It’s been less than two and a half years since the California Consumer Privacy Act, also known as CCPA, went into effect, but the influence of that signature legislation is already incalculable. Like the General Data Protection Regulation (GDPR), the European mandate that came before it, this set of wide-ranging regulations has fundamentally changed the conversation on data privacy and reset the clock on what government can and should do to protect consumers’ personal information.
Since then, every company doing business in California or with Californians has had to change many operating practices. And in a state that big, it’s also no surprise that a few have faced legal actions and consequences, mostly for violations of PII (personally identifiable information) restrictions. But in terms of public attention, it’s surprising how quickly the issue has faded from the headlines. It’s as if the law was passed, (most) companies did things differently, and the problem was solved.
Let’s understand the reality of the environment. Any kind of compliance, particularly any kind around data privacy, is not a static phenomenon. There are always new data channels and formats requiring new processes and technologies to ensure ongoing compliance. There are always new digital threats created and initiated by cybercriminals to undermine existing defenses and policies. And of course, there are often new government regulations forcing companies to do things differently.
Even CCPA won’t be CCPA much longer—when 2024 arrives, it’ll be CPRA, or the California Privacy Rights Act, which encompasses its predecessor while establishing more stringent measures (and enforcement bodies to make sure they stick). However, there are even bigger changes on the horizon, and they potentially affect every company doing business in every state.
No, there isn’t a federal mandate on the way—in fact, if and when that arrives, it might be a relief. Instead, there’s a veritable tsunami of regulations coming at the state level, CCPA-like but with regional flavors. Knowing what each state requires, and how that differs from other states, is likely to be a nightmare. As a result, organizations that are not at least researching the various mandates coming down the pike may face massive headaches down the line.
By our count, legislators in at least 27 states around the country have forwarded data privacy bills for debate in just the past few months. By 2024, it’s likely that almost every state will have its own version passed into law. This is getting little to no attention in the business world, and yet it requires serious effort to ensure compliance. Businesses getting prepared now are barely ahead of the curve; those that put it off till the laws hit the market will have to scramble to keep up.
Remember, generic preparations alone won’t suffice—despite plenty of overlap, some states have unique provisions that will require custom efforts. And perhaps most importantly, the regional implications only go so far: These laws regulate state data-subject PII without regard for where the company doing the data collecting happens to be located. In that sense, every state law has national or even global reach.
Also, the fact that many of the laws contain similar language doesn’t necessarily bring comfort. It may even end up causing similar levels of confusion.
For example, the original CCPA statute enjoins businesses to “implement reasonable security procedures and practices appropriate to the nature of the personal information.” The latest New York state bill tells controllers to “maintain reasonable safeguards” and adopt “reasonable administrative, technical and physical safeguards.” The Virginia Consumer Data Protection Act (VCDPA), the 2021 Minnesota privacy bill and the Utah statute all call for “reasonable administrative, technical, and physical data security practices.”
The similarities are, well, reasonable, and entirely understandable. No entity wants to reinvent the wheel, and there’s no real problem with legislators borrowing from each other. But we’re in largely uncharted territory here: Is there any guarantee that every state Attorney General will define “reasonable security practices” the same way? And if not, wouldn’t it help to have more specific requirements?
Ongoing conversations with lawmakers in different states reveal that most wanted to ensure that the first iteration of these laws didn’t contain too many technical barriers that would make compliance protocols difficult to develop. Another reason, which usually goes unsaid, is that the more specific a bill is, the harder it is to get passed; between reasonable and prescriptive, it’s usually no contest.
To be sure, many of the common provisions do set particular standards. For example, they uniformly grant consumers the right to access their personal data, make corrections as necessary, and delete it as they wish. In one surely popular clause, they can opt out of the processing of personal data for targeted advertising. There are also specific definitions of terms such as ‘data collector’ and ‘data processor,’ boundaries around PII, and exclusions/exemptions for particular businesses. These are all worthy provisions, and organizations would be well advised to incorporate these into their operating practices even before the laws arrive.
And finally, there are some provisions that are like ticking time bombs. Consider the data subject access request, or DSAR. This gives every consumer the right to ask a business about the PII it holds on that consumer—confirmation that such data is indeed being held, how it’s being used, whether and how it’s being sold, and a lot more. Consumers don’t even have to say why they want this report, and there’s often a tight deadline involved.
Organizations failing to comply will be hit with steep fines—for example, $20,000 for particular violations of Colorado’s law, CPA. But ensuring compliance can be almost as painful and expensive. According to one estimate, the average company facing 142 DSARs a month spent $1,400 responding to each request. And remember, these laws haven’t generated much attention with the public, which makes these requests relatively rare for now. When the new privacy laws enter the zeitgeist, the number of DSARs could spike—and that would take a massive bite out of the bottom line.
In sum, there’s considerable uncertainty ahead—we know there are many laws coming, but we don’t know which provisions will apply where—and that necessitates diligent preparation now. In the digital era, personal information can be used, misused and abused with ease; consumers want and have a right to expect data protection, and state governments will win support for putting such laws in place. We’re not going to have a uniform, established nationwide set of laws anytime soon. Instead, we’ll get a patchwork quilt of state-level mandates with varying degrees of enforcement.
The only way forward is not to question the need for more compliance but to ensure it. New technologies to consolidate all PII into centralized and secure repositories to make the data easier to find and extract—the obvious first step—are now available, and the processes to do this right are being developed and implemented at forward-thinking institutions. What’s needed is the will to step up and do the right thing.