The US privacy landscape has evolved since the first comprehensive state privacy law, the California Consumer Privacy Act (CCPA), was passed in 2018. Since then, Californians have voted the California Privacy Rights Act (CPRA) into law and five other states have passed their own comprehensive state privacy laws. 

This complex patchwork will cause headaches for affected organizations of all sizes and all levels of maturity. For companies at the beginning of the maturity curve, focusing on the most visible aspects of US privacy compliance, such as consumer rights requests and privacy notices, can help prevent consumer complaints. As your organization matures its privacy program, refining internal operational efficiencies can launch your privacy program beyond compliance and toward promoting consumer trust. At the far end of the maturity scale, organizations can look to develop further policies for the use of personal information that is both lawful and ethical.  

But, before you can tackle these three priorities, you must understand US state privacy and what challenges compliance might bring. 

An update on US privacy laws

Six state privacy laws will be, or will become, effective between January 1, 2023 and January 1, 2025. These laws will define the US privacy landscape in lieu of a federal privacy framework. The comprehensive state privacy laws in the US include:  

• California Privacy Rights Act (CPRA): Passed in November 2020, it will amend several key areas of the CCPA upon its entry into effect on January 1, 2023 
• Virginia Consumer Data Protection Act (CDPA): Passed in March 2021, it will enter into effect on January 1, 2023 
• Colorado Privacy Act (CPA): Passed in July 2021, it will enter into effect on January 1, 2023 
• Utah Consumer Privacy Act (UCPA): Passed in March 2022, it will enter into effect on December 31, 2023  
• Connecticut Data Privacy Act (CTDPA): Passed in May 2022 , it will enter into effect on July 1, 2023
• Iowa Consumer Data Protection Act (ICDPA): Passed in March 2023, it will enter into effect on January 1, 2023 

Aside from the six comprehensive privacy laws that make up the US privacy landscape, organizations must also be aware of privacy laws with a significantly narrower scope of application in Nevada and Maine that entered into effect in 2019 and 2020 respectively.  

While organizations focus on state-level privacy legislation, many of the incoming state laws include exemptions for personal information already covered by sectoral laws in the US. 

• Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to protect consumers’ financial information 
• Health Insurance Portability and Accountability Act (HIPAA): Requires covered entities to prevent sensitive patient health information from being disclosed 
• Children’s Online Privacy Protection Act (COPPA): Establishes guidelines for protecting the privacy of children under 13 
• The US Privacy Act of 1974: Allows individuals to request records about themselves held by government agencies 

These are just a handful of the different privacy laws that organizations must potentially contend with, not to mention countless other privacy-related statutes across the US. The case for a federal privacy law has never been clearer, and while the American Data Privacy and Protection Act (ADPPA) gathered significant momentum in the first half of 2022, there is still a long way to go before it can be considered a serious possibility. 

Still waiting on a federal privacy law? Don’t hold your breath on ADPPA

US legislators are as close as they have come in over a decade to passing a federal privacy law. The ADPPA represents the first bi-partisan effort to pass a national privacy framework since 2011 and at the time of writing the bill is currently being discussed on the house floor ahead of mid-term elections.  

However, despite the complexities of compliance with the patchwork of state privacy laws, don’t hold your breath for a federal privacy law to harmonize privacy legislation in the US. Several objections have already been raised at the ADPPA’s preemptions provisions, which are said to diminish the strength of consumers’ rights in states like California, which already has a high benchmark. And, at the earliest, the ADPPA wouldn’t enter into effect until the middle of 2023 even if it had a relatively smooth passage through the House and the Senate. 

Instead, organizations should be looking ahead to January 1, 2023 and ensuring they have the appropriate measures in place to comply with the incoming laws and their most visible areas of compliance. Consumers will have a heightened awareness of their rights. Organizations that can’t fulfill these rights will likely find themselves falling foul of enforcement provisions and potentially losing the trust of their customers.  

How to approach US privacy

In the absence of a federal privacy law, you can still take a unified and maturity-driven approach to the current patchwork of state privacy laws to alleviate the pressures of compliance with varying cross-state requirements. 

Take the ever-changing nature of the US privacy landscape into account, look ahead to the horizon, and don’t discount laws that haven’t yet entered into effect. Be proactive and future-proof your privacy compliance programs to save time and resources that would be wasted reacting to each change as it comes. 

