Steps for complying with 2025 state data privacy laws
Data protection
On March 29, 2023, Iowa became the sixth state to enact comprehensive consumer privacy legislation. It joins California, Colorado, Connecticut, Utah, and Virginia in increasing consumers’ protections and control over personal data and regulating businesses’ use of it.
States are expected to enact similar laws until Congress passes federal privacy legislation. The growing regulatory patchwork puts pressure on companies to monitor multiple states’ laws and maintain compliance policies and procedures that work across their geographic footprint.
Every business collects personal information in some way, shape or form. However, consumers have become increasingly uneasy with who sees their personal information. Recent studies by Pew Research Center, Cisco, McKinsey & Company, and KPMG show that most Americans feel they have little or no control over the data collected on them and who can access it, and they support a national privacy law.
Meanwhile, states have responded by passing their own laws to protect consumer rights that allow residents to access their personal data; correct inaccuracies in their personal data; delete their personal data; obtain a copy of their personal data in a portable format; and/or opt out of the sale of personal data, profiling and targeted advertising.
In 2023, five of the six state privacy laws become enforceable:
Although state privacy laws share similarities, differences in applicability, exemptions and enforcement create compliance challenges for companies. Organizations subject to these laws will need to formulate a plan for compliance that accounts for the nuances of each law.
For example, under CO, CT and VA state laws, organizations must perform and document a data protection assessment (DPA) prior to selling personal data, engaging in targeted advertising or profiling, in order to weigh the benefits of processing sensitive data against the potential risks to individuals. They must also obtain consumer consent to process sensitive information, such as health data, genetic or biometric data, children’s data and information that would reveal an individual’s race, ethnicity, sexual orientation, sex life or citizenship status.
California, on the other hand, requires two types of assessments under the CPRA’s amendments to the CCPA: one for processing data and another for cybersecurity.
UT and IA do not require organizations to perform a DPA. However, both states require companies to notify consumers before processing sensitive information and provide them with an opportunity to opt out.
To avoid costly penalties, fines and reputation damage, organizations should take steps to comply with state privacy laws, including:
In the absence of national privacy legislation, states will continue to enact their own laws. Organizations will need to adopt a universal approach to privacy compliance to navigate a complicated web of state laws governing the collection, use and sharing of personal information.