Though four years have elapsed since we first encountered the data privacy regulation that transformed the European market, the GDPR, even today many companies need help complying with the regulations as they have completely raised the bar in this field. It makes no difference if the company is a technology giant or a small startup, nobody is immune to data privacy regulations. Just this last year, for example, Google was fined a sum exceeding $100 million for the sixth time. Meta too was no exception and was forced to pay the second-largest fine in the history of the regulation.
All of these are clearly expected to have a profound impact over the coming year not only on US companies but on all companies operating in the continental USA, with Israeli companies of course being no exception to this.
This situation is a complete game changer. Take the Apple update, for example: if a business that relies on an iOS app as part of its business and sales model fails to meet the requirement of deleting consumers’ personal data, it will probably be removed from the App Store (which is likely to lead to the immediate loss of its revenues).
On the other hand, apps that do comply with the requirements are likely to replace those that don't, which will clearly bolster those businesses and apps that to date have been less popular or well-known. In essence, we can regard this as a potential for significant growth, if we only learn how to adopt the correct behaviour in the ever-changing environment.
So, what can we expect in 2023 and what do Israeli companies need to know to avoid any potential damage and possibly even to flourish in the new era of data privacy?
Should the ADPPA, the federal bill whose “Duty of Loyalty” imposes a data minimization requirement, the right to refuse targeted advertising, etc., enter into force, it would establish the United States’ first comprehensive federal data privacy law and reconcile differences between state and federal requirements.
Adv. Jim Sullivan, a partner in DLA Piper's Washington, DC, Regulatory and Government Affairs practice explained that this law will completely change the rules of the game and will prevail over any state regulation in the USA such as the CCPA. It will clearly impact all companies operating in the USA.
Sullivan goes on to further explain the law's impact on companies operating in the USA by saying, “Any covered entity’s failure to comply with the ADPPA could subject it to enforcement actions by the Federal Trade Commission and state attorneys general. Starting two years after the law’s enactment, a covered entity could also face private actions in federal court from injured consumers seeking damages, injunctions, litigation costs, and attorneys’ fees. Companies really need to prepare for this eventuality in advance, whether the law is adopted or not.”
“Today, every company is a technology company and access to consumer data is critical to business continuity. The growth in data privacy laws in the United States and around the world, and developments such as the Schrems II ruling in Europe and the remote work transformation in the wake of the COVID-19 pandemic have combined to create serious risks to companies’ abilities to collect and process consumer data,” Sullivan stresses.
“To ensure ongoing business operations in this ever-shifting landscape, expert advice on preventing, mitigating, and addressing these risks has never been more essential,” claims Jim and adds, “Each new state and federal regulation introduces something else into the equation that businesses have to contend with. Thus, for example, the ADPPA would impose several duties on covered entities, including requirements to abide by data minimization principles and special protections for certain types of data, to obtain affirmative express consent before using ‘sensitive covered data,’ and to designate data privacy and security officers. It would also prohibit discrimination based on characteristics such as race, gender, or sexual orientation, and direct ‘large data holders’ to conduct algorithmic impact assessments.”
In addition to gaining the aid of data privacy experts, there are other recommended approaches to prepare for the anticipated regulatory changes, and the sooner these are adopted the better, to prevent history from repeating itself as has been and still is the case with the GDPR.
Beyond consulting with attorneys and data privacy experts, it is imperative to adapt the entire business to the shifting landscape from a technological point of view too. Of course, understanding the state of play in the changing market is the first step, while surrounding yourself with relevant experts has become an essential move, but the change is not limited to this alone. The critical stage is complying with the requirements such as the right to be forgotten, or adapting the algorithm so that it does not pass on to the consumers ‘racist’ messages – and this is where the automatic technological solutions step in.
It is extremely important to understand that especially for a startup or young company operating in the US market or operating an app on iOS, any financial expenditure on data privacy might involve enormous costs. At the same time, managing the company's overall data privacy setup and complying with the regulatory requirements manually could easily cost a considerably greater amount of money, and often those young companies are not capable of coping with the enormous strain and ultimately risk heavy fines.
Written by Gal Ringel, CEO of Mine