Extract from Melissa Paulk’s article “Compliance in Chaos: How Companies Can Achieve Privacy Compliance in a Complex and Uncertain Regulatory Landscape”
State legislation continues to evolve at a rapid pace. The U.S. currently has 20 states with comprehensive data privacy laws in effect, and several more states have introduced bills that are moving through their respective legislatures. As companies scramble to maintain compliance, state enforcement authorities are ramping up inquiries and enforcement actions. Additionally, some states have eliminated mandatory cure periods, potentially denying companies the opportunity to remediate violations before facing fines and penalties. Even when the company is not subject to fines or penalties, investigations and notices of noncompliance often result in operational disruption. As the regulatory landscape expands, the financial risk exposure of a business increases exponentially.
Despite the steady addition of new state laws, companies were once able to achieve full compliance by meeting the requirements of the most complex U.S. state legislation: historically, California’s privacy law(s). Between state laws focusing on specific issues like biometrics, health data, children’s privacy, data brokers, and artificial intelligence, and new laws introducing entirely new compliance obligations and unique revenue and number-of-records thresholds, the U.S. privacy compliance landscape has grown complex and difficult to navigate. Each state’s approach to enforcement also differs. Most state laws do not permit a private right of action but reserve enforcement authority for officials such as attorneys general, district attorneys, and government agencies. Several states, however, have included private rights of action in newly introduced legislation. The nuances between state laws and the possible inclusion of more private rights of action broaden the business, legal, and financial risk for companies handling personal data.
Compliance with the long-lamented patchwork of state privacy laws is becoming increasingly unmanageable for companies with multistate operations. Below are some practical strategies organizations can use to build a compliance program foundation that can withstand the regulatory upheaval: