Data privacy best practices for managing the evolving U.S. landscape

This year, consumer privacy regulations are scheduled to go into force in five states in the United States.

The passage of legislation in Colorado, Connecticut, Utah, and Virginia, as well as a major amendment to the California Consumer Privacy Act that went into effect in 2020, was prompted by consumer demand for greater control over the personal data that companies collect, trade, and sell in the wake of decades of data breaches and high-profile information sharing.

Jenny Holmes, deputy leader of the cybersecurity and privacy unit at the law firm Nixon Peabody, remarked, "Privacy is a hot-button issue and one consumers are really in tune with. It’s new and under the spotlight, so it adds pressure on companies."

Yet, some businesses view data privacy compliance as an opportunity.

Myriah Jaworski, a member at the law firm Clark Hill, stated, "Businesses have a compelling interest in addressing privacy" due to the goodwill it conveys. She stated that in a competitive world, great compliance can set you apart from other organizations in your industry.

Congress has failed to enact a comprehensive federal data privacy law; thus, states have taken matters into their own hands. The outcome in 2023 is a patchwork of five laws with varying implementation dates, grace periods for companies, and enforcement regimes—a headache for even the most seasoned compliance departments.

Cobun Zweifel-Keegan, managing director of the International Association of Privacy Professionals, stated, "It’s spreading in the states like wildfire (and) more laws are likely to be passed this year," possibly in Florida, Massachusetts, New York, and Washington. "It’s not in companies’ best interest to ignore privacy, even if they are not operating in the five states now."

"It will prove continuously difficult to keep track of all the new laws," Holmes continued. "Some companies have decided to give privacy rights to all consumers, a preemptive strike against all the laws."

Complicating matters is the fact that the exact provisions of the laws will not be known until the states write rules to implement the laws. Zweifel-Keegan highlighted that California, whose amended law took effect on January 1st, and Colorado, whose law will take effect on July 1st, are in the last phases of rulemaking.

It is too soon to tell what state attorneys general will be most interested in enforcing, he said.

The California statute is unique in that it permits customers and employees alleging injury to sue firms directly for data breaches. An independent agency of the state oversees the law. The other four bills simply grant privacy rights to customers, and enforcement and lawsuits will be handled solely by state attorneys general.

Zweifel-Keegan stated on the laws: "They’re really obligations on companies to respect requests about personal data by consumers." With the General Data Protection Regulation, privacy rights for Europeans "became a matter of compliance" in 2018, and now American consumers seek the same safeguards.

Under the legislation, "sensitive" personal information requires specific handling. However, state laws define sensitive differently.

The regulations have varying criteria for when they apply, but are primarily directed at major businesses with between 50,000 and 100,000 clients in the state. Andrew Clearwater, chief trust architect and privacy expert at software provider OneTrust, remarked that they emphasize user access to data, correcting data, deleting data, and allowing consumers to opt out of having their data gathered and retained.

"Consumer privacy rights are the underlying concern these laws address well," he stated.

Consider the following best practices for firms facing compliance with various state privacy laws:

Data mapping: Holmes said that any organization should establish a data map if it has not already done so, analyzing the data it collects, has collected, and from whom. It should also be determined where the data is stored and who else, including contractors, may have access to it, she advised.

"You want to look at the data you have and the regulations that apply," Jaworski added.

Clearwater suggested basing a privacy program on reputable standards, such as the National Institute of Standards and Technology's (NIST) privacy framework or the International Organization for Standardization/International Electrotechnical Commission's privacy standard, which is undergoing revision.

A benefit of basing your privacy program on these standards is that regulators frequently contribute to their creation. Clearwater stated that an organization would incorporate the privacy standards that authorities consider to be the most essential.

According to Jaworski, "Regulators are receptive if you tell them, 'We have this NIST-based privacy program in place.' It’s a great way to demonstrate how you prioritize privacy."

Purging old data: Companies may learn through data mapping that they have been "hanging onto" old data for years, as Jaworski put it. Determine what you no longer require and eliminate it. Keeping it increases a company's susceptibility to hacks and "potentially opens [it] up to exposure under data privacy laws," she said.

Vendors: It is essential to evaluate how you share data with third parties and their respective policies. Jaworski proposed sending a questionnaire to all vendors in order to collect thorough information about how they manage personal data, what cybersecurity controls they have in place, and whether they have cyber insurance.

"The main idea is you need to know as an organization how you are sharing personal information with other entities and you need to have contracts in place with them," covering data return, deletion, and other matters, Jaworski said.

Handling requests: Businesses must respond to consumer queries on their personal information. Kristen Mathews, a partner in the global privacy and data security division of the law firm Morrison Foerster, suggested constructing a decision tree for the individuals who would be processing requests for personal data, including instructions on how deletions and corrections should be handled and by whom.

Using response letter templates for every type of personal data request makes a hard task more efficient, because "they don’t have to write responses fresh each time," Mathews said.

Once the basics of a program are in place, Clearwater advised creating and scheduling trainings for all workers anticipated to interface with privacy requests "to make sure your company behaves as you intend."

As with any compliance initiative, you should document your privacy policies and practices.
