Nationwide Privacy Regulations are Coming: What You Need to Know, and How They Will Affect Your Organization
In an article posted this past month, we discussed Proposition 24 and the California Privacy Rights Act (CPRA) and how it changed and expanded California's data privacy legislation. California is only one of the first states to enact such legislation, however. The legal landscape around data privacy is changing nationwide as state legislatures draft bills with similar rules and regulations. While some of the bills currently in committee may fail, looking at what these bills have in common with the laws already enacted gives a better picture of where the United States is headed on data privacy from a legal standpoint.
According to the IAPP Westin Research Center, 16 provisions commonly appear in comprehensive state privacy statutes. These 16 provisions fall into two categories, consumer rights and business obligations, and are listed and described below.
Consumer rights
- Right of Access
- The right for a consumer to obtain from a business/data controller the information or categories of information collected about the consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties with which the information was shared, or some combination of similar information.
- Right of Rectification
- The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
- Right of Deletion
- The right for a consumer to request deletion of personal information about the consumer under certain conditions.
- Right of Restriction
- The right for a consumer to restrict a business’s ability to process personal information about the consumer.
- Right of Portability
- The right for a consumer to request personal information about the consumer be disclosed in a common file format.
- Right of Opt-Out
- The right for a consumer to opt-out of the sale of personal information about the consumer to third parties.
- Right Against Automated Decision-Making
- A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
- Private Right of Action
- The right for a consumer to seek civil damages from a business for violations of a statute.
Business obligations
- Strict Age Opt-in for Prohibition of Sale of Information
- A requirement that a business obtain affirmative opt-in consent before selling the personal information of consumers under a certain age, rather than relying on an opt-out default.
- Notice/Transparency Requirement
- An obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs.
- Data Breach Notification
- An obligation placed on a business to notify consumers and/or enforcement authorities about a privacy or security breach.
- Risk Assessments
- An obligation placed on a business to conduct formal risk assessments of privacy and/or security projects or procedures.
- Prohibition on Discrimination (exercising rights)
- A prohibition against a business treating a consumer who exercises a consumer right differently than a consumer who does not exercise a right.
- Purpose Limitation
- An EU General Data Protection Regulation–style restrictive structure that prohibits the collection of personal information except for a specific purpose.
- Processing Limitation
- A GDPR-style restrictive structure that prohibits the processing of personal information except for a specific purpose.
- Fiduciary Duty
- An obligation imposed on a business/controller to exercise the duties of care, loyalty, and confidentiality (or similar) and act in the best interest of the consumer.
What do these provisions mean for you and your organization?
For consumers, these regulations provide more control over personal information: the right to know who holds it and what organizations may do with it, and the ability to seek compensation or other recourse that a court deems appropriate. For businesses, they limit the sensitive personal information an organization may collect and retain and how it may be used, require affected consumers to be notified in the event of a breach, and require formal risk assessments of privacy and security practices. All in all, these regulations aim to give consumers more power over their personal data and hold businesses accountable for keeping that data safe.
These regulations do not pertain only to organizations that sell consumer information or use it for advertising; the legislation will affect every organization and how it handles the growing amount of sensitive data it uses day to day. Companies will be held accountable for knowing what information they hold and how they use it. On top of the direct consequences of a breach, organizations could face fines and be legally obligated to compensate affected customers.
It is not a matter of if, but when, privacy legislation will be introduced across the country. Because these regulations are emerging state by state, it is essential to have a plan to comply efficiently. This is where Secuvant can assist your organization by helping you navigate the ever-changing cyber environment. We can develop and implement a cybersecurity plan that is tailor-made for your organization's specific needs and budget, regardless of your size. Implementation of and compliance with new regulations won't come overnight. Learn more about Secuvant's cybersecurity services, how we can benefit your organization, and how to talk to a Secuvant expert at www.secuvant.com.
Located in Salt Lake City, Utah, Secuvant is a global leader in integrated cyber threat analytics and risk advisory services, built on a value system of client focus, integrity, accountability, execution, and teamwork. Secuvant’s mission is to provide clients with a Clear Path Forward in their pursuit of establishing an acceptable security risk posture. Secuvant’s success is built upon strict adherence to its values, a functioning world-class advisory board, the unique combination of cybersecurity expertise and industry / vertical specialization, and a team of experts that repeatedly deliver best-in-class managed and advisory cybersecurity and risk services. Secuvant understands Cyber Risk is Business Risk™ and uses methodologies and metrics aimed at minimizing business risk. Services include, but are not limited to, Security Gap and Risk Assessments, Risk Program Management, Executive and Board Cyber Advisory, Penetration Testing, Security Monitoring, Managed Detection and Response and Incident Response services. To learn more, visit www.secuvant.com.
Rippy, Sarah. "US State Comprehensive Privacy Law Comparison." International Association of Privacy Professionals, 14 Jan. 2021, https://iapp.org/resources/article/state-comparison-table/