Base your initial efforts on the areas of compliance that make the most sense compared to your organization’s maturity level. For example, an organization that is at an earlier stage of its maturity journey might opt to focus on ensuring they are able to fulfill consumer rights requests accurately and in the prescribed timeframes over building complex, fully automated programs. 

Focusing on addressing these areas of compliance can help your business to achieve goals beyond compliance and begin to nurture consumer trust through thoughtful and measured actions.  

Priority 1: Address the most visible and highly enforceable components

While there is little in the way of enforcement actions being taken against violations of state privacy laws, what we do know is that those responsible for enforcing the law are focused on violations of consumer rights and preferences. In California for example, the Office of the Attorney General (AG) has issued many notices of violations to organizations for breaches of the CCPA and recently handed down its first public enforcement action in relation to consumer opt-out requests not being respected. 

Consumer rights

Generally, US state privacy laws offer a similar set of rights to consumers, though there are some nuances between each law that should be observed. For example, the CPRA expressly requires organizations to allow consumers to limit the use of their sensitive personal information and the UCPA requires organizations to provide consumers with the ability to opt out of processing personal information. Whereas other states require organizations to obtain specific opt-in consent before processing sensitive personal information. Furthermore, the CDPA, CPA, and CTDPA all offer consumers the right to appeal decisions made by organizations in relation to rights requests and neither the UCPA nor ICDPA include a right to correction.   

When fulfilling privacy rights under US state privacy laws, it is essential to understand your obligations in each state. Each state law has different requirements that you must consider to help build and maintain consumer trust and avoid potential penalties for non-compliance. 

Fulfilling consumer requests all starts with having an appropriate intake method for consumers to make requests, and privacy notices should provide information relevant to each state where visitors may access the website. 

Identification verification is an essential part of fulfilling a privacy rights request. The CDPA states that data controllers are not required to fulfill the request if it cannot be authenticated by commercially reasonable efforts. Furthermore, the CPRA gives a broader definition of a “verifiable consumer request” and states that organizations are not obligated to provide personal information without verifiable identification. 

There are also different permitted timeframes for responding to requests that organizations must understand and stick to in order to avoid complaints being made by consumers. The CPRA requires businesses to provide confirmation of a request’s receipt within ten days of the request being made, whereas other laws do not require confirmation to be sent to the consumer. Additionally, all five state privacy laws give organizations 45 days to respond to consumer requests with the possibility of a 45-day extension where necessary and reasonable.

The Right to Opt-Out

Organizations that are embedded in the advertising ecosystem will have to pay particular attention to opt-out requests. The CPRA, CDPA, CPA, and CTDPA all provide the right for consumers to opt-out of the sale of personal information, targeted advertising, and profiling. The UCPA also offers consumers the right to opt-out but does not include the right to opt-out of profiling. However, under the ICDPA the right to out-out of targeted advertising in mentioned but not explicitly defined in the law.

One commonality across all six laws is the need to host a conspicuous intake method for consumers to exercise their right to opt-out, although the specifics do differ between laws. California has a specific requirement for organizations to adopt a “Do Not Sell or Share My Personal Information” link on company web pages. 

The CDPA offers the vaguest requirements for where an intake method should be hosted, stating, “the controller shall clearly and conspicuously disclose such processing, as well as how a consumer may exercise the right to opt-out of such processing.”

The CPA requires businesses that process personal data for purposes of targeted advertising or the sale of personal data to provide a “clear and conspicuous method” for consumers to exercise their right to opt-out in privacy notices as well as in a “readily accessible location outside the privacy notice” such as a webpage.

The UCPA mentions that businesses must disclose in a clear and conspicuous manner:

• any sale of consumer data or engagement in targeted advertising, and  
• the manner in which a consumer may opt out of the sale of personal data or processing for targeted advertising. 

The CTDPA requires controllers to provide a “clear and conspicuous link” on the controller’s website to enable a consumer or that consumer’s agent to opt out of targeted advertising or sale of the consumer’s personal data.

