Personal privacy is increasingly viewed as a global human right. In fact, by 2024, it is anticipated that 75% of the worldwide population will be protected by modern data privacy regulations.
Unfortunately, the United States is playing catch-up in the data privacy space compared to our neighbors in the European Union and the United Kingdom. The good news is that data privacy is becoming more strictly regulated in the U.S., and enforcement is improving across highly regulated industries like finance and healthcare.
As a result of the new legislation, organizations may need to comply with a growing patchwork of new U.S. state regulations in 2023. Similarly, a new federal data privacy law, the American Data Privacy and Protection Act (ADPPA), has been introduced in the U.S. Congress, and it could eventually supersede existing state legislation.
Key elements of the pending and proposed legislation are explored in greater detail below. But first, let’s explore where data privacy stands today.
Growing need to respect consumers’ data privacy
Much of the new legislation originates from heightened consumer awareness of their individual privacy rights and high-profile data breaches over the past few years that have exposed U.S. consumers’ privileged information.
Today’s hybrid work environment has also introduced new risk vectors. Many organizations have become focused on the issue of maximizing productivity while employees are working remotely, which has resulted in detailed questions about employees’ daily routines and work-from-home arrangements. Questions of that nature can create their own unintended privacy impacts.
In addition, the convergence of protected health information (PHI) and personally identifiable information (PII) — including workers’ insurance claims, employees’ and patients’ health records, and compensation reports — has increased the risk to highly confidential data. To stay on top of constantly evolving data privacy regulations and applicable requirements across industries, businesses of all sizes should consider where their customer and employment data live and the prospective threats to that data.
U.S. state legislation
California was the first U.S. state to enact GDPR-style data privacy regulation with its California Consumer Privacy Act (CCPA) in 2020, but several other states have recently followed suit. Many small- to medium-sized businesses aren’t aware that new legislation goes into effect in 2023, so here’s a brief recap:
- The California Consumer Privacy Act (CCPA) will be replaced by the California Privacy Rights Act (CPRA) on Jan. 1. The Virginia Consumer Data Protection Act (VCDPA) also goes into effect on that date.
- The Colorado Privacy Act (CPA) and the Connecticut Data Privacy Act (CTDPA) go into effect on July 1.
- The Utah Consumer Privacy Act (UCPA) goes into effect on Dec. 31.
Each of these regulations has its own company-size thresholds and legal requirements, so if an organization does significant business with consumers in any of these states, it should immediately research whether the regulations apply to it.
Key drivers for federal legislation
With 10% of U.S. states to be covered by data privacy legislation by the end of 2023, it’s clear there’s a growing need for federal legislation. Legislation at the federal level will help align the U.S. with other countries in the data privacy space. It will also provide suppliers and consumers with much-needed direction on how to manage private information. While it’s unknown when federal legislation like the ADPPA will be enacted, it’s no longer a question of if but when it will occur.
Data is constantly evolving, and so is the legislation that safeguards it. There will be even more shifts in the near future, both domestically and overseas. This complexity and evolution are why businesses must prioritize immediate and long-term compliance obligations for handling and securing sensitive information. Big-picture, organizations cannot plan for long-term success without ensuring that data privacy requirements are met first.
Understanding how regulations apply to the company
Given the variety and number of state data privacy and protection regulations, it’s understandable that many companies struggle to understand which regulations might apply to them. In general, these regulations are focused on where consumers are located. As an example, California’s laws might apply to a company based in West Virginia that has consumers located in California.
Businesses often need clarification on how their size relates to regulatory compliance; a common misconception is that a company is not subject to data protection requirements because of its size. The size of a business can be quantified in various ways, including the number of employees or the volume of annual sales. The volume of client data an organization handles is another consideration in establishing the applicability of data privacy rules. Therefore, companies should understand how each law is specifically written and how it applies to their respective business.
Now is the time to act
Companies need to act swiftly and decisively to comply with rapidly evolving regulations. Failure to do so can result in litigation and fines for noncompliance, which is being enforced more strictly than before. Noncompliance can also tarnish brand reputation and jeopardize the trust of customers, employees and investors, which can result in lasting and devastating business impacts.