Keeping on Top of Changes in U.S. Privacy Laws

By Paul Breitbarth

The privacy regulatory environment in the U.S. continues to be a complex sea to navigate, changing on an almost daily basis. New privacy bills, amended bills, bills not making it out of committee, bills in debate in state legislatures. Of course, that doesn’t even take into account the discussion happening at the federal level. All of this is creating anxiety among privacy professionals, who are struggling to stay on top of ongoing legislation updates.

Currently, all eyes continue to be on the California Consumer Privacy Act and its amendments (and amendments to amendments). Vermont Attorney General T.J. Donovan observed that California’s policy could directly influence the behavior of other state privacy officials saying, “As California goes, so goes the nation. Watching how the rules in California are going to be developed is going to be critical.”

In many ways, CCPA is paving the way for a period of major change to the privacy compliance landscape in the U.S. At the time of publishing, Nevada and Maine have passed their own new privacy laws relating to consumer rights (Maine’s law applies to internet service providers only), and an additional 11 laws are in various stages of debate and amendment in state governments including Louisiana, Texas, Vermont, New Jersey and Washington.

Nevada’s new privacy law went into effect on Oct. 1, three months before the CCPA will. However, unlike the CCPA, it applies only to operators of online commercial services, requiring these companies or individuals to seek permission to sell a consumer’s personal data.

In the Evergreen State, the Washington Privacy Act was introduced in January and passed in the state Senate only two months later, but the bill did not make it to the House of Representatives. However, the prevailing sentiment is that this bill will be brought back in future sessions.

The bill in Louisiana focuses on protecting consumers online while they’re using the Internet and social media. While this may seem narrowly focused on ISPs, one of the definitions of the law seems to cover anybody operating a commercial website in the state of Louisiana, which would have significant implications for a large number of organizations.

Staying on top of it all

In a recent Nymity survey of privacy professionals in North America, almost half of respondents (47 percent) ranked building a privacy program as their top priority. How is your financial institution prepared to execute a data subject access request and demonstrate completion? How will you track, honor, reply and inform on a request for a right of access? How do you future-proof your organization for new and changing legislation? Some companies have taken the approach of addressing compliance one law at a time. However, with the volume of amendments and new legislation in the US (and around the world), this approach clearly won’t scale.

Under the European Union’s General Data Protection Regulation, “accountability” is enshrined as a legal obligation. Banks must be able to demonstrate compliance under the law. While the word “accountability” is not present in the legislation from California and Nevada (and in other states), it is a useful compliance concept.

An accountability approach to compliance means that financial institutions implement and embed relevant policies, procedures and other measures throughout the organization, and assign responsibility for the completion of these activities. Ideally, the activities are also reviewed on a regular basis (for example, quarterly or annually). As a result, documentation such as minutes of meetings, memos preparing decisions, the actual policies and procedures and log files are produced and can serve as evidence to demonstrate compliance to regulators and other stakeholders.

When my company began helping organizations prepare for GDPR, we mapped the text of the regulation to the Nymity privacy management accountability framework and identified 39 articles requiring evidence of a technical or organizational measure in order to demonstrate compliance. Those 39 articles mapped to 55 privacy management activities (technical and organizational measures) that, if implemented, would produce documentation to demonstrate compliance with the requirements. For the CCPA, we have identified nine of the 23 provisions, so far, requiring evidence of a technical or organizational measure in order to demonstrate compliance.

Structuring an organizational measure to demonstrate compliance

With clarification from lawmakers on various elements of the CCPA still pending, financial institutions may not have a sense of urgency when it comes to getting their compliance programs ready. However, we learned from our survey that the privacy office is often faced with competing priorities with CCPA compliance activities (35 percent) and continued GDPR compliance activities (26 percent) still figuring strongly, so it is critical to get started as early as possible for each regulation.

Banks can employ a three-step approach to building privacy compliance programs that can address multiple privacy laws:

  • First, identify which of the mandatory privacy management activities that apply to the law you have based your privacy program on. Then make sure that they are embedded in your organization including the policies and procedures you have implemented to ensure compliance. Compare them to the new law you are dealing with and verify that all elements that are embedded in the new law’s legal provisions are also part of your internal policies and procedures.
  • Second, review the privacy management activities that are considered mandatory for the new law you are working on, but are not part of your existing data protection compliance program. It may be that you have implemented these activities in your organization, for example as part of your security program. If so, you can repeat the check described above. If you have not implemented those activities, then you will likely have to implement new policies and procedures to address the gaps.
  • Third, as the regulatory environment has become more complex and the business impact of non-compliance has become more significant, our survey showed that over 70 percent of privacy professionals feel privacy has evolved into an integral part of the overall strategy and planning for their businesses. Financial institutions may be required to re-prioritize the team’s infrastructure and grow the headcount for the teams handling the compliance program.

GDPR has set the stage for new or enhanced privacy legislation from jurisdictions around the world. The introduction of a new law, or changing requirements of an existing law, will always require some effort to ensure ongoing compliance. While it may seem increasingly challenging to navigate the sea of privacy regulations, taking an accountability approach to compliance enables organizations to use existing mechanisms to meet revised compliance goals.

Paul Breitbarth is director of EU operations and strategy at Nymity, a privacy compliance software provider.