How to Deal with the ‘Patchwork’ of State-Level Privacy Laws in the US
Privacy & Compliance | September 01, 2023
The enactment of the General Data Protection Regulation (GDPR) in Europe in 2018 and the California Consumer Privacy Act of 2018 (‘CCPA’) started a domino effect for state privacy laws in the United States.
Now, The California Privacy Rights Act (CPRA) has extended and amended many of the CCPA’s provisions, and ten other states – Colorado, Connecticut, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia – have passed comprehensive privacy laws.
Three of those states – Colorado, Connecticut, and Virginia – have already begun enforcement of their privacy laws, and five more – Iowa, Montana, Oregon, Tennessee, Texas, and Utah – will have laws in effect by 2025.
In California, enforcement of the CCPA is already in full swing. In August 2022, California’s Attorney General announced a $1.2 million settlement with makeup retailer Sephora based on consent and privacy-related CCPA violations. To date, there have been over 270 CCPA-related legal actions filed, according to research from multinational law firm Perkins Coie.
Without an overarching federal privacy law in place, this complex patchwork of state privacy laws has created a complicated compliance environment for businesses and privacy professionals operating in the US.
And, as more states enact privacy laws, not only are digital privacy best practices becoming the law, but transparency and privacy are also increasingly expected by consumers. To build trust, businesses must clearly and honestly communicate why they collect consumer data. Anything less could damage customer relationships. In fact, in a survey of 1,000 American consumers, 71% said they would stop doing business with a company if it gave away sensitive data without permission.
To succeed in such a complex compliance environment, organizations must be keenly aware of, and be able to operationalize, the varying requirements to achieve broad compliance while still meeting business goals. In this blog, we’ll outline how businesses can approach the emerging patchwork of state-level privacy laws by prioritizing commonalities to maintain broad compliance.
For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.
Dealing with the ‘Patchwork’ of State Privacy Laws
A lot of noise has been made about the ‘patchwork’ approach of privacy legislation in the U.S.
Detractors say that the lack of a guiding federal law has given way to a mess of state-level regulations that make compliance onerous, inefficient, and confusing.
And they’re right. Multinational, national, and even regional businesses in the U.S. face a unique challenge in dealing with multiple overlapping and sometimes contradictory privacy laws. But it’s not an insurmountable challenge.
Even without a unifying federal privacy law in place, state-level privacy laws have a lot in common.
All of the eleven state laws passed at the time of writing follow the same formula to determine applicability, and the majority of them, to varying extents, protect the same consumer rights: the rights to access, to delete, to correct, to data portability, and to opt-out.
That’s because every state-level law passed since 2021 has simply followed (and iterated on) the groundwork laid by the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act (VCDPA), which themselves borrowed heavily from the EU’s General Data Protection Regulation (GDPR). In fact, the most recent raft of laws from Iowa, Indiana, Montana, Tennessee, and Texas all lifted language directly from the VCDPA. Some of them even borrowed its naming convention.
So while the U.S. may not have an overarching privacy regime, at least the patchwork of privacy laws makes a somewhat coherent design.
That means that, with careful planning, it’s possible to create a compliance program that is both broad enough to meet the majority of state-level requirements and flexible enough to accommodate future laws.
The first step in managing compliance is to determine what, exactly, you need to comply with. Is a broad approach necessary? If so, how broad? Or would it be better to address compliance state by state?
Stakeholders, be they compliance officers, legal personnel, security, or marketing teams, should start by determining which laws actually apply to them according to the scope and compliance thresholds of each law. Once a business hits one or multiple thresholds for compliance, it should then determine its obligations under applicable laws, and the extent to which those obligations vary.
By understanding the commonalities and differences between applicable state privacy laws, businesses can then determine whether they need to create a compliance program for each applicable state or whether a comprehensive approach is possible.
As a rule of thumb, when taking the comprehensive approach, it’s best to plan for the strictest applicable law to ensure broad compliance – unless you are capable of providing different consent and privacy experiences for different locations. For example, a business that serves Utah, Nevada, Arizona, and California would be best off following California’s stricter privacy guidelines.
Once the applicable laws have been identified and a compliance approach has been determined, the next step is to address the most obvious and enforceable components of the law: consumer rights.
Addressing Consumer Rights
As noted above, U.S. state privacy laws generally offer a similar set of rights to consumers, with some variation on the extent of requirements. Likewise, all 10 state-level privacy laws share similar requirements for the communication and execution of those rights, namely privacy notices, opt-out links, and consent banners.
The purpose of these privacy notices is to transparently communicate an organization’s privacy practices, such as how consumers’ personal information is collected, used, and shared. These notices must be shared at the time of data collection and must also detail how consumers can exercise their privacy rights.
Consent management is a particularly visible aspect of compliance. All 11 state-level privacy laws give consumers the right to opt out of data sales, and many extend the right to opt-out to profiling, automated decision-making, and data sharing. Where sensitive personal data is concerned, eight of the ten laws require affirmative, opt-in consent for profiling. To enable this right, businesses must provide a conspicuous opt-out method like a “Do Not Sell or Share My Personal Information” link or a consent banner.
