Add data privacy laws to the list of trends whose adoption accelerated during the past few years. In 2018, a grand total of two privacy bills were introduced in U.S. statehouses, according to data shared by the International Association of Privacy Professionals (IAPP). The next year, 16 privacy bills were introduced – followed by 25 in 2020. This year 29 privacy bills have been proposed in a total of 23 states. Some states, such as New York (four) and Minnesota (two), have more than one initiative advancing through the legislative process.
“In the U.S., privacy laws are driven by states,” notes Shared Assessments Senior Advisor Nasser Fattah. “This likely will be the case in the near future. Thus, we should anticipate more state-driven privacy laws, as well as more amendments to existing privacy laws.”
Following the EU’s adoption of its General Data Protection Regulation (GDPR) in 2016 (the law took effect in 2018), it was widely expected that the U.S. would follow suit with its own federal data privacy law. That has not occurred in the five years since, and those expectations have dimmed for now. That leaves the states as the primary arbiters of data privacy in the U.S. Although only three states (California, Colorado, and Virginia) currently have comprehensive data privacy laws on the books, most states have narrower data privacy rules and requirements in force, in addition to the many legislative proposals working through committees.
For example, Massachusetts’ breach notification law (amended in 2019) requires organizations that own or license personal information of Massachusetts residents to promptly notify the Office of Consumer Affairs and Business Regulation and the Office of the Attorney General after discovering that a security lapse has exposed personal data. “When it comes to data breach notification, the Massachusetts law is the granddaddy of them all,” notes Shared Assessments Vice President Tom Garrubba.
Unfortunately for corporate data privacy groups and third party risk management (TPRM) programs, this state-by-state regulatory dynamic is not at all conducive to compliance efficiency. The three comprehensive state-level data privacy laws diverge in many ways, and Fattah expects that trend to continue in 2022. “We should expect new state data privacy laws to differ from each other,” he notes. “These differences can range from subtle to stark contrasts.” For example, the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) both have right-to-deletion and privacy notice requirements, yet Fattah points out that the two laws differ markedly in their private right of action provisions and enforcement penalties.
Given these compliance challenges, Garrubba and Fattah identify several proactive actions TPRM programs and practitioners can take to limit the uncertainty surrounding data privacy regulations in the U.S., including:
1. Stay Informed
Keep track of which data privacy bills are likely to become law. The IAPP’s privacy legislation tracker is helpful to that end.
2. Get Legal Assistance
“This might sound a bit basic, but talk to your legal counsel,” Garrubba says. “Data privacy is not something you want to play around with. I’ve heard chief risk officers say they fear a data privacy breach more than an information security breach. An information security breach is certainly a problem, but the damage is usually limited to an organization’s proprietary information. When a privacy breach occurs, everybody’s ears perk up and the first thing that comes to mind is that customer data was compromised.”
3. Close the Gap
Once an organization identifies which state-level privacy laws apply to its business activities, Fattah recommends conducting a gap analysis to understand which compliance measures are required but not currently in place, and what it will cost to deploy those processes versus accepting the risk of not doing so.
4. Make Stringent Requirements Your Standard
Leading data privacy groups often maintain a large spreadsheet, or deploy a more advanced compliance application, populated with all of the privacy regulations and requirements they must adhere to in each relevant state and country. They also tend to adopt the most stringent stipulation among them as their compliance standard, Garrubba explains. For example, if three different privacy regulations require breach notification within 72 hours, one week, and 10 days, the organization will make 72-hour breach notification its standard practice. That approach also helps streamline compliance, Fattah notes.
5. Read GDPR
“Take a close look at the GDPR,” Garrubba suggests. “A lot of other countries have employed similar approaches, at least in some form or fashion.” Some states, like California, have done the same thing, Fattah points out. “We’ve seen GDPR influence privacy laws in other countries, such as Brazil and India,” he adds. “It also influenced CCPA, and we anticipate that GDPR will be the model that forthcoming domestic and international laws replicate.”