Cybersecurity firm Merudata has issued their "top 10" list of privacy concerns for 2023.
- The California Privacy Rights Act (CPRA) is effective 1/1/23, expanding on the California Consumer Privacy Act (CCPA).
- The Virginia Consumer Data Protection Act is effective 1/1/23.
- The Digital Markets Act became effective in the European Union 11/1/22. It applies to "gatekeeper" online platforms.
- The Digital Services Act applies in the EU to all providers of digital services.
- Personal health information is subject not only to HIPAA but also to additional state and proposed federal laws.
- California has passed the Age-Appropriate Design Code Act with higher standards for children's data than the Children's Online Privacy Protection Act.
- Business-to-business exemptions under the CCPA end 1/1/23.
- Geolocation data is considered sensitive personal information in California and other states.
- Biometric data is regulated by the GDPR, HIPAA and the Illinois Biometric Information Privacy Act (BIPA).
- Algorithmic bias affects artificial intelligence by amplifying biases embedded in data (in other words, bias in, bias out).
Merudata's post at https://www.merudata.com/single-post/privacy-recap-2022-top-10-things-to-look-out-for includes recommendations for dealing with each of these issues. Since some apply in multiple cases, here is a summary:
- Have the required tools and resources to deal with data subject requests.
- Review data sharing with third parties.
- Ensure consumers have options to limit the sharing or sale of personal information.
- Delete personal information when no longer needed.
- Conduct data protection assessments when processing personal data.
- Obtain prior consent from users when collecting or processing sensitive personal data.
- Maintain transparency about how you share and sell personal data.
- Have tools and resources to respond when courts or authorities point out illegal content.
- Have mechanisms for reporting and taking action on illegal content.
- Monitor advertising based on sensitive data and/or targeting minors.
- Conduct regular assessments of systemic risks.
- Study relevant regulations applicable in your jurisdiction.
- Obtain parental consent, with right to review, when collecting children's personal information.
- Encrypt personal data during transmission.
- Have a clear privacy policy.
- Make sure data used in artificial intelligence is accurate and diverse.