Who says there are no privacy laws in the US?
By Shaquelle Duncan
To the casual eye, it may look like the United States is doing very little to regulate privacy. When examined further, however, the overwhelming amount of existing and pending privacy law at the state level tells a completely different story.
Not only are there almost 600 pending and current laws combined, but they cover a wide variety of privacy concerns ranging from consumer data collected by service providers to data obtained through automatic license plate readers. Although the federal government has done little to regulate privacy, the same cannot be said for states. In light of this fact, perhaps what we should be talking about is that states are, in fact, leading the way in creating privacy protections.
So, what does this all mean exactly? Americans do have a vast amount of privacy rights; they’re just not in one comprehensive piece of legislation like in some other regions. This reality, however, while good news for Americans, can be a big challenge for companies.
Implications for companies
Each state has enacted at least one privacy law, New Mexico being on the low end with one law addressing data breach notification and California being on the high end with more than thirty.
For a company looking to comply, this patchwork of laws presents different levels of challenges depending on the location of the company and its points of sale. For larger companies that have a broad presence across the United States, this presents a major hurdle. Luckily, there is a fair amount of overlap, as a good number of states have modeled their laws on other states’ laws relating to similar issues or privacy rights.
For example, as it pertains to genetic privacy, many states have adopted laws that contain nearly identical language requiring consent before obtaining, accessing, disclosing, or retaining genetic data. Alaska’s Genetic Privacy Law, AS 18.13.010, provides for the following:
“a person may not collect a DNA sample from a person, perform a DNA analysis on a sample, retain a DNA sample or the results of a DNA analysis, or disclose the results of a DNA analysis unless the person has first obtained the informed and written consent of the person, or the person's legal guardian or authorized representative, for the collection, analysis, retention, or disclosure.”
Six other states, including Nevada and New Mexico, provide identical protections. Twenty-six states provide narrower protections, requiring consent only to disclose such genetic information.
Further, multiple states currently have proposed legislation that has vast similarities to California’s Consumer Protection Act. While proposed legislation like Rhode Island’s Consumer Privacy Protection Act and Mississippi’s HB 2153 parallels the CCPA very closely, other states such as New York and North Dakota have proposed legislation that deviates from the structure of the CCPA but contains similar wording.
This extensive overlap should alleviate some of the challenges for businesses, but it’s never been truer that the devil is in the details. Because of the areas of divergence and the sheer number of laws, managing compliance with the vast and varied privacy laws in all 50 states is nearly impossible.
How Can Sentinel Help?
Sentinel’s privacy program management technology, Ethos, is equipped to help you understand what is required of your organization, track your progress towards implementation, and ensure that you stay up to date with the ever-evolving nature of privacy law across the United States and abroad.
It uses information about the nature of your business, like what data you process, where you operate and what you do with that data, to create actionable and understandable steps based on laws and other frameworks applicable to your company. The beauty of it all is that with Ethos, you are able to see requirements that are common to multiple laws and include them in your business’s compliance measures. Once you meet a requirement, you get credit for it throughout your business context — streamlining your workflow and eliminating duplication of effort.
The states have made big strides in regulating data privacy. With more than 350 enacted laws and 200-plus pending laws, companies have a real challenge in keeping up. Some relief lies in the overlapping legislation that has been adopted in a number of states, and in knowing that Ethos can help manage this complex web of state laws.