State Of Affairs: How State Privacy Laws Will Affect Your Business

Written by Jodi Daniels of Red Clover Advisors. 

 

Wisconsin has a law on the books that any cheese labeled certified premium Grade AA must be “fine, highly pleasing and free from undesirable flavors and odors.”

 

In Washington, Bigfoot has been designated an endangered species, which means it’s illegal to kill him.

 

And in Virginia, it’s illegal to “hunt or kill any wild bird or wild animal” on Sundays—unless it’s a raccoon. Getting rid of the raccoon that has raided your trash cans for weeks? Fine. Setting rat traps on Sunday? Nope. Can’t do it.

 

States’ rights are one of the founding principles of U.S. governance and were codified in the Bill of Rights’ 10th Amendment. This idea was critical to getting the original colonies on board with the Constitution, and it makes sense. After all, Georgia isn’t famous for its cheese, so they don’t need a law for premium Grade AA labels.

 

Individual state laws are an important way to meet local needs, but if you own a business that operates in multiple states, it can also turn compliance into a major headache. This is especially true when it comes to data privacy statutes.

 

What is the difference between sectoral and omnibus privacy laws?

 

The European Union (and a few countries!) have an omnibus approach to data privacy legislation. Laws like the EU’s General Data Protection Regulation (GDPR) apply to all member states and business entities in their jurisdiction. Companies in France are under the same privacy obligations as companies in Germany, Italy, Luxembourg and Croatia.

 

The U.S., in contrast, does not have a federal consumer data privacy law that applies to all 50 states. Known as a sectoral model, this approach creates a true American melting pot of privacy laws by leaving privacy laws up to each state.

 

Five states have passed privacy legislation since 2018—California, Virginia, Colorado, Utah and Connecticut. As of May of this year, eleven other states have laws in committee, and it’s anticipated more will follow in the near future.

 

California’s statute is the most consumer-friendly, and Utah’s probably the most business-friendly, but all of these laws are at least loosely modeled on the GDPR. And the GDPR is based on well-known data privacy best practices.

 

So instead of worrying about whether or not your data management practices are compliant with a variety of state and international laws (which are constantly being amended and updated), save yourself time, money and brain power by creating a big picture, future-proofed program based on proven methodologies that provides all customers privacy—no matter where they live.

 

How can you manage your state of mind when laws are in a state of flux?

Here’s the good news for entrepreneurs: You have an amazing opportunity to build privacy best practices into your fundamental operational processes without any disruption. There are a few things you need to build a good data management program.

 

  • Transparency is everything.

You need to be able to both understand and communicate to your users what types of personal information you’re collecting, what you’re doing with it, who you’re sharing it with, what they’re doing with it and how you’re storing/protecting it. If you can’t answer these questions yet, creating a data inventory will tell you what you need to know.

 

  • Minimize your data collection.

Balancing business intelligence needs with consumer rights is critical to succeeding in the information economy, but the days of collecting as much information as possible are long gone. Instead of gathering anything and everything, work cross-functionally to figure out the specific data points your teams need to operate successfully. Minimizing your data collection reduces your risk of exposure, cuts data management costs and builds customer trust.

 

  • Align your data management practices and your published privacy policies (and write an intelligible privacy policy, for heaven’s sake).

Once you start analyzing your data management practices, you’ll probably find instances where your operations don’t match what you’ve put in your privacy policy. This is a big no-no. A privacy policy that’s easy to find, easy to understand and accurately describes how you use consumer data will keep you on the right side of the compliance coin.

 

  • Train your team.

Great policies aren’t helpful if your team can’t execute them. Incorporating regular, specific and relevant privacy training into regular staff meetings, newsletters, emails, etc., will go a long way to reduce data privacy management’s administrative load. With a culture of privacy in place, employees can become a powerful tool in your privacy toolbox.

 

  • Update and plan, then plan and update.

Consumer data privacy is still a relatively new field, which means the landscape is changing all the time. You should review policies and programs every 12 months or whenever the laws that apply to you change. It’s also wise to run risk assessments and develop action plans for potential breaches. The work you put into these processes on the front end will make it easier to respond to new compliance obligations or consumer expectations and contain the damage caused by bad actors.

 

Don’t get derailed by swinging privacy states.

 

Whatever data privacy laws you’re subject to now, and whatever data privacy laws are headed in your direction, building your data and privacy management program on best practices will increase your agility, improve your operations, establish legal compliance and prove to your customers that you can be trusted with their information.
