5 key data compliance regulations to know for 2022
Heightened data privacy regulations are coming. However, with so many evolving and industry-specific laws and no sole federal legislation, it can be tough to figure out what applies to your company and what doesn’t. That’s especially true if you’re trying to reduce legal spend and, like around 41% of small businesses, you don’t yet have a comprehensive data management strategy in place. But regardless of your company’s size, the longer you wait to set internal standards for data privacy, the greater your risk for noncompliance.
You need to know which data compliance regulations to follow if you want to avoid penalties and reputational damage. The data privacy laws that are already on the books form a blueprint that your company can use to inform your security policies.
1. General Data Protection Regulation (GDPR)
The GDPR is the European Union’s (EU) well-publicized answer to concerns over privacy. This law, which went into effect in 2018, gives consumers rights over their own personal data. While the GDPR only applies to companies that serve EU citizens, it’s a good idea to familiarize yourself with its regulations, even if your customers are based strictly in the United States. Because the GDPR is the most comprehensive regulation in the market, others will likely use it as a guide for their own data protection laws — which may apply to your company.
The GDPR protects personally identifiable information of customers and employees. That is a broad category that can include anything that might identify a person, like:
- Biometric data like fingerprints and facial recognition
- Identification numbers like passport numbers, tax identifiers, and national identification numbers
- IP addresses
- Telephone numbers
Punishment for noncompliance with the GDPR is a tiered system of fines. Severe or flagrant violations can lead to fines of up to 4% of the company’s global annual turnover or 20 million Euros — and you’ll have to pay the greater amount.
Several big-name companies have already faced fines for noncompliance with the GDPR. Google was one of the first to be hit with fines — $56.6 million in 2019. In 2021, Meta was fined $255 million for infractions by WhatsApp. That same year, Amazon was fined a whopping $847 million — the largest penalty so far.
2. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule
The HIPAA Privacy Rule is a U.S. federal rule protecting Americans’ personal data — in this case, medical records and personal health information. Most importantly, it lays out the responsibilities for safeguarding patient information for healthcare providers and companies that manage health plans.
That’s a crucial function, considering the stakes: Healthcare information can be used to buy fraudulent prescriptions and make fake medical insurance claims. It’s also chockfull of personal information — names, social security numbers, addresses — that can be used for identity theft. That’s incredibly attractive for bad actors — which may explain why the rate of healthcare data breaches almost doubled between 2018 and 2021.
HIPAA’s Privacy Rule also follows a tiered system for annual fines. The maximum fine possible is $1.5 million per year for each category of violation — but that level of punishment is reserved for companies that willfully neglect HIPAA rules by ignoring violations and refusing to fix problems with their privacy procedures.
HIPAA violations usually result in either the company paying its fines or agreeing to a settlement. In 2021, Excellus Health Plan (also known as Excellus BlueCross BlueShield and Univera Healthcare) agreed to a $5.1 million settlement for a massive data breach in 2015 that compromised the patient information of more than 9 million customers. Excellus Health Plan had a number of problems with their approach to security — for one, they didn’t have an adequate process in place to look for security vulnerabilities and didn’t notice the breach until 18 months after it happened.
3. Gramm-Leach-Bliley (GLB) Act
Similar to how HIPAA puts extra responsibility on healthcare organizations to protect their patients’ sensitive health information, the GLB Act mandates that financial institutions take steps to secure their data management systems because of the sensitive nature of their consumers’ information. But instead of healthcare data, this federal data protection law applies to financial institutions and financial service providers in the U.S. — banks, lenders, brokerage firms, debt collectors, and investment advisors.
Private financial information is a tempting data source for hackers because it can be used to open fraudulent credit cards, take out loans, and commit other forms of identity theft. In fact, 86% of data breaches are motivated specifically by financial gain, making it the most common reason for a bad actor to try to access private information.
Noncompliance with the GLB Act can lead to fines, and intentional violations of the law can carry criminal penalties. In 2021, mortgage analytics company Ascension settled a lawsuit that claimed they failed to secure financial information sent to a third-party vendor. It’s a stark reminder that your data privacy responsibilities can extend into your relationship with vendors as well.
4. Federal Trade Commission (FTC)
The FTC Act empowers the FTC to prosecute businesses for “unfair or deceptive acts or practices” — and that includes apps or websites that contain misleading information about privacy and security. This rule applies to all U.S. companies regardless of industry, and it guarantees a wide range of consumer protections and extends well outside of privacy.
