How to Move the Privacy Needle Without Really Trying
As I write this, there are 13 states that have consumer data privacy and protection laws, all of which have very specific requirements for businesses that collect data from or about consumers in their states.
Many organizations have adapted to a privacy-centric world by addressing several fundamental aspects of consumer data privacy, including cookie notices, privacy policies, and managing complaints. Focus has often been on the first State regulations in the U.S.: the California Consumer Privacy Act and the California Privacy Rights Act.
But these are not the sum total of your privacy requirements. You should consider complying with all privacy regulations in every jurisdiction in which you do business. Maintaining strict adherence to all privacy regulations is a challenge for most organizations for the simple reason that no one has unlimited resources to throw at the problem.
Given this reality, how might you approach privacy holistically while also seeking to address compliance in every jurisdiction in which you do business? Here are some strategies to consider helping you organize your company's approach to policy compliance.
Identify Key Changes That Affect Your Business
Consider the developments that most affect your business. This summer, Oregon Governor Tina Kotek signed into law the Oregon Consumer Privacy Act (OCPA), which adds new wrinkles to the privacy environment, namely, it allows for civil penalties for employees of companies that run afoul of the law. If you are a small company or have no business in Oregon, you are safe. If you are large and place ads in national magazines or TV, you are subject to the law.
Focus on Sensitive Data
Today, sensitive data is the clearest and most strategic risk many organizations face today. Data that is considered "sensitive" varies from state to state but generally includes racial or ethnic origin, religious beliefs, medical or health data (beyond HIPAA), as well as genetic and biometric data that can be used to identify an individual. It's also data that touches upon hot-button issues, including immigration status, sexual orientation, precise geolocation, and data on children.
For instance, Washington State's My Health My Data Act will go into effect in March of next year, which empowers Washington residents with the right to access their consumer health data and receive a list of all third parties and affiliates, including contact information, who receive their individual data from the regulated entity. Geofencing went into effect on July 23, 2023. It prohibits the use of any form of location detection to locate a consumer within 2,000 feet or less of a facility that provides in-person health care services when used to track seeking health care, collect health data or send advertising messages or notifications.
Why does this matter? In addition to the risk of protecting sensitive data, many types of data now come with political risks. Since the Supreme Court overturned Roe v. Wade, health data has become extremely political and can lead to data fines and prosecutions by State Attorney General offices. State AGs are inherently political offices, and such prosecutions lead to positive publicity that helps them in their quest for higher office.
Automate Wherever Possible
While privacy laws can be dizzyingly complex, they have several attributes in common, although the specifics vary between jurisdiction and regulations. For instance, each law defines the scope, types of data that is protected, requirements around data collection and use, disclosure, data security, and individual rights.
Analyzing your operations to assess the degree to which they are compliant with each law is difficult, but the complexity can be automated. Let's say your company operates in California and you've conducted an internal review of your operations to ensure compliance. How can the work you've done to answer specific questions be applied to other states?
You can leverage independent and standardized assessments that are written to actual privacy laws and regulations, including GDPR, CCPA/CPRA, COPPA, HIPAA, and all other regulations. By answering just one set of questions, the assessment can evaluate your level of compliance with each state and tell you where to focus your attention to reduce risk.
You can also automate key privacy Key Risk Indicators (KRIs), data breaches, customer complaint rate, to spot potential risks to your privacy program. By creating a system that monitors KRIs, you can prioritize risk mitigation strategies, set well-defined objectives, and establish a clear threshold for the level of privacy risk you are willing to accept.
Enable Stakeholders to Focus on What Matters the Most
Related to the automation mentioned above, there are tools on the market to help business stakeholders to hone in on the issues that require their focus.
For instance, my company offers a platform that provides auditable real-time reporting, enabling stakeholders to pinpoint key risk areas and better manage privacy compliance efforts. This, in turn, helps stakeholders to serve as active participants in creating a culture of appropriate data use and ensuring that risks are identified and addressed before they result in major security incidents.
Finally, keep records of your compliance efforts. It will help if your company is ever asked by consumers, regulators, or consumer advocacy groups to document your commitment to privacy compliance.
The views and opinions expressed are solely those of the contributor and do not necessarily reflect the official position of the ANA or imply endorsement from the ANA.
Richy Glassberg is co-founder and CEO at SafeGuard Privacy.