3 steps to operationalize opt-outs

1. Identify third-party trackers involved in targeting ads. Organizations can manually inspect their websites to identify what third parties are processing web visitor’s information. This analysis can also be performed with a web scanning tool that can identify and categorize third parties. Once identified, these third parties should be categorized by a specific purpose of processing so that individuals can request opt-out of a particular process.
2. Deliver a compliant, consumer-friendly experience. Organizations should determine the user experience for individuals opting-out. To honor GPC signals you will need to detect those browser-based and communicate that the GPC has been detected and respected. This informs the user how to request a full opt-out of sale, or in the case they have identified themselves, exercise another right such as access or deletion – which often occurs through a submission form or an account preference center. 
3. Enforce the opt-out by blocking the tracking from continuing. This can be done through a variety of methods that vary in terms of impact. You can choose to implement one of the following: 
   • Follow an industry standard such as the IAB 
   • Leverage vendor-specific APIs that support ‘privacy mode’  
   • Block trackers directly through a tag manager

Both the CPRA and the CPA mandate that organizations honor opt-out signals received from universal controls such as the Global Privacy Control (GPC) or privacy-focused browsers. 

What is the Global Privacy Control?

The GPC is a user-enabled method for communicating opt-out preference signals. Consumers can utilize the GPC to send a single universal signal to all webpages and applications that they interact with, rather than having to make multiple requests individually on each site. 

The GPC is a tech standard that was developed by privacy advocates, publishers, and browsers. Honoring signals from the GPC and similar technologies is now mandated in certain states. The California AG issued an FAQ in July 2021 that specifically calls on businesses to respect opt-out of sale requests made via the GPC. 

The CPA also allows consumers to communicate their opt-out preferences through a “user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general.”

Moving from a request-based approach to a preference-based approach

For greater transparency and control, organizations are beginning to make the shift from a request-based approach to consumer rights to a preference-based approach. This creates a cohesive experience for the individual that allows them to practice their rights universally without any difficulty. 

Instead of requiring individuals to make a request through a form, route them toward a trust center within pre-existing accounts. If the individual would like to opt-out of sharing their personal information, they can do so easily within a centralized trust center that provides transparency about how and why data is collected and enables the individual to practice their rights.

Employee rights

Where consumer rights are ubiquitous among US privacy laws, employee rights are not quite as common. In fact, across the five state privacy laws coming in 2023, just the CPRA grants employees certain control over their personal data in an employment context. 

Previously the CCPA placed an exemption on employee data, which was due to expire on January 1, 2021. However, the CPRA has extended this exemption to January 1, 2023. The CPRA also amended what rights are now offered to employees. Previously employees were limited to the right to know and private right of action in the event of a breach of unencrypted data. Upon the expiration of the employee data exemption, the CPRA will grant employees the following rights:

• Right to know  
• Right to correction  
• Right to deletion  
• Right to opt-out of sale or share  
• Right to limit use and disclosure of sensitive personal information  
• Right to not be retaliated against for exercising rights 

Fulfilling employee rights requests will pose a unique challenge to organizations. These requests will require a different intake method and different identity verification process, and will relate to personal data found in multiple different formats and sources. Furthermore, employee requests are often more sensitive in nature than consumer requests. These can arise in the event a candidate is looking for information on why they were rejected, a former employee is looking for information on why they were let go, or an active employee seeking information on why they were passed for a promotion. These are often legal discoveries for an employment dispute submitted in the form of privacy rights requests. 

Employee data is typically found in sources such as HR databases, recruitment tools, and payroll software. This includes structured and unstructured data that relates to personal information, such as bank account information, salary information,​ marital status,​ and medical records. Often employee data is commingled with other employees’ information, in which case you may need to redact other individuals’ sensitive information or proprietary business information before responding to the request. 

Context is also key when handling employee rights requests. It’s more likely for an employee to submit a request seeking data specific to a particular event, incident, or decision. In this case, the employer must return files, emails, chats, and other information with personal information about that requestor from other individuals’ inboxes or tools within the organization. 

The challenge of discovering unstructured data and data redaction is that both exercises are time-consuming when done manually and can often lead to inaccurate results. And with the volume of employee requests likely to spike upon the exemption lifting, organizations must consider automation to streamline the process. 

Privacy notice and disclosures

Privacy notices are an organization’s way of effectively and transparently communicating their privacy practices and information about how consumers’ personal information is collected, used, and shared. Each of the six privacy laws require organizations to present a privacy notice to consumers at the time of collection, and these notices must contain certain information. Typically, the information required in a privacy notice includes details about your organization, how personal information is used, individuals’ privacy rights, and how those rights can be exercised. 

While there have been few enforcement actions taken under US privacy laws to date, as more laws enter into force in 2023, highly visible areas of compliance – such as providing a privacy notice – are likely to come under scrutiny. This is a pattern that can be seen in Europe, where fines for information provision obligations are among the most common enforcement actions issued. 

Priority 2: Automation and operational efficiency

Organizations that are further along the maturity curve and that have addressed the most visible areas of compliance can begin to consider automation and building operational efficiency to run a US privacy program at scale. Making the step from manual processing to automation can seem like a big undertaking; however, streamlining areas such as DSAR, risk assessment, and incident response processes can save time and resources and more importantly, help ensure you are handling consumers’ personal information accurately and appropriately. 

Data discovery and mapping

A foundational step in any privacy program is a data discovery and mapping exercise. With differing definitions of Sensitive Personal Information, opt-out requirements, and disclosure requirements from state to state, the necessity to perform this exercise becomes more apparent for US organizations to have a clear and comprehensive understanding of their data.

While data mapping is not a requirement found under US state privacy laws, having a comprehensive data map can assist your organization when fulfilling consumer and employee rights, meeting data minimization requirements, managing third-party risk, and responding to security incidents. 

Privacy Impact Assessments (PIAs)

Anyone who is familiar with the General Data Protection Regulation (GDPR) will be all too aware of the need to conduct Data Protection Impact Assessments (DPIAs), known more commonly across the Atlantic as Privacy Impact Assessments (PIAs). PIAs help organizations understand the level of risk that certain processing activities will pose to consumers. Understanding when and how to conduct a PIA in compliance with US privacy laws can become challenging, and with the privacy landscape set to continue developing, the challenge will only become greater.

When is a PIA required?

Currently, the CPRA has a broad threshold for conducting a Privacy Impact Assessment, stating “Businesses whose processing presents a significant risk to consumer privacy or security must submit a regular risk assessment to the CPPA.”  The California Privacy Protection Agency (CPPA) is expected to issue further regulations on this topic; however, until these regulations are issued, organizations must interpret whether their processing activities pose a significant risk without guidance. The CPPA met in February 2022 to discuss the CPRA rulemaking process and final CPRA regulations are expected to be released in the second half of 2022. 

The CDPA, CPA, and CTDPA are more prescriptive in their approach to PIAs, outlining several specific activities that require a PIA, including: 

• Processing of personal data for targeted advertising​  
• The sale of personal data​  
• Processing of personal data for profiling under certain circumstances​  
• Processing of sensitive data​  
• Processing activities involving personal data that present a heightened risk of harm to consumers​ 

And, under the CDPA and CTDPA, PIAs completed in compliance with other privacy laws can satisfy assessment requirements under both laws, so long as the original PIA has a similar scope and effect.

Under the UCPA and ICDPA, there is no requirement for a PIA to be conducted, however it is a best practice to organizations that are operating across multiple jurisdictions.

What should be included in a PIA? 

Understanding how to perform a PIA and what to include is also an important element for creating operational efficiency. A general theme can be seen across all state privacy laws that require a PIA; businesses performing a PIA should balance the benefits that the activity presents to the business against the risk it will pose to the consumer.  

On a more granular level, when performing a PIA under US state privacy laws, organizations should also consider:

• The context of processing  
• The relationship between the controller and the consumer whose personal data will be processed  
• The reasonable expectations of consumers  
• The use of de-identified data 

Upon completion of a PIA, organizations should document and retain the assessment for transparency and accountability with regulators if they come knocking. PIAs should also be reviewed regularly, and the risks highlighted by the assessments should be recognized and mitigated.

Incident management

Traditionally, breach notification requirements have sat outside of the comprehensive state privacy laws that have emerged over the past four years. In fact, each of the 50 states has its own breach notification requirements, which makes understanding your responsibilities for reporting a security incident particularly complex. This includes an understanding of the timeline for notifications, who should be notified, and how. Even the ADPPA’s preemption of state law doesn’t help to solve this problem, as breach notification laws are exempt from preemption under Section 404 (b)(2).

Whichever individual state requirements might apply in specific scenarios, there are several steps that organizations should take in response to a security incident: 

1. Be prepared, establish an intake process, and understand the next steps when you are alerted to an incident 
2. Investigate what happened and if personal or sensitive personal information is involved  
3. Assess the incident to understand the extent and severity of the incident 
4. Define a remediation strategy, limit damage, and collect and preserve evidence 
5. Notify regulators, individuals, and third parties where applicable 

Another vital part of an incident management strategy is being prepared for a rise in privacy rights requests in the fallout of any incident. Regulators in Europe have commented on this issue, stating “As a result of a breach, an organization may experience a higher volume of data protection requests or complaints, particularly in relation to access requests and erasure.” 

