In January 2023, TrustArc Privacy Intelligence noted in our 2023 Data Privacy Law Predictions and Trends it was too early to tell if this would be the year the United States ‘finally gains an all-encompassing federal law governing data protection and privacy like the European Union’s broad-reaching GDPR’.
Now, at almost year’s end, while we still don’t have a US National Data Privacy law, we’ve seen a lot more activity to update privacy laws state by state.
Meaghan McCluskey, former Associate General Counsel of Research at TrustArc, recently spoke about how and why these US privacy laws are evolving in an EM360 podcast with Richard Stiennon, Chief Research Analyst at IT-Harvest, titled “TrustArc: The Evolution of Privacy Laws”.
Data Privacy Laws: How We Got Here
Privacy isn’t a new concept by any means, though the data-hungry commercial internet has certainly helped make more people aware of the value – and risks – associated with their personal information.
You can trace the current developments in privacy rights at least as far back as December 1948, post-World World II, when the United Nations General Assembly adopted the Universal Declaration of Human Rights. Article 12 of the Declaration states:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
In the European Union the laws about privacy have clearly evolved from a human rights perspective and culminated with the EU General Data Protection Regulation (GDPR), which focuses on consumer protection from intrusions (or interference) into personal privacy.
The GDPR set the bar globally for data privacy protection laws and we’re now seeing many of the same data privacy principles being adopted in US state privacy laws.
Key data privacy principles include making sure your organization:
- Collects data for a clear, stated purpose.
- Only collects personal information that is necessary for the stated purpose.
- Does not store the data for longer than is needed by the organization to achieve the stated purpose.
- Secures the data properly against unauthorized access, misuse or theft.
- Complies with all applicable data privacy regulations in the jurisdictions in which it interacts with customers.
Generally, if you follow best practices for data privacy you should be on track for compliance with the privacy laws that apply to your business.
TrustArc’s Quick Guide to US State-by-State Privacy Laws
In the next three years, the following 13 US states will enforce their own comprehensive state privacy laws (listed in alphabetical order): California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia.
Privacy Compliance Challenges Across US State Lines (and internationally)
Many of the recently passed US state privacy laws follow the lead of the California Consumer Privacy Act regulations (2019) to protect individual rights such as:
- Right to know what personal data a company collects, why it is collected, how it is used, and whether it is shared and/or sold.
- Right to access personal information held by a company.
- Right to delete and/or correct records of personal data held by a company.
- Right to opt-out (or opt-in) of sale and/or sharing of personal data.
- Right to opt-out of consumer profiling/advertising targeting.
- Right not to be discriminated against for exercising privacy rights.
There are some common challenges with privacy compliance which we’re seeing appear more frequently as more US states enact data privacy laws. We’ve listed some examples below.
Cookie Preference / Consent Banners / Opt-Outs
In California, the CPRA amendments under CCPA require businesses to conspicuously display clear and easy-to-understand notices at or before the point of data collection. These notices must explain how and why personal data is collected and give individuals easy-to-use mechanisms to exercise their rights to control their personal information, such as “Do Not Sell My Personal Information”, “Opt-out”, “Accept only necessary cookies” and “Reject all cookies”.
Some businesses are implementing cookie and consent mechanisms well, though we see plenty that are not so well implemented.
Recommendation: TrustArc Cookie Consent Manager helps businesses grow consumer trust and achieve cookie compliance with privacy laws worldwide, including GDPR.
Data Subject Access Requests
Every data privacy regulation introduced so far – whether overseas or one of the 13 US state privacy laws – includes three strong personal information privacy rights related to how and why a business collects and processes data:
- Right to know
- Right to access
- Right to delete
A related fourth privacy right – the right to correct inaccuracies in records of personal information – is also protected in 11 of the 13 US state privacy laws passed (California, Colorado, Connecticut, Delaware, Florida, Indiana, Montana, Oregon, Tennessee, Texas, and Virginia); but this right hasn’t been included in the state privacy laws passed for Iowa and Utah.
Data subject access requests (DSARs) allow individuals to exercise some privacy rights, though the challenges for some businesses are:
- Maintaining accurate records of the personal data, categories of information, processes, access permissions, how it is secured and every location (from points of collection to processing and every third party it was shared or sold).
- Ensuring DSARs are correctly managed downstream with multiple partners and third parties. DSARs are especially challenging to execute if records aren’t up to date.
- Lack of alignment across the business about what kind of information is considered personal data. For example, some people are unaware that IP addresses of people visiting a website are a type of personal data.
Recommendation: TrustArc Individual Rights Manager automates and scales data subject request fulfillment in compliance with global regulatory requirements.
Managing Organization-Wide Compliance With US State Privacy Laws
While an important role of the privacy office is to maintain awareness of privacy policies and processes, if they’re siloed from the rest of the business, they won’t have good insight into any new issues involving the collection and use of data.
So it’s vital the privacy office is involved in every business decision around personal data – for example, whenever new technologies, marketing methods or new ventures are being considered – to ensure business-wide compliance with all relevant existing privacy laws.
Recommendation: TrustArc PrivacyCentral automates and streamlines effective privacy program compliance across different jurisdictions, standards, and laws – removing any duplicative work that overlaps. Audit your privacy efficacy, accountability, and governance with on-demand benchmarking, attestation, and stakeholder reporting.