Companies can face serious financial, legal, and reputational penalties for failing to comply with data privacy regulations. Data breaches involving private personal information may result in large fines imposed by regulatory entities such as the Office for Civil Rights (OCR), which enforces HIPAA. Businesses may also be forced to address lawsuits initiated by individuals whose personal information has been compromised.

While the U.S. has protected healthcare and financial data through HIPAA and PCI DSS, the country has lagged behind the European Union (EU) in protecting individuals’ private data. The EU’s General Data Protection Regulation (GDPR) is a comprehensive data privacy and security law. It mandates stringent rules regarding how companies can use personal data and provides individuals with rights to control access to and erasure of their information. U.S. companies with EU customers must comply with the GDPR.

Data privacy regulations are rapidly evolving in the U.S., and businesses must prepare for these changes or risk non-compliance violations. Unfortunately, the changes are not as straightforward as complying with a nationwide equivalent to the GDPR. Let’s look at how companies can keep up with new data privacy regulations in the U.S.

How Are Data Privacy Regulations Evolving in the U.S.?

The realities of U.S. national politics have, so far, made it impossible to implement overarching data privacy regulations. The lack of a national policy has opened the door for states to develop localized privacy laws. Privacy regulations in the U.S. are generally evolving in several fundamental ways.

Fragmentation

States are implementing data privacy laws to protect their residents. California led the way with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These laws provide California residents with substantial control over their personal data, including the right to know how data is being used and shared.

Other states are following suit, with many now implementing comprehensive privacy laws. This fragmentation results in a state-driven regulatory landscape with overlapping regulations. Companies must navigate a challenging and complex patchwork of privacy laws to maintain compliance.

Focus on consumer rights

Despite the lack of federal guidelines, most state laws are converging around core consumer rights, such as an individual’s right to:

  • Access personal data;
  • Delete personal data;
  • Correct inaccuracies;
  • Opt out of the sale and sharing of their personal data.

This convergence is creating a de facto nationwide standard for privacy regulations.

Enforcement emphasis

States are ramping up enforcement actions to penalize non-compliant entities. Regulators are holding violators accountable for issues such as failing to honor opt-outs, misleading consent agreements, and unethical data broker practices. Legislators are emphasizing enforcement of privacy laws rather than merely documenting and codifying them.

Expanded scope

Digital transformation is affecting more aspects of everyday life and how private information is collected and used. New laws are expanding protection for health, location, financial, and biometric data. They are also increasingly focusing on protecting children’s and teens’ data.

Artificial intelligence (AI) and automated decision-making are also affecting the evolution of privacy regulations. New laws and amendments are addressing AI-driven data use, profiling, and algorithmic decision-making. Regulators are striving to enact legislation that provides transparency and fairness in the use of personal data.

What Steps Should Organizations Take to Protect Sensitive Data?

Organizations must take the appropriate measures to address evolving U.S. data privacy regulations. Several steps are essential to protecting a business from the risks of non-compliance and the associated penalties.

Understand the Dynamic Regulatory Landscape

Company decision-makers must understand the fragmented and expanding data privacy regulatory ecosystem. While state-mandated privacy laws may have a similar focus, they may be executed and enforced differently, adding layers of complexity to compliance efforts. Teams must prepare for tightened regulations regarding biometric, location, and other types of personal information. Companies will need to implement stricter data-handling policies and security controls to comply with privacy laws. Workflows may need to incorporate explicit opt-in consent to data sharing rather than relying on opt-out options.

Inventory All Data Resources

Businesses must inventory all data resources to understand where sensitive, personal data is stored and processed. Companies must identify the personal data they collect and track where it is stored, how it is used, and who can share it. Comprehensive data mapping is a core control for compliance.

Build a Unified Data Privacy Baseline

Teams cannot address all state-level privacy laws individually. It quickly becomes impractical to maintain separate processes for each state’s regulations. Companies that attempt this strategy risk operational inefficiencies and ongoing workflow modifications to comply with new laws.

A better approach is to build a unified data privacy baseline aligned with strict state laws such as California’s CCPA and CPRA. The compliance program should be designed to meet the strictest state requirements, such as opting out of data sharing, disclosing data usage, and providing individuals with access and deletion capabilities. Businesses may need to implement state-specific adjustments in addition to their baselines to comply with local regulations.

Design Systems to Support Privacy Rules

Companies should build systems that incorporate foundational elements of data privacy. These elements include:

  • Data minimization that only collects the data you need;
  • Purpose limitation that eliminates arbitrary data reuse;
  • Retention controls that automatically delete data when it is not needed.

Design decisions can be essential in audits to demonstrate evidence of compliance activities.
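The three design elements above (data minimization, purpose limitation, and retention controls) can be enforced in code rather than left to policy. The following is an added illustration, not code from the original article or from VAST: a small in-memory record store where a declared schema fixes which fields may be held, for which purposes, and for how long. The schema, the field names, the subject id `user-42`, and the submitted values are all constructed for the example; the store also writes an audit trail, since design decisions are only useful in an audit if they leave evidence.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any

# Hypothetical schema (constructed): the only fields this service may hold,
# the purposes each was collected for, and how long it may be retained.
SCHEMA = {
    "email":      {"purposes": {"account", "billing"}, "retention_days": 365},
    "zip_code":   {"purposes": {"billing"},            "retention_days": 90},
    "birth_date": {"purposes": {"age_verification"},   "retention_days": 30},
}


class PurposeViolation(Exception):
    """Raised when data is read for a purpose it was not collected for."""


@dataclass
class StoredField:
    value: Any
    purposes: set
    expires_at: datetime
    collected_for: str  # provenance so an audit can see why the value is held


@dataclass
class PrivacyStore:
    records: dict = field(default_factory=dict)   # subject_id -> {field: StoredField}
    audit_log: list = field(default_factory=list)

    def collect(self, subject_id: str, submitted: dict, purpose: str, now: datetime) -> list:
        """Data minimization: keep only schema fields whose declared purposes
        include `purpose`. Returns the names of the fields that were dropped."""
        dropped = []
        kept = self.records.setdefault(subject_id, {})
        for name, value in submitted.items():
            spec = SCHEMA.get(name)
            if spec is None or purpose not in spec["purposes"]:
                dropped.append(name)  # not needed for this purpose: never stored
                continue
            kept[name] = StoredField(value, set(spec["purposes"]),
                                     now + timedelta(days=spec["retention_days"]), purpose)
        self.audit_log.append(("collect", subject_id, purpose, sorted(kept), sorted(dropped)))
        return dropped

    def access(self, subject_id: str, name: str, purpose: str, now: datetime) -> Any:
        """Purpose limitation: refuse reads for a purpose the field was not
        collected for; an expired field is treated as already gone."""
        entry = self.records.get(subject_id, {}).get(name)
        if entry is None or entry.expires_at <= now:
            raise KeyError(name)
        if purpose not in entry.purposes:
            self.audit_log.append(("denied", subject_id, name, purpose))
            raise PurposeViolation(f"{name} was not collected for purpose {purpose!r}")
        self.audit_log.append(("access", subject_id, name, purpose))
        return entry.value

    def purge_expired(self, now: datetime) -> int:
        """Retention control: delete every field whose retention period has
        elapsed. Returns the number of fields removed."""
        removed = 0
        for subject_id, fields in list(self.records.items()):
            for name in [n for n, f in fields.items() if f.expires_at <= now]:
                del fields[name]
                removed += 1
            if not fields:
                del self.records[subject_id]
        self.audit_log.append(("purge", now.isoformat(), removed))
        return removed

    def erase_subject(self, subject_id: str) -> int:
        """Right to deletion: drop everything held about one individual."""
        fields = self.records.pop(subject_id, {})
        self.audit_log.append(("erase", subject_id, len(fields)))
        return len(fields)


def demo() -> dict:
    """Walk one constructed subject through all three controls."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = PrivacyStore()
    # Constructed over-sharing submission: "phone" is outside the schema and
    # the birth date is not needed for billing, so neither may be stored.
    dropped = store.collect("user-42", {"email": "a@example.com", "zip_code": "94105",
                                        "birth_date": "1990-05-01", "phone": "555-0100"},
                            purpose="billing", now=t0)
    email = store.access("user-42", "email", "billing", t0)
    try:
        store.access("user-42", "zip_code", "marketing", t0)
        denied = False
    except PurposeViolation:
        denied = True
    purged = store.purge_expired(t0 + timedelta(days=100))  # zip_code expired at day 90
    return {"dropped": sorted(dropped), "email": email, "denied": denied,
            "purged": purged, "still_held": sorted(store.records["user-42"])}


if __name__ == "__main__":
    print(demo())
```

Because the schema is the single place that states which fields exist, for what purpose, and for how long, a reviewer can read it as the data inventory the earlier section asks for, and the audit log records each collection, denied read, and purge as evidence for an auditor.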

Let VAST Help You Maintain Compliance

VAST’s services and solutions can be instrumental in helping your company prepare for the evolving U.S. data privacy regulations. The following examples address different aspects of data privacy regulatory compliance.

  • Our Security Lifecycle Review provides a deep understanding of your environment and enables our experts to work with you to mitigate vulnerabilities that may impact regulated data.
  • We offer managed backup services that ensure all regulated data is protected and retained to meet compliance standards.
  • Our information governance services help you find the sweet spot between controlling data so tightly that it impacts operations and controlling it so loosely that it exposes personal data to compliance violations.

Call VAST today and learn how our expert teams can help you prepare for evolving U.S. data privacy regulations.