Businesses are watching five U.S. states where consumer privacy laws are set to take effect this year.

The passage of legislation in Colorado, Connecticut, Utah, and Virginia, plus a major amendment to the California Consumer Privacy Act that took effect in 2020, was driven by consumer demand for more control over the personal data companies collect, trade, and sell following decades of data breaches and high-profile information sharing.

“Privacy is a hot-button issue and one consumers are really in tune with,” said Jenny Holmes, deputy leader of the cybersecurity and privacy team at law firm Nixon Peabody. “It’s new and under the spotlight, so it adds pressure on companies.”

And yet, some companies see data privacy compliance as an opportunity.

“Businesses have a compelling interest in addressing privacy” for the goodwill it shows, said Myriah Jaworski, member at law firm Clark Hill. In a competitive environment, strong compliance can set you apart from other similar businesses, she said.

Congress has so far failed to pass a comprehensive federal data privacy law, so states have taken matters into their own hands. The result in 2023 is a patchwork of five laws with different enactment dates, grace periods for companies, and enforcement regimes—a challenge for even the most experienced compliance departments.

“It’s spreading in the states like wildfire (and) more laws are likely to be passed this year,” possibly in Florida, Massachusetts, New York, and Washington, said Cobun Zweifel-Keegan, managing director at the International Association of Privacy Professionals. “It’s not in companies’ best interest to ignore privacy, even if they are not operating in the five states now.”

“It will prove continuously difficult to keep track of all the new laws,” added Holmes. “Some companies have decided to give privacy rights to all consumers, a preemptive strike against all the laws.”

Complicating matters, the precise requirements of the laws won’t be known until the states draft rules to carry out the legislation. California, whose updated law took effect Jan. 1, and Colorado, set to take effect July 1, are in the final stages of rulemaking, Zweifel-Keegan noted.

It’s “early days to predict what the state (attorneys general) will be most interested in enforcing,” he said.

California’s law stands apart from the rest because it allows customers and employees alleging harm to sue companies directly concerning data breaches. The law is overseen by an independent state agency. The other four laws give privacy rights to consumers only, and enforcement and lawsuits will be handled exclusively by the state AGs.

“They’re really obligations on companies to respect requests about personal data by consumers,” Zweifel-Keegan said of the laws. Privacy rights for Europeans “became a matter of compliance” in 2018 under the General Data Protection Regulation, and now U.S. consumers want those protections, too.

“Sensitive” personal data requires special handling under the laws. But how each state law defines sensitive varies.

The laws impose different thresholds for when they apply but generally are aimed at large companies with 50,000 to 100,000 customers in the state. They focus on consumer access to data, correcting data, deleting data, and allowing consumers to opt out of having their data collected and retained, noted Andrew Clearwater, chief trust architect and privacy expert at software provider OneTrust.

“Consumer privacy rights are the underlying concern these laws address well,” he said.

For businesses confronting compliance with these state privacy laws, consider the following best practices:

Data mapping: If your company hasn’t already created a data map—looking at what data it is collecting, has collected, and from whom—it should, Holmes said. Learn where the data is being stored and who else might have access to it, including contractors, she said.

“You want to look at the data you have and the regulations that apply,” Jaworski said.

Clearwater recommended basing a privacy program on respected standards, like the privacy framework from the National Institute of Standards and Technology (NIST) or the International Organization for Standardization/International Electrotechnical Commission’s privacy standard, which is under revision.

A benefit of shaping your privacy program around such standards is that regulators often participate in their writing. Your company would be building into it the privacy protections regulators believe are most important, Clearwater said.

“Regulators are receptive if you tell them, ‘We have this NIST-based privacy program in place,’” said Jaworski. “It’s a great way to demonstrate how you prioritize privacy.”

Purging old data: When data mapping, companies might discover they have old data they’ve been “hanging onto for years,” Jaworski said. Find out what you no longer need to keep and delete it. Holding onto it compounds a company’s vulnerability to cyberattacks and “potentially opens [it] up to exposure under data privacy laws,” she said.

Vendors: It’s crucial to consider how you are sharing data with third parties and what their policies are. Jaworski suggested sending all vendors a questionnaire to obtain detailed information about how they handle personal data, what cybersecurity controls they have in place, and whether they have cyber insurance.

“The main idea is you need to know as an organization how you are sharing personal information with other entities and you need to have contracts in place with them,” regarding returning data, deletion, and more, Jaworski said.

Handling requests: Companies must address consumer requests about their personal data. Kristen Mathews, a partner in law firm Morrison Foerster’s global privacy and data security group, recommended creating a decision tree for the persons who will be handling personal data requests, including instructions for how requests for deletions or corrections should be handled and by whom.

Drafting template response letters for all the different kinds of personal data requests you might receive makes a laborious task more efficient because “they don’t have to write responses fresh each time,” Mathews said.

Once the basics of a program are in place, create and schedule trainings for all personnel expected to interact with privacy requests, “to make sure your company behaves as you intend,” Clearwater said.

As with all compliance programs, get your privacy policies and practices down in writing, Clearwater said, adding, “That’s a lot!”