Reflections on Data Privacy in 2018 and a Look Ahead

As 2018 comes to a close, it's helpful to look back and reflect on the year in terms of data privacy. What a year. The GDPR went mainstream, shifting from a subject only discussed by privacy lawyers to a household name seemingly overnight. It even spawned a host of memes. Of course, the GDPR wasn't the only thing to happen last year regarding data privacy rights. In this post we reflect on what happened over the year and take a peek at what 2019 might have in store.

Facebook & Cambridge Analytica

In March of this year, The Guardian and The New York Times broke the story of how the personal data of nearly 87 million Facebook profiles were used by digital consultancy group Cambridge Analytica in an effort to influence the 2016 US Presidential Election. The news of the data privacy breach sent shockwaves through the privacy space and even spurred consumer outrage. The hashtag #DeleteFacebook started trending on Twitter as various outlets offered solutions and alternatives to Facebook for consumers that felt betrayed. According to a survey conducted in June by the Pew Research Center , 42% of Facebook users had stepped back from daily activity and engagement, 26% deleted the Facebook app from their phones, while 54% reported adjusting their privacy settings.

While the initial outrage has mostly subsided, the news of the breach left Facebook, and its executive team, scrambling to address concerns from policy makers and resulted in numerous inquiries by legislative bodies across the globe. Though Facebook has the resources to fend off any legal or regulatory actions, its reputation suffered a blow in 2018 and its actions can be said to be responsible for bringing the concept of " surveillance capitalism " front and center of any privacy discussion.

The initial (and continuing) impact of the GDPR

It would be a massive oversight to reflect on the year in privacy and not mention the GDPR. By now, most are anxious to forget the nightmare of frantic preparation that led up to the May deadline for the sweeping law that standardized data protection across all 28 EU countries and imposed rigid new rules on collecting and processing personally identifiable information (PII). But its impact fundamentally altered the way we do business online.

Despite having gone into law seven months ago, there are still plenty of organizations that to this day, have resorted to blocking website traffic from the EU rather than investing in compliance measures. Of course, we've written about how this approach is short-sighted given that data protection is going global , but confusion around the law and its focus is rampant. Much of this will be cleared up as case law and regulatory activity ramps up, but in the meantime there's still plenty of confusion around GDPR.

It's been predicted that the first wave of major fines will come in early 2019, with numerous DPAs wrapping up months-long investigations into data privacy violations. Earlier this year, a Portuguese hospital received (and contested) an imposed fine of 400,000 euros. Last month, one of Germany's largest online chat sites also received a fine . So, to think that GDPR ended on May 25th, particularly given the number of similar laws sprouting up around the world, is a mistake. In short, we consider the GDPR's principles of fairness, transparency, and lawfulness of data processing to be "the new norm" around the globe as countries across the world look to better protect their citizens online.

The British Airways data breach

On the heels of GDPR becoming law, UK airline company British Airways announced a sizeable data breach in September 2018, disclosing that the personal and financial information of 380,000 customers were maliciously accessed by a third-party group. This hack, attributed to the same group responsible for a similar breach of Ticketmaster, were able to take advantage of a compromised JavaScript tag on their site that they received from a third-party provider. We've written in the past about the risk that poor digital governance poses to organizations who rely on third-party scripts to help power their martech stacks. The BA case highlights the ease in which hackers can exploit these vulnerabilities in what's become a business critical marketing ecosystem.

In October, the Information Commissioner's Office (ICO), the data protection authority for the UK, announced a formal investigation into the breach with findings expected to come in 2019. ICO's decision is likely to be watched closely by the privacy community as it serves as the first major data breach in Europe since the GDPR and its sizeable fines went into effect.

What's coming next: privacy regulations in 2019

2018 proved monumental in the data privacy space with numerous high-profile cases coming to light and the GDPR coming into full-force. Not surprisingly, consumer concerns increased as a result. According to a GlobalWebIndex survey released in October, 72% of respondents in the US and UK say they're more aware of how companies collect and use their personal data than they were 12 months ago, and 70% are now more concerned about online privacy. So, what should you expect in 2019? Here are some suggestions for key areas to watch.

California Consumer Privacy Act (CCPA)

After a highly contentious debate and election cycle, California residents approved the California Consumer Privacy Act (CCPA), the first law of its kind in the United States. Modeled after the GDPR, the law provides California residents with the right to take control of their personal data online and get clear insight into how it's being used. Along with disclosure requirements and the right to object to the sale of a user's personal data, the CCPA provides California residents with the ability to request access to their data including "deletion", commonly referred to as "Right to be Forgotten."

For US-based companies that may have decided to sit-out on the GDPR, this new law will force them to go through the painstaking work necessary to ensure that opt-outs, data access, and transparency around data collection and processing become a key part of their operation. For companies that went through the stress of becoming GDPR-ready, this process should feel familiar. For those that didn't, they may face a rude-awakening. Our suggestion? Don't put it off. Ask anyone that procrastinated becoming GDPR-ready until a few months before the deadline how that worked out for them.

Updates on the ePrivacy Regulation (ePR)

Harmonizing the patchwork of data privacy requirements created by the ePrivacy Directive remains a major goal for regulators in the EU. The updated law was originally supposed to go into effect alongside the GDPR in May of this year. In retrospect, you can imagine the chaos of having ePR and GDPR go into effect at the same time. On the other hand, it may have alleviated some of the confusion caused by the GDPR, particularly as it relates to consent to the use of cookies.

So, what's the latest on the ePrivacy Regulation? The latest draft of the regulation removed the requirements for browser-based consent, added additional clarity around the use and collection of metadata, and hints towards the possibility of making it lawful for organizations to make access to their website conditional on a user's consent to cookie-based tracking. This particular item is likely to be hotly debated as privacy advocates feel this runs afoul of the GDPR's definition of consent as "freely given." Despite these differences, it's likely that the ePrivacy Regulation will be finalized in 2019 with a target implementation date of 2020. This, of course means that many organizations will need to follow the proceedings closely so they don't get caught off-guard.

Revisiting GDPR - again

Regulators in the EU have suggested that decisions, fines, and recommendations are likely to start flowing into the market in the early part of 2019. These decisions will provide guidance and clarity on aspects of the law that are considered ambiguous and perhaps move any laggards in the market to take the law seriously, particularly as those fines materialize and are publicized. For those confident in their GDPR-readiness, there could very well be action that causes them to rethink that, like the recent CNIL decision against adtech provider, Vectuary.

The first flow of decisions will likely send a chill across corporate privacy teams as they look to ensure that they're not on the receiving end of one of these letters. So, while GDPR may feel very "2018", it's likely to rear its head again throughout 2019 (and possibly beyond) as regulators look to flex their muscles.

Written by: Gabe Morazan and William Littman