By Jay Cline, CIPP

Privacy and marketing professionals should be noticing something in the air. The last 12 months have produced deeper and broader privacy regulation and enforcement across the globe. This wave of activity is the most we've seen since the round of international lawmaking triggered by the 1995 EU Directive on Personal Data and the data breach notification phenomenon that began in 2005.

Technology innovations--many of them used for direct marketing--are generating much of this activity. Recently introduced proposals in the U.S. and EU, as well as actions taken in India and Korea, have signaled greater regulatory interest in smart grid technology, online privacy and location data. Lawmakers and regulators around the globe seem intent on ensuring new technologies incorporate widely accepted fair information practices.

A second driver is bureaucratic momentum. Several regulators tasked with enforcing existing data privacy laws are hitting their stride, launching more investigations and levying greater fines.

Americas region: More chefs in the privacy kitchen
Both trends are unfolding in the United States. The 2010 Dodd-Frank financial reform act created the Consumer Financial Protection Bureau. As many of the act's provisions take effect this month, the bureau's profile regulating privacy for non-depository financial institutions will increase. The Dodd-Frank Act also increased the powers of the Securities and Exchange Commission, which in April imposed its first fines for violations of its Regulation S-P Safeguard Rule for data privacy. In February, the Financial Industry Regulatory Authority  (FINRA)--which regulates securities firms--imposed its first significant privacy fine, a $600,000 levy on Lincoln Financial Securities for insufficiently protecting consumer information.

The Federal Communications Commission (FCC), which oversees the National Do Not Call Registry and regulates telemarketing in general, has also been increasingly asserting itself on data privacy. In recent months, the FCC has been examining the safeguards and implications of location-based services and marketing. At the same time, the U.S. Senate created its first body focused on privacy--the subcommittee on Privacy, Technology and the Law. The subcommittee wasted little time, holding its first hearings on the status of mobile device privacy in May.

The nation's most prominent privacy regulator, the Federal Trade Commission , has also been newly flexing its muscles. In December 2010, the FTC capped a yearlong outreach effort by issuing a landmark paper, "Protecting Consumer Privacy in an Era of Rapid Change." The paper sets out the commission's priorities for the coming several years, including online do-not-track rules and protections for location-based data. In March, the commission--which oversees enforcement of the U.S.-EU Safe Harbor agreement, the Children's Online Privacy Protection Act, CAN-SPAM Act, Gramm-Leach-Bliley Act Safeguard Rule, Health Breach Notification Rule and Red Flags Rule--showed its resolve to pursue its new set of priorities. The commission reached a settlement agreement with Google over its Google Buzz product, claiming the company misrepresented that it protected users' confidentiality. The settlement was the first time the FTC enforced substantive noncompliance with the Safe Harbor agreement.

Over the past year, the U.S. Department of Health and Human Services (HHS) has established itself as one of the nation's other leading privacy regulators. Following the implementation of the HITECH health data breach notification rule, the HHS Office for Civil Rights has stepped up its levying of fines--most notably on the University of California ($865,500 in July), Cignet ($4.3 million in February), Massachusetts General Hospital ($1 million in February) and RiteAid ($1 million in July 2010).

The Department of Education  (DOE) is also jumping into the privacy fray. The department regulates compliance with the Family Educational Rights and Privacy Act (FERPA). Largely because of a 2002 Supreme Court ruling concluding that FERPA does not create enforceable personal rights, the department has not pursued substantive enforcement actions of the act. This may be changing. In April, the DOE released a Notice of Proposed Rule Making under FERPA that would lay the groundwork for stricter protections and enforcement over student data sharing and use of student data for marketing.

Privacy regulation and enforcement at the U.S. state level has also picked up over the past year. The rise of smart grid technology has prompted several public utility commissions (PUCs) to issue rules on protecting consumer information under their purview. In May, the California Public Utility Commission adopted a proposal that would require smart grid operators to minimize data collection and only use it for the purposes collected. The Colorado and Minnesota PUCs have been following similar paths.

Health commissioners, insurance commissioners and attorneys general in a growing number of states have been initiating enforcement actions to protect the privacy of consumers in their states. Most recently, the Indiana attorney general imposed a $100,000 fine on Wellpoint for a data breach.

More privacy regulation is also developing in Canada and Latin America, although these parts of the Americas region have not yet seen a trend toward the imposition of fines for privacy violations. In December, Canada passed its long-awaited anti-spam law, which comes into effect this summer for companies conducting e-mail marketing in the country. This month, Peru also adopted its first national data protection law. In April 2010, Mexico similarly passed its national data protection law and created one of the most well-financed and staffed data protection authorities (DPAs) in the world. Indeed, an IAPP survey of DPAs worldwide, to be released later this year, will reveal that Mexico tops all other DPAs surveyed with a $38 million (USD) annual budget, followed by Italy ($35 million), the UK ($32 million), Canada ($25 million) and Spain ($22 million).

