Privacy Predictions for 2022

Finalizing the latest – always well-attended – biannual Spokes Technology Privacy Conference, held December 7-8, 2021, WireWheel CEO and Founder Justin Antonipillai brought together leading privacy professionals to offer their privacy predictions for 2022.

The panelists obliged Antonipillai, often humorously. But more than a good-natured placing of bets, predictions can offer insights into what is top of mind for those who grapple with privacy in practice, theory, and importantly, in their efforts to position their brands, clients, and their thinking, for the future.

This diverse panel included:

• Jocelyn Aqua, Governance, Privacy and Ethics Leader, PWC;
• Stacey Gray, Senior Counsel, Future of Privacy Forum;
• Andy Dale, General Counsel & Chief Privacy Officer, Alyce, and
• Omer Tene, Partner, Goodwin (formerly IAPP VP and Chief Knowledge Officer)

The round-robin style session can be viewed here.¹

Privacy Predictions Round 1: Quick hits

Stacey Gray: In 2022, we will not see a federal comprehensive data protection law passed in the U.S.

Andy Dale: There will be multiple privacy tech IPOs and more privacy tech vendors will enter the space. There will be some consolidation and M&A as well.

Jocelyn Aqua: This is the year that India will have a national data protection law. (Even though every year they think they’re going to, this is the year I think they are.) Between that and China…it will impact  a lot of companies that have offsites – or do business with –both of those countries.

Omer Tene: The biggest privacy penalty next year is going to come from the United States. And, if you want to hear whether it’s going to be from the FTC, a State Attorney General, a California agency, or from a BIPA class action, wait for my second prediction.

Justin Antonipillai: In 2022 will have our first in Federal Chief Privacy Officer in the United States.

Privacy Predictions Round 2: Some bold predictions

Cookies are dead when they’re truly, actually, really, finally, totally, dead.

—Andy Dale, Alyce

Stacey Gray: Apple will release iOS 16 and it will deprecate the IDFA and ban behavioral advertising – only for third-party apps. (I threw that one out there to be provocative.) I’m not sure about it, but I do think we’ll see interesting iOS 16 updates.

Andy Dale: Google will further delay cookie deprecation. There are parts of the ecosystem that are not ready yet. We’ve had this conversation with lots of different people, and I believe cookies are dead when they’re truly, actually, really, finally, totally, dead. And I just don’t see that yet.

We can talk about the GDPR and how the GDPR brought different kinds of data into the definition of personal data, but at the end of the day, it is a device ID it isn’t personal in the same way.

Jocelyn Aqua: There’s going to be more churn in the EU between the ePrivacy Directive (which hopefully will be regulation at some point), all the market and digital services, and especially the data governance act, where I think the data transfer mechanism will be for non-PII where there is going to be adequacy needs.

There’s going to be lots of other swirls over the next year that we’re still trying to flesh out what that will mean.

I think data governance is moving ahead, it looks like ePrivacy regulation is moving ahead, and AI regulation is getting a lot of traction making companies nervous in the United States. There’s a lot to think about, and a lot of impact extra-territorially for the U.S.

Omer Tene: I may be proven wrong within a couple of weeks, but I say Israel is going to be the first country to lose its adequacy decision.

Israel was deemed adequate about a decade ago. At the time we worked with the government on the application, and we made certain commitments that we haven’t delivered on, and [since then] the requirements were also tightened via Schrems I and II.

When we negotiated adequacy, the government access issue wasn’t even considered, certainly not front and center, like it is today. And as you know, much like the United States, Israel has a very robust national security apparatus where these issues do come up.

Justin Antonipillai: My second prediction is that California will be the first state to be declared adequate under the EU policy. They’re not going to complete the finding in 2022 but here’s how we get there:

1. You can be a region and found adequate (it doesn’t need to be a country).
2. I have confidence that the Europeans and the U.S. are going to reach a new privacy shield so that will have an adequacy finding as to the U.S.
3. This U.S.-EU transfer mechanism will enable California to seek adequacy because the national security issues will not be on the table.
4. California will have a very strong argument between CCPA and CPRA that they’re an adequate regime.

In that case, I retract my last prediction! If California is adequate, Israel is double adequate! jokes Tene.

Gray, striking a more serious tone, opines that just on the merits, the CCPA and CPRA are not great models. They’re not very strong laws. They lack individual redress for most cases, all of them related to privacy.

Final 2022 Predictions

Now it’s the Metaverse.

—Omer Tene, Goodwin

Stacey Gray: I think we will see five or more additional States passing comprehensive data protection laws. But I don’t think any of them will significantly diverge from current frameworks or include a private right of action.

1. Maryland
2. Oklahoma
3. Ohio
4. New Jersey, and wild cards
5. Alaska and Florida

Andy Dale: My current customer DPA [data processing agreement] with SCCs attached as exhibits is 38 pages. In 2022 it will go up.

Jocelyn Aqua: There’s been a lot of activity in the SEC for cyber security, the CFPB is making so many inquiries; I think there’s just going to be a lot of enforcement or decisions – all privacy adjacent or directly on privacy – that will impact our companies.

The inquiries are from so many different organizations and federal government agencies, All of them ask about AI, data brokers; actions against big tech; focused on privacy for disadvantaged people; lots of movement, even if there’s no federal privacy law. And it’s not just data breaches. It’s data misuse and lack of transparency. Both here and in Europe.

Omer Tene: The buzzwords of the day, in our field changes every couple of years. Big data was the theme about a decade ago; then Cloud; then Ai; now it’s the Metaverse.

[With tongue firmly planted in cheek, Tene predicts that] at some point in 2022 the most popular application in the metaverse will be an immersive privacy policy where you can step into the privacy policy, engage with the standard contracts and the DPA and Andy Dale’s “38 pages” and fall asleep calmly.

Andy Dale: There is a need for innovation at the point of collection. And at the point of meeting the consumer. There’s very little innovation in that conversation with the consumer…I do think there’s a lot of room for innovation in how companies talk to consumers about privacy.

“I really hope that in 2022 we have some of that: Beyond the scope of the CCPA asking you to make the privacy policy more readable or more accessible.”

Justin Antonipillai: There’s going to be a big Supreme Court decision this year or big CERT granted in the following year that effectively guts the ability of the FTC to enforce privacy laws under unfairness authority. I think even before the current makeup of the Court it was very skeptical of unfairness authority: There have been a number of decisions undermining it.

It will put Congress into a position where they either have to grant actual enforcement authority for something in privacy or block the FTC from doing it.

Watch the entire SPOKES session

¹ Quotation marks have been omitted and comments lightly edited for readability.