Via Forbes
Data privacy laws in the U.S. have become a complex patchwork of local, state and national regulations. At the beginning of 2023, five states’ privacy laws were set to go into effect, and another eight states had passed privacy laws that take effect between 2023 and 2026, according to Reuters. But who’s counting?
While each state law is slightly different, there are many overarching patterns. To prepare your business, here is a list of key trends I’ve observed in 2023 and what I believe they mean for the future.
1. Data Protection Impact Assessments
Many states explicitly require businesses to perform data protection impact assessments (“DPIAs,” or simply “DPAs” in some statutes) when a new project is likely to involve a high risk of harm to the individuals whose data is processed. For example, Colorado requires DPAs for some targeted advertising, sales of personal data and processing of sensitive data.
2. Exercising Care With Sensitive Data
Not all data is created equal. Data that falls into the “sensitive” category requires special handling under privacy laws—and the map is expanding. Multiple states, including Oregon, Texas, Montana, Delaware and Connecticut, have enacted rules on the processing of sensitive data. Washington state also passed the Washington My Health My Data Act.
I suggest reviewing your company’s consent processes to ensure consent:
• Is obtained through a consumer’s clear, affirmative act.
• Is freely given, informed and specific.
• Reflects the consumer’s unambiguous agreement.
3. Special Provisions For Minors
Some states have also implemented privacy legislation that protects the data of minors by setting restrictions on the processing of the personal data of a child without parental consent.
As a best practice, businesses should ensure their privacy practices and policies:
• Identify what personal data and sensitive personal data about minors is collected, shared or sold.
• Obtain the appropriate consent before collecting, sharing or selling personal data.
• Establish heightened security measures for sensitive personal data about minors.
• Apply an age-appropriate privacy notice with language children can understand.
4. Avoiding Dark Patterns In Design
“Dark patterns” is an ominous term for a questionable practice—and one that’s increasingly flagged by privacy regulations. The term refers to a user interface designed or manipulated in a way that subverts or impairs user autonomy, decision-making or choice.
Common dark patterns include:
• Pre-ticked boxes.
• Misleading buttons.
• Small fonts.
• Broken links.
• No “reject” option.
• Deceptive button colors and contrasts.
• Burying key terms.
• Tricking consumers into sharing data.
The California Consumer Privacy Act and California Privacy Rights Act, as well as the Colorado Privacy Act, are among those that include provisions surrounding dark patterns, and I believe more states are likely to follow.
To practice proactive privacy, review your user interfaces—buttons, toggle elements, sign-up forms or unsubscribe functions—to identify and eliminate dark patterns. Consider engaging an independent party to conduct user testing to identify dark patterns, particularly in consent processes.
5. Scrutiny Of Third-Party Vendor Contracts
Have you ever gotten in trouble because your sibling was caught with their hand in the cookie jar? So it also goes in privacy. Even if a business has solid privacy practices, it can be held liable for the actions of vendors.
To help protect your business in 2024:
• Review vendor contracts to ensure they include appropriate data privacy and protection language.
• Implement procedures to identify, manage and mitigate information security and privacy risks.
• Understand how vendors use personal information, and familiarize yourself with requirements surrounding data processing agreements.
• Confirm vendors can support your obligation to respond to individual rights requests.
• Conduct information security and privacy assessments to confirm third parties are compliant with applicable data privacy laws.
6. Cookie Banners, ‘Do Not Sell’ Links And Universal Opt-Out
New state laws require controllers to let consumers opt out of targeted advertising and the sale of their personal data. Notably, some states also mandate recognition of a “universal opt-out mechanism,” a browser or device setting that signals the opt-out to every site the consumer visits, so that the consumer does not have to click through each site’s banner.
I recommend businesses:
• Perform a cookie audit: review the cookie banners on your website to confirm that they provide the requisite notices, let users opt out (or opt in), and that every cookie is properly categorized.
• Prepare to accept universal opt-outs.
• Include a “do not sell or share my personal information” or “your privacy choices” link and icon in your website’s footer.
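As an added example (not code from the article), the Node.js snippet below shows one way to implement the cookie audit and the universal opt-out recommendations together. It treats the Global Privacy Control signal, which browsers send as the request header `Sec-GPC: 1` and which California and Colorado regulators recognize as a universal opt-out mechanism, as overriding any earlier banner consent for advertising cookies, and it flags cookies missing from a categorized inventory during an audit. The cookie names, the inventory, and the `privacy_consent` cookie format are assumptions made for illustration.

```javascript
// Added example, not from the article: honoring a universal opt-out signal
// (Global Privacy Control, sent as "Sec-GPC: 1") and running a simple cookie
// audit on the server side in Node.js. The consent cookie format below is a
// hypothetical one: "privacy_consent" holds the banner categories the user
// granted, separated by dots, e.g. "analytics.advertising".

const GPC_HEADER = 'sec-gpc';            // Node lowercases incoming header names
const CONSENT_COOKIE = 'privacy_consent';
const ALWAYS_ALLOWED = 'strictly_necessary';

// Constructed cookie inventory for the audit: every cookie the site sets,
// mapped to its banner category. Names are hypothetical.
const COOKIE_INVENTORY = {
  session_id: 'strictly_necessary',
  csrf_token: 'strictly_necessary',
  privacy_consent: 'strictly_necessary',
  _ga: 'analytics',
  ad_id: 'advertising',
  fbp: 'advertising',
};

// Parse a Cookie request header ("a=1; b=2") into a name -> value object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(value); } catch { out[name] = value; }
  }
  return out;
}

// True when the browser is sending the universal opt-out signal.
function hasGpcSignal(headers) {
  return headers[GPC_HEADER] === '1';
}

// Categories the user granted through the banner, read from the consent cookie.
function grantedCategories(cookies) {
  const raw = cookies[CONSENT_COOKIE];
  return new Set(raw ? raw.split('.').filter(Boolean) : []);
}

// Which cookie categories this response may set. Strictly necessary cookies
// need no consent; analytics needs banner consent; advertising (targeted ads,
// sale or sharing) needs banner consent AND no universal opt-out signal,
// because the signal overrides an earlier banner choice.
function allowedCategories(headers, cookieHeader) {
  const granted = grantedCategories(parseCookieHeader(cookieHeader));
  const allowed = new Set([ALWAYS_ALLOWED]);
  if (granted.has('analytics')) allowed.add('analytics');
  if (granted.has('advertising') && !hasGpcSignal(headers)) allowed.add('advertising');
  return allowed;
}

// Cookies present on the request whose category is not (or no longer)
// permitted; the response should expire each of them.
function cookiesToClear(headers, cookieHeader) {
  const allowed = allowedCategories(headers, cookieHeader);
  return Object.keys(parseCookieHeader(cookieHeader))
    .filter((name) => name in COOKIE_INVENTORY && !allowed.has(COOKIE_INVENTORY[name]))
    .sort();
}

// Set-Cookie header value that expires a cookie set on Path=/.
function expireCookieHeader(name) {
  return `${name}=; Max-Age=0; Path=/`;
}

// Cookie audit: cookies observed on a request but missing from the inventory
// are uncategorized and must be classified before the banner can be correct.
function auditCookies(cookieHeader) {
  const byCategory = {};
  const uncategorized = [];
  for (const name of Object.keys(parseCookieHeader(cookieHeader))) {
    const cat = COOKIE_INVENTORY[name];
    if (!cat) { uncategorized.push(name); continue; }
    (byCategory[cat] = byCategory[cat] || []).push(name);
  }
  return { byCategory, uncategorized: uncategorized.sort() };
}

// Body served at /.well-known/gpc.json to state that the site honors GPC.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Demo on a constructed request: the banner consent covered advertising, but
// the browser now sends Sec-GPC: 1, so the advertising cookie is cleared.
const demoHeaders = { 'sec-gpc': '1', host: 'shop.example' };
const demoCookies = 'session_id=abc; privacy_consent=analytics.advertising; _ga=GA1.1; ad_id=xyz; mystery=1';
console.log([...allowedCategories(demoHeaders, demoCookies)]);  // ['strictly_necessary', 'analytics']
console.log(cookiesToClear(demoHeaders, demoCookies).map(expireCookieHeader)); // ['ad_id=; Max-Age=0; Path=/']
console.log(auditCookies(demoCookies).uncategorized);           // ['mystery']
```

The ordering matters: the opt-out signal is evaluated on every request, not only when the banner is shown, so a user who accepted advertising cookies last month and has since turned on the browser signal is opted out on the next page load. Which signals count as a recognized universal opt-out mechanism is set by each state, so check the list your regulator publishes before relying on a single header.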
7. Planning For Sustainable Compliance
Don’t let your efforts to establish privacy compliance get buried. Even though more state laws pass each year, businesses can build a durable data privacy governance model with a few best practices like these:
• Align privacy with your organization’s strategy.
• Meet regularly with different departments (marketing, product, operations, finance, HR, etc.) so privacy practices are integrated as a core part of your business.
• Establish and maintain a privacy framework that aligns with privacy principles.
• Implement a risk-based approach, and focus on the high-risk critical business processes and systems first.
• Have a dedicated resource (internal or external) focused on privacy.
• Be consistent in your privacy tasks. Regularly perform cookie audits, and update your privacy notice at least annually, if not more often.
Privacy practices are here to stay. Is your business ready?
Gartner has predicted that by the end of 2024, 75% of the world’s population will have their personal data protected by modern privacy laws. You can stay ahead of the game by keeping your team informed and by running privacy risk assessments consistently.