Five ways to stay compliant with US data privacy regulations

New data obligations have come into force in the US. Here’s what you need to do.

As we move into a digital future in which apps, social media platforms, search engines and other websites can access and store our data, respecting individual data rights matters more than ever. Since the EU General Data Protection Regulation (GDPR) took effect, approximately 120 countries have adopted regulations intended to ensure an adequate level of data protection.

Following suit, at the start of 2023, two new privacy regulations came into effect in the United States (US).

  • The California Privacy Rights Act (CPRA) – an amendment to the California Consumer Privacy Act (CCPA).
  • The Virginia Consumer Data Protection Act (VCDPA).

Throughout this year, several new data obligations will come into force.

  • On July 1, 2023, the Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) take effect.
  • On December 31, 2023, the Utah Consumer Privacy Act (UCPA) takes effect.
  • On January 1, 2025, the Iowa Consumer Data Protection Act (ICDPA) takes effect.
  • Indiana has passed a data privacy law that, at the time of writing, is awaiting the Governor’s signature. Once signed, Indiana will be the seventh state to enact comprehensive data privacy legislation.

Many more states are following suit and will implement state-level, GDPR-inspired data privacy obligations. In addition to the seven states above, 18 states are currently working on comprehensive privacy regulations. These laws will affect how corporations collect, store and use individuals’ personal data, and aim to give consumers greater transparency and control over that data at a time when privacy concerns are on the rise.

How is the US data privacy landscape changing?

Historically, corporations collected individuals’ data without express permission, so the US regulated how that information may be used in order to mitigate risk and harm. Federal regulation is sector-specific: the Gramm-Leach-Bliley Act (GLBA) covers financial services, the Health Insurance Portability and Accountability Act (HIPAA) the medical sector, the Family Educational Rights and Privacy Act (FERPA) education, and the Children’s Online Privacy Protection Act (COPPA) children’s data.

The European Union (EU) took a different stance on personal data. The GDPR treats data protection as a fundamental right, under which individuals can choose what happens to their information. Following the EU’s rights-based framework, the new US state laws in California, Colorado and elsewhere also distinguish between the data controller and the data processor. The controller determines how and for what purpose personal data is processed; the processor (usually a third party) processes the data on the controller’s behalf. For example, when a bank collects clients’ data as they open an account, the bank is the controller, and the third party that stores, digitises and catalogs that information on the bank’s behalf is the data processor.

The state-level data privacy laws in California, Colorado, Connecticut, Utah and Virginia all share similarities with the GDPR and focus on individuals’ rights over their data. Each law differs in its details, however, and should be assessed carefully to ensure full compliance.

California Privacy Rights Act (CPRA)

The CPRA established various individual rights inspired by the GDPR. It also created a state agency, the California Privacy Protection Agency, with duties similar to those of the EU’s data protection authorities. A firm found to be non-compliant is liable for a penalty of $2,500 per violation, or $7,500 per intentional violation.

Virginia Consumer Data Protection Act (VCDPA)

Sharing similarities with California’s CPRA, plus additional obligations that reflect the GDPR, the VCDPA applies to businesses that operate in Virginia or offer products and services to Virginia residents. It gives consumers the right to access, correct and delete their personal data, and to opt out of certain uses of it.

Colorado Privacy Act (CPA)

The CPA adopts terminology from the GDPR and shares similarities with the CPRA. Colorado was the next state after Virginia to introduce comprehensive data privacy regulation. As with Virginia’s law, the CPA applies to firms operating in Colorado or supplying products or services to Colorado residents.

Connecticut Data Privacy Act (CTDPA)

Connecticut’s law is most similar to Colorado’s CPA. It gives Connecticut residents specific rights over their personal data and imposes obligations and privacy protection standards on the data controllers that process it.

Utah Consumer Privacy Act (UCPA)

Following Colorado, Utah enacted its own data privacy law, the UCPA, on March 24, 2022. Compared with Virginia’s VCDPA and Colorado’s CPA, the UCPA grants fewer privacy rights and contains provisions that are more favourable to businesses.

Iowa Consumer Data Protection Act (ICDPA)

Iowa was the sixth state to pass a comprehensive privacy law. The ICDPA draws on elements of the Connecticut, Utah, Virginia, Colorado and California laws; the main differences lie in Iowa’s definitions of “personal data” and “sensitive data.”

A roadmap to data privacy compliance

Navigating and managing emerging data laws can be a daunting task. Here are several steps firms can take to ensure compliance:

1. Understand the regulations

Corporations first need to establish which regulations apply to them and which elements of each are relevant, in particular which state-level laws reach their business. Doing this manually is error-prone, as it is easy to miss something. Regulatory change management software can identify the relevant data privacy regulations and filter hundreds of pages of text down to the obligations that matter, making compliance quicker and more reliable.

2. Ensure there is clarity around roles and responsibilities

Nominate a person responsible for data privacy. This could be someone in IT, such as the Chief Information Officer, supported by input from the compliance team. The UK is currently working on a bill to reform its GDPR that proposes a “senior responsible individual” in a similar role. As part of this step, firms should audit their privacy compliance framework to identify gaps, define clear steps for addressing each risk, and decide who owns each step. The audit should review how data is currently collected, stored and used, and whether any of those practices breach data protection law. Regulatory intelligence tooling can surface compliance gaps as regulations change, giving compliance teams and the nominated person time to address issues promptly.

3. Update existing privacy frameworks

Once the compliance team knows where its data privacy gaps lie, it can implement the required changes to current privacy policies and practices. This keeps the firm compliant and avoids hefty fines from regulators.

4. Implement continuous monitoring of emerging data privacy regulations

As the digital age progresses, there are bound to be new or changing data privacy obligations at both state and federal level. Compliance is therefore not a one-time job or a box-ticking exercise; it is an ongoing process that requires constant monitoring to identify risks quickly. Regulatory change management software uses artificial intelligence, machine learning and horizon scanning to anticipate emerging regulatory changes, helping a firm stay ahead of new state- or federal-level privacy obligations.

5. Provide employee training and awareness

After the GDPR took effect, firms provided data privacy training at work, covering practical habits such as locking your computer when stepping away from it and not writing down customers’ personal details, since either could lead to a breach. Training at US firms will likewise make employees aware of their roles and responsibilities under the new privacy laws and help the firm stay compliant.

CUBE comment

The data landscape is constantly changing and evolving, and with change comes more regulatory oversight and more obligations, so continuous monitoring of data privacy developments is needed. It is encouraging to see the US protecting consumer data, but the rules remain fragmented at the state level. There have been various attempts at federal data privacy regulation, of which the American Data Privacy and Protection Act (ADPPA) has come closest to being a comprehensive national law. The ADPPA is still at the draft stage; if approved, it would affect all of the state laws.

As more data privacy regulations develop, there will be greater oversight and scrutiny to ensure firms act correctly and abide by these laws. Compliance should not be an afterthought.

First published by CUBE and reproduced with their permission. CUBE is the market leader in Automated Regulatory Intelligence. Our global regulatory content, AI-powered technology and purpose-built infrastructure are transforming the way compliance gets done.