How to Navigate New State Data Privacy Laws

A new era is upon us as state governments are finally passing data privacy laws. Uncomfortable, and frankly unlawful, use of our data is finally being addressed after federal government inaction. Companies must comply with these ever-changing mandates as these laws take center stage in state legislatures.

The 2010s will be remembered as the Big Tech decade:

• Facebook saw its market cap rise from $24.31 billion in 2012 to $684.63 billion in late 2020, a modest 2,568% increase.
• Google saw its market cap increase from $359.5 billion in 2014 to $1.185 trillion in 2020, a smaller yet modest 229.6% increase.

The questions to ponder over this borderline ludicrous growth are:

• Why could these companies achieve this growth?
• What is being done to protect the consumer?
• How can organizations navigate these emerging regulations?

Previous Federal Government Privacy Laws (or lack thereof)

We need to go back to 1974, the last time the federal government passed a privacy act. Not many could have predicted the state of the world we live in now. However, the digital age has exponentially exploded in the past 50 years. Still, outside of Children’s Online Privacy Protection Rule (COPPA 2000), the federal government has neglected to pass modern-day data privacy protection acts. The federal government and regulators are traditionally reactive towards future initiatives rather than proactive. The Federal Trade Commission (FTC), designed to protect consumers, saw the implications of not protecting people’s privacy and tried to persuade Congress to act. In May 2000, the FTC urged Congress to enact laws protecting fundamental privacy rights for Americans, with similar arguments being used in congressional hearings today. This shows just how long this issue has persisted.

Companies like Facebook and Google have created their empires through personal data collection and using that information in an ecosystem of search optimization that allows third parties to target a specific audience. For example, companies looking to effectively advertise can target users by the following identifiers:

• Location
• Language
• Race
• Religion

These companies use this information to secure the correct views on their ads. Third parties can essentially buy your screen time. Additionally, once that information is collected by Facebook or Google, no federal laws force these companies to discard user information, allowing the next third party to target.

Changing privacy laws abroad and in the U.S.

Once a leader in privacy, the U.S. relinquished that title to Europe with its General Data Protection Regulation (GDPR) in 2016 and to its own California in 2018 with the California Consumer Privacy Act (CCPA). Companies must abide by these regulations and ensure their third-party vendors do as well. Connecticut, Colorado, Utah, and Virginia followed California’s lead and passed consumer privacy laws. California even updated its CCPA to enhance the scope and protection of its citizens. Other states, including Oregon, Oklahoma, Mississippi, and New York, have introduced bills in their respective state legislatures to enact consumer privacy.

These new regulations force organizations to enhance their third-party risk management. They can be fined if a third party does not comply with these new laws. Companies outsource more than is readily apparent to third parties, whether through email systems, data monitoring, or even cleaning services. Third parties must stay compliant with these new data privacy laws.

NTT DATA emphasizes our Environmental, Social, and Governance (ESG) capabilities to help organizations comply with regulations and social expectations from consumers. Each law passed in CA, CO, CT, UT, and VA differs from one another. It must be closely managed to avoid fines and reputational risks with consumers. California has the highest ceiling for fines, with organizations potentially being charged up to $750 per consumer per incident. However, the rules differ with each individual state.

How are you affected?

A good start at distinguishing between each state’s new privacy laws can be found here. These new laws are intense, but why care? Consider how many times have you personally searched for something and received an ad the next day? Targeted ads are not the problem, but rather the unlawful use of our data without transparency to the consumer. With these enhanced laws, third parties that rely on your data for ads or their business must now upgrade their model to stay compliant. And the organization that uses these third parties must also stay vigilant and do their due diligence to avoid penalties.

Even if an organization (or the third parties it uses) does not operate in these states, it’s time to become compliant. States are filling the void left by the federal government, and consumers are ready for more privacy.

We can help

NTT DATA can help your organization become and stay compliant by:

• Creating governance techniques to ensure proper techniques of handling and discarding data
• Determining whether your organization or third parties fit within the scope of these privacy laws
• Establishing a controller position that meets the qualifications and characteristics to enhance safety
• Ensuring compliance by synthesizing the scope of contract work and regulations in each state
• Proactively preparing your organization for future regulations in new states through government and market research
• Implementing incident management procedures to minimize risk

Most importantly, NTT DATA can institute security protections that guard sensitive information. This includes unauthorized activities, modifications, recordings, disruptions, and destruction. This information security ensures the safety of critical data, whether its intellectual property or account details.

We are entering a new decade of consumer protection, and it’s time to be proactive with third parties and customer data. The government’s inaction has caused data to be used freely by third-party vendors. Certain states are finally making the first move.

Learn more about emerging regulations and how to improve Risk Management & Compliance strategies.