With more and more U.S. states creating their own data privacy laws, it’s been harder to keep track of the changes. Which states are introducing new laws? How does this affect businesses handling data? Jodi Daniels from Red Clover Advisors returns to discuss with Sabrina Serafin recent updates and what to look for in the coming months.
Listen now using the player below or download for later. (If you cannot see the player, please accept our Privacy Policy below and refresh).
Culture of Compliance was recently named #1 in “Top 25 Regulatory Compliance Podcasts You Must Follow in 2020” by Feedspot.
Follow Culture of Compliance on iTunes, Google Podcasts, Spotify or wherever you listen to podcasts.
Culture of Compliance | U.S. Data Privacy Laws: Where Are We Now?
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance Practice. Today, we’re talking to Jodi Daniels, Founder and CEO of Red Clover Advisors, a data privacy advisory service that specializes in GDPR, US privacy laws, and other aspects of data strategy.
Jodi, welcome back to the podcast.
Jodi Daniels It’s so great to be here and thanks for having me.
Sabrina Jodi, you were on the podcast a couple of years ago talking about GDPR, and that’s the European Union’s General Data Protection Regulation that caused many American companies to update their privacy policies and procedures. Since then, we’ve seen a trend in the United States passing laws implementing a variety of privacy regulations, we’re interested to hear more about recent developments.
Jodi, could you give us some background about what concerns inspired the states to work on their own legislation?
Jodi Sure. It’s a couple for a couple different things, and I think most people would say it harkens back to the Facebook Cambridge Analytica scandal and that was back in 2018, when the State of California decided to be the first state to pass privacy legislation. It was aimed at giving individuals control over their personal data and also to be better informed, because California already has privacy laws that exist that are actually what prompted many American companies today to even have a privacy notice. We’ve kind of become familiar with them, the privacy notice in the footer. This new law was really all about strengthening what those disclosures needed to be, and to really offer strong consumer choice. So, individuals understood what was happening and had control.
I think the other thing that’s important to understand is we’re in the midst of a digital transformation. Every company is in the data business these days, and the Facebook Cambridge Analytica situation was really all about a company collecting data on an individual, creating a profile, and then sharing and ultimately selling that data to yet another company for them to then use for other companies to ultimately profile people for whatever message they wanted to send. The individual didn’t understand what was going on, if we understand the digital transformation, the digital advertising that’s happening and the lack of control, that is what is prompting states to follow California’s lead.
Sabrina For listeners who are not familiar, can you give us some highlights of the California law and what they put into place?
Jodi Yes. The California law is called the California Consumer Privacy Act, CCPA, and it was passed June 2018 and became effective and enforceable in 2020. It has a variety of requirements, but the highlights are that it makes the company have to have a privacy notice with a variety of very specific disclosures. It has to be honest, transparent, and what data it’s collecting, using, and sharing. The other big part of it is the sharing piece, what type of data is a company sharing to third parties? Kind of unique twist to the CCPA, is sharing, then has this other definition called selling, and a company could be deemed selling data, even if it wasn’t a monetary consideration, so it could be for other valuable consideration. In sum, a company has to figure out all the data that has, who it is sharing it with and could that other party use it for some other purpose? If it does, it could be considered a sale of data.
The other big piece to the California law is it gives individuals choices. I could ask you to tell me what kind of data you have, I could ask a company to delete the data that it has on me in certain situations. The last piece, is who does the CCPA apply to? It applies to any company who has earned more than $25 million of global revenue, or processes more than 50,000 data points, basically personal data points on individuals, or earns more than 50% of its revenue from the sale of data. You just have to meet one of those, and you’re trying to serve a California customer. You don’t have to be based in California, you just have to have California customers. So, those are the qualifications to have to comply with the California law.
Sabrina So, looking beyond California, what are the other states considering? Are they similar?
Jodi it’s kind of interesting because people will say there’s that copycat of CCPA, and I actually first mentioned CCPA because that’s what we have in place now. First, it’s important to actually talk about California because in the November 2020 election voters passed another law and it’s called CPRA, the Consumer Privacy Rights Act. It has a long list of other requirements and it brings it a little bit closer to GDPR. Imagine a chart, with CCPA at the bottom left, we’ve kind of inched our way up.
There are other states that are copying CCPA, there are other states that are going further up towards GDPR, but not exactly GDPR. An example of that would be Washington State, Virginia is another one that is actually very close to passing. Washington has its third year back, and Virginia came in this year and it’s already passed the House. It’s expected to have a high chance of passing the Senate, and the governor’s already said he wants to sign the bill.
Sabrina Jodi, is the proposed Virginia legislation similar to CCPA?
