U.S. Data Privacy Gains Momentum
As more and more social and economic activities move online, the importance of privacy and data protection is becoming increasingly recognised. Of equal concern is the collection, use and sharing of personal information with third parties without notice or consent of consumers. In fact, I read recently on the UNCTGAD site that 128 out of 194 countries had put in place legislation to secure the protection of data and privacy.
Even the likes of Russia and China are amending data protection laws to increase personal data subjects’ rights. Whilst the U.S. has been lagging behind other countries in terms of implementing national legislation, the picture is now beginning to take a different path at state level as legislative bodies introduce regulations on much more of a localised level. Some states such as California, Vermont, New York and Ohio have introduced data protection legislation in some form, Alabama has its Data Breach Notification Act and as recently as last month Colorado passed its new data privacy bill, giving residents the right to stop companies from collecting their data in the future. There is now a significant movement towards safeguarding data privacy and increased data protection state by state.
Perhaps spurred on by this, or maybe just regime change, but we are now seeing moves from the U.S. Federal government as well. In May President Biden published his Executive Order on improving the nation’s cybersecurity as a whole, showing how the thought process has stepped up a notch.
The reason for this is obvious. You don’t have to cast your mind too far back to be able to cite high profile cases in the press which showed us how important strong data protection rules are for society, including the very functioning of the democratic process.
These and other developments have shown that the protection of privacy, as a fundamental individual right, but also as an economic necessity, is crucial. Without consumers’ trust in the way their data is handled, our data-driven economies will not thrive.
As a practitioner working in the field of data security, I’m pleased to see data privacy and protection laws becoming more commonplace across the U.S. Data protection is the “one constant” that must be maintained across all environments. Organisations hold and are responsible for safeguarding vast amounts of data and this data must be appropriately protected, irrespective of its type or location.
With personal data protection and privacy law rapidly evolving in the United States, and with there being no single principal legislation that governs data protection at the federal level in the U.S as yet, one could be forgiven for wondering which regulations are most critical to be aware of. With that in mind, let us take a whistle-stop tour of some of the important and forthcoming laws you need to be aware of:
General Data Protection Regulation (GDPR)
Let’s start here. Though of course not a U.S. piece of legislation, GDPR is nevertheless a critical one to conform to if, as a U.S. company, you transact with the EU or the UK.
The most important data protection legislation enacted to date is the General Data Protection Regulation (GDPR). It governs the collection, use, transmission, and security of data collected from residents of any of the member countries of the European Union. The law applies to all EU residents, regardless of the location of the entity that collects the personal data. Fines of up to € 20 million or 4% of total global turnover may be imposed on organisations that fail to comply with the GDPR.
GDPR’s seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. Some important requirements of GDPR include:
- Though GDPR was established in the EU, it applies to businesses all over the world. If your website collects the personal information of someone from one of the EU member states, then you’re required to comply. Otherwise, you could be faced with fines and penalties.
- Organisations are required to notify supervisory authorities and data subjects within 72 hours in the event of a data breach affecting users’ personal information in most cases.
- In a lot of cases the GDPR can require organisations to appoint a data protection officer (DPO). For example, businesses in the public body, those with large scale monitoring of individuals or processing large amounts of criminal data. This independent data protection expert is responsible for monitoring an organisation’s GDPR compliance, advising on its data protection obligations, and acting as a contact point for data subjects and the relevant supervisory authority.
California Consumer Privacy Act (CCPA)
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Virginia’s Consumer Data Protection Act (CDPA)
Virginia’s Consumer Data Protection Act (CDPA) was passed on March 2, 2021. It grants Virginia consumers rights over their data and requires companies covered by the law to comply with rules on the data they collect, how it’s treated and protected and with whom it’s shared.
The law contains some similarities to the EU General Data Protection Regulation’s provisions and the California Consumer Privacy Act. It applies to entities that do business in Virginia or sell products and services targeted to Virginia residents.
Colorado Privacy Act (CPA)
In June 2021, Colorado became the third U.S. state to pass a privacy law. The Colorado Privacy Act grants Colorado residents rights over their data and places obligations on data controllers and processors. It contains some similarities to California’s two privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), as well as Virginia’s recently passed Consumer Data Protection Act (CDPA). It even borrows some terms and ideas from the EU’s General Data Protection Regulation.
While there are similarities, such as the opt-in requirement to obtain consent from consumers before collecting sensitive data, and the adoption of some privacy-by-design principles, the significant differences are in the details.
The CPA applies to businesses that collect personal data from 100,000 Colorado residents or collect data from 25,000 Colorado residents and derive a portion of revenue from the sale of that data.
The CPA is scheduled to come into effect on July 1, 2023.
New York SHIELD Act
In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This law amends New York’s existing data breach notification law and creates more data security requirements for companies that collect information on New York residents. As of March 2020, the law is fully enforceable. This law broadens the scope of consumer privacy and provides better protection for New York residents from data breaches of their personal information.
Importance of privacy policies
With the implementation of data privacy legislation continuing to sweep through countries globally, a list which now increasingly includes the U.S., awareness of the key tenets of the laws that relate to your organisation’s business practices are essential. Once you know how you are expected to protect consumer data, you can build a strategy around your people, processes and technology that ensures you comply with prevailing data privacy laws. In so doing, you are safeguarding your customers against theft, loss, or misuse of their personal information, and also protecting your organisation from the risk of hefty penalties for non-compliance.