The Basics: What Most Data Privacy Laws Include
The EU’s GDPR took effect in 2018, transforming Europe’s data privacy framework and inspiring other jurisdictions to pass similar laws. California’s CCPA passed the same year, bringing new privacy standards to the U.S. Today, 12 states have enacted “comprehensive” privacy laws, and many others have tightened regulation over specific sectors.
“Comprehensive privacy law”
A comprehensive privacy law applies across all business sectors. They often carve out certain tightly regulated or smaller businesses, but they impact millions of companies of almost every type.
Comprehensive privacy laws provide new rights for consumers, which businesses must honor. They hold companies responsible for the data they collect, even after it’s been shared with a third party. And they restrict how businesses use and store personal data.
Consumers now have rights over their personal data
Whether it’s complying to a stronger law such as Virginia’s VCDPA, or one of the less strict laws such as Utah’s UCPA, requires comprehensive oversight of how your company collects and uses personal data. Oversight is an essential starting point, and you can’t do any of this without knowing how and why you process data.
Privacy laws require you to provide access to personal data on request, delete the data under certain conditions, and ensure your vendors meet strong privacy standards.
Consent for persona data use & Cookies
A key philosophical difference between the GDPR and U.S. state-level regulations is around consent. In the U.S. there’s a culture of opting-out of data being used, as opposed to people opting-in to companies using their data in the EU. In other words, the assumption is that companies can access people’s data until they’re told “No,” whereas in the EU companies can’t collect people’s data until given explicit permission. This is why you regularly come across cookie banners when surfing the web—GDPR requires that websites get consent upfront to track you, whereas in the U.S. you’ve opted-in by visiting the site.
Most US privacy laws focus on “the right to opt out”—you can likely continue doing most of the stuff you’re already doing with data, but you might need to offer people a choice about it.For example, rather than requesting consent via a cookie banner, you might need to provide a way to let people opt out of certain cookies. And you might need to configure your website to recognize a “universal opt-out signal” from people’s browsers.The exception is “sensitive data”, which includes information about people’s race, health, religion, and precise location (plus other characteristics). Many new US privacy laws require that you request “opt-in” consent before collecting, using, or sharing sensitive data.
Do we really have to worry about these new privacy laws?
Don’t worry about privacy—embrace it.
The tide has turned. More and more US states, along with other jurisdictions worldwide, are toughening privacy regulations. Now is the time to get on board.
Yes, state Attorneys General have new powers. California even has a new regulator, the California Privacy Protection Agency (CCPA). And we’re seeing more and more class-action privacy lawsuits. Businesses that fail to act could face legal issues under these new laws.But there are better reasons to embrace privacy, like increased efficiency, improved customer trust, and the ability to grow your business
Commonalities Between State-Level Data Privacy Laws
Although the other state-level laws don’t go quite as far as the CCPA—and not nearly as far as the GDPR—these state-level privacy laws tend to have a similar baseline of provisions. Knowing how each law impacts your business practices is crucial, but you can use these areas of overlap to build the foundation of a broadly compliant data privacy program.
“Although many state laws don’t go quite as far as the CCPA—and not nearly as far as the GDPR—these state-level privacy laws tend to have a similar baseline of provisions.”
Foundational Pillars to Most Privacy Laws
The law applies to organizations that access data from many consumers.
Generally speaking, state data privacy laws only apply to organizations that process data from a large number of state residents— referred to as “consumers.”
Typically, protections extend to cover data that can identify a person.
The laws tend to apply to the same type of consumer data, which they refer to
as “Personal Data” or “Personal Information.” Although a very broad definition,
it usually encompasses information that identifies, relates to, describes, or is capable of being associated with a specific consumer.
Require organizations to clearly disclose their privacy practices.
These laws all require organizations to create a notice outlining their privacy practices and provide it to consumers before the organization collects their data.
At the very least, these notices require a basic explanation of the types of data an organization collects and what the organization does with that data—and some states may require more robust notices.
Give consumers the right to access, delete or to not sell their data.
Every state grants its residents the right to make certain requests that affect what an organization does with their data—also known as “Data Subject Requests. (DSARs)” While these rights aren’t all the same among states, every state allows consumers to (1) know what data an organization has collected about them, (2) direct an organization to delete that data (subject to certain exceptions), (3) direct an organization not to sell their data, and (4) direct an organization not to use their data for targeted advertising.
The TL:DR to State-Level Data Privacy Regulations
Making sure your data privacy program aligns with the requirements at the heart of the current slate of state privacy laws is a great start. But, unfortunately, the work doesn’t end there. There is a growing discordance among the states privacy bills. We now have California with its own model, Colorado, Connecticut, Delaware, and Virginia substantively aligned on most major items, and Utah and Iowa in a third camp. Then you have the other states with their own distinct flavors.
Several laws also have other aspects that make them unique—whether it’s by offering protections for a particular type of personal information, requiring companies to put certain measures in place, or granting consumers a mechanism by which to enforce their data privacy rights.