Data privacy — what it is and what you need to know
Understanding data privacy in 2023 is both a matter of regulatory compliance and an essential best practice. Failure to ensure data privacy poses significant risks to your organization and the individual customers and end users you serve.
Data privacy has become an increasingly hot issue among consumers and governments — both of which have begun to raise concerns over historically opaque practices that often allowed for the widespread sharing of information with third parties. For organizations looking to boost their reputation and build consumer trust, this wave of discontent represents a major opportunity. To seize it, commit now to empowering your audiences with easy control over what happens with their personal details.
This article will demonstrate how, with a better understanding of data privacy, you can not only achieve regulatory compliance and optimize your data usage but also strengthen your brand and reputation by protecting the trust of your individual users.
Specifically, it will explain:
- What data privacy is
- Why data privacy is important
- Data privacy vs. data security
- Some of the most important data privacy laws and regulations
- Critical challenges to data privacy for businesses and individuals
- Take action to ensure data privacy
What is data privacy?
Data privacy refers to the ethical and legal handling of individuals’ personal information and emphasizes gaining users’ consent before accessing or sharing their data.
The two primary types of data include personally identifiable information (PII), which can be used to locate, contact, or otherwise identify an individual, and non-PII such as cookies and device IDs, which cannot. PII can further be broken down into two categories:
- Non-sensitive PII. This is personally identifiable information that is already part of the public record.
- Sensitive PII. This is information that is not otherwise available through a phone book, online directory, or other widely available source.
Closely related topics include data management — or the secure and cost-effective collection, storage, and use of data — as well as data sovereignty. Simply put, data sovereignty dictates that data is subject to the laws of the country where an organization collects it. Finally, data integrity relates to the quality of the data an organization collects and, as with data management, how well it stores it.
Why is data privacy important?
Data privacy is critical for reputation management and brand integrity: the adverse customer experiences associated with data breaches greatly tarnish a brand and negatively impact business performance.
Data breaches, meanwhile, can compromise intellectual property and confidential correspondence, as well as expose customers to criminal victimization including fraud and harassment. By outlining and applying best practices around keeping data private and secure, organizations are better able to protect their business assets from outside threats.
Finally, organizations that fail to take data privacy seriously are far more likely to find themselves hit with costly penalties or mired in lengthy lawsuits — a risk that will only grow as governments around the world add more and more laws to the books regarding the issue.
Data privacy vs. data security
Unlike data privacy, with its focus on the protection and use of individuals’ personal information, data security is concerned with how well an organization protects all its data. The two, therefore, are intrinsically linked, both requiring robust technical safeguards.
Data privacy, however, goes one step further, requiring an additional layer of legal expertise to ensure compliance with ever-changing laws and regulations. Another difference lies in who is responsible for deciding what happens to the data. In the case of data privacy, users are ideally given the option to determine what information an organization can use and how. When it comes to data security, however, organizations are the ones in charge.
Far more difficult to measure is the cost to an organization’s reputation when either data privacy or data security measures fall short. As threats continue to proliferate, those organizations that invest in both are most likely to save both money and face with their customers.
Some of the most important data privacy laws and regulations
Currently, no single legal definition of “data privacy” exists. In its place are a range of laws and regulations that govern data privacy practices, including:
Fair Information Practices — the foundation of data privacy regulation
The Fair Information Practices, also known as the Fair Information Practice Principles (FIPPs), were created by the Organization for Economic Cooperation and Development (OECD) in 1980 and agreed upon by a number of countries.
There are eight principles that, taken together, form a framework designed to increase transparency and accountability in the collection of personal data. They serve as the foundation for the laws and regulations that have since emerged on the subject.
Understanding the current data privacy regulatory environment
Among the most influential data protection laws is the General Data Protection Regulation (GDPR). Enacted by the European Union in 2018, it lays out a list of requirements for data controllers and processors, including the use and testing of security measures and informing appropriate authorities within 72 hours of a breach.
Critically, the GDPR also assigns fines in the case of violations, up to €20 million or 4% of the business’s worldwide annual revenue, whichever is higher.
The United Kingdom’s own version of GDPR, known as the Data Protection Act, passed in 2018, specifies stronger legal protections for any information relating to race, genetics, religious beliefs, sex life and orientation, and other similarly sensitive topics.
Across the Atlantic, an alphabet soup of American laws regulates data use and protection. These include:
- Health Insurance Portability and Accountability Act (HIPAA). Passed in 1996, HIPAA standardized the protection of sensitive patient health information across the United States.
- Fair Credit Reporting Act (FCRA). The FCRA was originally published in 1970 to protect information collected by credit reporting agencies, medical information companies, and tenant screening services.
