Where Data Privacy Regulation Is Headed And How To Prepare
By Steve Britt and Sarah Hutchins
Data privacy laws and regulations are now developing at a rapid rate. While prevalent in other parts of the world for decades, California brought data privacy to our shores in 2018 with the California Consumer Privacy Act (CCPA), which became effective in 2020. The CCPA imposes significant requirements on many businesses holding the personal information of California residents. Other states have followed suit, including Virginia and Colorado this year. Lawmakers in the Carolinas and over 10 other states have introduced their own sweeping data privacy bills this year, and Congress held many hearings on various bills last year.
A review of these bills reveals about an 85% match in key provisions impacting businesses. In other words, an overall framework for data privacy in the U.S. is settling among the states. Even though some South Carolina businesses may not fall under comprehensive data privacy regulation yet, they should consider proactive steps now that will pay dividends later.
How States Have Reacted to CCPA
When Virginia jumped to the head of the data privacy line this year, it gave us that critical second data point about how these state laws are going to roll out. Until then, the question has been whether the new laws would be modeled on the CCPA or take a different path. For example, would states accept the CCPA’s exclusion of nonprofits and set revenue thresholds for covered entities, or would they adopt some of the GDPR provisions that California ignored, like data protection assessments? So far, Virginia and other states have done some of both, though they have largely followed California’s lead.
However, Virginia enacted some key differences from the CCPA that were quite business friendly. For example, Virginia doubled the CCPA’s 50,000 consumer threshold for coverage of the new law (since raised to 100,000 in 2023) and excluded employees and business-to-business contacts from the definition of “consumer.” This lets a lot of smaller companies pass under the 100,000-consumer bridge. It also excluded the CCPA’s annual revenue threshold, which keeps the focus on the number of consumers served. On the other hand, Virginia picks up GDPR’s data privacy assessment requirement, though it is more narrow than GDPR’s version.
Colorado was the second state this year to pass a comprehensive statute, and it takes its cues from Virginia as well.
Beyond Virginia and Colorado, we have also studied many of the new laws that were introduced and, in some cases, moved very close to passage. States that were active this year included Florida, Washington state, Connecticut, New York, Minnesota, Oklahoma and Utah. Likewise, new bills were introduced in South Carolina and North Carolina, though they have not progressed in this year’s session.
Consistent Threads Across the Bills
As noted above, a review of the bills shows overwhelming consistency in their key provisions. A few examples follow:
Every one of the bills requires detailed new privacy notices that describe the categories of personal information that is collected, how it is collected, the purpose of the collection and the third parties it is shared with.
They all grant virtually identical new data rights to the people whose data a business collects. These include the right of data subjects to know what data a company has collected on them, the purpose of the collection, what third parties it has been shared with, and sometimes the right to require that the data be deleted.
They all put similar restrictions on how data that is shared with third parties can be used by such companies.
Most of them either condition the sharing of personal information on affirmative opt-in permission or permit an opt-out of such sharing, sometimes requiring placement of an electronic button on the data collector’s home page to implement such choice.
All provide for enforcement by the state’s attorney general, and some provide for either a limited or a more general private cause of action for certain data breaches or other statutory violations.
Most impose data security standards and assess statutory damages for data breaches or other privacy violations that will greatly increase the costs businesses face with such events.
Most follow California’s choice of excusing nonprofits and excluding data covered by other federal laws (such as HIPAA, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act). Colorado appears to be an exception to that rule.
So where do businesses go from here? Our #1 recommendation is to act now. Don’t wait for another law to pass. Use the available time to start putting into place the elements of a data management program. The benefit of starting now is you can be more thoughtful, more thorough, and stretch your budget. With good planning, the tasks you take first will dovetail into processes you must implement later.
It all begins with an assessment of your network, your business model, and your data collection, use, and storage practices. If you have suffered a data breach, you have already had the shock of an initial forensic report.
A data privacy assessment is similar. It is best conducted as an enterprise-wide review without the mad rush of a data breach or government investigation. Every department that touches personal information should be involved, as each has a unique understanding of how the business utilizes data.
These assessments will also present unique data configuration challenges since a business must be able to locate, tag, track, recover, and delete individual user records. A business must also build work-flow processes in anticipation of data rights requests. Under these new laws, those requests will trigger response due dates, a verification process (to ensure the requesters are who they say they are) and a justification for the action taken.
Failing to meet these requirements can directly lead to government enforcement actions.
It is important to have experienced data privacy counsel involved in this process. You will want to update your privacy notices (which must reflect how the business actually operates) since those are publicly available to regulators and consumers alike. If not updated, they can signal your ignorance of these new data privacy laws. You should do that early even as you implement the corresponding business processes in the background.
Another reason these steps are wise is because data breach laws are being amended to expand their data security requirements, requiring such things as written information security programs and vendor due diligence.
Simply put, there is no doubt that data privacy liability is increasing. Now is the time to act and, just as with data breaches, an ounce of data privacy preparation is worth more than a pound of cure.