Most security standards require a “regular review” of policies, which many companies do with an annual cadence. What could be more ho-hum and boring? But US and international regulations have changed over the last year, and that pace of change is likely to continue for at least a couple of years.
The good news? Most companies are not likely to see huge changes soon. However, there has been enough change in the past year that many of us need to make updates to stay in compliance and avoid snags in our sales pipelines.
Conducting annual reviews should be at the top of your list. I review some significant regulation changes below. Although not all may apply to your company or industry, I hope this motivates you to check that your company is conducting annual reviews, and that your policy and contract updates are keeping pace with the regulations and requirements that apply to you.
EU-US Privacy Shield Invalidation (Schrems II)
Edward Snowden’s 2013 revelations about the US National Security Agency’s (NSA) PRISM program started the chain of litigation that ended in the July 2020 landmark decision of the Court of Justice of the European Union (CJEU), known as Schrems II, invalidating the EU-US Privacy Shield. Privacy Shield was a framework, approved by the European Commission, under which US companies could self-certify in order to receive personal data from the EU in compliance with the European Union’s General Data Protection Regulation (GDPR). It replaced the earlier Safe Harbor framework, which the same court struck down in 2015 (Schrems I) on similar grounds. Many companies used Privacy Shield as the basis for their security and privacy programs and relied on it in their policies and contracts.
Snowden claimed, and it was later confirmed, that the NSA had access to the data streams of several large US internet companies. That meant all the protections Privacy Shield companies put in place on their own systems could not necessarily shield their European users from a dragnet placed “upstream” of them. The court focused on the US surveillance programs themselves, in particular collection under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333. It found that those programs are not limited to what is strictly necessary and proportionate, that EU residents have no effective judicial remedy in the US, and that the Privacy Shield Ombudsperson mechanism was not independent enough to cure those defects.
US companies that serve European users and rely instead on the Standard Contractual Clauses (SCCs) are in a better position, but only temporarily. The court upheld the SCCs, yet it also held that a data exporter must assess, transfer by transfer, whether the law of the destination country undermines the clauses, and must add supplementary measures (technical, contractual or organizational) where it does. For transfers to the US, that assessment runs into the same surveillance problem the court had just described. Both the EU and the US are working on clarifying the requirements for US companies, and company attorneys are providing short-term and long-term strategies in the meantime.
EU Cookie Ruling and the ePrivacy Regulation
In October 2019, the CJEU ruled in the Planet49 case on how websites must obtain consent to place cookies on European users’ devices. The court held that a pre-ticked checkbox the user has to untick is not valid consent: consent must be an active, affirmative choice, it is required whether or not the cookies hold personal data, and the user must be told how long the cookies persist and whether third parties can access them.
The EU laws involved are the ePrivacy Directive and the GDPR. The GDPR governs cookies when personal data is gathered through them. The ePrivacy Directive (Article 5(3)) requires consent before anything is stored on or read from a user’s device, whether personal data is collected or not, with an exception for cookies strictly necessary to provide a service the user has asked for. The Directive borrows its definition of consent from the GDPR, which is why the two laws are read together.
The EU is actively working to replace the ePrivacy Directive with the ePrivacy Regulation. A directive has to be transposed into each member state’s national law, with the variation that implies; a regulation binds all EU member countries to the same text directly.
Advice to US companies about this ruling has varied, because the ePrivacy Directive reaches companies through national laws whose territorial scope differs from country to country. The ePrivacy Regulation is currently expected to match the territorial scope of the GDPR and so apply to organizations outside the EU that serve EU users. It is expected to be finalized in 2021 or 2022, followed by a transition period. The advertising industry has raised several concerns about the impact on its business models, and the drafts under discussion also include new exemptions from cookie consent, for example for some first-party audience measurement.
US State Privacy Laws
I can anticipate your sigh. California voters passed an amendment to the privacy law the state rolled out last year, the California Consumer Privacy Act (CCPA). The amendment, the California Privacy Rights Act (CPRA), takes effect in January 2023. The CCPA gave users the right to opt out of having their data sold. The CPRA extends that right to cover “sharing” of data for cross-context behavioral advertising, where no sale occurs. It also adds a category of sensitive personal information with its own limits, adds a right to correct inaccurate data, addresses profiling and automated decision-making, and creates a dedicated enforcement agency, the California Privacy Protection Agency.
Virginia enacted its own law, the Consumer Data Protection Act (VCDPA), in March 2021. It takes effect in January 2023 and has provisions similar to California’s CCPA and the GDPR, including rights of access, correction, deletion and portability, and an opt-out of targeted advertising, sale of personal data, and profiling. At least nine other states are also considering privacy laws.
US Department of Defense CMMC Roll-out
Now we turn from privacy to security.
The United States Department of Defense (DoD) is rolling out a requirement for its contractors to obtain a Cybersecurity Maturity Model Certification (CMMC). Unlike the existing self-attestation to NIST SP 800-171 under the DFARS clause, CMMC requires an assessment of the contractor’s practices by an accredited third-party assessment organization (C3PAO) before a contract can be awarded. The certification level a contract requires depends on the information the contractor will handle: Level 1 for federal contract information, and Level 3, which aligns with NIST SP 800-171, for controlled unclassified information.
The rollout is phased over five years. The DoD plans to include CMMC requirements in roughly 15 pilot contracts in 2021 and to cover all new contracts by fiscal year 2026. The requirement flows down: subcontractors that handle the same kinds of information under a prime contract must also be certified at the appropriate level.
The Good News
I do not cite these changes to wear you out; quite the opposite. The point is to alert you to recent and upcoming changes in regulations, and to offer some encouragement.
The laws are converging on similar practices: notice to users, consent or another lawful basis for collection, user rights to access and delete their data, and documented security controls. For most businesses, the changes needed will build on what has already been done to comply with existing laws. What’s needed is regular attention and small, incremental changes.
For businesses that rely on ad revenue from free website content, the changes are likely to be more severe, directly impacting their business models.
Check that your company is conducting annual reviews of its policies and contracts, and of the regulations that affect them. This is the easiest and most direct way to stay compliant as regulations change, and to keep compliance questions from stalling your sales pipeline.
For more information on any of the regulation changes I’ve discussed, I’ve included an article on each topic below.
Ensuring International Data Flows after Schrems II (Privacy Shield Invalidation topic)
ePrivacy: The EU’s Other Data Protection Rule
CCPA vs. CPRA – What Has Changed?
US State Comprehensive Privacy Law Comparison