residents with the right to know what personal information is collected about them and whether it is being sold or disclosed and to whom, the right to access their personal data, the right to say no to the sale of their personal information, and the right to request that businesses delete their personal information.
These privacy rights for Californians have been further clarified and extended with the passing of the California Privacy Rights Act (CPRA) in November 2020. The expanded provisions go into effect in 2023 and provide further protections for Californians such as the right to be forgotten and the right to say no to the sharing of personal information. Importantly, the CPRA also establishes a new Data Protection Authority tasked with enforcing the requirements.
Since the GDPR and the CCPA are the two major pieces of regulation discussed here, we’ve put together a separate article that outlines and compares them across key principles.
The Future of Data Privacy Regulations
In the United States, the CCPA/CPRA is setting the precedent for similar data regulations in other US states. It may even be a blueprint for the US to implement federal legislation similar to the GDPR. So far, Nevada, Washington, and New York have all introduced privacy bills with provisions similar to the CCPA.
Ultimately, state-specific regulations aren’t ideal for businesses, especially those with an e-commerce presence, because their services aren’t state-specific. Imagine a company like Macy’s. It has to treat its customers’ digital information differently depending on whether the customer lives in California or Ohio. This situation will only grow more complicated as more states add their own regulations. The patchwork system of laws in the United States has presented many obstacles for businesses, especially those with widespread operations, and momentum is building for a federal privacy law.
While the United States and the rest of the world have been slower than Europe to implement data privacy regulations, it seems clear that European-style regulations are on the horizon, and similar policies will likely be enacted across the globe in the coming years. Already, 60 jurisdictions worldwide have enacted data protection laws following the GDPR, and India is expected to implement a privacy law in 2021. According to Gartner, “By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations,” up from 10% in January 2020.
So, what does this mean for American organizations? For one, as we see an uptick in regulations, we see a similar rise in lawsuits. Employee privacy lawsuits are predicted to multiply in 2021, which means that companies will have to implement privacy by design when processing employee personal data. As precedents are being set, companies will need to err on the side of caution or be prepared to handle privacy-related lawsuits.
Secondly, in order to find solutions to these new privacy needs, developers are creating software to automate data privacy. You can expect the trend of data privacy automation to continue and for a number of solutions to become available as data privacy regulations expand.
It’s Time to Evaluate
Now that you understand what has happened in the realm of privacy regulation and how these policies are likely to play out in the future, it’s time to consider what might be required from your organization.
What is the state of your data? How easy or difficult would it be for your organization to begin complying with these changes if they were implemented in the near future? What solutions do you have in place, and are all your downstream systems, such as marketing automation, retargeting, and loyalty programs, positioned to properly adapt to these changes? Or will you have to fully re-architect how your solutions are structured and what your processes look like?
Don’t wait until these changes are upon you. Whether you love or hate these regulations, the writing is on the wall. Seize the opportunity to get a head start and prepare your organization for the future.