Today’s privacy landscape is more complex than ever. As of late summer in 2023, five states have privacy laws in effect, with eight more set to roll out over the next two and a half years. In addition, another five states have active bills that could become law. These laws have different provisions governing to whom they apply, what rights consumers have, and what businesses’ obligations are.
Complying with this fragmented patchwork of laws is rapidly becoming untenable—if it isn’t already impossible.
These forthcoming state frameworks may exert pressure on the US Congress to take action on federal privacy legislation soon. But while businesses wait for federal privacy legislation to pass, they must act proactively to ensure compliance with state privacy regulations. They should consider taking the following four steps.
Build a comprehensive data inventory.
You can't possibly comply with privacy regulations if you don't know what data you hold, where it is stored, how long you keep it, and how you share and use it. A comprehensive data inventory leverages both institutional knowledge and technology to determine what data your organization has and how it is stored, used, and shared across its lifecycle.
It's critical to understand that a data inventory isn't a one-and-done project. Think of how often large enterprises add or remove software from their technology infrastructure, add data storage facilities, or acquire more data through mergers or other means. All of these things dramatically alter your data landscape. It's far better to invest in technology that helps you maintain an up-to-the-minute inventory.
Conduct audits and assess risk regularly.
Just as a data inventory is a program, not a project, so too is risk assessment. If you understand where there are data risks, then your organization can focus its efforts on mitigating those risks first. Auditing your data retention and data security practices allows you to patch major holes first, then focus on getting all the details right.
Although patience may be running short on regulators' part, they are still inclined to work with organizations that demonstrate a good faith effort to comply with regulations, as opposed to organizations that are willfully negligent or show no desire to mitigate obvious risks.
Adopt industry-standard data privacy and cybersecurity compliance frameworks.
With thirteen (and counting) different data privacy regimes from US states alone, it's impossible to tailor compliance to each and every individual requirement. It's far more efficient to adopt the most stringent set of standards for each of the consumer rights and business obligations created by the regulations, as meeting those will certainly satisfy more relaxed regulations, like those laid out in the Utah Consumer Privacy Act.
Maintain an audit trail.
As we've mentioned in our whitepaper on the Compliance Trifecta, organizations' compliance efforts aren't complete once the work is done: you have to be able to prove compliance to constituencies like consumers and regulators. That's why it's critical to keep complete records of the actions that demonstrate compliance and a defensible risk mitigation process.
Taken collectively, these steps can lay a foundation for compliance with any set of regulatory requirements. Businesses that have analyzed these compliance requirements, built a roadmap, and executed it have a considerable advantage in preparing for the upcoming privacy laws. Those that haven’t started yet or have blind spots in privacy programs should get started now!
For help in understanding the current state of state privacy laws in the US, download our US State Privacy Law cheat sheet today.