A quick recap of state privacy laws
One of the confusing things for business owners in the U.S. is that there is not one comprehensive federal data privacy law for all types of data.
At the federal level, sectoral privacy laws like HIPAA, GLBA, FERPA, and others hold sway. Most state privacy laws are grounded in the principles of the GDPR, which was one of the first overarching modern data privacy laws, and because of its geographic sweep (it’s the law in all EU Member States, currently 27 countries), it is considered by many to be the baseline for privacy compliance.
Here are the state-level comprehensive cross-industry data privacy protection laws that currently exist in the U.S.:
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Delaware Personal Data Privacy Act (DPDPA)
- Indiana Consumer Data Protection Act (INCDPA)
- Iowa Consumer Data Protection Act (ICDPA)
- Montana Consumer Data Privacy Act (MCDPA)
- Oregon Consumer Privacy Act (OCPA)
- Tennessee Information Protection Act (TIPA)
- Texas Data Privacy & Security Act (TDPSA)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
California was the first state to pass a comprehensive privacy law, the California Consumer Privacy Act (CCPA), which was later amended by the California Privacy Rights Act (CPRA). The CCPA is largely modeled on the GDPR, and, even though it was the first of its kind in the U.S., it’s considered one of the most stringent state privacy laws.
Another complicating factor is that the state data privacy laws do not apply only to businesses located within the state. Rather, the state privacy laws are written so that, in addition to businesses that physically operate in the state, any business that targets customers in that state and processes data about its residents must comply with the law, even if it has no physical presence there.
Is your head spinning yet?
If it isn’t, consider the fact that compliance thresholds vary significantly among the different state laws. For example:
- Under California's CCPA, a business is covered by the law if it processes personal data about California residents, is a for-profit organization, and meets any one of the following three criteria: (1) it generates annual gross revenue greater than $25 million, (2) on an annual basis, it buys, sells, or shares the personal information of 100,000 or more consumers or households, or (3) it derives 50% or more of its annual revenue from selling or sharing personal information.
- In Oregon, businesses that process data about at least 100,000 state residents, OR process data about at least 25,000 Oregon consumers and derive 25% or more of their gross revenue from the sale of personal data, have to abide by the OCPA. Oregon, like Colorado, includes non-profit organizations.
- In Montana, businesses that process data about at least 50,000 state residents, OR process data about at least 25,000 Montana consumers and derive more than 25% of their gross revenue from the sale of personal data, are subject to the MCDPA.
- In Texas, there are no volume thresholds to determine whether a business is subject to the law. Instead, a business must comply if it conducts business in the state or produces a product or service consumed by Texas residents, processes or engages in the sale of personal data, and is not a small business as defined by the U.S. Small Business Administration.
Each state law has its own variation on privacy requirements
Privacy is complicated. You probably know that already. But privacy could become exponentially more complicated with new state laws. Taken as a whole, there are a lot of similarities among the laws…but there’s just enough difference to keep businesses on their toes. Take the following examples to heart:
Exemptions vary by state
Some states have opted to exempt entire organizations that already need to comply with other privacy laws such as HIPAA, GLBA, or FCRA, while other states exempt only the data covered by those laws. California and Oregon do not provide entity-level exemptions.
Some states are using different models for consent to collect sensitive data
While some of the earlier state privacy laws, namely California, Iowa, and Utah, required only notice and the right to opt out of collection and use of sensitive personal data, the newer state laws (including Montana, Tennessee, Texas, and Indiana) are taking a different route. These states have embraced the notice-and-consent model, under which a business must obtain the consumer's consent before processing sensitive data.
Not all rights are created the same
Across the board, there are a handful of individual rights that the state laws almost uniformly extend: the right to ask what personal information a company processes about them and request a copy of it (often in an electronic format), the right to request correction of inaccurate data, deletion of data, and various opt-out rights (such as the right to opt out of sale of personal data, or the use of personal data for targeted advertising and profiling).
Two examples of differences amongst the state laws are Oregon and Iowa. In Oregon, in addition to the above, individuals also have the right to request a list of specific third parties to which a business disclosed personal data about the consumer. Under Iowa’s law, the list of rights is shorter and individuals are not given the legal right to correct inaccurate data or opt out of the processing of personal data for targeted advertising or profiling.
Consent management rights vary
State laws like the VCDPA, CTDPA, and UCPA don't have specific requirements as to how opt-out options need to be presented, whereas laws like the CCPA/CPRA or CPA require links on a business's website. There are additional requirements, such as what disclosures need to appear in the privacy notice. What is consistent is that regulators want it to be easy for an individual to opt out, so don't bury the option under multiple layers of menus.
