In recent years, data privacy has become a critical concern for individuals, businesses, and governments alike. Several U.S. states have enacted or proposed comprehensive data protection laws to safeguard consumer rights and regulate data handling practices. Let’s explore some key developments:
Existing State Data Privacy Laws California Privacy Rights Act (CPRA)
The CPRA, which builds upon the California Consumer Privacy Act (CCPA), grants consumers several essential rights:
• Access: Consumers can request access to their personal data held by businesses.
• Deletion: They have the right to request deletion of their data.
• Opt-Out: Consumers can opt out of targeted advertising and the sale of their data to
third parties.
Colorado Privacy Act (CPA)
The CPA, effective from 2023, empowers consumers with similar rights:
• Access and Deletion: Consumers can access and delete their personal data.
• Opt-Out: They can opt out of data processing for targeted advertising.
Connecticut Data Privacy Act (CDPA)
The CDPA, also enacted in 2023, provides:
• Opt-Out: Consumers can opt out of the sale of their personal data.
• Access and Correction: They have the right to access and correct their data.
Utah Consumer Privacy Act (UCPA)
The UCPA, effective from 2023, emphasizes:
• Opt-Out: Consumers can opt out of targeted advertising.
• Access and Deletion: They can access and delete their data.
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA, enacted in 2023, grants consumers:
• Access and Deletion: The right to access and delete their personal data.
• Opt-Out: They can opt out of targeted advertising.
Data Privacy Laws Coming Soon
Four New State Data Privacy Laws are slated to go into effect before the end of 2024.
• Florida – July 1st
• Oregon – July 1st
• Texas – July 1st
• Montana – October 1st
Once the specific regulations are in place, we will provide the rights granted to consumers by each.
Where Is Data Being Collected?
We, as consumers, offer up our data in a variety of ways often on a daily basis. Some data collection channels are as follows:
• Websites and Apps: When you browse websites or use mobile apps, data is collected through cookies, forms, and interactions.
• IoT Devices: Smart devices, wearables, and home assistants collect data.
• Social Media: Platforms like Facebook, Twitter, and Instagram gather user information.
• Financial Institutions: Banks, credit card companies, and lenders collect financial data.
• Healthcare Providers: Medical records and health apps store sensitive health data.
Navigating the Evolving Landscape of Data Privacy Laws
Here are some essential steps to prepare:
1. Cultivate Trust with Customers:
o Consistently communicate with customers about how their data is being used. o Explain in common-sense terms the purpose behind data collection and the benefits for them.
o Transparency builds trust and ensures compliance.
2. Focus on Extracting Insights, Not Personal Identifiable Information (PII):
o Shift the focus from raw data to meaningful insights.
o Anonymize or aggregate data to protect individual identities.
o Prioritize data analysis that drives business value without compromising privacy.
3. Collaboration Between CIOs and CDOs:
o Chief Information Officers (CIOs) and Chief Data Officers (CDOs) should work
together.
o Facilitate the flow of insights from consented data.
o The common objective: maximize insight while respecting privacy.
4. Navigate Uncertain Opt-Out Requirements:
o Understand the specific opt-out provisions in each state’s privacy law. o Develop clear processes for handling consumer requests to opt out.
o Ensure compliance with opt-out preferences.
5. Develop a Data Governance Program:
o Establish robust data governance policies and procedures.
o Efficiently respond to consumer requests related to data access, deletion, and correction.
o Regularly review and update data governance practices.
6. Manage Risks with Third-Party Vendors:
o Evaluate the data practices of vendors and partners.
o Ensure they comply with privacy laws.
o Mitigate risks associated with data sharing and processing.