Privacy law compliance in the United States today demands resilience, flexibility, and responsiveness. To date, the U.S. Congress has failed to enact broadly applicable privacy standards to govern companies uniformly nationwide. Seeking to fill the gaps in existing privacy regulation, the states are rapidly taking action, with one state in particular, California, leading the charge with a continually expanding set of privacy-related requirements to protect individuals residing in the state. California’s initiatives have triggered other states to follow suit. In just the past two years, four other states enacted new consumer data privacy laws, all of which are scheduled to take effect in 2023. However, each state’s version of consumer privacy law differs in various ways from the others, and businesses will face an ongoing challenge in juggling privacy obligations under multiple regimes.
Adding to the complexity of the states’ different privacy law frameworks, the Federal Trade Commission (FTC), which has broad jurisdiction over for-profit companies operating in the U.S., initiated a potentially far-reaching rulemaking process to address what it perceives to be major gaps in privacy and security protections for consumers. At the same time, the Department of Health and Human Services, which regulates a wide range of entities in the healthcare sector with respect to the privacy and security of protected health information, is poised to amend its privacy regulations. Further, the Securities and Exchange Commission (SEC), which regulates publicly traded companies, proposed new cybersecurity rules, while the federal banking agencies issued new rules for financial institutions and their services providers for notifications of cybersecurity incidents.
For companies doing business in the U.S., this multifaceted privacy law environment can seem daunting. As is the case with most major challenges, a framework for formulating fundamental principles can help make compliance and data strategy more manageable. With limited resources to invest, keeping a realistic focus on significant risks, rather than getting mired in the minutia of detailed requirements, can also prove beneficial. The paragraphs below suggest a conceptual roadmap for streamlining privacy efforts.
Common state law requirements
The five states that enacted broadly applicable consumer privacy laws – California, Colorado, Connecticut, Utah, and Virginia – have all embraced certain fundamental privacy principles and concepts, including many that are at the core of the European Union General Data Protection Regulation (GDPR) (discussed in Section II below). This trend is likely to continue in additional states.
Fueled by concerns that consumers lack knowledge of, and tools to control, how their personal data are captured (particularly online), used and shared, the five states’ laws all contain provisions requiring:
- Notice to consumers (descriptions of what data are collected, why, and with whom they are shared)
- Privacy rights (some control over the use, disclosure and retention of their personal information, and means to access and correct it)
- Privacy by design (ensuring privacy is considered up front and that data are collected for specified purposes)
- Purpose limitation (requiring companies to collect and use data only for a set of appropriate and lawful purposes)
- Security (protection of personal data)
- Accountability (through enforcement and complaint mechanisms, documentation requirements, and oversight and auditing requirements)
These same principles are the backbone not only of the GDPR, but also of U.S. federal regulations governing the banking industry (under the Gramm-Leach-Bliley Act), the healthcare industry (under HIPAA), and industries handling children’s information (under COPPA), among others. They thus serve as a reliable framework for designing a privacy program even while the legal goalposts and guardrails for that framework are still under construction.
Following these principles will go a long way in protecting against complaints from individuals or regulators. Key practical steps to implement these principles include:
- Adopting a clear, publicly available privacy notice that describes the company’s data practices and individuals’ privacy rights
- Making that notice available to individuals before collecting their personal information (wherever collection occurs)
- Adhering, without exception, to the statements in that notice, including honoring the privacy rights it describes
- Engaging in privacy by design to ensure the ethical collection and use of data (in line with lawful purposes)
- Making third-party recipients of data accountable to follow your statements about data use
- Ensuring an internal privacy program that documents compliance efforts and risk determinations and allows for monitoring and auditing of same
- Maximizing the protection of data in accordance with its sensitivity and the threats thereto
New complexities under the state laws as of 2023
Although the five U.S. states’ broad consumer protection laws have fundamental similarities, the scope of California’s law, the California Consumer Privacy Act (CCPA), is notably more expansive than the laws of the other four states due to the expiration of the law’s previous exemptions for personal information about employees and business-to-business (B2B) contacts (such as customer representatives and vendor contacts). Further, the California Privacy Protection Agency, which was established as a new CCPA administrative and enforcement authority in 2020, recently issued detailed draft regulations implementing the amendments to the CCPA adopted pursuant to the California Privacy Rights Act of 2020 (CPRA). Businesses subject to the CCPA will have significant work to do to ensure compliance with those regulations, the enforcement of which is scheduled to commence in the third quarter of 2023.
As noted, until January 1, 2023, the CCPA exempted from most of its requirements personal information about employees and B2B contacts. Until late August 2022, it was widely anticipated that the California legislature would extend these exemptions. Given these expectations, and because all of the other four states’ consumer privacy laws contain permanent exemptions for such information, many companies have designed their privacy programs specifically to protect the personal information of consumers with whom they deal on a personal or household basis. Adjusting to the CCPA’s new scope covering employee and B2B contact information as well will be a challenge for these companies.
In addition, under both the new CCPA regulations and the other states’ privacy regimes, businesses will need to grapple with restrictions on, among other things:
- Uses and disclosures of “sensitive personal data” (as defined in varying ways)
- “Sales” of personal data
- Sharing of personal data, including online tracking information, for certain advertising purposes
- Collection of personal information of minors
The specifics of these restrictions, and the requirements for implementing methods for consumers to opt in to or out of these types of processing, may be similar across certain states and can be handled in a uniform manner for those states, but they will not be uniform across all states. Again, this underscores the need for a flexible posture with a focus on the areas of highest risk.
2023 prediction
As noted, in recent years the U.S. Congress has considered but failed to pass various forms of federal privacy legislation. The new Congress taking over in 2023 is not likely to significantly change the prospects for passage of federal privacy legislation. Regulated entities therefore would do well to focus on the trends in the states, as well as on the anticipated FTC rulemaking and the agency’s ongoing privacy enforcement actions under Section 5 of the FTC Act.
For the full 2023 Top 10 Trends in Risk and Compliance eBook: