With the release of the European Union’s draft European Data Protection Regulation in 2012, the modern understanding of consumer privacy regulations first began to take shape. The regulation proposed the ability of EU citizens to request their personal information be removed and delinked from search engine results. This reflected a turning point in consumer privacy laws – one that is continuing to evolve in our always-connected, mobile-first digital environment.
Beginning with this regulation out of the EU, consumer privacy laws have increasingly veered towards enabling greater agency for consumers in how their data is collected, stored, managed, used, and shared. This draft regulation became the progenitor of the General Data Protection Regulation (GDPR), one of the world’s largest and most sweeping reforms in consumer data privacy. With the passing of GDPR in 2018, global brands were forced to reshape how they engaged with shoppers and consumers – or be willing to pay up. Just last year, Amazon reported fines of €746 million ($888 million in USD) related to GDPR infractions in their July 2021 earnings report.
Following the release of GDPR, regulatory agencies across the globe began enacting or fast-tracking their own data privacy laws. Stateside, California took the lead with the debut of the California Consumer Privacy Act (CCPA), passed in September 2018 and effective on January 1st, 2020, which mirrored many of the same principles of the EU’s GDPR with small differences in scope, how data is defined as personal, how individuals can opt-out or opt-in, etc. While CCPA compliance remains a challenge for many businesses in the U.S. – with potentially 90% of companies found to be out of compliance – new laws are already underway in several states across the country, hastening the need to prioritize data privacy for many consumer-facing businesses.
Keep an Eye on These States’ Consumer Privacy Laws
Shortly following CCPA’s drafting, states across the country began making headway on their own consumer privacy regulations. In some form or fashion, nearly every state in the country currently has a data privacy law in development, with a few states nearing or already passing the draft regulations into law.
Already, California, Virginia, Colorado, Utah, and Connecticut have signed their own data privacy regulations into law. So far, California’s CCPA is the only law to have gone into effect, with the remaining four states’ laws going into effect over the next 12-18 months.
Signed into Law
| Law | Signed | Effective |
|---|---|---|
| Colorado Privacy Act | July 8, 2021 | July 1, 2023 |
| Connecticut Data Privacy Act | May 10, 2022 | July 1, 2023 |
| Utah Consumer Privacy Act | March 24, 2022 | December 31, 2023 |
| Virginia Consumer Data Protection Act | March 2, 2021 | January 1, 2023 |
The laws differ in scope, enforcement, and definitions, but they largely share the same overarching characteristics, with the goal of enabling greater transparency and agency for consumers. This is also the case for laws currently in development in several other U.S. states. Below are just two notable examples of the dozens of draft consumer privacy regulations making their way through state legislatures.
While several attempts have been made to enact privacy laws in the past, the recent iteration of the Massachusetts Information Privacy and Security Act is gaining more support than previous privacy laws. If passed, the law would become the most comprehensive and strict privacy law in the U.S. This law provides broader accommodations for enforcement and a private right of action. As currently written, the law is the closest to GDPR in the U.S.
Nebraska’s proposed legislation is notable in that it adopts the Uniform Personal Data Protection Act (UPDPA), a model law intended to help states seeking to enact their own privacy law. Drafted by the Uniform Law Commission, the draft legislation differs from others in that it’s somewhat looser in interpretation and provides fewer defined penalties for businesses out of compliance. In fact, the legislation goes as far as to allow businesses to use personal data without consent so long as there is a “compatible data practice”.
What Should Businesses Do to Prepare for New Consumer Privacy Regulations?
Preparing for the wide range of consumer privacy regulations currently in flight across dozens of state houses requires not only a thorough understanding of the laws themselves, but also an understanding of your own data collection, practices, and processes.
It’s critical to understand exactly what your business is collecting, how it travels across and outside of your business, and what levers are in place for accessing and removing it when necessary. In our digital world, any given business can have dozens, if not hundreds or thousands, of data collection points. Given the variations state by state, businesses can risk exposure to significant liability without a deep understanding of their data universe.
With this understanding, businesses will then need strong data management and data governance policies in place to ensure continuous and sustainable adherence to evolving regulations. Given the far-reaching nature of digital business, almost any organization operating in the United States will have some degree of compliance to manage with regard to consumer privacy regulations.