The state of US privacy law
There’s been plenty of privacy news in the US so far this year.
President Biden’s State of the Union address named data privacy as one of the key tenets for the remainder of his term in office. The proposed American Data Privacy and Protection Act (ADPPA) received bipartisan support when it was introduced to the House of Representatives in June 2022, but it faces challenges from states already committed to their own privacy legislation.
On January 1, 2023, the Virginia Consumer Data Protection Act (VCDPA) and California Privacy Rights Act (CPRA) came into force.
The Colorado Privacy Act and Connecticut Act Concerning Data Privacy and Online Monitoring are due to come into force from July 1, 2023.
In 2023 alone, 16 other states have proposed their own privacy laws. January saw proposals from Hawaii, Indiana, Massachusetts, New Hampshire, New York, Vermont and Washington. In February, new legislation was proposed in Maryland, Minnesota and Texas, along with two further proposals from New York.
Iowa’s new privacy law was passed unanimously by both Senate and House. The law will take effect from January 1, 2025. The Iowa law follows a similar model to that of California, Colorado and Virginia in both the protections it offers and the exceptions it supports.
As with other states’ laws, Iowa’s new law identifies data “controllers” (entities that “determine the purpose and means of processing personal data”) and data “processors” (entities that process that data on behalf of controllers). It provides data rights to consumers, including the right to confirm whether processing of personal data will occur. Consumers are also granted rights to get a copy of their data, request its deletion and opt out of the sale of their data.
Many of these bills seek to provide consumer protection where gaps exist in federal and state law. With an increasingly patchwork set of rules and regulations across the US, it remains to be seen whether federal legislation will simplify or further complicate the compliance landscape for US organizations.
For US organizations, as well as international businesses operating in the US, the challenge of keeping up with privacy legislation can’t be overstated. However, there are steps they can take to comply with the common principles across most state, federal and international privacy legislation today.
This starts with understanding the data they hold and where it resides and evaluating the security of those locations. They can simplify the data environment by determining the data that delivers value and disposing of information that’s redundant or obsolete. Finally, performing a periodic data inventory exercise ensures they’re able to identify and address any unexpected data stores.
Learn more in our free white paper, “Do You Know Where Your PII Data Is?”