Highlights:
- Despite increased momentum, federal data privacy legislation is unlikely to come to fruition in 2023.
- Instead, enterprises will need to comply with a patchwork of five upcoming state laws.
The new state laws actually have more commonalities than differences, but there are some important distinctions. - Ultimately, these laws bring the U.S. closer to the European GDPR framework, and if your organization operates globally, it’s beneficial to leverage the work that’s already been accomplished.
Regulations in 2023
The argument to make privacy and data protection an organizational imperative has never been more clear as legislative action ramps up across the country.
We’re just months away from the implementation of five new U.S. privacy laws, each with slightly varied requirements and definitions:
- California Privacy Rights Act (CPRA) — effective January 1, 2023
- Virginia Consumer Data Protection Act (VCDPA) — effective January 1, 2023
- Colorado Privacy Act (CPA) — effective July 1, 2023
- Connecticut Data Privacy Act (CTDPA) — effective July 1, 2023
- Utah Consumer Privacy Act (UCPA) — effective December 31, 2023
It’s paramount that companies are in tune with these looming regulatory requirements to ensure they remain compliant and avoid hefty lawsuits and fines.
How will these regulations impact your privacy program, and what do you need to know to guarantee you’ve prepared your enterprise?
Three data privacy leaders — Harriet Pearson, Senior Counsel at Hogan Lovells, Mike Hintze, Partner at Hintze Law PLLC, and Audrey Jean, Senior Vice President of Legal and Chief Privacy Officer at AARP — recently shared their expert advice with the Data Privacy Board during a panel on privacy regulations in 2023.
Post-Mid-Term Election Insights
The Data Privacy Board panel discussion kicked off on November 9, the morning after the U.S. midterm elections, so panelists gave their predictions for what privacy legislation could look like on a national scale.
There have been several failed attempts at instating a uniform national standard around data privacy. However, in June of 2023, a bipartisan draft bill — American Data Privacy and Protection Act — was released.
If enacted into law, it would provide a national standard on what data enterprises can gather from consumers and how they can use it, as reported by Rebbeca Kern, POLITICO Tech Policy Reporter.
“The bill released Friday includes agreement between Republicans and Democrats — for the first time — on two areas that have blocked previous efforts: whether a federal privacy law can preempt state laws and whether individuals should have the right to sue companies that illegally share their data or use it in ways the law prohibits,” Rebecca wrote.
With bipartisan backing and relative business backing, Harriet said the current iteration of this bill is the clear front-runner for federal privacy legislation. Yet, the contents of the American Data Privacy and Protection act could change following the Republicans flipping the house.
“My prediction would be that the content of that front-runner bill is going to change, but there’s still significant interest on a bipartisan basis for federal legislation.”
Harriet Pearson, Senior Counsel at Hogan Lovells
In part, Harriet explained how the momentum for a more uniform standard has been fueled by the upcoming state laws and the pain they will likely cause in terms of inconsistencies and enforcement actions.
Despite this promising momentum, Harriet, Mike, and Audrey all agreed that any federal privacy action would be unlikely in 2023. Audrey added that she’s operating under this assumption at the enterprise level.
Mike agreed that the house flipping could significantly alter the dynamic. Additionally, he said, the potential for federal action has, in part, been held up by current legislation in California.
“One of the biggest issues is the preemption when we have all this state activity. There’s a lot of momentum and a lot of reason to get behind a federal bill that would bring some rationality and consistency across the country,”
Mike Hintze, Partner at Hintze Law PLLC
Mike added, “That help got held up because of mainly California making a lot of noise saying that the federal bill shouldn’t take away the rights that California has.”
Key Takeaways on Upcoming Regulations
Without uniform data privacy standards, U.S. enterprises are left to tackle a patchwork of state legislation, which is no easy task.
The looming question remains, should an enterprise enact umbrella terms and policies or attempt to set controls on a state-by-state basis? Furthermore, what are the implications of potentially providing certain protections, as required by state law, to some consumers and not others?
Audrey said at AARP, the goal is to develop frameworks and processes that are as harmonized as possible.
“I think every enterprise has to decide for themselves, which among the highest standards they’re going to make universal in their program — versus picking and choosing. I think that depends a lot on your individual situations and how much data you have in every state.”
Audrey Jean, Senior Vice President of Legal and Chief Privacy Officer at AARP
As part of this process, it’s important for enterprise data privacy leaders to understand the key commonalities and differences between these state laws.
Mike explained that Virginia, Utah, Connecticut, and Colorado share relative similarities as they were based on the same basic model proposed in Washington. He said California is a bit of an outlier but still, they all have more commonalities than differences.
As outlined by WRAL TechWire, all five new laws include the following conditions and are roughly 85% identical:
- They include broad definitions of personal information.
- They include a new definition of Sensitive Information.
- They all include effectively the same broad data subject rights.
- They require detailed privacy notices and employee training.
- They require detailed recordkeeping and have an expanded Right of Opt-Out.
- They are only enforced by their Attorneys General and preclude a private cause of action for violations of the statute.
At a high level, Mike said in terms of requirements and obligations, Connecticut and Colorado are a bit more robust while Utah is less stringent, and Virginia sits somewhere in the middle.
Mike referred to Utah as the “most business-friendly” and said, “people shouldn’t be losing sleep over Utah.”
California is often acknowledged as the strictest of the new data privacy laws, and Harriet said California’s sunsetting of the exemption for employment data is a dynamic yet to be seen in the U.S.
An article by the Am100 law firm Polsinelli states that the CPRA will eliminate the California Consumer Privacy Act’s (CCPA) exemptions that applied to the processing of employee data. Under the CPRA’s new obligations, state employers must prepare and provide a privacy notice to employees or job applicants at or before the time personal information is collected, among other requirements.
Audrey said she thinks there will be a lot of eyes on how the CRPA plays out and enterprises will certainly want to prepare their colleagues in Human Resources and employment law.
Benchmarking with Other Privacy Leaders
Ultimately, the panelists agreed that each of the five upcoming laws brings the country closer to the European regulatory framework for data privacy. As a result, Audrey and Harriet advised leaders at global companies to find the pre-existing playbooks within their institutes.
“If you have global operations and people have been dealing with this in Europe, leverage that work that’s already been done because a lot of this is similar and can be aligned with General Data Protection Regulation (GDPR), particularly on the HR side,” Harriet said.
With so much change on the horizon, it’s also beneficial to benchmark strategies with other enterprise privacy leaders. You can learn invaluable insights from leaders operating at similar enterprises among different industries, states, and nations.
The Data Privacy Board is where senior enterprise privacy leaders can receive candid peer insights in a confidential and vendor-free setting.