The FTC typically issues fines to companies that don’t comply with its regulations. And it continues to levy those fines until the problem is fixed. Companies may agree to a settlement to sort the issue out like Zoom did in 2020 after the FTC alleged that the company published misleading information on its website about the security and encryption of its software. As part of the agreement, Zoom had to agree to improve its security, start a program to manage vulnerabilities, and offer more safeguards like multi-factor authentication to its users.
5. California Consumer Privacy Act (CCPA)
The CCPA guarantees rights over personal data — but only for California residents. Under the CCPA (and the California Privacy Rights Act, which will further expand the rule when it goes into effect in 2023), residents have the right to:
- Know what information a company collects and how it’s used
- Opt-out or opt-in to the sale of their data
- Delete the information that has been collected
- Correct inaccurate records
- Limit the usage of their information
- Sue a company for a data breach
In most cases, the California Attorney General deals with violations of the CCPA. The state issues fines based on a tiered system, or they may call for civil penalties for noncompliance. However, residents can also sue a company directly if their information is exposed during a data breach, though those cases are rare. Companies even outside of California may choose to follow the regulations in the CCPA for the same reasons they might adopt GDPR standards: This law is likely to become a template for other states that want to protect residents’ privacy.
In 2021 (the first year the CCPA was on the books), 10 unnamed companies ran up against the regulation and had to take steps to reach compliance, like updating their terms of service and privacy policies and providing users with a clear way to opt out of sharing their information.
What’s next for data compliance regulations?
We can expect to see more data compliance and information security rules across the U.S. as individual states pass their own mandates. We may eventually see federal regulations in this area — something that pro-privacy advocates have been requesting for years. Currently, 15 states have bills in progress, while three states (Virginia, Colorado, and Utah) have legislation that will go into effect in 2023. And countries outside of the EU are also looking at similar consumer protections.
Virginia Consumer Data Protection Act (CDPA)
Once it goes into effect on January 1, 2023, the Virginia CDPA will protect the privacy rights of Virginia residents. This law is similar to the CCPA: It grants consumers rights to personal data and requires companies to provide opt-outs and meet other privacy regulations. Noncompliance will lead to fines of up to $7,500 per violation.
Colorado Privacy Act (CPA)
The CPA is another new consumer protection law that grants Colorado residents rights over their data. It goes into effect on July 1, 2023. It also follows the blueprint laid out in the CCPA: Residents must have the choice to opt out of data collection, and they have a right to know what information a company has on file for them. Noncompliance will lead to fines, but companies can take advantage of a temporary 60-day cure period to fix any violations.
Utah Consumer Privacy Act (UCPA)
The UCPA goes into effect on December 31, 2023. This rule offers companies a bit more leeway than other states; it’s only applicable to businesses that target Utah residents, have annual revenue of at least $25 million, and meet certain thresholds for data collection and processing. Noncompliance fines can reach up to $7,500 per violation, but companies will have 30 days to fix the problems before facing consequences.
Data privacy is also becoming a priority in international markets. China, the United Arab Emirates, and South Africa all passed privacy legislation in 2021, and it’s likely that other countries will follow suit. The U.S. and EU have agreed to a preliminary deal that spells out how American companies can store the personal data of Europeans.
Worldwide, governments are trending toward stiffer compliance standards for consumer data privacy protection. If your product or operations have weak points that might expose sensitive data, now is the time to shore those up.
Fill data security gaps in your product
Regardless of the hefty fines and serious damage to your brand’s reputation, beefing up your cybersecurity and data protection capabilities is a core component of risk management for your company. The sooner you take steps internally to secure gaps in your product, the sooner you can protect your bottom line.
Start by helping your product team make sure that your product complies with any relevant data privacy regulations and protects customer data. It’s a good idea to comply with the state rules in California, Colorado, Virginia, and Utah, even if your business isn’t based there. If even one of your customers is in one of those locations, you need to take steps to protect their privacy. You can also future-proof your company by adhering to stricter compliance requirements like those in the GDPR, even if you’re not required to meet them.
It’s not a bad idea to work with IT during this time as well to make sure that your internal security measures are strong enough to prevent a data breach. Keep risk manageable by understanding the basics of data privacy compliance.