For most businesses, these requirements make up the two most highly visible areas of compliance, and as such, they attract a much higher level of scrutiny – from both regulators and consumers – than back-end governance workflows.
For example, in 2022, a CCPA enforcement action related to opt-out requests resulted in a $1.2 million settlement. In Europe, insufficient fulfillment of information obligations, i.e. privacy notice violations, have resulted in 150 GDPR fines, and consent-related issues are attached to over 495 fines.
Operational Considerations and Business Requirements
In addition to consumer rights, state-level privacy laws like the CPRA, VCDPA, and CPA also saddle businesses with a variety of operational requirements aimed at increasing security and facilitating consumer rights. Common requirements include data minimization, retention, and purpose limitation standards, as well as data security requirements and Data Protection Assessments (DPAs), also known as Privacy Impact Assessments (PIAs).
While less visible than consent banners and privacy notices, these requirements are nonetheless essential for a successful compliance program. Though not a legal requirement under U.S. state privacy laws, data discovery and mapping will help with identifying sensitive data, meeting data minimization and purpose limitation requirements, managing third-party risk, and responding to security incidents.
On the other hand, DPAs are required by all state privacy laws except those of Iowa and Utah. They are an integral part of adhering to state privacy laws and should not be underestimated. These assessments help organizations gauge the level of risk that specific data processing activities could pose to consumer privacy. They’re vital not only for compliance but also for establishing and maintaining trust in an organization’s ability to handle personal information responsibly.
These assessments require careful consideration of the context of data processing, the relationship between the controller and the consumer, and the consumer’s reasonable expectations. In most jurisdictions, relevant DPAs must be disclosed in the event of an investigation, and failure to produce robust DPAs could lead to regulatory penalties.
Compliance as a Constant Effort
Privacy law has rapidly become one of the most dynamic areas of legal and regulatory concern for businesses operating in the United States, one which has created new challenges and opportunities for businesses, regulators, consumers, and legislators alike.
In this intricate framework of state-level regulations, compliance isn’t a one-and-done endeavor. Rather, it’s a continual commitment—an ongoing effort that requires vigilance, flexibility, and consistent attention to shifts in legislation and changes in technology. This endeavor doesn’t merely sit with your legal or compliance teams; it requires active buy-in and understanding from every sector of your organization, from the C-suite to marketing.
In an environment where state laws can change rapidly, with new ones appearing and existing ones being updated, staying informed is not merely an advantage—it’s a necessity. Understanding the commonalities and differences among the various laws and using tools like our State Privacy Law Comparison Chart can assist organizations in maintaining an informed overview and adapting to changes swiftly.
Flexibility is equally important. With some states pushing for more stringent consumer privacy rights and others leaning towards a more balanced approach between business interests and privacy rights, organizations must be ready to adjust their data management practices on a state-by-state basis. This need for adaptability extends to technology investments too, as businesses turn to consent management and workflow tools to assist them in managing their compliance duties effectively and efficiently.
Finally, the role of organizational buy-in cannot be overstated. A truly privacy-first business model requires the active involvement of the entire organization, not just the compliance team or IT department. All stakeholders, from leadership to customer service, need to understand the importance of privacy compliance and its role in maintaining consumer trust and business reputation.
As privacy laws continue to evolve and proliferate at the state level in the United States, so too will the need for businesses to evolve their privacy strategies. This guide, we hope, provides a useful roadmap for navigating the complex patchwork of US state-level privacy laws and maintaining a privacy-first approach in a rapidly evolving environment. As we move forward into 2024 and beyond, we invite you to join us in keeping a keen eye on the privacy horizon, adapting with flexibility, and championing privacy within your organizations.
Enabling Compliance with CHEQ Privacy
The CPRA, GDPR, and other regulations have made privacy a top compliance priority. Today, most websites use cookie banners to register consumer consent for tracking and data collection. But most cookie banners merely record user consent, without enforcing or logging user preferences, creating a compliance gap that may leave businesses open to costly fines.
With over 70 billion consents served, CHEQ Privacy helps you close the compliance gap and make privacy easy with best-in-class client-side preference enforcement features, helping you maintain marketing agility and avoid costly fines.
Enforce privacy in real-time
Automatically block and allow tracking technologies based on consent, without relying on APIs or third-party integrations, retaining marketing agility and regulatory compliance without the need to change workflows or implementations.
Stop data leakage and prove compliance with data governance
Maintain organized consent records and avoid accidentally collecting PII or other sensitive data patterns in approved technologies and maintain compliance regardless of missteps by employees or external partners.
Monitor third-party technologies
Monitor and control all tags on your site with intelligent categorization of third-party technologies. Ensure that privacy choice enforcement is not only applied to direct website services but all services utilized by proxy.
Easy setup and integration
One line of code enables seamless privacy compliance, with no changes to live martech implementations and easy integration into existing privacy workflows.
Ready to secure your customer privacy and compliance? Get started with a demo today.