Over the years, states in the U.S. have rapidly passed legislation governing consumers and how businesses handle their data. Beyond their legal requirements, these laws also impose technical requirements that companies must fulfill to comply with the law. Both California and New York have been influential in the U.S. by passing stringent laws on data privacy and data protection.

With these new laws comes confusion about how businesses can meet their legal mandates and still do business. This article discusses actions that companies can take to be better prepared to comply with these legal mandates and the technical requirements related to consumer data handling, including managing consumers' right to transparency, aligning privacy policies with actions, and using reasonable safeguards to protect data.

The Customer’s Right to Data Transparency

Most data privacy and data protection laws, including the CCPA, the CPRA, and the NY SHIELD Act, call for transparency with consumers about how their data is being managed and protected. Businesses must be able to disclose to consumers:

  • Which types of data they are collecting about consumers
  • How they are using the data that they collect about consumers, and
  • The specific data that they have collected about a particular consumer, in the event that the consumer submits a data subject access request (DSAR) asking the business to disclose, amend, or delete their personal information

It is also essential for businesses to have a plan to respond quickly to these consumer requests because many of the DSARs are time sensitive. For example, under the CCPA, businesses have 30 days to respond to a consumer’s initial DSAR. As a result, companies need to proactively find ways to manage their data so they can respond to these requests promptly.

The Business Alignment of Data Policies and Actions

It is essential that companies align their business actions with their data privacy policies to protect their customers' personal information. In 2020, we saw many class-action lawsuits filed under the CCPA alleging that companies made false claims or statements about how they handled consumer data. If true, those allegations indicate a misalignment between those companies' actual business practices and their privacy policies. The CCPA requires that companies whose customers include California residents update their privacy policy every 12 months. However, whenever a company releases a new product or implements a new technology that changes the way it handles consumer data, it should update the policy at that time as well.

Reasonable Safeguards

Under the New York SHIELD Act, reasonable safeguards means having physical, technical, and administrative controls in place to protect consumer data. Reasonable safeguards also include making sure that a company's data security posture matches its activities, both in the scope of the data it collects and in the consumer data rights it must honor. Notably, the New York SHIELD Act applies to almost every business with a New York resident as a customer, regardless of business size, with few exceptions. As a result, companies of all sizes need to be prepared to examine their cybersecurity posture and create a plan for managing consumer data.

We will continue to see other U.S. states pass data privacy and data protection laws that will likely borrow from the CCPA, the CPRA, and the NY SHIELD Act. It is important to implement the procedures and technology needed to comply with these regulations proactively, before you start to receive DSARs or experience a breach of customer data, because these regulations are already being enforced with shortened response deadlines. In addition, a lack of visibility into your data increases the risk of a data incident, since it is impossible to protect data if you do not know what you have and where it is stored. Waiting will only further expose your organization to greater liability in the event of a data breach. Technology that automates the data classification process can significantly reduce your company's data risks and costs.