Private: New State Privacy Laws – What’s Required?

New State Privacy Laws – What’s Required?  

As with so many cultural and societal trends, the state of California led the way with the nation’s first state privacy law back in 2018. And just last year, Virginia and then Colorado passed similar versions. At the time of this writing, another 20 states have proposed privacy legislation, all of which are currently being discussed in committee at various stages of development. While many of those bills likely won’t see the light of day, some probably will. If you’re a compliance professional at an organization that collects and processes personal and sensitive information (and what company isn’t these days?) it will be increasingly important to watch these developments carefully.

If you’re a compliance professional at an organization that collects and processes personal and sensitive information (and what company isn’t these days?) it will be increasingly important to watch these developments carefully.

Many of you reading this who are charged with legal or operational privacy compliance have probably already done a lot of work to set up controls to manage the CCPA’s requirements, and maybe even the CPRA’s. But what new obligations, you may be wondering, will these proposed state privacy laws impose on our business? Many of the bills being considered are similar in nature and composition to the existing California, Virginia, and Colorado laws, with provisions calling for:

Right of Access, or an individual’s right to request and receive their personal data from a business or other organization. All the proposed bills but West Virginia’s currently include language providing for this consumer right.

Right of Rectification/to Correct and the Right of Deletion, which provides the right for individuals to correct or amend inaccurate information that a business holds about them. Most of the proposed legislation provides for both these rights. Notably, New York, and West Virginia do not provide for either right, as currently written.

Right of Restriction, providing for an individual’s right to limit or prohibit a business or other organization from processing their personal data. Several of the proposed laws limit this right to sensitive data or, alternatively, provide a right to opt-out of using data for profiling or targeted advertising purposes.  Pay attention to this one, as your future marketing efforts may well be affected by individuals exercising their rights where applicable.

Right of Portability, generally, where data processing is done based on consent or a contract, consumers have the right to receive their personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another entity without hindrance from the original business to which the personal data had originally been provided. Only 11 of the proposed bills do not provide this “right of data portability”, signaling a growing trend to include this consumer right. Determining how to respond to these requests efficiently and effectively will certainly take some time and effort reworking existing data processing systems, procedures, and processes.

These are just some of the consumer rights being considered in the draft laws, and monitoring which ones come into force will be critical for your compliance efforts.

If you’d like to hear more about these pending bills and how to prepare for the eventuality of their compliance requirements, join us for an interactive webinar hosted by the IAPP on March 10th at 11 AM EST, where we’ll discuss them in depth and provide time for audience questions. The seasoned legal and operational privacy professional panelists all have years of experience advising clients on compliance best practices. You can register for the webinar here: Leverage Your Compliance Efforts: Preparing for Upcoming State Privacy Laws. We hope you can join us!

And for more information on Myna Partners and our risk management services, contact Eric Dieterich, Managing Director, at: eric.dieterich@levelupconsult.com