Jodi The Virginia law, it’s a little different. It kind of changes the threshold, but it has a very broad definition of personal data. It brings out some of the phrasing that people familiar with GDPR might be used to, things like controller or processor, it requires consent to process sensitive data. Now, that is a true statement in the CPRA, the new California law that I just mentioned that was passed, and that law will take effect in 2023; January 1, 2023. Virginia takes into account biometric data, and there’s additional consumer rights that people have and then there’s also the requirement to do data protection assessments.
For example, if a company wants to use data, it actually has to go through a formalized process to assess what is the risk of harm to the individual, and that includes targeted advertising, the use of sensitive data and the sale of personal data, as well as if there could be any other risk of harm and some other type of activity.
Sabrina Are there other states that seem likely to pass privacy legislation this year?
Jodi There’s New York that has four different privacy laws on the docket, with Governor Cuomo also asking for one to be passed, he’s very supportive of a privacy bill. The state of Utah and the state of Oklahoma have all introduced legislation. You asked if there are any that are similar or different, Oklahoma is a really interesting one to mention because Oklahoma is a bit more of an opt in requirement to using data, especially for advertising purposes, and that hearkens it closer to GDPR. The United States is still very much an opt out law, Oklahoma would really change things. Now, when it comes to sensitive data, that’s a different situation but Oklahoma is a fun one because it’s not a political thing on either side.
Again, it is expected to have an opt in situation for the use of data. So, they’re kind of all over the map, and there’s been a lot of other states that have looked at them but for 2021 this is where we are right now.
Sabrina You had mentioned biometrics is a factor in Virginia as different states add additional requirements. Is that going to cause other states to have to peel back and update their laws to reflect new risks or technology?
Jodi That’s a great question, one of the big challenges for companies to have to figure out how to even comply with a patchwork of state laws, it really will be up to the state. Where we are on some biometrics is, let’s take facial recognition as an example, you have cities passing facial recognition laws. For example, Portland, Oregon has its own facial recognition law, the State of Washington has a biometric and facial recognition law, the State of Illinois also has a biometric law. What Virginia is doing is it’s trying to put the biometric piece inside a single comprehensive privacy law as opposed to having them individually sliced.
I do think as technologies continue to evolve and grow, and companies, there will be some that try and push the envelope on what they should or shouldn’t be doing. Then, yes, you might have a state having to go back and figure out, “How do I deal with this new fancy technology?” Something like artificial intelligence, how and data ethics, and the ability to use artificial intelligence to make decisions. Well, what happens if that decision is unfairly harming someone’s privacy or the choices that are afforded to them?
That’s always the challenge with technology, the laws are always a little bit behind where the technology is. Many of these laws are trying to be encompassing enough to think about personal data and the requirement of having a company do an assessment to evaluate the risk of harm, it’s trying to be a part to capture all of these. I certainly think that you will continue to see evolution in privacy laws.
Sabrina You mentioned earlier, many organizations are going to have to keep up with many requirements. Do you have a parting piece of advice for how an organization that operates in multiple states or hits a number of different potential requirements? How do they keep up?
Jodi They need to start now, if they haven’t already. I think a number of companies have kind of hoped, “oh, it’s not in my state” or “I don’t have enough people there” and it’s coming to a state near you. I think the very first piece, and the foundational part, is to understand your data. It’s to create a solid, what we call a “data inventory”, break the business down into business processes, and always be updating what that is. Let’s use an example, e-mail marketing, everyone’s trying to get more contacts and more leads. If you have an e-mail marketing program, you probably are collecting names, e-mails, maybe a CRM, maybe an e-mail marketing system.
Do you ever change that marketing system? Do you ever change the fields? Are you able to manage either what state or country those people are from? If there’s ever a change, it should be updated, if there’s going to be a change, the privacy pieces should be considered first. In summary, it’s to update and always maintain your data inventory because then if a new state law comes, you’re able to determine, do we collect sensitive data? No, we don’t. Do we collect sensitive data? Yes, we do. Okay, here’s where we collect it and now they’re able to more quickly implement whatever requirements is necessary so that the data inventory piece is essential, as well as having someone, whether that’s an internal stakeholder or external be able to keep up with the various privacy laws. Just like they have to do with tax laws and HR laws, privacy is here to stay.
Sabrina Clearly, we’re dealing with a number of acronyms and we’re dealing with a number of dates. What is the most impending deadline?
Jodi At the moment, I would say 1/1/23 is going to be a very busy timeframe. Most of them are looking to have implementation or effectiveness by then. It’s certainly possible that it could be a 1/22 deadline, but safe to say 1/23.
Sabrina Thank you, Jodi, that’s great advice. We appreciate you being here with us today to help our listeners stay up to date with these changing privacy regulations. To our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode, as we continue to discuss transforming compliance requirements into investments for your business.