Data privacy remains a trending topic amongst U.S. state lawmakers. To protect personal and sensitive information in the digital age, extra safeguards are necessary, and lawmakers are prioritizing privacy so there will be penalties for data mishandling. The U.S. is now investing more in privacy protection than in the past, and there are many big developments on the horizon at both the state and federal level. In addition to more states exploring laws that increase protection for personal data, there are other policy changes and laws that organizations should monitor. Here are five important privacy updates for U.S. organizations and for those located elsewhere but doing business in the country.
State Privacy Laws: Two states enacted new privacy laws this year – Utah’s Cybersecurity Affirmative Defense Act that provides organizations with a safe harbor for data breach notification in limited circumstances and Virginia’s broad Consumer Data Protection Act, which becomes effective in January 2023. The California Privacy Rights Act will also become effective in January 2023. This ballot-approved law expands on the already strict California Consumer Protection Act to make California’s data privacy framework even more in line with the EU’s General Data Protection Regulation (GDPR). Additionally, Colorado will be the third state to pass a comprehensive data privacy law on par with California and Virginia that provides expanded rights to consumers, pending Governor approval. The broad Colorado Privacy Act does not allow for a private right of action, directs the Attorney General to make rules to help with compliance efforts, and creates a universal opt-out mechanism for consumers.
There are also bills currently pending in six other states, offering varying levels of consumer protection. For example, in Illinois the proposed law is more comprehensive, while in Rhode Island there is a narrower bill on the table under which website operators would need to make disclosures about personal data collection. Numerous other bills introduced throughout the country did not make it this year. These will likely resurface with changes during the 2022 or 2023 legislative sessions.
Federal Privacy Legislation: There is still no comprehensive federal data privacy law in the works. While the federal government regulates data privacy through various other avenues (like healthcare and credit reporting legislation or Federal Trade Commission enforcement), the world is waiting to see how the U.S. will respond to the trending consumer privacy concerns and how federal legislation will compare. With several states passing or attempting to enact their own comprehensive data privacy laws and the same trend materializing globally, it is only a matter of time before Congress joins the party.
Data Brokers: Recently, Nevada broadened its privacy law pertaining to the sale of personal data to third parties. Now, consumers can also opt out of these sales to data brokers. As such, organizations need to update policies and processes involving data brokers to ensure compliance when the amendment takes effect this October. A couple of other states have also specifically addressed data brokers in their privacy frameworks, so it will be interesting to see if this trend spreads nationwide.
Moves by the Biden Administration: An executive order was issued that provides guidelines for government agencies to follow in order to better protect sensitive data from foreign adversaries. An advisory committee was also assembled to help create a shared research infrastructure that focuses on the increased use of artificial intelligence. These are just two key developments by the new administration that affirm the notion that data privacy is becoming increasingly important to everyone in the digital age.
Global Influence: Many privacy laws abroad affect organizations in the U.S. that conduct business globally and collect data of consumers located in other countries. As such, it is important to stay informed about when privacy laws are enacted or amended. One thing to watch for is Canada’s proposed privacy law that, if adopted, would focus on giving consumers control over their data and promote improved transparency regarding how organizations use data containing personal identifiers. If Canada’s privacy landscape becomes stricter, this will definitely influence many U.S. organizations doing business in Canada.
Additionally, monitoring GDPR developments should be a top priority as this has proved to be the most influential global privacy law to date. Recently, there were alterations to the standard contractual clauses for international data transfers that organizations must review and adapt to ensure compliance moving forward.
Organizations affected by these privacy developments need to prepare accordingly and keep an eye out for new laws, both in the U.S. and abroad, that will influence internal operations. Besides monitoring new developments, some ways to be proactive include amending information governance plans, implementing new privacy programs, increasing data security safeguards, creating or expanding internal compliance roles, offering employee training, and auditing relevant processes. All of this will help organizations reduce risk, keep data safe, and remain compliant as new obligations continue to emerge.