Eye on Privacy: 2014: The Year of Unintended Consequences
Usually, at the beginning of the year, I try to look at what marketers might expect from Congress in the coming year. For 2014, I’m taking a different approach. This year, I’m looking at the less obvious actions—the ones we don’t expect to have an impact on us—and examining the unintended consequences that will, in fact, impact our businesses. Here are some areas that you shouldn’t ignore:
• The “California Effect,” coined by U.C. Berkley Prof. Paul Schwartz, is California’s ability to set Internet policy that propagates through the U.S. and the world. Whether your business is located in California or not, what California does will impact how you do business on the Internet. The state’s recent Do Not Track rule has important implications for all websites beyond simply responding to a new browser signal, and it will have to be dealt with even though debate continues at a national level.
• The globalization of data protection standards and safe harbor response has impact beyond how U.S. companies will handle data on non- U.S. citizens. While we wait and watch to see what will happen in the E.U. and how that will affect U.S.-E.U. Safe Harbor rules, other countries have enacted data protection laws that will require U.S. companies who wish to receive PII on their citizens to obtain consent before collecting data, limit use based on notification, give notice before transferring data to a 3rd party, and create new hurdles to transferring out of countries not covered by Safe Harbor. Will global companies based in the U.S. provide greater rights to a citizen of Kazakhstan than to a citizen of the U.S.?
• While lawsuits based on perceived privacy violations and security mishaps are struggling to show harm, new HIPAA rules take harm out of the equation. Rather than having to show harm, the new HIPAA rules define a data breach as any unauthorized acquisition, access, use or disclosure of the data. Companies that process protected health information (PHI) know that the only way to protect against a breach of PHI is to encrypt the data, limit access and monitor all data transfers. Will companies conclude that PHI is their only data liability, or will they begin to migrate other data to this level of security?