Wave of State Data Protection Laws Is a Gathering Compliance Nightmare

A patchwork of advancing data privacy bills across the nation is creating a figurative field of landmines waiting to explode. Indeed, consumer data privacy bills are flying through legislatures in red and blue states alike. The bills are as diverse as the states passing them, leaving multistate companies to deal with a patchwork of rapidly changing rules. 

In the absence of a national standard for data protection, states are stepping up to assure consumers have protections in place. It’s becoming a logistical nightmare for companies, particularly cloud service providers and companies that reach out directly to consumers. 

Without a strong data-protection program, any piece of data carrying personal information could inadvertently cause a company to run afoul of a state law. Information has no boundaries. It zips across state lines, oblivious to the different laws and regulations that govern states. That’s where the challenge lies.

It’s understandable that states want to protect consumers’ personal information. Most companies have experienced more than one data breach. That’s especially true for cloud-based companies. 

Early privacy laws focused on managing data breaches and user security issues such as password protection. For a long time, California was the only statewith a law protecting consumers’ rights to manage their own data. Things are changing fast. Several states have now passed comprehensive privacy laws.  More are coming. Upwards of 100 privacy-protection bills have been introduced in state legislatures. 

For companies, that means navigating an ever-changing regulatory landscape with different definitions and different levels of rigor.

In some states, residents can opt out of certain data-processing activities or correct their own data. Other states have different privacy laws for large companies than for smaller ones. Different states also require companies to disclose privacy information at different stages of data collection. 

There’s no shame in being confused. Consumer privacy bills vary so much from state to state that even the definition of a consumer isn’t consistent. That’s a difficult thing for a software engineer to address, and it’s changing rapidly as more states adopt new laws. 

Compliance is no longer about checking boxes. It’s about implementing a robust set of data-protection measures that respect people’s rights to their own data, and it’s about companies being transparent and accountable in the digital world. 

A company has to determine which data protection laws it has to comply with, and what those laws say. Multinational companies are already doing this with countries that have comprehensive data protection laws, such as the UK GDPR. Some 137 nations have privacy laws, and the laws are as diverse as the countries that enacted them. 

So how does a company keep up? 

Every multistate company needs a security officer and privacy officer — or someone else charged with keeping track of the laws and making sure they’re being followed. That means constantly updating the company’s privacy policy and keeping residents of individual states apprised of their rights under state law. There should also be a contact name, email and phone number on the website — and the contact should be checking for messages every day.

It’s a complex world for companies to navigate, and it underscores the need for a unified approach. But it’s not clear when that will happen. The U.S. badly needs a unified data-protection law like the EU’s. The EU, in 1995, had a similar set of challenges. Leaders recognized the importance of ensuring a consistent level of protection. They saw that making the transference of information less complicated would propel the economy. In the U.S, the complexities of different data-protection walls act as a hindrance to growth.

It’s not just about simplifying compliance for business; it’s about ensuring Americans’ fundamental right to have their data protected. It’s essential that state and federal legislators, as well as federal agencies like the Federal Trade Commission, work together to make sure that happens. In the meantime, it’s up to companies to stay on top of the changing landscape.

It takes nine to 12 months to build a data-protection program. But it’s essential for a company that reaches across state lines. That’s the first thing a federal regulator or attorney general will look at in the event of a data breach. If there’s no program in place, all bets are off.