Highlights:
- Moving into 2023, the U.S. will see five new state privacy laws in California, Utah, Colorado, Virginia, and Connecticut.
- Communicating with key enterprise counterparts — particularly HR and Employment Law — is essential in the wake of impending legislation.
- Take advantage of cure periods permitted by certain state laws and be prepared to remedy issues quickly in the event you are identified by a regulator.
- Rather than focusing on the nuances of each state regulation, focus on creating policies that are as harmonized as possible.
- Perfect compliance is not an achievable goal — prioritize what’s most impactful and visible.
The evolving regulatory landscape
It’s clear that data privacy should be top of mind for large enterprises as consumers grow increasingly concerned about how companies collect, store, and use their personal information.
A 2022 McKinsey study found that today, consumers are choosing where to spend their dollars based on how well companies protect their data. Consumers value trust and security just as much as price and quality.
With this increased focus on privacy comes an impending wave of U.S. legislation. In the absence of a comprehensive federal law, moving into 2023, we will see five new state privacy laws in California, Virginia, Utah, Colorado, and Connecticut.
In an article for Forbes, Wendy Batchelder, Senior Vice President of Global Data Governance and Chief Data Officer of Trust at Salesforce, said that while these regulations are necessary, they also make the job of a data privacy leader that much more difficult.
She wrote, “We have to strictly ensure that our companies are compliant with multiple jurisdictions and prove to our customers that we’re doing what we need to do to protect information. Navigating the differences is tricky and will only become harder.”
What can data privacy professionals do to tackle these challenges and protect their enterprises from potential risk in the form of heavy fines and reputational harm?
Three industry experts — Harriet Pearson, Senior Counsel at Hogan Lovells, Mike Hintze, Partner at Hintze Law PLLC, and Audrey Jean, Senior Vice President of Legal and Chief Privacy Officer at AARP — sat down with the Data Privacy Board for a panel discussion on preparing for regulations in 2023.
Together they highlighted five valuable considerations for senior privacy leaders.
1. Engage with key enterprise partners
To be effective, a data privacy program can’t exist in a silo, and it’s imperative that leaders engage with their enterprise partners ahead of impending regulations.
Audrey stated it’s important to communicate with your counterparts in Human Resources and Employment Law to not only ensure they’re ready to fulfill data rights requests, but to also help them prepare for what she called “mischief” behind those requests.
Under the new regulations, enterprises must offer consumers the right to access, delete, correct, port, and opt out of the sale of their personally identifiable information, per an SHRM article. In California, these rights are extended to employees and job applicants.
SHRM states, “Businesses must understand where consumer data, sensitive data, and regulated employee/HR data is stored; be able to access and account for that data, and respond substantively to requests for the data.”
Mike echoed Audrey’s point and urged privacy leaders to talk to their employment lawyers because the interplay between data protection and employment law can be “complicated and fraught with challenges.”
“It is a known fact that as these access rights and data portability rights came into effect in Europe, former employees often use it as an end run around discovery because they plan on suing you,” Mike said.
Harriet — who previously served as IBM’s Vice President of HR — agreed with these statements.
She said that while there’s every reason to be transparent with employees — and good organizations are — it’s also important to be able to justify why some pieces of information should remain confidential, such as performance reviews, employee handbooks, and other leadership development tools.
“I think the vocabulary of the privacy folks and the HR folks coming together is going to be really key,”
Harriet Pearson, Senior Counsel at Hogan Lovells
2. Take advantage of cure periods
During the Data Privacy Board panel, Harriet also highlighted the topic of cure periods — the time in which a breaching party must cure a breach or defect.
She said, “Each of these laws has some ability to take advantage of a cure period, which I find fascinating.”
Harriet added that these cure periods are not something she’s seen available in European law, but it’s something U.S. privacy leaders should learn how to use to their benefit.
If your enterprise is identified by a regulator, Harriet advised leaders not to waste precious time contemplating how to act.
“Take advantage of that time to cure. Get rid of the action and be ready to react as you would for a breach notification,” she said.
Mike pointed out that while this cure period is sunsetting in California, it will remain among the other state laws.
Furthermore, Mike said even when there isn’t a formal cure period, you’re often able to work with regulators in the event you’ve made a genuine mistake that you’re committed to remedying in a timely manner.
“Take advantage of what the law gives you, but also think carefully about how you want to engage with these agencies and be cooperative and responsive.”
Mike Hintze, Partner at Hintze Law PLLC
Don’t undervalue your level of responsiveness and communication with regulators. Mike pointed out that a lack of response and cooperation can set a bad tone that doesn’t serve scrutinized organizations well.
3. Lean towards simplicity and harmonization
It’s true that the five upcoming state privacy laws have more commonalities than differences.
Still, there are slight variations to consider between the state laws and other jurisdictions.
As Audrey put it, “There are slight nuances everywhere.”
She added that unfortunately, at most enterprises there is simply not enough privacy counsel staff to take an especially precise approach to policy. Instead, she suggested the overall goal should be to develop frameworks that are as harmonized as possible.
“I think it’s probably quite common that people are trying to do as much of a one-size-fits-all approach where they can and act with good faith and clean up as they go along.”
Audrey Jean, Senior Vice President of Legal and Chief Privacy Officer at AARP
Audrey shared there are bound to be a number of technical differences that are not fully captured on day one, but the goal is to move the organization toward a more privacy-respecting culture.
Mike also added that attempting to tackle the complexities of each state law could actually lead to error. He advised leaders to have an open dialogue with key stakeholders to determine the approach that balances risk with a legitimate business need for data.
4. Focus on prioritization
Branching off the idea of moving the enterprise to become more privacy-focused, the panelists pointed out that perfect compliance is an unattainable goal.
Harriet said, “You could keep working till the cows come home, and there’s going to be data left unmapped. There are going to be contracts that have not yet been swept into your third-party vendor program.”
There are other concerns, such as cybersecurity issues or data breaches, that will at times need to take precedence. As a result, Harriet said that enterprise-wide there needs to be both a risk assessment and an appetite for assuming risk.
In the case that an attorney general does come knocking, Harriet told leaders they should be thinking about how to illustrate that the enterprise is acting in good faith. In part, this is achieved by having a Chief Privacy Officer in place who commands respect within the organization, and by securing a commitment from senior officials, expressed through statements, policies, and education around privacy.
“It’s really important to have that narrative,” Harriet said.
“Show that there’s been attention in these areas and a lack of perfection is not going to be as big of an issue.”
Harriet Pearson, Senior Counsel at Hogan Lovells
There are also certain procedures that are more impactful and visible than others, according to Mike, who said those should be high on the priority list.
“There are interns in the California AG’s office right now — they’re just going around the internet reading privacy notices and looking for privacy statements and privacy policies that don’t have the right California magic words in them. And they’re making a list.”
5. Learn from your peers
Hopefully, your enterprise never has to learn what happens when you’re contacted by a regulator — but many will.
Harriet suggested learning from those experiences, whether by seeking outside counsel or advice from other enterprises that have been through it.
Peer advice is always an invaluable tool, particularly when you’re facing an evolving regulatory landscape.
The Data Privacy Board is where senior-level privacy leaders at large enterprises can get unbiased peer insights in a confidential and vendor-free environment.