Culture of Compliance | State Data Privacy Laws: A Moving Target
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin: Welcome to Frazier & Deeter’s Culture of Compliance podcast series where we discuss compliance as a competitive advantage in today’s marketplace.
I’m Sabrina Serafin, Partner and national leader of Frazier & Deeter’s Process, Risk, & Governance practice, and today we’re talking to Jodi Daniels, Founder and CEO of Red Clover Advisors, a data privacy advisory service that specializes in General Data Privacy Regulation (GDPR), US privacy law and other aspects of data strategy. Jodi, welcome back to the podcast.
Jodi Daniels: Hi, thank you so much for having me. I’m glad to be here.
Sabrina: You came on the podcast earlier this year to talk about the trend of individual states passing privacy laws that apply as protections to their residents. We’ve invited you back to give our listeners an update on further state legislation. First, can you give us some background about what concerns inspired states to work on their own legislation individually?
Jodi: Absolutely. One of the biggest reasons is that there’s not a national standard. What we have here in the United States is what we call a sectoral approach: there are individual privacy laws. For example, if you want to block a telemarketer, you have the ability to use the ‘do not call list’; that’s a national privacy law. We’re all familiar with HIPAA, which covers us from a healthcare perspective; your financial services, your bank or your credit card statement, they are covered under a separate privacy law.
So, there’s not a comprehensive privacy law that covers all the other kinds of data, and I just listed a couple of even the national privacy laws. As a result, for states that wanted to really offer their residents more privacy protections, the only other option was to begin creating their own privacy laws, and that’s what we saw with the introduction of CCPA, the California Consumer Privacy Act, that was passed in 2018 and became effective and enforceable in 2020.
Sabrina: For listeners who are not familiar, can you give us just some quick highlights of the California law?
Jodi: Yes, and it’s important to also understand. We’ll talk a little bit about the California law now, and what’s starting to happen with the California law going forward, because there are some interesting and exciting updates.
First is that the California law now applies to businesses, and it’s really all about making sure that they are communicating what they’re doing with data, what they’re collecting, what they’re using, and there’s a very large emphasis on the sharing of data with third parties. We’re familiar with a privacy notice; there’s a long list of requirements of what needs to be in a privacy notice.
The California law introduces something called individual rights, kind of similar to what we have in HIPAA or, for those familiar with GDPR, the European Union’s national privacy law. It introduces individual rights, meaning someone could ask: “I’d like to know what you’re doing with my data,” “I’d like to know what kind of data you have,” “I’d like for you to delete my data,” “I’d like for you to not use my data; I have a series of individual rights.”
And the California law today also has a big emphasis on sharing data with third parties, and as a part of that is very focused on the sale of data to third parties. Many of us listening may have received a catalog in the mail at some time that we never signed up for. How did we all get that? Well, somewhere along the line our information was sold, and then a company bought it to market to us. In the California law there’s a part that’s all about the ability to tell me that my data has been sold and allow me to opt out if my data has been sold.
Companies really have to understand the flow of their data to be able to determine the impact to them if they’re sharing or selling data, what that privacy notice needs to be, and individuals’ rights. I mentioned there’s a new and exciting California law. In November of 2020, and we’ve talked about this before on the show too, one of the items that Californians voted for was the new privacy law; its acronym is CPREA, California Privacy Rights and Enforcement Act. And that law brings it closer to GDPR: it introduces more rights, it poses more obligations on a company to protect data, to think about how they’re using that data first, and companies nowadays will need to identify where they are complying with the existing California law and then do a little bit of a gap analysis to where they might need to go going forward.
Sabrina: So now that we have more states joining in, talk to us about what’s happened this year with other new legislation.
Jodi: Well, Virginia decided to join the party and became the second state to introduce what is known as a comprehensive privacy law. And Virginia’s law is almost a cross between the new California law and GDPR. It takes some of the language from GDPR, for someone listening who might be familiar with the concept of a controller, the company that collects the data and decides how it should be used, versus a processor, which is a service provider for example, and a variety of others; it has similar individual rights as GDPR. The difference, though, is that under the California law employees and businesses are really in scope, and in the Virginia law it’s very focused on consumers. Virginia also has a much narrower definition of the sale of data, and there are a variety of other similarities and differences.
