Comprehensive consumer privacy laws are rapidly proliferating at the state level, producing a patchwork of differing standards across the United States. Fifteen states now have broad consumer privacy statutes, with several more set to enact laws soon. States are also passing sectoral laws addressing children's data, geolocation, biometrics, and data brokers, creating additional variability. Tennessee's law mandates a written privacy program reasonably conforming to the NIST privacy framework. Minnesota's law requires a designated chief privacy officer or similar official and affirmative consumer notices for material changes to privacy practices. Companies that updated policies last year may already be noncompliant.
However, as the realm of privacy law advances, compliance is becoming more complicated. Remember when you could update your privacy disclosures and be in good shape for a few years? Well, those days are long gone. New privacy laws are being enacted on the state level at breakneck speed, and lawmakers keep moving the goalposts. As a result, even if you updated your privacy policy and other aspects of your compliance program last year, it may already be outdated.
Fifty states, fifty standards In July alone, new comprehensive, wide-ranging consumer privacy laws in Tennessee and Minnesota took effect. This brings the number of states with comprehensive consumer privacy laws to 15. Four more states - Maryland, Rhode Island, Kentucky and Indiana - plan to enter the fray by next January. Other states have enacted dozens of laws focused on children's data, geolocation data, biometrics, data brokers and more. As can be expected, these laws do not mirror one another, so the disconnects continue to grow.
The Tennessee Information Protection Act requires companies to maintain and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework. Meanwhile, the Minnesota Consumer Data Privacy Act requires controllers to name a chief privacy officer or other individual (such as a data protection officer) with primary responsibility for directing policies and procedures implemented to comply with the law.
Collection
[
|
...
]