The Evolving Data Privacy Landscape: Trends in Data Privacy Laws
In today's data-hungry world where personally identifiable information (PII) is constantly collected, processed, shared, and sold — data privacy has become a paramount concern to individuals, companies and governments. Individuals are becoming increasingly aware of the need to protect their PII. Companies are becoming aware of the risks of holding and properly securing PII, and lawmakers are responding to voters by enacting sweeping data privacy laws.
While comprehensive U.S. data privacy legislation remains elusive, individual states have taken the lead in shaping the data privacy landscape. So, what are the trends and developments in state data privacy laws, the specific rights they provide to data subjects, and most importantly, what are their implications for businesses?
Data privacy laws: An evolving landscape
The EU’s General Data Protection Regulation (GDPR) kicked off the modern data privacy era in 2018. The GDPR is a data protection and privacy regulation in EU law which, among other things, established that personal data privacy is a human right. In particular, Article 8 (1) of the Charter of Fundamental Rights of the European Union states:
- Everyone has the right to the protection of personal data concerning them.
- Such data must be processed fairly for specified purposes and based on the specific consent of the data subject concerned or some other legitimate basis laid down by law. Additionally, everyone has the right to access data collected concerning them and rectify it.
- Compliance with these rules shall be subject to control by an independent authority.
The GDPR provides a host of rights to people to query, manage, rectify and delete personal data collected by an organization. These rights can be exercised through what is commonly referred to as a Subject Access Request (SAR) or Data Subject Access Request (DSAR). The GDPR also requires companies collecting PII to perform regular Data Protection Impact Assessments (DPIAs).
Data privacy in the U.S.
The state of data privacy laws in the United States is a complex and rapidly evolving landscape. Based on the absence of federal data privacy legislation (so far), many states have taken matters into their own hands to protect the privacy rights of their residents. So far, the result is a patchwork of state data privacy laws, each with its own nuances, definitions, exemptions and requirements.
One of the most significant and far-reaching state data privacy laws to date is California’s CCPA/CPRA, which went into effect on January 1, 2020. The CCPA/CPRA set the stage for other states to follow suit, recognizing the need for comprehensive data privacy legislation. Since then, many states have proposed data privacy laws. As of the writing of this article, 10 more states have passed their own data privacy laws, including Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah and Virginia.
The new and emerging state data privacy laws are not uniform in their approach or specifics, leading to variations in their definitions, data-subject rights and legal requirements. While some states have adopted provisions similar to the CCPA/CPRA, others have introduced unique elements such as the private right of action and the need to opt-in (versus opt-out) for PII collection.
A unique requirement all data privacy laws have in common is that they are not limited to the geographic location of the data collector but rather the location of the PII data subject. This means that organizations collecting PII from Colorado residents, regardless of the state (or country) where they are based, are subject to Colorado privacy law.
For businesses operating globally, compliance will become complex as they must navigate, track and adhere to different state and country data privacy laws.
Fundamental rights and provisions in state data privacy laws
State data privacy laws aim to empower individuals with specific rights and provide guidelines for businesses on PII collection, use and sale. Each of the existing state privacy laws has explicit and varying thresholds when triggered, including corporate annual gross revenue and/or the amount of PII of state citizens they have collected.
While the specific rights provided to citizens may vary slightly, several common rights and provisions are found in these laws.
Individuals have the fundamental right to:
- Query a company if it has collected their PII
- Get a complete report on precisely what PII the company has on them
- Request information about:
- The types of PII collected
- The purposes for which PII is used
- The PII that is shared with or sold to third parties
This transparency empowers individuals to make the best-informed decisions about their data.
Another critical right is the right to PII deletion. Individuals have the right to request the unrecoverable deletion of their personal information held by businesses, subject to certain exceptions such as regulatory retention requirements or e-discovery/litigation. This right allows individuals to assert more control over their data and limit its retention beyond what is desired or necessary.
You may have noticed that I mentioned “unrecoverable deletion” versus the standard use of deletion above. The new state data privacy laws specify that a data subject may request the deletion or erasure of their PII. However, most IT personnel recognize that when a file is deleted from a computer system, it is not actually deleted. The file system only deletes the link between the file and the storage location. The data is still available and can be recovered using many file recovery programs.
On the other hand, unrecoverable data deletion (like a digital shred) is a permanent act and leaves no trace of the data behind. This differentiation is significant for businesses as these two meanings can present considerable risk and place an organization in compliance violation. The current opinion from some legal authorities and subject matter experts is that the data subject deletion request intends to remove the PII permanently.
Additionally, many state data privacy laws include opt-out mechanisms, which allow individuals to opt out of collecting or selling their personal information to third parties. This control over the commercial use of personal data will enable individuals to protect their privacy and limit unwanted data sharing. In many state laws, “opt-in” consent is required to use and sell PII from children.
