Preparing for the Next Wave of U.S. Data Protection Regulations

essidsolutions

The California Privacy Rights Act (CPRA) has now passed. But how does it differ from the CCPA and what does it mean for U.S. businesses? In an age when consumers are winning the debate on data privacy rights, CPRA spells big changes for tech companies’ approach to data collection. Here, Zak Rubinstein, CEO and founder of 1touch.io, explains the nuts and bolts of the new game-changing privacy law and how organizations can get started on their privacy compliance program.  

The EU’s General Data Protection Regulation (GDPR) was the first of a wave of data privacy laws passed in recent years. Some of these laws were written to achieve reciprocity with the EU, while others were driven by consumers’ demand for privacy.

As the regulatory landscape grows more complex, achieving and maintaining compliance with all of these regulations is a significant challenge for businesses. Many of the new laws share similar goals, but their details and requirements can vary significantly from one to another.

The Rise of State-Level Privacy Laws

The California Consumer Privacy Act (CCPA), the best-known U.S. state-level privacy law, offers California residents many of the same protections as the GDPR, in a state that hosts a significant share of the tech industry.

However, the CCPA is far from the only state-level privacy law, and it is not even the only attempt to ensure data privacy and security for California residents. Understanding the U.S. regulatory landscape and how it continues to evolve is essential to complying with new requirements as they arrive.


The New California Ballot Initiative

The CCPA began as a California ballot initiative before the state legislature took over and passed a (very different) version of the law. The same group behind the CCPA, Californians for Consumer Privacy, has landed a new initiative on the November 2020 ballot, the California Privacy Rights Act (CPRA).

The goal of the CPRA is to build upon the foundation of the CCPA, offering additional protections to Californian consumers and changing the requirements for businesses. The proposed law includes several consumer rights that are familiar from other privacy regulations but missing from the CCPA, including:

  • Data Correction: Data subjects have the right to require businesses to correct inaccuracies in the data collected about them 
  • Restrict Use of Sensitive Personal Data: Data subjects can limit businesses’ use of “sensitive” personal data (a special category under the CPRA) 
  • Data Minimization: Businesses are required to limit the amount of data collected and data retention periods to what is necessary 
  • Restrict Use of Precise Geolocation: Data subjects may deny the use of precise geolocation 
  • Transparency Regarding Automated Decision-Making: Companies must be transparent about how they are using data in automated decision-making processes 
  • Restrict Sharing of Data with Third Parties: Redefines the CCPA right to opt out of “selling” data to include “sharing” data as well 

Beyond granting consumers these rights, the CPRA also requires businesses to change how they operate. While it narrows the definition of a covered business (reducing the burden on small businesses), it adds responsibilities for organizations that remain subject to the law. These include implementing data protection by design and by default, maintaining records of processing activities, and, for businesses whose processing of personal information presents significant risk to consumers, performing regular risk assessments and cybersecurity audits.


State-Level Laws Beyond CCPA

In recent years, Maine and Nevada have enacted data privacy laws, and ten other states currently have bills working their way through their legislatures. A further seven states have a task force in place or are conducting a study.

These privacy laws can vary significantly from one state to another. The CPRA is the most comprehensive of the laws currently in progress, but the others each grant their residents a different set of protections. The International Association of Privacy Professionals (IAPP) publishes a comparison of the pending laws based on eight rights they grant to consumers and eight responsibilities they impose on businesses.


Preparing for and Achieving Regulatory Compliance

The rights and requirements of U.S. privacy regulations vary from state to state, but most of them are largely a subset of the stronger regimes such as the CPRA and the GDPR. As a result, an organization that already complies with the CPRA and GDPR should need only small adjustments to meet new laws as they are passed and take effect. The adjustments are not zero, however: applicability thresholds, the definition of personal (and sensitive) data, and notice and opt-out mechanics still differ from state to state and need to be checked against each new law.

All of these laws are designed to ensure the privacy and security of consumer data, so the first and most important step of the compliance process is for organizations to identify the scope of their data collection, storage, and usage.

You cannot properly secure, or answer consumer requests about, data that you don’t know you have, and unknown data can lead to a data breach, regulatory penalties, and/or lawsuits. In practice, the inventory needs to record not only what personal data is held, but where it is stored, why it was collected, how long it is retained, and which third parties it is sold or shared with, because those are exactly the facts the rights above (correction, minimization, restricting sharing and sensitive-data use) require you to act on. Start your organization’s compliance journey by achieving the data visibility that you need.
