19 January 2023

Strategies For Developing A Multistate Privacy Compliance Program

WilmerHale


WilmerHale provides legal representation across a comprehensive range of practice areas critical to the success of its clients. With a staunch commitment to public service, the firm is a leader in pro bono representation. WilmerHale is 1,000 lawyers strong with 12 offices in the United States, Europe and Asia.

This practice note provides chief privacy officers and other privacy professionals guidance on how to build a privacy program that complies with evolving state privacy law obligations. While no two privacy laws are necessarily the same, the laws currently passed at the state level, as well as pending proposals, share key principles. This chapter will identify those principles in the existing state privacy laws and will give privacy professionals a framework for building a forward-looking program that is designed to withstand changes in the U.S. privacy landscape.

Privacy compliance obligations are rapidly evolving in the United States, particularly at the state level. California started the trend of comprehensive state privacy laws in the U.S., and has since been joined by Virginia, Colorado, Utah, and Connecticut, with more states likely to follow in the absence of a federal law. States are also actively regulating categories of information they view to be especially sensitive from a privacy or data security perspective, including biometrics, health information, and genetic data, with laws tailored to those specific types of data.

This evolution of privacy law comes at a time when almost every business or legal entity processes personal information in some capacity. Between consumers, employees, customers, and others, companies of all kinds collect, use, and share personal information in the ordinary course of business. These new comprehensive state privacy laws are creating compliance obligations for entities that have traditionally fallen outside the purview of privacy regulation in the U.S. Entities that were regulated under existing state laws are now grappling with how the old laws intersect with the new, and how best to comply with sometimes seemingly inconsistent obligations. In addition, for companies that engage in the selling of personal information, targeted advertising, or the processing of what is considered to be "sensitive" personal information, the onus to comply with these new comprehensive laws is significant, as the laws currently passed at the state level specifically focus on these use cases.

For a visual comparison of state comprehensive privacy laws, see Consumer Data Privacy: State Law Comparison Charts and the Consumer Data Privacy topic in our State Law Comparison Tool. For guidance on specific state consumer privacy laws, see California Consumer Privacy Compliance (CCPA and CPRA), Colorado Privacy Act (CPA) Compliance, Connecticut Data Privacy Act (CTDPA) Compliance, Utah Consumer Privacy Act (UCPA) Compliance, and Virginia Consumer Data Protection Act (VCDPA) Compliance.

U.S. State Privacy Law Landscape

Privacy law in the United States is regulated at both the state and federal levels. Historically, federal privacy law has focused on specific industries and types of data, such as the Gramm-Leach-Bliley Act (GLBA) for financial institutions, the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry, and the Children's Online Privacy Protection Act (COPPA) for online services that collect personal information from children under the age of 13.

Privacy laws at the state level, meanwhile, have historically focused on addressing specific areas of concern. For example, Illinois, Texas, and Washington have each passed some version of a biometric information privacy law, which requires businesses that collect face IDs, thumbprints, and other biometric identifiers to comply with certain notice and consent requirements. A number of states have passed laws regulating other categories of sensitive information, such as health information (e.g., California and Texas), genetic information (e.g., California, Utah, and Florida), and social security numbers. California and Vermont have also passed specific laws regulating data brokers (entities that buy and sell consumer personal data).

In recent years, some states have attempted to fill the gap left by a lack of a federal data privacy standard by passing their own versions of comprehensive privacy laws. Instead of regulating specific industries or specific categories of information, these comprehensive privacy laws attempt to regulate the data collection activities of all businesses that process the personal information of residents within a specific state (subject to certain exceptions). The California Consumer Privacy Act (CCPA), which passed in 2018 and went into effect in 2020, was the first of these comprehensive state laws. California has since amended the CCPA with the California Privacy Rights Act (CPRA), effective on January 1, 2023. See Cal. Civ. Code § 1798.100 et seq. Additionally, four more states (Virginia, Colorado, Utah, and Connecticut) will join California in 2023 with their own comprehensive privacy laws. See Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq.; Colorado Privacy Act, Colo. Rev. Stat. §§ 6-1-1301 through 6-1-1313; Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and Connecticut Data Privacy Act, 2022 Ct. S.B. 6.

This guidance focuses on the compliance requirements of the comprehensive privacy laws in California, Virginia, Colorado, Utah, and Connecticut. Although these laws create new obligations for businesses operating in each of these states, they share common principles that businesses can leverage to build forward-thinking, flexible compliance programs. This should be a priority for businesses (and those in charge of implementing privacy programs) because of the prospect for a federal privacy law and the fact that over 20 states proposed their own version of a comprehensive privacy law in 2022. The principles discussed are designed to help organizations build a privacy program that complies with present state requirements and puts them on good footing to address future requirements.

Building a Privacy Program

Building a privacy program involves asking the questions that will help you determine how best to meet the needs and goals of the organization, and then laying the proper foundation.

Key Questions
Before building a privacy program, you should consider several questions that will help you prepare a program that is best-suited to your needs.

What Are the Goals for Your Privacy Program?
The answer to this question may be as simple as "I want to comply with my legal obligations," but it may go beyond that, and honestly answering this question will provide you with a better scope for the type of program you want to build. If the answer is solely that you wish to comply with your legal obligations, then you may not want to go beyond what the law requires. You can look for opportunities to leverage preexisting frameworks to minimize costs. For example, if you already took steps to comply with the CCPA, you may be able to adapt some of those same compliance steps for Virginia, Colorado, Utah, and Connecticut residents.

If, however, privacy is a selling point for your business or an issue that your customers care deeply about, you may want to take the most conservative and privacy-protective approach, applying it to all personal information you collect. In certain circumstances, this may also be the most efficient course of action because you would be taking the same approach to all of the personal data your entity holds. For example, you may choose to provide individual data privacy rights to consumers from everywhere in the United States (including those from states that do not have privacy laws). This approach may have the benefit of making privacy a competitive advantage for your business and be easier to administer.

Originally published by Lexis Nexis on the 12th of January, 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