Long story short? There are a lot of details, so working with a privacy professional to help untangle exactly what your business needs to do is your best bet to avoid confusion.
In every state, data privacy violations will affect your bottom line
Each state has its own process for addressing data privacy violations, but data privacy problems in any state will cost your business money.
On a state government level, every state privacy law carries financial penalties for businesses found to be in violation, but the amounts and the enforcement mechanisms vary from state to state. For example:
- California's attorney general and the California Privacy Protection Agency can levy fines of up to $2,500 per violation, or up to $7,500 per intentional violation; in addition, private citizens can pursue civil action against companies for certain data breaches involving their personal information.
- Virginia's attorney general can seek civil penalties of up to $7,500 per violation and recover reasonable expenses incurred in investigating and preparing the case; the VCDPA provides no private right of action.
- Utah's attorney general can fine businesses up to $7,500 per violation, but private citizens can't pursue further penalties.
Privacy consequences aren’t limited to fines and fees
Beyond state civil penalties, privacy violations can also have devastating consequences when it comes to consumer trust.
81% of consumers believe the way a company treats their personal data reflects the way they view them as a customer. And 33% have ended relationships with companies over their use of consumer data.
Companies that lose consumer trust lose business. People don’t want to spend money with companies they don’t trust, and they definitely don’t want to share their personal data with them.
A less positive brand reputation can also make it more difficult to recruit your ideal employees, because of public perception. Most job seekers look up prospective companies to understand the culture, and the last thing a company wants is for an ideal candidate to look up a company and see a front page news story on data privacy violations.
It’s all about best practices
Because the United States is seeing more and more privacy laws each year, businesses that only attempt to adhere to the letter of the law in each individual circumstance will find themselves spending inordinate time, money, and resources to skate by on a moving target of “good enough.”
Instead, businesses that create a proactive privacy program, one that aligns industry best practices with the privacy regulations they are subject to, are much more likely to save time and stress down the road when compliance issues arise.
How to build a privacy program based on industry best practices
Building a new privacy program, either from the ground up or from an old system of record, can be an overwhelming task. To combat privacy fatigue, there are a number of practices you can implement to support long-term success.
Identify which laws apply to your business now, or could in the future
While there are more state privacy laws than ever, there are also a number of states with proposals for future data privacy legislation. Spend time figuring out where you may be liable in the future, especially if your business grows, so you can build a policy designed to address any potential issues down the line.
Clean house
Spring cleaning isn't just for your home. Most data protection laws require that businesses collect only the minimum amount of data needed for an established, disclosed purpose, so there's no holding on to data "just in case" it becomes useful later.
The best way to understand the data you already have is a data inventory: a record of what data you hold and how it flows through your systems.
Data inventories help your business understand:
- What data you have in your system
- Where your data is stored
- How your data is used
- With whom data is shared
A thorough data inventory will also help your team analyze data workflows, establish data oversight and accountability, and clarify privacy policies with vendors.
Update your internal privacy policies and external privacy notices
Your privacy policy and privacy notice are two vital privacy documents, and in order to comply with new data privacy laws, you’ve got to keep them up to date. However, these are distinct and nuanced documents—and laypeople understandably get them confused sometimes. Here’s a quick overview of the differences.
Internal Privacy Policy: a company’s internal documentation detailing how it collects, handles, stores, shares, and protects data and personal information. The audience for this documentation is employees and other users, such as third-party auditors.
External Privacy Notice: a company's external communication regarding its privacy practices, which explains how the organization collects, uses, stores, and shares personal information. A privacy notice should be posted everywhere personal information is collected. Industry best practice typically recommends linking to it in the footer of your website, but that isn't the sum total of where you should provide it. Depending on your business, you may include it in your emails and receipts, and even at the physical location of a brick-and-mortar store if you have a loyalty program or offer an email opt-in at checkout.
Bring in an expert
Data privacy compliance is a moving target, which can be overwhelming for companies, even if they have existing privacy programs. As states continue to pass new privacy laws, businesses that fail to enact best practices may face risk and liability down the road.
But you don’t have to tackle your data privacy approach alone. A privacy expert can help demystify data privacy so you can navigate the changing landscape of data privacy with confidence.
Red Clover Advisors is equipped to build an agile, sustainable privacy policy for your business based on your unique needs. Contact us today to get started with a free consultation.