Navigating the new U.S. data privacy regulations

Jul 21, 2023

Image via Unsplash

In an era marked by rapid technological advancements and an ever-increasing dependence on digital platforms, data privacy has emerged as a critical concern. To address these concerns, several U.S. states have implemented strict data protection regulations. Starting in July 2023, Virginia, Connecticut, Colorado and Utah will enforce fines for non-compliance with these regulations, holding businesses accountable for mishandling sensitive information.

Currently, nine states (California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee and Montana) have comprehensive data privacy laws. Additionally, around 16 states introduced privacy bills during the 2022-23 legislative cycle, covering various issues such as biometric identifiers and health data. Proposed bills in other states (e.g., Illinois, Massachusetts, Minnesota, New York, Pennsylvania) offer similar rights but may differ in implementation and enforcement.

As new regulations come into effect, it is crucial for individuals and businesses to grasp their implications fully. Understanding the scope of these regulations and their specific requirements is essential for compliance. Let's understand what these regulations entail, who they apply to and what businesses need to do to avoid penalties and reputational harm.

The upcoming data privacy regulations in VA, CT, CO and UT draw inspiration from the GDPR which are considered a global benchmark for data privacy protection and share similarities with the California Consumer Privacy Act (CCPA), one of the most comprehensive data privacy laws in the United States. Understanding the scope of these regulations is critical to creating an effective security and compliance strategy. Here's what security leaders need to know:

This includes forthcoming information on automated decision-making, cybersecurity audits and data processing risk assessments. Personnel and B2B contacts will be treated as consumers under the CCPA. Consumers can limit data collection and use, including geolocation data within 1,850 ft. Businesses must disclose data retention policies and avoid excessive retention. Data sharing for cross-context behavioral advertising can be prevented by consumers. The 30-day "cure" period for enforcement actions is removed. Penalties for mishandling children's information have tripled to $7,500 per incident, increasing non-compliance repercussions.

In order to prevent non-compliance, businesses need to proactively take measures to stay ahead of threats and violations. Here are some essential points that businesses should acquaint themselves with as the initial step towards ensuring compliance.

Having a detailed knowledge of the changing regulations enables effective implementation for businesses navigating data privacy. Additionally, it is crucial to be aware of the opportunities for remediation in the event of unintentional violations. By promptly addressing non-compliant practices within specified timeframes, businesses can minimize potential penalties and maintain strict compliance with the regulations.

Assess the potential impact of these regulations on your business operations. Identify areas where personal data is collected, stored, or shared, and evaluate whether current practices align with the new requirements. Identifying gaps will facilitate the implementation of necessary changes.

To comply with data privacy regulations in multiple states, businesses must be aware of implications in different jurisdictions. For example, if a business in Florida serves customers from Virginia, they must also meet Virginia's data privacy requirements. With privacy regulations in 22 U.S. states, businesses must conduct a thorough analysis of their customer locations to track and adhere to relevant privacy laws in each operating state.

To comply with data privacy regulations, businesses must update privacy policies, obtain explicit consent, ensure robust data security and provide accessible channels for consumers to exercise their privacy rights. Ongoing monitoring and automation are vital for tracking and reporting data privacy activities. Additionally, regular updates to applications and systems are crucial for evolving privacy requirements, despite associated costs (coding, updating app processes, etc.). Prioritizing a secure and privacy-conscious environment is essential for user trust.

The U.S. data privacy laws differ in their applicability to digital and paper records. While some laws, like HIPAA, apply to all types of records, others, such as Children’s Online Privacy Protection Act (COPPA), focuses on online data collection. California's previous laws focused on electronic data, including privacy notices and breach reporting. However, the CCPA extended its coverage to both electronic and paper records. The new US data privacy laws take inspiration from the CCPA.

Invest in people, processes and technology to strengthen security, compliance and governance. Leverage technology for automated monitoring, threat detection and incident response. Implement encryption, multi-factor authentication and secure coding practices to protect data and prevent reputational damage.

Key priorities for businesses include:

Kaus Phaltankar is Co-founder and CEO of Caveonix.