Most people are aware of the General Data Protection Regulation (GDPR) in effect in the European Union and many are aware that the United States does not have a comparable federal law. The US has some industry-specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA) that applies to the healthcare industry and the Gramm-Leach-Bliley Act that applies to financial institutions, but no law that protects consumer information generally across all industries. But the lack of a general privacy law like the GDPR does not mean that US companies have no privacy obligations. In fact, companies operating in the US can have an even more complicated web of privacy laws to navigate than European companies do.
In the absence of a comprehensive federal law (and the improbability that Congress will enact one in the foreseeable future), individual states are beginning to tackle the issue on their own. California adopted the California Consumer Privacy Act (CCPA) in 2018, and California voters then amended the CCPA through a 2020 ballot initiative, the California Privacy Rights Act (CPRA). Virginia passed its Consumer Data Protection Act (CDPA) in March 2021. Eleven other states have one or more bills pending. Nine states have debated bills that either died in committee or were postponed. While there is not yet broad consensus on what a privacy law should include (which is why 20 states have debated – but not yet adopted – legislation), there is broad consensus that legislation is needed, and discussions will undoubtedly continue in the 48 states that have not yet found an acceptable compromise.
These state laws are creating a patchwork of privacy laws that can be more challenging for businesses than a single federal law. First, when legal theories evolve at the state level, businesses that operate across state lines need to monitor the laws of all the states they touch. Second, dissimilar state laws require businesses to sort out how to apply different laws to different consumers. For example, almost every law defines “personal information” slightly differently, so a business needs to decide whether to operate under a single definition that will satisfy all states’ laws or to try to apply different standards to different states’ residents. And, because the California laws require businesses to disclose consumers’ right to opt out of sales of their personal information, companies that have California customers need to choose between extending those opt-out rights to all consumers (regardless of state of residence) and trying to explain to consumers from New York, Colorado, or any of the other 47 states that they don’t have a right to opt out because they aren’t California residents.
There are no easy answers for businesses, particularly for smaller businesses that lack internal resources to monitor multiple states’ laws and maintain compliance policies and procedures that work across their entire geographic footprint. That said, there are a few strategies that most businesses should adopt:
- Know what personal information you are collecting, why you are collecting it, and where you keep it. These are important first steps for many reasons, including that it’s impossible to protect information – or to respond to consumer requests to update or delete information – if you don’t know what information you have or where it is. Analyzing why you are collecting the information also facilitates data minimization, where a business limits the information it collects to what it actually needs for the purposes it has disclosed to its customers and keeps the information only for as long as the business needs it. Data minimization increases customer trust and decreases the risk of loss from a security breach.
- Always consider privacy and data security when you are about to make an investment in computer equipment, software, or a new business line. These are inflection points where the cost and complexity of enhancing privacy and data security can be minimized. “Privacy by design” is much easier than “privacy by retrofit.”
Privacy policies and data security programs can – and should – have different levels of complexity, depending on the nature of your business, what information you collect, and how the information is used. But every business collects personal information in some way, shape, or form, so every business should think through the issues that are relevant to it and develop a privacy and data security strategy that fits its size and needs.
Nancy R. Wilsker is an attorney and partner at Hinckley Allen. She counsels clients broadly on operational and business issues, including matters relating to the design, implementation, and maintenance of retail banking products (including online and mobile banking programs); general regulatory compliance; marketing programs; prepaid products; payment systems; privacy policies and information security policies; dealings with supervisory agencies; cash management systems; and vendor agreements.