Privacy regulation in the United States has historically not been something business owners spent a lot of time worrying about – it’s been limited to specific industries or situations. But as this graphic demonstrates, that’s all changing.
Most business owners have heard of the California Consumer Privacy Act, or at least recognize it when they hear the title – but how about Maine’s LD 946? All three of the currently enacted laws affect the privacy landscape for US businesses, and most of the other legislative efforts on the map are expected to pass in the next year or two.
Don’t forget that these laws apply to the information about people living in these jurisdictions, no matter where the business holding the information is located. The lack of a California location doesn’t shield you from the compliance requirements of the California law. It isn’t enough to watch for the passage of a new privacy law only in the states where you operate, all of these laws potentially apply.
On the one hand, this proliferation of new privacy rules and regulations creates the potential for things to get messy and complicated, particularly for smaller businesses. Until and unless new federal legislation comes in to replace the state laws, businesses will need to pay attention to any new privacy legislation at the state level, at least in order to determine whether or not it applies.
On the other hand, regulations aren’t happening in a vacuum. Much as the global standard in privacy regulation is the European Union’s GDPR, US states are mostly following California’s lead in their privacy regulations. Using IAPP’s analysis of common elements as a guide, it’s possible to come up with a straightforward list of projects for businesses in the second half of 2019.
Inventory of Personal Information
The most common requirement in privacy legislation is to give individuals information about personal data collection. It’s impossible to comply without a clear inventory of the data you collect, the purposes it gets used for, and how it’s protected. This isn’t as easy as you might think; personal information is a broad category that includes elements like IP addresses recorded in web server logs and email addresses entered into web forms. Building out a usable inventory, even for a fairly small business, is a complex job and requires time and attention across the organization.
Thorough Data Management Processes
Consumers not only have the right to know about the information you collect, they’re often given the right to modify that information. Modification rights range from the ability to demand the correction of information to the right of deletion to restrictions on how the information may be sold or processed.
Regardless of the particular rights and privileges that apply to the information you collect, the solution is the same – you have to have clear, usable processes for managing that information. How are changes made? Who’s responsible for ensuring that requests are completed in a timely fashion? If someone makes a complaint, what records will you have to answer any investigation?
Chances are, the information you have is mostly managed in reasonable ways. But it has to be consistent, and it has to be verifiable for regulatory compliance, and those both require solid and efficient processes.
Comprehensive Privacy Notices and Customer Communication
Websites and companies have fine-print Privacy Policies – though it’s rare to find someone who’s actually read one. Regulators have taken notice of this and are frequently requiring clearer customer communication.
While you’re thinking about the compliance issues, take a moment to consider how this could benefit you as well. Here you have an opportunity to not only comply with regulations but also engage your customers in a conversation. Demonstrating that you take their personal information concerns seriously and being open about your practices can be an excellent business development tool.
Complete a Formal Risk Assessment
You’re probably used to risk assessments being a required security compliance element. Well, privacy regulations typically require them too. The details of the requirement are a little unclear – there’s very little in the regulations about scope and required elements – but in order to get real value out of the assessment, it’s worth rethinking your existing process from a privacy perspective. Make sure your assessment includes all systems involved in the storage of personal information.
If you’ve never included privacy concerns in your risk assessments before, it’s a good idea to schedule an extra privacy-focused assessment just to get a good snapshot of the current situation and be able to dedicate remediation resources. Without that extra effort, you may find your annual assessment project team overwhelmed by the changes brought on by the increase in scope.
Think About Your Project Timeline
These tasks take different amounts of time and energy depending on the size and complexity of the organization. At a minimum, with dedicated and knowledgeable resources and staff, the initial effort to create a personal data inventory takes four to six weeks. Risk assessments are similar, longer if you don’t already have a regular assessment process. Process development and adoption, on the other hand, are long-term efforts rather than discrete projects – you should expect the timeframe to be measured in quarters. These efforts are also difficult to do simultaneously without dramatically increasing the resources required – particularly since the results of the inventory impact the requirements of the others.
Be warned, the California Consumer Protection Act driving many of these requirements takes full effect on January 1, 2020. Enforcement actions won’t begin for another six months, but will be affected by the actions taken in the meantime. Although narrower in scope, Nevada’s new privacy requirements allowing users to opt out of the sale of personal information takes effect on October 1.
For all the necessary pieces of the puzzle to be in place ahead of these deadlines, you should be getting these projects scoped and scheduled now.