So far, 2023 has been a monumental year for new consumer data privacy laws. At the start of the year, we urged businesses to update their consumer privacy policies to comply with the new state laws in California, Colorado, Connecticut, Virginia, and Utah that have and will be implemented over the course of 2023 (see our February blog). In the past few months, five additional states have been added to that list with laws going into effect as early as 2024 through 2026. The principal aim of these regulations is to provide consumers with enhanced control over their personal information, thus reinforcing their privacy.
The vanguard states that have introduced these new data privacy laws for consumers are:
- Iowa
- Indiana
- Montana
- Tennessee
- Washington
While there are differences in each of these new laws, these new laws all share some core features. For example, they all universally allow consumers to control some aspects of their data while mandating businesses to implement measures that safeguard the privacy of personal data. Washington’s law is a bit different as it is more specific to health data but contains definitions that make it potentially applicable to nearly any type of personal data meaning it might apply to companies who would not consider themselves to collect or process health information.
While these states have not finalized their regulatory framework related to these new laws (so additional guidance is anticipated in the upcoming months), the enactment of these groundbreaking consumer data privacy laws underlines the escalating significance of privacy regulations. Businesses engaged in collecting or processing personal data must stay updated about these regulations and ensure compliance. This vigilance protects their customer’s privacy and helps circumvent the severe repercussions that follow the breach of privacy laws.
Private Right of Action
While there remains a fair amount of uncertainty about how these new laws may be implemented and enforced, an important defining fact that will assuredly have profound impacts on businesses is that Washington’s new law provides fora private right of action similar to California’s Consumer Privacy Act (CCPA). The CCPA contains a private cause of action that has created a fair amount of new litigation, targeting businesses with lax privacy policies and procedures. The advent of the new Washington law implies that consumers who sense an infringement of their rights under the Washington law have the option to file a lawsuit against the offending business similar to what we have seen in California.
This private right of action provision in the Washington law offers a potent resource for consumers to guard their privacy rights. Businesses handling personal data in Washington should be cognizant of the risk associated with non-compliance and strive to adhere to the law. While the Washington law does not go into effect until March 2024, the implementation of best practices involving consumer privacy often take many months of planning. Accordingly, we recommend that businesses who may be impacted by the Washington law start planning now.
Significance of an Updated Privacy Policy
In adhering to new regulations, businesses must ensure their privacy policies are current if they collect or process data from customers in the ten states. Such policies ought to be transparent, comprehensible, and in alignment with the applicable laws for the business.
Repercussions of Privacy Law Breach
The implications of infringing privacy laws can be harsh. Non-compliant businesses may face monetary fines, legal suits, and other punitive measures.
Just recently Meta (previously known as Facebook) was subjected to a staggering $1.3 billion fine by the Irish Data Protection Commission due to a breach of the General Data Protection Regulation (GDPR). The fine imposed on Meta serves as a stern reminder that businesses handling personal data must work diligently to protect data privacy and adhere to applicable laws. A failure to adhere to privacy regulations can result in substantial repercussions.
So, what should executives and business owners do in light of the implementation of these new laws?
- Review your current privacy policy and confirm with an expert that your customer’s data is being handled consistent with how the policy is written.
- Assuming you have a trusted lawyer, who is experienced in technology and data privacy law, ask them to review your current privacy policies to make sure they are compliant with applicable law, including the states with specific consumer data privacy laws.
- Assign an individual in the company to “own” the data privacy compliance process.
- Test your company’s actual response to some example requests that may come in from consumers.
This blog was drafted by Jack Amaral and Jon Farnsworth, both attorneys in the Minneapolis, Minnesota office of Spencer Fane, LLP. For more information, please visit spencerfane.com.