Third-party risk management

Third-party risk management (TPRM) is a crucial component of any compliance program that helps to identify and reduce operational risk. TPRM is equally vital in the context of US privacy, where incoming laws all contain provisions for contractual obligations between businesses and service providers when sharing personal information. Developing a TPRM program can help organizations to build an understanding of the third parties they use, how they use them, and what safeguards their third parties have in place in order to identify and mitigate potential risks. 

Priority 3: Building trust

As your privacy program matures and your privacy operations are running at full efficiency, privacy teams can focus their attention beyond compliance. Compliance should be seen as a baseline for privacy operations and organizations should consider developing aspects of their program beyond what they have to do toward what they should be doing. 

This view beyond compliance helps to drive more effective, ethical, and trusted use of data. Maintaining good privacy operations is at the heart of building consumer and stakeholder trust.

Managing sensitive personal information (SPI)

SPI typically relates to some of the most confidential and personal elements of an individual’s life. As a result, US privacy laws place stricter rules for the collection and usage of SPI, meaning that organizations that process SPI must take careful steps to ensure they are handling it within the boundaries of the law. 

Understanding exactly what information is classed as SPI under each state privacy law can be complex. SPI can include biometric information, political opinions, information related to sex life or sexual orientation, and philosophical beliefs. There are some characteristics such as race, ethnic origin, religious beliefs, and genetic data that are consistently classified as SPI under the CPRA, CDPA, CPA, UCPA, and CTDPA. When organizations don’t know what SPI they have, they are unable to apply appropriate protections and policies to it, leaving the information potentially vulnerable to external threats and in violation of US state privacy laws. 

There are also specific requirements placed on organizations for how they can use SPI.  Under the CCPA as amended by the CPRA, the ICDPA,  and the UCPA,  controllers must provide customers with notice and an option to opt-out prior to processing sensitive data. In the case of the CCPA as ammended, organizations are also required to provide a clear and conspicuous link on internet homepages, titled “Limit the Use of My Sensitive Personal Information,” to allow consumers to exercise this right. 

The CDPA, CPA, and CTDPA require data controllers to obtain affirmative consent from the consumer before processing SPI. The CDPA, however, also requires data controllers who process SPI to conduct a privacy risk assessment before processing.

Organizations that process SPI should conduct data discovery exercises and map this data in a centralized inventory to have a clear view of what SPI they hold. Accurately classifying this information can help you ensure that the correct information security safeguards and data governance policies are applied, document opt-in consent for the CDPA, CPA, and CTDPA, and limit SPI processing requests for the UCPA and CCPA as ammended.

Automating data retention

Data retention policies place a responsibility on the organization to manage the information they hold about data subjects and set limits on the length of time this information can be held for. While the CCPA and the CPRA do not provide direct obligations for businesses in relation to data retention, there are statutory and recommended retention periods for certain records within the state. For example, the California Fair Employment and Housing Act (FEHA) sets out statutory minimum periods that employers should keep employment records, such as successful and unsuccessful candidate information, employee medical records, and information relating to the right to work. Additionally, Division 3 of the California Civil Code highlights recommended retention periods for sales and marketing information such as customer records, marketing records including data used for direct marketing, and data subject access request (DSAR) records.

In comparison, there are fewer retention periods specified by law in Virginia and Colorado. § 59.1-579(b)(2) of the CDPA outlines a general provision for data controllers, stating that controller-processor contracts provide that the processor must, among other things, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law. The CPA also uses similar language in its text but doesn’t elaborate on specific retention schedules for personal information.

One of the central challenges for managing data retention policies is that required and recommended retention periods don’t only vary by state, but they also vary drastically according to the type of data record. Therefore, documenting the retention periods that need to be applied to each type of data record in your data map is critical. Once you’ve set the appropriate retention periods, these can subsequently be managed by automating the destruction, archiving, or redaction of that data and communicating the expiration of these policies downstream to the relevant stakeholders and third parties. 

Organizations have a challenge ahead of them to understand the requirements of the incoming US privacy patchwork and implement a compliant privacy program. Join the OneTrust US Privacy Masterclass program or catch up on demand to deep-dive into the US privacy landscape, consumer and employee rights, privacy risk assessments, and the steps you can take now to not only meet compliance by 2023.