Europe: Turning a new page on privacy
The European Union has encountered over the years two main critiques of its privacy regime: that it hasn't kept pace with technological change and that member state enforcement has been generally light. These critiques have started to lose force over the past year, as Europe enters a new era of data protection oversight.

Last November, the European Commission issued a proposal for modernizing the 1995 Data Protection Directive. The proposal would usher in a sweeping set of changes, including stricter rules on data retention and breach notification and harmonized enforcement. In May, EU member states also passed the deadline for implementing enhancements to the EU Privacy and Electronic Communications Directive. The enhancements included far-reaching changes to how websites administer and gather consent for placing cookies on user computers. The UK and the Netherlands were two of the first member states to codify the new restrictions. According to analysts, new EU cookie laws will have a tremendous effect internationally. This development follows a significant decision from the EU Article 29 Working party defining mobile device location data as personal data.

Over the past year, Europe also continued its global leadership on the data protection docket. At the 32nd Annual International Conference of Data Protection and Privacy Commissioners in Jerusalem, EU delegates were instrumental in continuing to promote a global agreement on data privacy.

A handful of EU member states also imposed significant fines over the past year. According to the 2011 IAPP benchmarking survey of data protection authorities to be released at the 33rd Annual  International Conference of Data Protection and Privacy Commissioners in Mexico City, European DPAs collected more than $31 million in fees in the past year. Just three member states--Spain, Italy and the UK--accounted for nearly all of this amount, however. In April, the French DPA, CNIL, warned businesses and individuals of its plans to increase compliance inspections and enforcement of cross-border data transfer practices, particularly by companies enrolled in the U.S.-EU Safe Harbor Program.

Asia: laying foundations
The IAPP's landmark paper "A Call For Agility" identified the Asia-Pacific region as the next frontier awaiting a privacy makeover. The past year may have seen the opening act. In April, India adopted its first comprehensive privacy framework, the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules. The rules amend the Information Technology Act of 2000 and broadly require prior consent for collection of personal data within the country. In May, Korea published draft regulations of its Personal Information Protection Act (PIPA), scheduled to become effective in September. The country's most far-reaching privacy law to date restricts the collection, use and retention of personal data. The law also ties together previous data protection laws covering telecommunications into a comprehensive framework governing "personal information" and its handlers.

What does the rising tide of privacy regulation and enforcement portend for marketing and privacy professionals?

For marketers, there will be a growing premium on those who develop expertise on data privacy regulations and Privacy by Design. They will need this expertise to steer their clients through the maze of acceptable and prohibited uses of personal data. Look for more marketers pursuing the Certified Information Privacy Professional designation.

For privacy professionals, the spread of privacy regulation across new countries and sectors will create new opportunities for specialists with niche experience and expertise. Heightened enforcement actions should increase the overall demand for privacy expertise and, particularly, for experience managing regulatory investigations.

Jay Cline, CIPP, is president of Minnesota Privacy Consultants, the winner of the 2010 Privacy Innovation Award for Small Organizations.

Read more by Jay Cline:

Broadening definitions of personal data portend greater scope of concern for privacy offices
GMAC: Navigating EU approval for advanced biometrics
IBM's Privacy Strategy: Trust Enables Innovation
Privacy and the Pharma Chain of Trust
Xcel Energy: Building privacy into the smart grid
Creating a privacy gameplan for your social media strategy
Privacy Consent Glossary
Opt In Or Opt Out For Global Direct Marketing?
Ubiquitous Identification Series: Will Other Countries Join the Canadian Debate Over the Privacy of Public Records?
Best Buy: Using Privacy Awareness to Build Customer Centricity 


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

IAPP-OneTrust PIA Platform

New U.S. Government Agency privacy impact assessments - free to IAPP members!

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

More Resources »

Europe Data Protection Intensive 2017

The Intensive is sold out! But cancellations do happen—so hurry and get on the wait list in case more seats become available.

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds, unparalleled programs and preeminent networking opportunities. Early Bird ends TODAY.

Canada Privacy Symposium 2017

The Symposium returns to Toronto this spring and registration has opened! Take advantage of Early Bird rates and join your fellow privacy pros for another stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum returns to Washington, DC April 21, delivering renowned keynote speakers and a distinguished panel of legal and privacy experts.

Asia Privacy Forum 2017

The Forum returns to Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region. Call for Speakers open!

Privacy. Security. Risk. 2017

This year, we're bringing P.S.R. to San Diego. The Call for Speakers is now open. Submit today and be a part of something big! Submission deadline: February 26.

Europe Data Protection Congress 2017

European policy debate, multi-level strategic thinking and thought-provoking discussion. The Call for Speakers is open until March 19.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»