Many thought the day would never come, but spurred by the tightening of existing regulations and the introduction of new ones around privacy and data protection, the internet is finally cleaning up its act. Driven by growing concerns about how personal data is being collected and used, as well as rapid advancements in AI and cybersecurity threats, online businesses can no longer afford to remain ignorant of this regulatory wave. Read on to discover exactly how these changes will affect the digital landscape, and what they mean for your business.
While some might argue that, as with any burgeoning industry, it was only a matter of time before regulators caught up with online business, it is possible to identify some key accelerants:
User concerns regarding online privacy and data protection have been growing for some time. This is partly due to increasing digital literacy arising from the ever expanding availability of electronic goods, online socialization and work during the pandemic, and the emergence of digital native generations such as Gen Z.
Data use scandals such as that which surrounded Cambridge Analytica and Facebook have added significantly to these concerns, as have the increased prevalence of phishing scams, which have grown more advanced and frequently rely on PII data secured through leaks and attacks.
The rapid advancement of AI has caused widespread fear about how this technology might transform society – or even end it. These concerns range from the potential to generate huge amounts of misinformation online, replace musicians and artists, or override nuclear security systems and cause WWIII. It’s important to remember that AI has been around for a long time, and it’s largely its increased visibility in mainstream applications such as ChatGPT driving this current panic.
Cybersecurity concerns are on the rise, following a huge surge of cyber attacks. Large scale attacks increased by 125% between 2020 and 2021, and a further 38% the following year. This is mostly due to the massive adoption of cloud computing technologies, expanding the attack surfaces for the vast majority of companies – particularly those that do business online.
While huge amounts of data regulation is emerging around the globe, some of it is highly influential, while some will only apply in certain, specialized industries and situations. Below, we break down the bits you need to know about.
Designed to protect personal data breaches on both micro and macro levels, the EU’s GDPR and California’s CCPA are the two largest data privacy regulations and have each been in operation for several years (2018 and 2020, respectively). However, they are now being enforced more strictly than ever, with several businesses facing huge penalties last year. For example, the Irish Data Protection Commission issued a historic fine of €1.2bn ($1.3bn) to Meta for inadequate protection of PII, while in the US, huge businesses such as Google ($93m), Amazon ($25m), Microsoft ($20m) and Edmondo ($6m) all agreed to settle CCPA violations for vast sums.
Along with secure handling of PII data, GDPR requires explicit user consent for the collection of data through third party cookies. Companies are also required to provide clear and comprehensive information about data use and to make it simple to opt-out of cookies. CCPA, on the other hand, requires that companies inform users about cookie use and provide an ‘opt-out’ option. These laws are driving factors behind the mass abandonment of third party cookies by all major browsers, and the introduction of Google’s Privacy Sandbox in efforts to replace them.
In efforts to meet demand for a wide scale data privacy law resembling GDPR, US federal legislators have drafted a bill called the ADPPA (American Data Privacy and Protection Act), described by the Library of Congress as “establish[ing] requirements for how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual”.
However, supporters of this bill have so far been unable to have it enacted in law, leading many states to pass their own “mini CCPAs” as a supplementary measure. Twelve states (California, Colorado, Connecticut, Utah, Virginia, Indiana, Tennessee, Delaware, Iowa, Texas, Montana, and Oregon) have passed comprehensive consumer privacy laws, with six others having implemented bills that sit inactive. Taking their lead from CCPA, many of these states will likely begin to issue large penalties for data misuse in the near future.
Intended to ensure the safe and ethical use and development of AI, the EU AI Act features specific requirements around testing, documentation, transparency, and notification duties, and will likely be enacted this April or May. The act provides legal certainty around AI investments while minimizing consumer risks. This is partly achieved through stiff penalties that can reach $35m or 7% of annual turnover.
As well as measures such as banning certain technologies, limiting high-risk use cases, and mandating stress testing and transparency for the most advanced programs, the EU AI Act demands that some companies design either an ‘AI Act compliance program’ or an ‘AI ethical risk/responsible AI program’, depending on their specific requirements surrounding AI.
The tightening regulations around data collection and AI mean that the laissez faire culture that once surrounded online data collection has come to an abrupt end. Going forward, collecting and processing PII data will become much more restricted, presenting challenges for digital businesses that rely on converting and retaining online customers.
However, as third-party data becomes harder to harness, first-party data will become ever more valuable as an affordable, ethical, and futureproof means of understanding and engaging customers. For instance, various solutions now combine machine learning techniques with huge stores of anonymous data, enabling companies to achieve real-time personalization, tailored promotions, cyberattack response, and other features that previously relied on third party data.
While the rapid influx of data privacy and AI accountability regulations creates new obstacles for online business, forward-thinking companies will seize the opportunity to turn legal obligations into brand differentiators. Rather than struggle to make third party cookies work in an online environment that increasingly rejects them, by committing to transparent first party data use, businesses can earn consumer trust and loyalty. There is a new frontier for data collection, and it’s ethical, anonymous, and highly effective.
