Data privacy is becoming a more significant concern globally. Although the United States lacks a strong federal regulation like the European Union’s GDPR, comprehensive data privacy laws do exist at the state level, and many more are being considered. On top of that, several federal privacy laws apply to specific industries or types of data, such as:
- HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. While this legislation was sweeping and impacted many aspects of healthcare and insurance, it includes privacy and security measures. HIPAA dictates how health information must be stored and protected and who can access the data, among other provisions.
- COPPA: The Children’s Online Privacy Protection Act (COPPA) was enacted in 2000 to prohibit companies from asking for personal identifying information from children 12 years of age and younger.
- GLBA: The Gramm-Leach-Bliley Act (GLBA) regulates banking and financial information by protecting nonpublic personal information, such as property records and mortgage information.
Taken together, these laws protect many aspects of personal, private, and nonpublic information. But during the increase in cybercrime experienced in 2020, many hackers took advantage of lax security brought on by the operational changes required throughout the pandemic. This increase in crime has renewed the focus on strong data privacy laws.
At the federal level, the Information Transparency and Personal Data Control Act was introduced in March. It would allow consumers to access and correct data and opt in to sharing sensitive personal information, including biometrics, financial data, geolocation data, and citizenship status, among other data points. On top of this piece of federal legislation, at least 15 states have privacy bills that their legislatures will consider, several of which mirror the strong enforcement provisions found in the EU’s GDPR. And some states have already taken action.
An overview of several of the state laws and proposed bills:
- Oklahoma: The state is currently considering data privacy restrictions, although these regulations would only apply to companies that earn at least $10 million in annual sales, derive a quarter of their revenues from data sales, or are data brokers with at least 50,000 consumers.
- California: In 2018, the state passed the California Consumer Privacy Act to protect consumers. Businesses are restricted from selling personal information without first providing notice and an opportunity to opt out. Consumers also have the opportunity to remove certain information by request.
- North Dakota: A current proposed law restricts websites from sharing any information with third parties without the users’ consent. This bill has no provisions to remove or delete any information once consent has been granted.
- Massachusetts: The proposed bill is similar to California’s law but also allows consumers to sue for any violation of the proposed law, even if they have not suffered a monetary loss due to the violation.
- Maryland: Maryland’s proposed privacy law expands on the protections of California’s laws related to disclosing information to third parties to include information that is shared without any financial transaction.
Currently, only three states have privacy laws on the books – California, Nevada, and Maine. But given the number of bills appearing in this legislative session, it seems highly likely that additional laws and restrictions will be put in place over the next several years. And while few people would argue that greater data privacy is not beneficial for consumers, it does pose challenges to companies that will have to comply with new laws.
We can see the challenges that arose when companies in the EU made changes to comply with GDPR. One of the biggest challenges was the sheer cost of complying with the new legislation. Not only are there initial costs to set up systems that safeguard data and trigger the notifications a company must send to consumers, but there will likely be ongoing compliance costs as well. The rate of technological change means that these systems will need to be upgraded periodically, as with any other piece of digital infrastructure.
With many industries currently undergoing a transformation in which their operations are moving from a centralized location to a decentralized architecture, there are additional barriers to compliance. Given the scope of data covered by many of these bills and the strictness of their regulations, the best way to ensure compliance is with automated systems.
A recent paper by Micro Focus identified five key principles for a robust data compliance program, including:
- The ability to identify personal information that is created, received, and shared with others.
- Securing personal data across the enterprise, including external systems, from data breaches and accidental data sharing.
- Setting up a system that responds to individuals’ requests for the data you currently hold on them and indicates what data may be shared with whom.
- Creating procedures for producing personal information reports.
- Creating a compliant process for deleting information or having it de-identified. This process will be crucial for sorting through data that needs to be retained to comply with other laws and data that must be deleted to comply with data privacy laws.
The organization of data will be central to any strategy to maintain compliance with emerging data privacy laws. The less data you collect, the less you have to worry about securing. However, some data must be collected – and some industries require more of it. And with so many proposed data security laws currently in consideration, 2021 could become the year that meaningful privacy laws gain far more traction in the United States.
But regardless of the status of many of these state laws, data protection is crucial for modern businesses. Breaching one of the existing laws can result in expensive lawsuits or fines. The best course of action for many companies will be implementing security measures and procedures sooner rather than later. This approach will ensure you are prepared if any of the pending legislation gets enacted: you can stay ahead of competitors and be ready to comply with new laws. Managed IT services at Sagacent Technologies can help guide your company through this process and understand any obligations you have.
Sagacent Technologies offers technology management and support, including proactive/preventative maintenance, onsite and offsite data back-ups, network and security audits, mobility solutions, disaster planning, and emergency business resumption services. The company serves clients of 10 to 150 employees within the Silicon Valley region.