The United States has some industry-specific privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), which applies to the healthcare industry, and the Gramm-Leach-Bliley Act, which applies to financial institutions, but no law that protects consumer information generally across all industries. The lack of a general privacy law does not mean, however, that US companies have no privacy obligations. In fact, companies operating in the US can face an even more complicated web of privacy laws than European companies do.
In the absence of a comprehensive federal law (and the improbability that Congress will enact one in the near future), individual states are beginning to tackle the issue on their own. California adopted the California Consumer Privacy Act (CCPA) in 2018 and California voters modified the CCPA by adopting the California Privacy Rights Act (CPRA) by ballot initiative in 2020. Virginia passed its Consumer Data Protection Act (CDPA) in March 2021. Eleven other states have one or more bills pending. Nine states have debated bills that either died in committee or were postponed. While there is not yet a broad consensus on what a privacy law should include, there is a broad consensus that legislation is needed, and discussions will undoubtedly continue.
This patchwork of privacy laws can be more challenging for businesses than a single federal law. First, when legal theories evolve at the state level, businesses that operate across state lines need to monitor the laws of all the states they touch. Second, dissimilar state laws require businesses to sort out how to apply different laws to different consumers. For example, almost every law defines “personal information” slightly differently, so a business needs to decide whether to operate under a single definition that will satisfy all states’ laws or to try to apply different standards to different states’ residents.
There are no easy answers for businesses, particularly for smaller businesses that lack internal resources to monitor multiple states’ laws and maintain compliance policies and procedures that work across their entire geographic footprint. That said, there are a few strategies that most businesses should adopt:
- Know what personal information you are collecting, why you are collecting it, and where you keep it. It’s impossible to protect information if you don’t know what information you have or where it is.
- Know the laws of the states in which you have offices or customers or are otherwise “doing business.” Privacy laws apply based on where the consumer lives, not on where the business is headquartered, or which state’s laws are selected in the company’s Privacy Policy or contracts.
- Always consider privacy and data security when you are about to make an investment in computer equipment, software, or a new business line. These are inflection points where the cost and complexity of enhancing privacy and data security can be minimized. “Privacy by design” is much easier than “privacy by retrofit.”
- Make sure the Privacy Policy on your website is complete and accurate. From the consumer’s point of view, there shouldn’t be any “gotchas.” Most of the state laws that are being debated or adopted require that a business disclose what personal information it is collecting, what it does with the information, and with whom it shares the information. Consumers lose trust (and file lawsuits) when their information is collected or used in ways that were not disclosed and they didn’t expect.
- Understand the privacy implications of how you use information. Does your website use cookies to track users’ actions on your website? Do you use Google Analytics to understand how customers use your website or to serve customized advertisements? These are all ways companies use personal information, and they all affect the explanation in your Privacy Policy of what information you collect and how you use it.
Privacy policies and data security programs can – and should – have different levels of complexity, depending on the nature of your business, what information you collect, and how the information is used. But every business collects personal information in some way, shape, or form, so every business should think through the issues that are relevant to it and develop a privacy and data security strategy that fits its size and needs.
Edited by Maryssa Gordon, Senior Editor, Price of Business Digital Network