{"id":2660,"date":"2022-05-11T15:35:00","date_gmt":"2022-05-11T21:35:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&p=2660"},"modified":"2024-12-05T09:55:15","modified_gmt":"2024-12-05T15:55:15","slug":"simplifying-us-privacy-landscape","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/simplifying-us-privacy-landscape\/","title":{"rendered":"Simplifying the Complex US Privacy Landscape"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tArticles<\/strong>\n\t\t\t\t\t\t\t\t\t\t

Simplifying the Complex US Privacy Landscape<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

What\u2019s the current state of the US privacy landscape?<\/h2>\n

In the last 4 years, the US privacy landscape shifts every time a new state law regulating consumers\u2019 privacy gets enacted.<\/p>\n

During this period, the US went from the first privacy law focused on consumer rights, the\u00a0California Consumer Privacy Act<\/i>\u00a0(CCPA), to 5 new consumer privacy state laws (California<\/a>,\u00a0Virginia<\/a>,\u00a0Colorado<\/a>,\u00a0Utah<\/a>, and\u00a0Connecticut<\/a>).<\/p>\n

If consumer privacy laws follow the trend seen in the data breach notification or the insurance data security spaces, more states will jump on this bandwagon.<\/p>\n

Complying with these privacy laws \u2013 especially when needing to comply with several \u2013 takes incredible resources and effort.<\/p>\n

But if you look at the big picture, there are common grounds and opportunities between these state laws.<\/strong><\/p>\n

Ideally, there would be a single federal law. Yet the lack of a federal privacy law results in some states with unique requirements.<\/p>\n

Despite their differences, the core principles are the same. That\u2019s where your focus needs to be to develop an efficient compliance strategy.<\/p>\n

Prioritize your efforts and address the most relevant nuances of the US privacy landscape in the following core areas.<\/p>\n

Individual rights<\/h2>\n

Mostly all the current state privacy laws have regulated the right to access, deletion, correction, portability, and opt-out, minus Utah, which did not include the right of correction within their law.<\/p>\n

The CCPA modified by CPRA includes two additional rights, the right to know and the right to limit the use and disclosure of personal data.<\/p>\n

While the state laws have a general deadline of 45 days for responding to individual requests, opt-out requests, may need to be dealt with within 15 days in California and Connecticut.<\/p>\n

Opt-out requests may include from sales of data or targeted advertising, may need to be dealt with within 15 days in California\u00a0and Connecticut.<\/p>\n

General obligations<\/h2>\n

Obligations such as information security, having agreements with processors, privacy notice requirements, purpose limitations, DPIA, and requirements around data minimization and processing sensitive data and\u00a0data from children<\/a>, are present in most of the current state laws.<\/p>\n

Additionally, the CCPA has a record keeping obligation that is unique to this jurisdiction (at least 24 months) and shares the obligation to implement opt-out mechanisms (do-not-sell link or opt-out preference signal) with Colorado\u00a0and Connecticut.<\/p>\n

State privacy law enforcement<\/h2>\n

The State Attorneys General are the government agencies in charge of enforcing the current consumer privacy laws, except for Colorado, where district attorneys have enforcement powers.<\/p>\n

There is no private right of action in most of the laws, besides\u00a0the CCPA, which includes a private right of action<\/a>\u00a0for matters related to security breaches.<\/p>\n

Additionally, all the current state laws have included a period to allow a business to cure any alleged violation before the AG initiates any enforcement actions.<\/p>\n

Colorado and Connecticut established a temporary\u00a0cure period of 60 days while Virginia and Utah established a permanent 30-day period.<\/p>\n

California is the only State that established a cure period exclusively for violations related to security breaches where individuals must provide businesses with 30 days to cure any violation before initiating actions to pursue statutory damages.<\/p>\n\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t

This summary provides general information about applicable laws and does not constitute legal advice regarding specific facts or circumstances.<\/i><\/p>\n

 <\/p>\n

\n
    \n
  1. CCPA Regs. \u00a7999.315(f)<\/li>\n
  2. Public Act No. 22-15 \u2013 Connecticut Act Concerning Personal Data and Online Monitoring \u2013 S.6(a)(6)<\/li>\n
  3. The California Attorney General must issue implementing regulations on risk assessments with respect to processing of personal information by July 1st, 2022 \u2013 see \u2013 S.21(15)(b).<\/li>\n
  4. Cal. Code Regs. Tit. 11, \u00a7 999.317<\/li>\n
  5. The Colorado Attorney General will adopt rules regarding a universal opt-out mechanism by July 1st, 2023.<\/li>\n
  6. Colorado\u2019s cure period will be in force until January 1st, 2025 (See Colo. Rev. Stat. \u00a7 6-1-1311(d)) and Connecticut will be mandatory until December 31, 2024. From January 1st, 2025, the AG may provide business with a cure period taking into considerations established in the law (See Public Act No. 22-15\u00a711).<\/li>\n<\/ol>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\tFollow us<\/strong>\n\t\t\t\t\t
    \n\t\t\t\t\t\t\"\"<\/a>\n\t\t\t\t\t\t\"\"<\/a>\n\t\t\t\t\t\t\"\"<\/a>\n\t\t\t\t\t\tLink Copied!<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t
    \n\t\t\t\t\t\tKey Topics<\/strong>\n\t\t\t\t\t\t