The U.S. state of Colorado has joined California, Virginia, the European Union, and Brazil in passing data privacy legislation. These laws give users greater control over their data and empower them to hold organizations that violate the rules responsible.
The Colorado Privacy Act (CPA), scheduled to go into effect on 1 July 2023, “provides consumers the right to access, correct, and delete personal data,” as well as the right to “opt out not only of the sale of personal data but also of the collection and use of personal data.” It also imposes “an affirmative obligation upon companies to safeguard personal data” and to “provide clear, understandable, and transparent information to consumers about how their personal data are used.” Additionally, it requires “data protection assessments in the collection and use of personal data.”
A cyber security law recently passed in the U.S. state of Connecticut, titled “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” takes a different approach to personal data protection. Whereas data privacy laws impose potential penalties on organizations that violate rules, the Connecticut law aims to encourage organizations to develop standards that safeguard users’ personal data in the case of a breach, such as a cyber attack. The law, planned to take effect in October 2021, protects organizations from potential legal liability if they have taken steps to protect users’ personal data with standards “that reasonably conforms to an industry-recognized cybersecurity framework.”
California Data Privacy Laws Take Aim at “Dark Patterns”
In March 2021, California amended its Consumer Privacy Act (CCPA), originally passed in 2018, to ban the use of “dark patterns,” which are user interfaces that subvert or impair user autonomy, decision-making, or choice. Dark patterns often involve maze-like interfaces that make it difficult for users to opt out of a service, such as a subscription, or that require them to submit personal data in order to do so.
As part of the new requirements outlined in the CCPA, organizations cannot require users to submit personal data in order to opt out of a service unless it is necessary to process the request. Organizations also cannot require users to search through dense text, such as privacy policies, in order to opt out of third-party data sharing.
The California Privacy Rights Act (CPRA) is a separate law passed in November 2019 that revises and expands on the CCPA. Among these revisions, the CPRA requires organizations to respond to consumers requesting to know the personal information collected from them at any time after 1 January 2022 (whereas the CCPA had capped the timeline at twelve months before the request). The CPRA goes even further than the CCPA in protecting users from dark patterns, stating that agreement obtained through such methods “does not constitute consent.” The CPRA is slated to go into effect on 1 January 2023.
What Do Evolving Data Privacy Laws Have In Common?
The expanding patchwork of data privacy laws across the globe may seem confusing, but they share some basic principles. In particular, the laws in Europe, California, and Colorado have something in common. According to Kate Barecchia, Global Data Privacy Officer and Deputy General Counsel at the cyber security company Imperva, “they all require an organization to be able to produce records to an individual upon request within a relatively short time frame.”
“They also require organizations to take action on an individual’s request to be forgotten – in other words, they all require an organization to delete an individual’s personal data if requested,” writes Barecchia in Security Magazine. “If the organization doesn’t know what data they have or where it lives, they can’t action those requests. A failure to action an individual’s requests can lead to high fines and reputational damage.”
According to Barecchia, there are two major steps organizations can take to ensure they are compliant with these laws. The first is building “established, accurate data maps” (a taxonomy of the user data collected on a website or application). The second is developing an understanding of user permissions and “applying appropriate role-based access controls,” which help organizations effectively mitigate risk.
There currently is no comprehensive federal data privacy law in the U.S., and a majority of states still lack such legislation. However, many organizations will need to start rethinking their data policies if they want to continue doing business in jurisdictions with these laws. The good news? There are plenty of ways to get started. As we discussed in a previous post, this includes ensuring your organization is in compliance with all applicable industry regulations concerning data privacy, proactively communicating with your users when situations affecting their data arise (such as data breaches), and giving users greater control over their data.
Data Privacy Training for Your Organization
IEEE has recently launched the IEEE | IAPP Data Privacy Engineering Collection, a comprehensive collection of training and resources for engineers and technology professionals tasked with understanding, maintaining, and protecting data privacy. The Collection brings together the IAPP Certified Information Privacy Technologist (CIPT) training and credential with educational resources and standards from IEEE.
The IEEE | IAPP Data Privacy Engineering Collection trains engineers and technology professionals to ensure that an organization’s products and operations meet privacy goals and mitigate risks. The program delivers practical knowledge and insights to address the challenges companies face now and in the future.
The IEEE | IAPP Data Privacy Engineering Collection includes:
- 7 online learning courses based on the IAPP Certified Information Privacy Technologist (CIPT) training and certification body of knowledge, including the option of the CIPT certification exam
- 15 online learning courses from IEEE on related AI, Data Privacy and Data Protection topics which offer CEUs/PDHs for successful completion
- 25 draft IEEE Standards critical to interoperability in data privacy
References
Barecchia, Kate. (19 July 2021). Managing data-privacy risk in today’s global environment. Security Magazine.
Husch Blackwell. (8 July 2021). Colorado Privacy Act Signed Into Law. JD Supra.
Merkel, Jeremy. (2 July 2021). Dark Patterns Come to Light in California Data Privacy Laws. National Law Review.
Larose, Cynthia J. (28 June 2021). Changes in Connecticut’s Data Privacy Laws – But Not As Drastic As It Could Have Been. National Law Review.
(13 November 2020). New California Privacy Rights Act to Effectively Replace the California Consumer Privacy Act. JD Supra.