Navigating the US Data Privacy Landscape

The EU release and implementation of the GDPR inspired a slew of data privacy acts and laws across the globe.

Threats of data leaks have kept businesses in the US on the edge. In April 2019, personal data of 533 million Facebook users was leaked, while LinkedIn suffered a breach later in the year when the data of its 700 million users was leaked. In 2019 again, the data of 1.1 billion users of Alibaba was compromised. Organizations in the US must comply with data privacy laws and various state guidelines so they can safeguard their stakeholders. US states, for the lack of a central federal framework are addressing this by creating their own laws which may slowly shape the country’s future privacy landscape.

This makes the data privacy law landscape in the US is complicated, especially when you consider the myriad of data privacy laws that attempt to balance between the Constitution, the Federal Trade Commission, and the power granted to US states. Organizations, across industries, need to comply with dozens of different state-wise privacy laws and hundreds of legal requirements.

In our post we discuss some of the most recent laws, their scope and their impact on businesses.

In contrast to Europe’s GDPR, the US has a multitude of data privacy laws such as HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA, which target only specific types of data in special situations. For example, the HIPAA protects a certain type of personal health information. Yet it does not guarantee adequate security, as evidenced by the LabCorp breach which affected 7.7 million customers.

California was the first to do something about privacy protection with its California Consumer Privacy Act (CCPA), established in January 2020; and was also the first law in the US to be inspired by GDPR. Colorado and Virginia too have introduced comprehensive consumer data privacy laws that are quite similar to California, such as the right to access and delete personal information and to opt-out of the sale of personal information, etc. Similarly, several other US states have set in place their data privacy laws. Let’s look at some of them.

Source : IAPP
Navigating these laws is difficult

All the data privacy laws require businesses to put in processes to handle interactions with customers for privacy requests, create new internal roles to handle interactions with regulators, and train personnel on the latest and ever-changing rules. As the laws start driving enterprises toward new data principles, holding large amounts of customer data will increase liability and building products and services in a privacy-centric way will become more important for businesses. Businesses thus need to address all three pillars of Data Privacy, namely

1. Customer Identification and Access Management
2. Customer Consent and Preference Management
3. Customer Data Management

An approach to a complex data privacy landscape

What’s required is a structured approach by businesses that addresses business processes as well as various policies, an approach that is supported by technology initiatives that can simplify compliance without impacting customer experience. Here is an approach to Data Privacy Compliance Initiatives:

• Understand the requirements
  • Understand the varied laws and their requirements
  • Identify any conflicting and complementing requirements
• Data Analysis
  • Establish the precise inventory of personal data within the enterprise
  • Identify and map PII (Personably Identifiable Information) as per the law
  • Identify actions that need to be taken to fulfil current and future obligations
• Evaluate / Design & Implement Solution
  • Evaluate / design solutions to help implement data privacy
  • Implement solution that includes systems to ensure policy dissemination, agreement, consent management and revocation in line with the laws
• Manage Risks
  • Review the program and identify risks that need to be managed
  • Audit and perform Data Protection Impact Assessment
  • Be aware of the third party data the business leverages and it’s privacy status
  • Work towards continuously improving data privacy implementation

SLK’s experts understand the data privacy landscape in the US, and are experienced in providing Compliance as a Service solution on top of our Intelligent Data Management tool that allows identification of PII elements/ sensitive data as per GDPR, CCPA or any guidelines. The tool is futuristic and is configurable to align to new laws or changes to existing ones. It supports all types of databases and offers both on premise and Cloud installations for documents/data across the enterprise.

Abbreviation key:

• HIPAA – Health Insurance Portability and Accountability Act
• FCRA – Foreign Contribution Regulation Act
• FERPA – Family Educational Rights and Privacy Act
• GLBA – Gramm-Leach-Bliley Act (also known as the Financial Modernization Act)
• COPPA – Children’s Online Privacy Protection Act
• VPPA – Virtual Power Purchase Agreement

Please contact [email protected] if your business needs help with compliance to data privacy laws.

Authored by Kulpreet Kaur and Hemant C Reddy