It’s been just over five years since the EU General Data Protection Regulation (GDPR) entered the scene as the strictest data security and privacy law in the world. In the years since, the U.S. has followed suit with its own approach, one that focuses on consumers rather than data subjects. However, unlike the EU, consumers and companies in the U.S. shouldn’t expect a comprehensive federal bill anytime soon, but rather a continued piecemeal approach as more states pass their own legislation.
In a recent roundtable, we heard from data privacy specialist Gary Kibel of Davis and Gilbert, who laid out the current landscape and detailed recent developments in data privacy law. Gary was then joined by Harry Jiang, Chief Information Security Officer at Diligent, and Florian Winterstein, CEO of Jedox, who shared their perspectives on how companies should embrace a company-wide shift toward compliance. In this piece, we highlight the essential takeaways of these privacy laws, how they will affect companies and consumers, and how companies can best prepare for compliance.
First, let’s get the lay of the land.
Which states have already passed laws?
- So far, three states – California, Virginia, and Colorado – have passed privacy and security laws that will all be in effect by mid-2023.
- Each state has a slightly different approach to certain key definitions, resulting in varying levels of stringency.
- Florida and Washington State have both tried and failed to pass data-protection bills this spring, and New York State has a privacy bill currently working through the legislature that, if passed, would provide unprecedented rights to consumers.
Currently, the closest thing the United States has to a privacy law that applies to every business is one line in Section 5 of the Federal Trade Commission Act, which states: “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” As panelist Gary Kibel explained, this single sentence is what the FTC relies on to hold companies to the promises in their privacy policies, to pursue companies whose security failures led to breaches, and to police advertising practices.
So what are the barriers to federal legislation? Currently, lawmakers in D.C. disagree over three main elements of federal privacy law:
- Preemption: Should a federal law override the state laws now being put in place, whether those state laws are weaker or stricter than the federal standard?
- Private right of action: Should individuals be able to sue a company directly when their rights are violated, whether accidentally or intentionally?
- Waiting out the states: If states continue to develop their own legislation, is there truly a need for comprehensive federal regulation?
Compliance Overviews: What do companies need to know?
Panelist Gary Kibel provided a thorough breakdown of how these laws compare to each other and to the EU regime; we’ve pulled out the key features of each state’s law below.
California Consumer Privacy Act
California set the stage with the first comprehensive consumer privacy law in the United States, with enforcement that began on July 1, 2020.
The CCPA grants new rights that apply only to California consumers:
- Consumer rights: Consumers have the right to find out what personal information a business holds about them, to ask the business to delete it, and to opt out of the sale of their personal information.
- Consumers can ask why the information is collected, what categories of information are collected and from which sources, and which categories of third parties the business has shared it with.
The CCPA defines personal information very broadly as information that identifies, relates to, describes, or could reasonably be linked or associated, directly or indirectly, with a particular consumer or household. Examples include:
- Identifiers such as IP addresses, email addresses, driver’s license numbers, and real names.
- Internet browsing history and geolocation data.
- Inferences drawn from any of this information to build a profile of the consumer.
The law has no general private right of action: individuals cannot sue over most violations of their privacy rights. The exception is a security breach of nonencrypted and nonredacted personal information caused by a business’s failure to maintain reasonable security, for which consumers can bring individual or class action suits for statutory damages. All other violations are enforced by the state, which can seek civil penalties for both unintentional and intentional violations (up to $2,500 and $7,500 per violation, respectively). The law also defines “sale” of data broadly, beyond simple monetary transactions, to cover exchanges for “other valuable consideration,” such as granting a third party access to data in return for analytics.
California Privacy Rights Act
In November 2020, Californians voted to approve the CPRA, a ballot initiative that takes effect on January 1, 2023 but applies to personal information collected on or after January 1, 2022. The CPRA adds restrictions to, and amends several definitions in, the CCPA, including:
- Raising the applicability threshold from 50,000 to 100,000 consumers or households per year, so that fewer small businesses are subject to the law.
- Changing the definitions around selling and, newly, “sharing” personal information for cross-context behavioral advertising.
- Creating a category of “sensitive personal information,” such as precise geolocation, financial account data, and health information, with additional obligations and a consumer right to limit its use.
- Removing the mandatory cure period. Under the original law, companies had 30 days to fix an alleged violation after being notified by the Attorney General; the CPRA eliminates this buffer.
Finally, the new law establishes the California Privacy Protection Agency, a standalone privacy regulator. Rather than relying on the California Attorney General alone to pursue companies that violate the law, primary enforcement shifts to an agency whose sole focus is privacy.
