Overview
This has been a busy year for privacy legislation, with dozens of states deliberating consumer privacy bills. Today, 13 states have their own consumer privacy laws, a tally that climbs to 15 if we include the health privacy bills that passed in Washington and Nevada. Despite little progress at the federal level, the US Securities and Exchange Commission finalized rules around cybersecurity, and the Federal Trade Commission maintains its unwavering commitment to privacy enforcement.
In this webinar, David Saunders and Sabrina Guenther Frigo, Associate General Counsel – Privacy & Data Management at CUNA Mutual Group, reviewed the legislative year to explore what might be in store for the future of privacy legislation.
Key takeaways included:
- Conducting a close review of the applicability thresholds and definitions of the new and emerging state laws will be important. Companies should consider all their encounters with consumers in a particular state, including through their products, services and website interactions. Documenting this analysis is a helpful exercise to demonstrate to regulators (and to private parties in states like Washington where there is a private right of action) that a certain state’s law does not apply.
- The state privacy law model is continuing to evolve as states pass new laws. Newer laws are increasingly moving toward more rigorous requirements (e.g., opt-in consent for use of sensitive personal information). Data protection impact assessment requirements are becoming more detailed, with states drawing upon the requirements of other states’ laws and regulations in drafting their requirements.
- Businesses should assess whether the time has come to adopt a national approach to compliance with data privacy laws. With 13 state laws now in effect, companies should seriously consider whether adopting a national approach based on the highest level of compliance is easier than accounting for potentially 20 different state privacy laws by the end of 2024.
- Despite the lack of comprehensive privacy rules at the federal level, federal agencies have been actively using their authority to regulate corporate privacy practices. While we are unlikely to see a federal privacy law passed in 2024, we can expect to see federal agencies continuing to exercise their authority in the privacy space.