States Introduce New Privacy Laws… With Different Ways That They Are Applied

From the start of the new year, we’ve seen the introduction of new privacy laws in California and Virginia. The new legislation in California brings changes to the existing 2018 California Consumer Privacy Act, and Virginia is currently the only other state to also bring in new privacy laws. But they won’t be the last. Connecticut’s and Utah’s privacy laws both come into effect later this year, with Colorado following in 2024. Thus it seems that the ball is starting to roll when it comes to ensuring that privacy is the default in the US, though there appears to be a lot of variance in how these laws are applied.

Wade Barisoff, Director of Product, Data Protection, at cybersecurity software and services provider Fortra had this comment:

“As new states contemplate their own flavors of data privacy legislation, the only consistency will be the fact that each new law is different. We are already seeing this now; for example, in California, residents can sue companies for data violations, whereas in others it’s their attorney general’s offices that can impose the fines. In Utah, standards apply to fewer businesses compared to other states. As each state seeks to highlight how much they value their citizens’ rights over the next, we’ll see an element of (for example), ‘What’s good for California isn’t good enough for Kansas’ creep in, and this developing complexity will have a significant impact on organizations operating across the country. 

Before GDPR there were (and still are) many different country laws for data privacy. GDPR was significant, not because it was a unifying act that enshrined the rights of people and their digital identities to govern how their data could be handled, but it was the first legislation with real teeth. Fines for non-compliance were enough to force companies into action. 

So far, five states have (or will have) individual laws, but there are 45 more yet to come. The amount of money and time companies will spend enacting the proper controls for these individual privacy laws fuels the argument for a more unified national approach to data privacy standards, as the penalties for non-compliance are significant. Also, as states begin to increase the demands on business, usually without fully understanding the technology landscape and how businesses work with shared and cloud-based technologies, there’s a potential that companies will be forced to make the decision not to conduct business in certain areas. A national approach would allow businesses to tackle data privacy once, but as it stands, with the federated states model, doing business within the U.S. is likely to get more complicated and expensive.”

Hopefully, there will be a move to have a consistent standard for privacy laws across the US, as that benefits consumers and companies. Though I fear that such a move is years away, which is bad for both parties.