- Gramm-Leach-Bliley Act (GLBA). Also known as the Financial Services Modernization Act of 1999, the GLBA required financial institutions to explain their information-sharing practices to customers and to add safeguards to their data.
- Electronic Communications Privacy Act (ECPA). Prior to the ECPA, there were no laws explicitly outlawing the interception of digital and electronic communications — only those over “hard” telephone lines. This law changed that, with violators facing up to five years in prison and up to $250,000 in fines.
- Video Privacy Protection Act (VPPA). Passed in 1988, the VPPA makes it illegal to disclose a person’s video rental history. It lay dormant for years until 2007 when lawyers began to apply the law to data collected by digital streaming services such as Hulu and Netflix. In 2013, President Barack Obama signed an amendment allowing video rental companies to share users’ rental histories on social media with the consent of the customer.
- Children’s Online Privacy Protection Act (COPPA). This 1998 law requires websites to seek parental consent prior to collecting information on children 13 years of age or younger.
Individual states have also passed their own laws regarding privacy, the most influential of which are the 2018 California Consumer Privacy Act (CCPA) and its 2020 amendment, the California Privacy Rights Act (CPRA).
The earlier piece of legislation granted individuals, among other things, the right to know and delete any information a business collects on them, as well as opt out of the sale of their information. The later law added to this list the right to correct inaccurate information and to limit the use and disclosure of any sensitive personal details collected about them. Other states to pursue similar laws include Colorado, Connecticut, New York, Utah, and Virginia.
How such laws impact an organization depends, of course, on its aims and business model. Understanding which regulations are most relevant to your own organization will help prevent costly missteps. The same is true for the many evolving challenges to data privacy today.
Critical challenges to data privacy for businesses and individuals
While businesses and individuals both face similar data privacy threats, businesses shoulder additional layers of risk and responsibility when it comes to protecting sensitive information.
Key challenges individuals face when it comes to data privacy include:
- Lack of transparency about how their data is being collected and managed. Even as a growing number of regulations aim to cast light on this area, much remains opaque to the individual user.
- Lack of control over personal data once it has been collected. A quick “accept” on a website or app can lead to unintended and unclear consequences for users, as well as few options to reverse course should they no longer wish for their data to be shared.
- Lack of privacy in their user behavior. From seeking romantic partners to looking up the names of and cures for health problems, once-private endeavors now leave detailed and trackable electronic trails.
- Vulnerability to cybercrimes such as fraud. Banking, healthcare, taxes, credit monitoring — all these highly sensitive activities, once performed in person and through physical documents, have moved online. In doing so, they have increased the odds that malicious actors will access the personal data contained within them.
Some of the data privacy challenges that organizations face include:
- Failure to prioritize data privacy. Investing in data privacy is only one of many competing concerns for today’s top decision-makers, and one that rarely delivers an instant boost to a company’s bottom line.
- Poor data visibility and data management. Many organizations are drowning in data, with much of it siloed between teams, making it difficult to manage and secure properly and efficiently.
- The complexity of infrastructure management, including devices, Internet of Things (IoT), and access controls. As threats proliferate and grow in their sophistication, so too do the tools to combat them.
- The complexity of the regulatory environment. Laws and regulations that prioritize individual rights place an extra legal burden on organizations.
- Vulnerability to cybercrimes and attacks. According to a 2022 IBM report, top breach sources include phishing, compromised business email, vulnerabilities in third-party software, and stolen or compromised credentials. Of all the industries the report examined, healthcare was hit hardest by data breaches, with the average breach costing just over $10 million.
- Lack of transparency and poor communication about data collection practices. Ultimately, the burden is on an organization to inform its users clearly and in a timely fashion about the use of their data.
Data security is big business, especially in the US, where the average cost of a data breach is $9.4 million, roughly twice the global average, according to that same IBM report.
Fortunately, organizations are not helpless in the face of such attacks. The study found that those entities which operated a fully deployed AI and automation program were able to identify and patch up breaches an average of 28 days faster, saving millions of dollars in the process. Even partially deployed artificial intelligence and automation programs proved highly effective, allowing organizations with them to fare far better than those without.
Take action to ensure data privacy
Data privacy presents significant challenges to organizations in areas including regulatory compliance, business asset management, and brand integrity. Safeguard your customers’ information and your reputation by implementing best practices, such as installing anti-malware software, implementing a clear data usage policy, and limiting access to sensitive information to those employees who truly need it.
Finally, as the IBM report indicates, enlisting the help of an automated solution is what ultimately sets organizations apart when it comes to mitigating risk, as well as the impact of breaches should they occur.
Adobe Experience Platform lets you monitor and respond to your customers’ data access and delete requests under relevant privacy laws, including CCPA and GDPR.