Many new data privacy laws are emerging. Businesses must continually prove privacy compliance. Review current data privacy laws and get advice on how to build a multi-compliance Security & Privacy program.
In today's data economy, businesses collect and use gigantic amounts of consumer data. Intentionally or not, personal data is used in surprising ways, such as targeting ads or adjusting interest rates. More companies are profiting from Personally Identifiable Information (PII), which often gets passed between countless third parties, each adding another opportunity for privacy compromise.
Many new consumer privacy laws have emerged over the last few years. Most states have consumer privacy legislation, with California, Colorado, Virginia, and New York having the most active and comprehensive laws thus far. Given the growing privacy concerns by voters and legislators, changes in state privacy laws will likely continue to evolve rapidly.
According to Matthew Corwin – Attorney and Privacy Consultant, "Businesses are often concerned with proving privacy compliance often as a contractual requirement."
Here is an overview of some of the more prevalent consumer data privacy regulations which may apply to your organization and, more importantly, advice on how to build a multi-compliance Security & Privacy program.
In the fall of 2020, ~55% of California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which expanded the California Consumer Privacy Act (CCPA). The complete law becomes operative January 1, 2023, with a couple of critical changes taking effect in 2022 for which covered organizations need to prepare. Notably, when CPRA goes into full effect on January 1, 2023, it will apply to all data collected as of January 1, 2022.
Effectively, the CPRA brings the CCPA up to par with GDPR and in some respects beyond it, for example with the consumers' private-right-of-action provision. To maintain compliance, organizations should conduct a privacy risk assessment considering new and existing requirements. Use the results to draft or update security controls, privacy policies, protocols, procedures, and training appropriately.
BIPA is interesting as one of the first laws defining protected biometric information. It limits how biometric data can be collected or used and requires consumer consent and use notices. It also enables consumers to sue for infractions.
Passed on March 2, 2021, VCDPA defines personal data similarly to the CPRA in California. According to experts, the law has somewhat broader exceptions for the uses of data from which consumers cannot opt out.
Similar to other states, VCDPA applies to companies that
In June 2020, Colorado passed ColoPA, which:
The attorney general or district attorneys may enforce it.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in a commercial activity.
Organizations covered by PIPEDA must generally obtain an individual's consent when collecting, using, or disclosing that individual's personal information. People have the right to access the personal data held by an organization. They also have the right to challenge its accuracy.
Organizations must use personal data only for stated purposes. If an organization is going to use it for another purpose, it must obtain consent again. Appropriate safeguards must protect personal information.
PIPEDA Compliance
Businesses must follow the 10 fair information principles for protecting personal information set out in Schedule 1 of PIPEDA.
The principles are:
The industry-specific HIPAA Privacy Rule applies to healthcare providers and their business associates. HIPAA addresses the use and disclosure of sensitive protected health information (PHI). The goal is to give healthcare consumers knowledge of and control over their sensitive data while still allowing the data flows necessary to support patient care.
The Department of Health and Human Services (HHS) enforces HIPAA.
What is HIPAA Certification?
Since 2003, covered entities must be compliant with HIPAA privacy rules. There is no HIPAA certification that an organization can achieve. The Office for Civil Rights (OCR) has resolved 98% of cases through corrective actions.
Covered organizations must perform annual audit reviews to show how policies and procedures meet the security and privacy requirements.
What is PII in healthcare?
The term Personally Identifiable Information (PII) used in other laws is replaced with Protected Health Information (PHI). While both acronyms are pronounced 'pie,' PHI is specific to HIPAA regulation across the healthcare continuum.
Personal Health Information:
Similar terms for Protected Personal Information - pronounced 'pie':
Is IP Address PII?
An IP address must be considered a Unique Personal Identifier when it can be used to uniquely identify a consumer.
Unique Personal Identifier
Persistent identifiers that can be linked to a consumer over time and across services:
What is not PII?
What is a Privacy Policy?
A privacy policy notice is a hard requirement in CPRA and other regulations. An online privacy policy is a legal statement describing what information is collected, why personal data is collected, how the organization uses the information, and where or with whom it will be shared, and it allows consumers to opt out of data sharing.
A privacy policy internal to an organization is part of the employee training regimen on the proper collection, use, and storage of sensitive company information and the protection of consumer information.
What is a Data Retention Policy?
A data retention policy describes how data should be stored and for how long. It details why an organization retains specific data and the established protocols for destroying data in order to meet business needs and contractual and legal obligations.
Most organizations do not have the internal bandwidth or expertise to develop and manage privacy operations independently. A good consultant can save time and streamline the process by tailoring the privacy scope to fit your organization.
Truvantis has the experience to examine privacy policies, protocols, and procedures the same way regulators and class action attorneys do. Our experienced and accredited team has the competence and expertise to drive effective privacy management in your organization.
We have helped hundreds of organizations address the challenges of conveying complex privacy concepts with clear policies, procedures, training, and outward-facing documentation.
We have the expertise to examine your program through both a technical and a legal compliance lens and to manage any projects required to fill the gaps. Our team is not only good at what they do; they are also recognized leaders in the industry.
Unlike so-called boxed solutions, which only give you checklists, templates, basic instructions, and video training and then leave you to do the work, Truvantis can also do the hard work for you, simplifying the nuances of interpreting regulations and assessing the effectiveness of privacy controls.
The landscape of privacy regulations is vast and continuously evolving. Truvantis can help you select and track which requirements are applicable. We can help build a robust central privacy program capable of supporting the entire matrix of international, federal and rapidly changing state laws and regulations affecting your business.
We help your organization take an organized and prioritized approach to your privacy program.
Ready to move forward?
Contact Truvantis for more information and to start your pre-audit consultation.