Another state, the third state to enter the party this year, is Colorado, which signed into law in July of this year. Also a comprehensive law, called CPA, the Colorado Privacy Act, it kind of borrows again from California and Virginia and a little bit of GDPR, and kind of has, you know, its concepts. It wants to emphasize very much the privacy notice, individual rights, protection of data and thinking; basically, before any data is collected and used, companies really have to go through an assessment. And all of these laws also make sure that companies are paying attention to the vendors, to the sharing of data, and again that sale of data piece.
Sabrina: This looks like a compliance trend that’s going to just keep coming. Are there other states that seem likely to pass privacy legislation this year, 2021?
Jodi: Well, you know, it’s always an interesting toss-up when we talk about legislation, and I think for most sessions, we probably won’t expect any more from what may have been introduced in 2020 or 2021 at a state level to be passed, although, interestingly, in July of 2021 Ohio introduced a new privacy law; it’s called OPPA, Ohio Privacy Protection Act. I really think it should have been OPA, then we all could have been “OPA!” Maybe they’ll adjust it, but that hasn’t passed yet; it’s just been introduced.
Washington did not pass after the third try this year. I do believe that Washington will continue to come back until it passes. Florida was so close to passing; many people thought that Florida was absolutely going to pass, and, kind of at the last minute, there were some changes and it did not pass. And there are probably 16 to 20 other states that have introduced privacy laws.
The idea of when is really just a matter of priority for that moment in time in the legislature and what’s happening in that state. There’s obviously a lot of competing priorities right now that states are having to deal with. Privacy is continuing to be a really important one, and when we look back over these last couple years and see nearly half the country introducing some type of privacy law, even if they all haven’t passed that’s a signal to us of where we are going to go.
California was the first to introduce data breach laws, and now we have a data breach law in every state. I do believe, unless and until there’s a national law that is introduced and passed (because there’s often a national law introduced), we will continue to have a patchwork state privacy law system.
Sabrina: Jodi, you mentioned there isn’t a national privacy law or privacy legislation. Where does the current administration sit when it comes to privacy?
Jodi: I think a great signal of this administration’s view on privacy is with President Biden’s recent executive order on promoting competition in the American economy that was issued in July of 2021, and in multiple places it references privacy and security. It really wants to ensure that any app, any type of technology, whether it be from the US or especially from outside the US considers privacy and security throughout its entire life cycle.
It’s referenced multiple times in the executive order. For anyone interested, just search online and enter “privacy”; you’ll see it multiple times, and I think that’s really a beginning step for everyone to understand that cybersecurity is a critical piece for any organization going forward, small to large, government, nonprofit and corporate. It signals that the administration takes privacy and security very seriously, and this is a critical step in continuing that conversation.
Sabrina: Thank you, Jodi. Given the landscape keeps changing, are there recommendations that you have that apply to any business, no matter how large or small? What are just the facts?
Jodi: Absolutely. The most important piece any company should be doing, whether you are small or big, is understanding the data flow, and that means thinking about your company and the type of data it collects and where it collects it. Think about your employees, think about your vendors and your customers.
Think about marketing, the actual core product or service you have, maybe customer support, financial activities, customer surveys. Think about all the different places where data is; understand the very specific types you’re collecting, is it name, email, and so on and so forth, and where it’s being stored.
I often hear companies tell me, “Well, it’s all in the cloud, it’s fine.” It might all be in the cloud, and it might be fine if you have the right measures in place, but you really can’t think about the right security measures to protect everything if you don’t know where everything is, so the very, very first step is to understand all of the data flowing through your organization. That will help identify, when any state law is passed, what changes you have to make to your privacy notice, because the questions are going to go back to: well, what kind of data do you have, and what are you doing?
Individual rights: well, what kind of data do I have and where is it, how do I protect it? What type of future plans do you want? So tip number one is going to be, understand your data flow. Tip number two would be, anytime you’re doing something new in the company, a new marketing campaign, a new update to a product feature or service offering, that is, an update that involves collecting or using or sharing data differently than you did before, there should be an assessment. Oftentimes someone’s asking how much does it cost, how many people do we need, what kind of technology; now we need to also add in the privacy pieces. Those would be my top two tips.
Sabrina: Great advice, Jodi, and I want to thank you for being with us today and helping our listeners stay up to date with the changing privacy regulatory landscape. And to our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast, and please join us for our next episode as we continue to discuss transforming compliance requirements into investments in your business.