February 22, 2024
Since the introduction of the European Union’s General Data Protection Regulation (GDPR) and its expansive reach, U.S. businesses have been faced with comprehensive data protection and privacy considerations like never before. As you may know, there were no such laws (federal or state) in the U.S. at that time, and U.S. businesses questioned the GDPR’s reach and applicability. Well, since then, U.S. states took it upon themselves to bring a wave of new data protection legislation, forcing U.S. businesses to consider the topic yet again (and this time it’s in their backyard).
Over the past five years, twelve new comprehensive U.S. state privacy laws have been passed. And there are more in the pipeline. Consider, for example, the influx of bills introduced over recent years – in 2018 only two bills were introduced on this topic, compared to the 59 that were introduced in 2023. This wave is not limited to the U.S. either – in recent years at least ten countries have enacted new laws or amended their current laws to take a more comprehensive approach. And this wave is only likely to gain momentum (e.g., the IAPP 2023 Global Legislative Predictions Report predicts that parliaments around the world will continue introducing new legislation or building upon existing legislation, and according to the United Nations Conference on Trade and Development an additional 9% of countries have draft legislation on the table). Gone are the days when businesses (especially in this interconnected world) can ignore these comprehensive data protection and privacy laws without placing a certain level of risk upon themselves.
How do you navigate this ever-changing data protection and privacy landscape? Let’s unpack how you can help your clients avoid seven common pitfalls that businesses fall into.
- Pushing it off until “another day” – As you now know, there is a growing wave of legislation in this area, so sticking your head in the sand is not the best approach. If these laws do not yet impact a business, it is only a matter of time before they do. Becoming compliant doesn’t happen overnight. But the upside is, if a business has started making real efforts towards compliance, enforcers have been less likely to “throw the book at them.” However, it’s important to note that as time passes, enforcers will have increasing compliance expectations as businesses have time to get their processes in order. Not only can civil penalties for non-compliance add up quickly (U.S. state civil penalties range from $2,000 to $20,000 per violation), but consumers care about how a business handles their information. A 2023 IAPP Privacy and Consumer Trust Report found that nearly 68% of consumers are either somewhat or very concerned about their online privacy.
- But we’re a “B2B” business – Generally, it is true that the protections and rights under these laws apply to consumers, but in at least one state these protections also apply in commercial and employment contexts. Not to mention, their reach is extensive.
It is critical that B2B businesses also consider areas such as: (i) what and whose information is collected and analyzed on their website; (ii) how customers use their products or services; and (iii) what requirements they have with their customers or vendors, for example. Once a business completes this exercise, it may be surprised to find just how much of an impact these laws have on them.
- We don’t do business in the states with this comprehensive approach – A business need not be based in a state to be impacted by its data protection and privacy laws. For example: (i) a business’ website may track and collect information of its visitors, who may be from other states (or other countries); (ii) a business, through interstate commerce, may do business in a state with such laws and with customers that control or process personal data; (iii) a business may have cross-border data transfers (i.e., transfer data between the U.S. and the E.U.); or (iv) a business may have contractual obligations with its vendors or customers.
- We’ll just “wing it” – Unlike the businesses that push compliance efforts off to another day, these businesses have no plan for implementing compliance processes. Instead, their plan is to “wing it” if/when they receive a data subject request, or questions from a customer or enforcement body, for example. Understandably, we all get inundated with buzz words like “data collection and sharing,” “opt-in” or “opt-out” consent, “data minimization,” and so on, but it’s important not to underestimate the heavy lift that comes along with executing these tasks.
According to the Transcend 2022 State of Data Visibility Report, the amount of data that a business manages has increased at least ten-fold in recent years. Couple this with the fact that about two thirds of businesses do not have an accurate picture of the data they hold (according to the same Transcend Report) and you begin to see the problem – a business cannot possibly know what data it has, why it has it, or where it has it, let alone ensure it is deleted. So, it is nearly impossible for businesses (who only continue to collect more and more data) to “wing it.”
- Wait, it applies to our products? – Data protection and privacy laws cover personal data regardless of where it lives. For many businesses, privacy considerations are not part of their product design process. But for businesses that provide products that control or process personal data (e.g., “smart” devices, SaaS providers, etc.), this presents a problem. They would do themselves a disservice if they didn’t pause to consider the potential implications these laws have on the data their products collect, store, or manage and on their customers’ use of such data.
- Rogue vendors – Data protection and privacy laws not only apply to a business’ own use and operations, but they also require a business to ensure its vendors are processing and handling data in a compliant manner. These requirements can include specific contractual obligations, auditing rights, and so on. So, a business must pay attention to what its vendors are doing and include proper contractual obligations accordingly.
- We’re too small – Undoubtedly, many data protection and privacy laws exempt businesses that do not meet certain thresholds (e.g., minimum revenue amounts, or percentage of revenue from the sale of data, etc.); however, that is not the end of the analysis. Do not forget to consider the other ways these requirements may find their way to the business (e.g., contractually, or as a “processor” of personal data).
So, how can you and your clients navigate privacy compliance efforts in such an interconnected and data-driven world?
First and foremost is data mapping. It is fundamental to executing key compliance tasks like processing data subject requests, data minimization and retention, identifying risky data processing, data risk assessment requirements, and navigating new regulations by way of gap analysis.
Secondly, it is a team effort. The right players must be on the team for a business’ compliance efforts to be successful. For example, legal and compliance, IT, and security, as well as representatives from the sales/marketing and operations teams, should all be involved in the discussion.
Finally, you do not have to reinvent the wheel. Businesses can leverage existing standards and frameworks to help establish processes and overall privacy compliance (e.g., ISO 31000, ISO/IEC 27557, the NIST Privacy Framework, and the U.K. Information Commissioner’s Office Accountability Framework).
While the complexity and scale may vary, all businesses that process personal data must wrestle with data protection and privacy risk. The above tips provide a few basic steps to help jump-start a business’ compliance processes to identify, quantify, and prioritize risks that emerge in this ever-changing data protection and privacy landscape.
P.S. A large elephant that has recently entered the data protection and privacy room is AI. While not addressed in this article, AI can be leveraged to help accomplish privacy compliance requirements but presents its own set of challenges when used by a business in its daily operations; so, suffice it to say, proceed with caution.
About the Author: Nicole M. Danner is an associate with Wisler Pearlstine, LLP and a member of the firm’s business, corporate, and tax and data privacy and cybersecurity practice groups. She focuses her practice in the areas of commercial contracting, data privacy and security, corporate governance, emerging regulatory issues and risk avoidance, and other general business needs.