Data privacy is an ongoing hot topic. Since the European Union’s General Data Privacy Regulation (GDPR) became effective in 2018, many nations have followed suit and passed or proposed laws providing consumers with more control over their data. While the U.S. is trailing behind with no comprehensive national privacy law in the works, states are forging their own path. In 2018, California passed a state privacy law with features similar to the GDPR that became effective last January. Predictably, other states have been working on their own privacy laws. As more individual states create privacy policies, it is crucial that organization stay apprised of developments. While managing compliance obligations can seem like a daunting task, planning ahead and creating solid policies can simplify the process.
State Privacy Laws – Similarities and Differences
As the first state to take a stance on consumer privacy, the California Consumer Privacy Act (CCPA) has been groundbreaking in the U.S. and started making waves once it became enforceable. While the CCPA was already fairly strict, voters passed ballot initiative (referred to as the California Privacy Rights Act – CPRA) that more closely mirrors the GDPR and is slated to become a new law on Jan. 1, 2023. In March, Virginia became the next state to pass a consumer privacy law and it also will become effective on Jan. 1, 2023. After introducing privacy bills that failed in 2020, Florida and Washington tried again to pass new consumer privacy bills and they are currently pending. New York’s governor also proposed a comprehensive privacy law as part of the state’s budget. But these are not the only states with pending privacy bills; 18 other states have introduced legislation. Some will make it, some will fail, and some will try again like Florida and Washington. But one thing that is for sure is that this list will only continue to expand.
California, Virginia, and the other pending bills all share a common theme of transparency by providing consumers with a large amount of control over their personal information. This includes the ability to access data that organizations store, ask why and how they intend to use the information, data modification, data deletion, and the right to opt out of sales involving personal information. Additionally, many privacy laws will impact organizations outside state borders as they only need to be doing business in the specific state or target that state’s residents to fall under the laws’ enforcement.
However, organizations must keep in mind that each new state privacy framework has distinguishing features. Organizations that would be subject to one or more of the laws need to understand these differences. For example, one major difference between California and Virginia’s law is that the Virginia law does not allow for a private right of action. Instead, the attorney general will solely handle enforcement. If passed as proposed, many other bills like New York and Florida would follow California and allow for a private right of action. An important clause to monitor is whether current or future bills will follow California in limiting civil suits to instances where data breaches actually occur or if any states expand on this right.
The ability to file a civil suit is just one of the key differences, but organizations should also pay attention to other categories under each applicable state privacy framework. This includes the definitions of personal information, exemptions, similarities to the GDPR, required disclosures, application of laws to employee data, caps on damages, and required security controls. Even organizations only doing business in California need to keep track of how the new CPRA will modify existing obligations when it becomes effective in 2023. An important change found in this new California law is the creation of a subset of personal information referred to as “sensitive personal information”, which more closely mirrors the GDPR including things like religion and biometric information. The Virginia law actually discusses sensitive data as well and goes a step further by requiring that controllers get opt-in consent from consumers to process this category of data. Additionally, in 2023, the CPRA will get rid of the 30 day right to cure that gave violating organizations time to fix their non-compliance. Virginia’s law and several other state bills currently include the right to cure, so it will be noteworthy to see if any other states progress to California’s new level in this regard.
Tips for Compliance
With multiple new state privacy laws emerging, how do organizations keep up with compliance? Because there are already a handful of state privacy laws in the works, organizations must keep track of all the differences for the states in which they target consumers. It is no longer California versus the rest of the country and without a federal standard in place, compliance can become tricky. Organizations need to take steps to understand their compliance obligations, protect sensitive information, minimize risk, and account for variances between relevant laws. Here are a few pointers to consider when thinking about data privacy and developing internal policies:
Closely monitor all applicable privacy law developments: Since Virginia and other potential state privacy laws contain many similarities to the California statutes, organizations that recently updated their policies and practices to comply with the CCPA should not have to make any major changes or additions if they end up falling under the reach of other state privacy laws. However, keeping track of the ways each law differs is still a best practice. For example, say an organization is already subject to the CCPA and falls under the reach of the Virginia law and New York if it passes. One way understand and control compliance obligations would be to keep a chart detailing similarities, additional obligations, and any conflicting directives. This will help organizations determine when they can treat a consumer request relating to California and other state data the same and when additional controls are necessary. Organizations that created a privacy program modeled after the CCPA will also need to make tweaks before the new California law becomes effective in 2023.
Create new internal compliance roles: To help manage data privacy obligations under several laws, it might be time to expand current employee roles or consider hiring professionals dedicated solely to compliance. The compliance team can keep track of new developments in the states, federally, and internationally so nothing is missed. They can also update policies and procedures accordingly, review current data controls to determine where security gaps may exists, handle incoming consumer requests, issue appropriate disclosures, coordinate with the IT department, vet vendors to ensure they implement sufficient security procedures, and create training opportunities for employees.
Implement a stricter privacy program: For larger organizations with a national or global presence, it is wise to create stricter privacy policies and practices to avoid major revisions as new laws emerge. This will help promote compliance across the board and require little to no change in data handling as new state laws are passed. Keep in mind this will also require more oversight and training. However, organizations with smaller operations and are only subject to one or two laws might not need significant overhauls.
It is safe to say that the U.S. consumer privacy landscape will look completely different over the next five years. Managing compliance with several states can be less burdensome if organizations are proactive and observant. Also, continue to wait for the creation of a comprehensive federal privacy law, which may finally materialize in response to the flood of new and proposed of state privacy legislation.