Privacy will be top of mind next year for many organizations, as five U.S. states will have new data protection laws going into effect.
These include Virginia, Colorado, Connecticut, and Utah, as well as a new California law that is expected to be more rigorous than the already existing CCPA law.
Companies who handle customer data will need to be in the know as to what these regulations require in order to ensure they are able to comply with the new laws; otherwise, they may face hefty fines.
Earlier this year, Sephora made headlines for being the first company to be fined under the CCPA law. It failed to disclose to customers that it was selling their personal information, then failed to fix the issue within the 30-day window allowed under the law. It was required to pay $1.2 million as a result.
According to Brian Hengesbaugh, data privacy expert at the law firm Baker McKenzie, these new laws are very well-written and more clear than ones in the past, but the tradeoff is some people feel they’re too simple.
“For example, they don’t really clearly articulate as many exceptions or provide as many ways for companies to think about how they actually can do the compliance,” he said.
As an example, the Virginia law includes a general provision that companies shouldn’t process sensitive personal information without obtaining consent, and there are no exceptions given to that. The GDPR includes clear limitations on the consent requirement, such as if you need the information to perform a transaction or comply with the law, he explained.
Commonality between the laws
While there are some differences between the different laws, there are also a lot of similarities.
According to Himanshu Shukla, co-founder and CEO at privacy automation company LightBeam, the new laws all follow five primary tenets:
- Are you providing notice to the user?
- Do you have consent on how to use the data?
- Are you providing access to the end user?
- How are you securing the data?
- Do you have the necessary workflows in place to implement the first four tenets?
“All the privacy laws, if you look at them, the nuances of A versus B are very minimalistic, as long as you have got a necessary framework to track the five points,” said Shukla. “Now, one can very well say that there are different data elements, people call it data elements, we call it attributes in terms of what constitutes your privacy information, that might be different for each regulation, some smaller minor changes, which come up, like saying you have the capability to handle employee data versus customer data versus vendor data separately.”
According to Hengesbaugh, California’s new CPRA law is different from the other four states in that it applies to any data about a natural person, which extends the scope beyond consumers to employees, job applications, or business-to-business contacts.
He says that in many ways, this puts California on the level of Europe with its General Data Protection Regulation (GDPR) in terms of the broad scope.
The other four state laws apply only to consumers, which Hengesbaugh defined as “individuals purchasing for personal family or household purposes.”
This difference in scope in California is forcing B2B companies to really have to figure out how they’re going to get ready and have a comprehensive privacy program to meet the requirements, Hengesbaugh explained.
Impact on software development
Shukla noted that in his experience talking with different companies, many treat privacy as a checkbox item, which is not the right way to approach it.
“If you’re gathering data from your customer, you’re truly a trustee of the data and you should handle it responsibly,” said Shukla. “And for that, you have to have the necessary checks and balances or processes in place within the organization.”
Hengesbaugh added that these privacy regulations should have an impact on how we develop software. For example, what happens when a consumer asks for access to a copy or their data or wants their data deleted entirely?
“And so these, these are all activities, maybe particularly the deletion, one that I think has caused a lot of headaches over the years, as companies have tried to grapple with different privacy laws,” said Hengesbaugh. “But you really almost need to embed privacy by design throughout the product development lifecycle. As a result, you really have to think about it kind of every step of the way.”
There are also data minimization obligations, which impacts the development process, because it’ll force developers to really think about what data they actually need to capture and how much data they’re setting themselves up to capture.
According to Hengesbaugh, many people were hoping that some of the emerging state laws would be preempted by a federal law, but nothing is in the works at the moment.
“I think we’re probably going to be left with this kind of mess for several years to come at least. And the states will probably fill in a lot more laws of different shapes and sizes as we go, just because, you know, the states are unregulated on how they regulate this stuff,” said Hengesbaugh.
Four other states already have their own new privacy laws in the committee stage: Michigan, New Jersey, Ohio, and Pennsylvania.
Hengesbaugh predicts that a high percentage of legislators — maybe 80% — would agree that this should be regulated at the federal level.
The problem is that there are lots of questions as to where to get started with that sort of wide-scale effort. Plus there are questions like how much should it cover? Should it preempt state laws or not?
“And then suddenly, you don’t have anywhere to go to get enough of a majority to actually get something adopted,” he said.
Hengesbaugh argues that people feel like if there is no preemption, then what’s the point? “You just added another set of rules we have to deal with, without solving all the underlying issues? So I think that’s where we are,” he said.
Shukla compared our current situation to back in 1996 when HIPAA was passed, which is a federal regulation around medical records that applies to the whole country. He explained that when that was passed we were in the right place as a country to get something passed universally.
“For privacy, Europe has been way more advanced while the US has been lagging behind by a big degree and hopefully something universal kicks in. That would be awesome,” said Shukla.