The Quilted Landscape of US Consumer Data Privacy

The Quilted Landscape of US Consumer Data Privacy
Author: Robin Lyons, Principal, IT Audit Professional Practices, ISACA
Date Published: 13 August 2020

Consumers are aware of data trade-offs. Creation of a customer account can make online shopping checkout faster; setting up a free social media account can make connecting with others easier. These conveniences are available often in exchange for data that entities use to better understand consumers. Interestingly, consumers appear to place high value on these conveniences as they continue to adopt convenience despite a low level of trust for how their data is used and safeguarded. A 2020 global survey, part of PwC’s Consumer Intelligence Series, concluded that 85% of global consumers wish “there were more companies I could trust with my data.”

Given the lack of trust and perceived lack of choice reflected in this survey item, it is not surprising that consumers are searching for solutions. In the United States, federal regulations may address data privacy by industry or by data type. There is not, however, a single, comprehensive federal consumer data privacy initiative. Yet. So, at this time, states have taken the lead in addressing consumer data privacy. Of the state initiatives in place,  the California Consumer Privacy Act (CCPA), in particular, has captured the attention of audit and assurance practitioners. Why is that? In addition to granting consumers several ‘rights-to’ (e.g. right to know what personal information is being collected), the CCPA has a hefty list of other requirements that require assurance over operations. And though the CCPA focuses on the data of California consumers, organizations anywhere in the world may need to be compliant with it.

This assurance relates partly to the CCPA requirements themselves but also to continuous changes at the state level. While the US states of Maine, Nevada and California have already passed laws, 15 other states have consumer data privacy laws in committee and five states have identified task forces to address consumer data privacy. As new state laws are adopted, entities are challenged not just by those applicable states’ requirements but also with finalization of the requirements and their enforcement dates.

This “moving target” of potentially evolving expectations and enforcement dates presents a challenge for even the best compliance programs. For audit and assurance practitioners in particular, all of this ultimately begs the question of how to lend assurance in the current landscape. Focusing on the following may help:

  • Maintain awareness of changes in technology or processes that affect compliance efforts. For example, upon adoption of artificial intelligence, consideration should be given to how a requirement for notice and consent can continue to be met.
  • Acknowledge that compliance with multiple frameworks may create compliance “fatigue” among stakeholders. Be prepared to respond to questions about why compliance requirements are different (or the same) and how the entity is taking a holistic view of data privacy, not a legislation by legislation, siloed approach.
  • Stay current on data flows and where affected data resides. For example, under the CCPA, a consumer’s request for deletion of personal information may be waived if the information is necessary for scientific, historical or statistical research in the public interest. Data classification or data taxonomy that supports data attributes at this level is essential for effective compliance.
  • Collaborate with stakeholders on possible risk scenarios and plans of action for each scenario. Develop and maintain a risk register of those risks that may jeopardize compliance.
  • Continue to follow change management best practices, although the implementation schedule may be accelerated.
  • If the worst happens, ensure incident management plans are in place that are appropriate, tested and include provisions for reacting to a data breach that impacts consumers.

Currently, there is activity at the federal level to address consumer data privacy such as the Consumer Online Privacy Rights Act (COPRA) and the Consumer Data Privacy and Security Act of 2020. Until legislation is passed at the US federal level, however, audit and assurance practitioners are part of an evolving consumer data privacy landscape. The recommendations above may help practitioners provide assurance in that landscape until a more comprehensive, federal approach has been finalized.

Editor’s note: For additional privacy resources from ISACA, see the CCPA Audit Program and learn more about ISACA’s new Certified Data Privacy Solutions Engineer (CDPSE) certification.