Transparency requirements are also a significant aspect of state data privacy laws. Businesses must provide clear and accessible privacy policies (usually posted prominently on their web pages) that explain their data collection and processing practices and how to submit a DSAR. This transparency helps individuals understand how their data is used and if they consent to such practices.
Non-discrimination provisions are another important element. State laws often prohibit businesses from discriminating against individuals who exercise their privacy rights. Companies are prohibited from denying goods, services, or discounts or providing a different level or quality of service based on an individual's exercise of their privacy rights.
Data security and breach notification requirements are also commonly addressed in state data privacy laws. Businesses are expected to implement reasonable security measures to protect PII from unauthorized access, use or disclosure. However, using the term reasonable security measures in many laws does not go far enough in setting industry standards for data security. Data security practices such as zero-trust design, data encryption and multifactor authentication (MFA) are all established technologies and standard security measures, which should be incorporated into all state privacy laws.
Many of the state privacy laws also include breach notification requirements. For example, in the event of a data breach, businesses are typically required to quickly notify affected individuals and relevant authorities when the breach is recognized, allowing individuals to take necessary steps to protect themselves.
Implications for business
The passage of a growing number of state data privacy laws has significant and far-reaching implications for businesses.
All businesses that collect PII face growing risk and complexity because each state's privacy law is slightly different. Each varies in definitions, exclusions, opt-in versus opt-out requirements, and other topics. These differences ensure there is no high-water mark privacy law that, if met, ensures all other privacy laws are also met. Compliance with these laws requires a thorough understanding of the specific requirements and an ongoing commitment to privacy protection. Failure to comply with data privacy laws can result in severe consequences, including substantial fines, legal actions and reputational damage.
Businesses must adapt their data collection and processing practices to align with the rights and provisions outlined in each state law. This may involve implementing robust data management systems, updating privacy policies including AI capabilities, and establishing procedures for responding to individual rights requests. Compliance also extends to third-party relationships, as businesses must ensure that their vendors and partners adhere to the same privacy standards.
Moreover, privacy by design and impact assessments have become essential business practices. By integrating privacy considerations into the design and development of new products and services from the outset, companies can proactively address data privacy concerns and minimize the risk of non-compliance.
A positive element for organizations to follow is the likelihood of the passage of a federal data privacy law, the American Data Privacy and Protection Act (ADPPA). The ADPPA is a proposed federal online privacy bill that aims to regulate how organizations keep and use consumer data. If enacted into law, it would regulate how organizations keep and use consumer data by providing consumers with foundational data privacy rights, creating robust oversight mechanisms and establishing meaningful enforcement.
The ADPPA has made it further along the federal legislative process than any other data privacy regulation in the U.S. However, it currently includes a preemption provision that would preempt all the existing and future state privacy laws. This provision would go a long way in simplifying corporate privacy law compliance, ensuring that organizations would only have one data privacy law to comply with.
The data privacy information management inflection point
The landscape for state and federal data privacy laws continues to evolve, driven by the growing awareness of individual citizens and the importance of protecting PII. As more states consider or enact their own data privacy legislation, businesses must stay abreast of these trends to ensure compliance and maintain consumer trust.
This patchwork of privacy laws and the specific data subject rights under these laws may cause companies to rethink how they capture information within their operations. A prime example of the growing complications is the data subject’s right to query and delete their PII. The privacy laws state that if there is no regulatory or legal (e-discovery) requirement to keep an individual’s PII, it must be deleted. The implication is that all individual’s PII must be deleted – no matter where in the organization it is stored.
In most organizations, PII can be shared and stored on many devices, including employee laptops, file shares, cloud accounts, etc. How many organizations feel confident that they have found and deleted all copies of an individual’s PII? The implication is that organizations will be forced into managing and indexing all data in an enterprise, including that data stored locally on employee devices. This inflection point will be a massive expansion of the information management requirement.
By understanding the rights provided by each state law and embracing data privacy-conscious practices and information management practices, businesses will be able to navigate the complexities and risks of the data privacy landscape while prioritizing protecting individuals' personal information.
Share this post!
Smarsh Blog
Our internal subject matter experts and our network of external industry experts are featured with insights into the technology and industry trends that affect your electronic communications compliance initiatives. Sign up to benefit from their deep understanding, tips and best practices regarding how your company can manage compliance risk while unlocking the business value of your communications data.
Ready to enable compliant productivity?
Join the 6,500+ customers using Smarsh to drive their business forward.
Subscribe to the Smarsh Blog Digest
Subscribe to receive a monthly digest of articles exploring regulatory updates, news, trends and best practices in electronic communications capture and archiving.
Smarsh handles information you submit to Smarsh in accordance with its Privacy Policy. By clicking "submit", you consent to Smarsh processing your information and storing it in accordance with the Privacy Policy and agree to receive communications from Smarsh and its third-party partners regarding products and services that may be of interest to you. You may withdraw your consent at any time by emailing privacy@smarsh.com.
FOLLOW US