Virginia Consumer Data Protection Act
The Virginia law goes into effect on January 1, 2023, the same day as the CPRA. Like the California laws, it follows an opt-out model for sales, imposes transparency obligations, grants consumers access and deletion rights, and provides no private right of action.
Differences from California:
- The biggest distinction is that companies must obtain opt-in consent before processing a consumer’s sensitive data; this is the first such opt-in requirement in a U.S. state privacy law.
- It narrows the definition of “consumer” to Virginia residents acting in an individual or household context, excluding people acting in an employment or commercial capacity.
- It narrows the definition of “sale” to exchanges for monetary consideration only, dropping the “other valuable consideration” that California includes.
- It keeps the 30-day cure period that was part of the original California law but was eliminated by the CPRA.
Colorado Privacy Act
The Colorado Privacy Act is fresh off the presses, signed on July 7, 2021 and going into effect on July 1, 2023. The law is essentially a blend of the Virginia and California approaches: it includes Virginia’s opt-in requirement for sensitive data and continues the trend of providing no private right of action. Colorado has also built in the longest cure period so far, allowing 60 days to address violations, but only as a temporary measure that expires on January 1, 2025.
How should companies respond?
With these overviews we’re only scratching the surface of the laws’ complexities, and more complications are likely to arise as new states pass their own regulations. The right company policy and attitude toward compliance and safeguarding customer data will not only protect a business from exposure but also inspire consumer confidence. So which approaches are the most effective?
Rollout Best Practices
Harry Jiang’s approach is simple: Don’t try to be all things at once. As the CISO of Diligent, the largest governance, risk, and compliance SaaS provider, he recognizes the limits of his own understanding of the legal complexities of these new regulations. Pairing proper legal guidance with technical expertise to develop new governance and comprehensive policies is the best way to protect your company. It’s essential to develop a policy that reflects your business model, so that you can deliver on the security and data-protection promises the policy makes, and to build out your legal department so it is equipped to respond.
Jiang also stresses the importance of strengthening company culture and building infrastructure around privacy considerations, and of developing a prescriptive playbook for handling a violation or breach:
- Define an operational process that lets analysts escalate a suspected breach or violation to legal immediately for review.
- Engage an outside firm for remediation assistance, including help deciding how to communicate a breach or violation to the public and/or to affected consumers.
- Regularly review the playbook to ensure that the team knows how to respond, has written statements prepared, and knows which law firms to call and which actions to take.
Florian Winterstein, CEO of Jedox, an enterprise performance management software vendor, agreed on the importance of engaging expert legal guidance, including an external third party dedicated solely to data protection and privacy. His approach would be:
- Thoroughly audit the company’s current state of privacy compliance to clean up existing practices and establish a starting point.
- Create an internal data privacy officer role embedded in the company’s legal department, and use external law firms for additional review.
- Define how your business engages with private data. Understand what is core to your business function that depends on this consumer data, so you can determine how to use this data within the proper legal framework, balancing business needs with consumer rights.
- Develop a policy, both for internal reference and external consumer awareness, that defines what information your company collects and what is being done with it.
- Document efforts, perspectives, and decisions around compliance to help protect the company in the case of a claim of violation.
Winterstein also emphasized the importance of executive buy-in: leading the way as CEO, taking privacy issues seriously, and communicating clearly and frequently to his team and his customers where his priorities lie. Some simple rules from his employee playbook around data collection:
- Address people on an individual basis rather than treating contacts as bulk data.
- Buy data only from reliable sellers.
- Differentiate opt-out functionality by region depending on where customers are based, and track where each customer’s information came from so that you know what consent, if any, can be assumed.
Final Takeaways: Risks and Opportunities
Build scalable foundations for the future:
- Be aware that data collection is increasing and will continue to increase, as will pressure around control and ownership of the data, meaning increased legislation will follow.
- Put the work in now to develop a playbook and comprehensive policy that will both protect your business and encourage consumers to continue working with you.
- Develop structure and process that is flexible enough to continue to scale as new uses for data and regulations on usage grow.
Determine what laws apply to your company:
- Identify where your customers are and what regulations are in effect or may be soon.
- Decide if you want a blanket approach, or if you will treat customers differently based on their regions.
- Stay on top of the service providers and partners you work with, so that you understand what data of yours they collect and process and how that fits into your compliance program.
Ultimately, the next five years are likely to see a flurry of new state privacy laws that will complicate compliance for companies operating across regions. Investing now in solid foundations for your compliance policies, and ensuring that both consumers and employees understand how and why their data is being used, are the best ways to protect your company and your customers.