Modernization of data privacy laws in the United States
In the digital age, the collection, use, and dissemination of personal information has become an integral part of daily life for consumers. From online shopping to social media to mobile apps and kiosks, individuals are constantly generating and sharing personal data. The trend of companies exchanging personal information has raised significant concerns about data privacy, particularly as the scale and scope of data collection continues to expand. In response, lawmakers and regulators in the United States are seeking to modernize privacy laws to better protect personal information.
Why is there a push to modernize privacy laws in the US?
Privacy laws have existed in the United States long before the age of IoT. In fact, the right to privacy is enshrined in the U.S. Constitution and has been recognized by the courts for over a century. Many privacy laws of the 70s and 80s protected access to medical and government agency records. However, the scope and application of privacy laws have evolved over time as new technologies have emerged, and consumers have become increasingly aware that this is their personal information too.
Overall, the push to modernize privacy laws in the United States is driven by concerns about data security, privacy, and the need to protect individual rights in the digital age.
- Increased data collection: In recent years, there has been a massive increase in the amount of data being collected on individuals by businesses, governments, and other organizations. This data is often used for targeted advertising, credit scoring, and other purposes, which has raised concerns about privacy and data security.
- Concerns about data breaches: Data breaches have become increasingly common in recent years, with many high-profile incidents affecting millions of individuals. This has raised concerns about the security of personal information and the need for stronger privacy laws to protect against such breaches.
- Growing awareness of privacy issues: As people become more aware of the amount of personal data being collected and the ways in which it is being used, they are becoming more concerned about privacy. This has led to increased pressure on lawmakers to pass stronger privacy laws that protect individual privacy rights.
- Increased use of technology: The widespread use of technology in everyday life has made it easier for organizations to collect and store data on individuals. This has led to a greater need for privacy laws that take into account the unique challenges posed by digital technology.
As technology continues to evolve, it is likely that these issues will remain at the forefront of the public debate.
The nuance of privacy laws in the US
At the state level, there is significant variation in privacy laws. Some states have comprehensive privacy laws, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA), which give individuals the right to know what personal information is being collected about them and to request that it be deleted.
Other states have narrower privacy laws that address specific issues, such as data breach notification or biometric information. Some examples include:
- Data breach notification laws: All 50 states and the District of Columbia have enacted laws that require businesses and other entities to notify individuals when their personal information has been involved in a data breach. These laws vary in terms of their scope and requirements, such as the timeframe for notification and the types of information that trigger a notification requirement.
- Biometric information laws: Several states, including Illinois, Texas, and Washington, have enacted laws that regulate the collection, use, and storage of biometric information, such as fingerprints and facial recognition data. These laws require businesses to obtain consent before collecting biometric data, and to implement appropriate security measures to protect the data from unauthorized access.
- Online privacy laws for minors: Some states, such as California and Delaware, have enacted laws that require operators of websites and online services that are directed at minors to obtain parental consent before collecting personal information from children under a certain age. These laws also require operators to provide certain disclosures about their data collection practices and to implement appropriate security measures to protect children’s personal information.
Despite this patchwork of laws, many believe that the United States lags behind other countries in terms of privacy protection. For example, the European Union’s General Data Protection Regulation (GDPR) provides individuals with more control over their personal data and imposes significant penalties for noncompliance. Some argue that the United States should adopt similar regulations to better protect individuals’ privacy.
However, the United States continues to follow the example of California’s CCPA/CPRA. More and more states every year are passing comprehensive privacy laws or amending previous laws for the digital age.
Revamping of the Utah Consumer Protection Act
The Utah Consumer Protection Act (UCPA) is not a new law, but rather a long-standing law that has been in effect for several decades. The UCPA was first enacted in 1973 and has been amended several times since then. The UCPA was originally designed to promote fair business practices and prevent fraudulent or deceptive business practices that harm consumers.
In 2018, when the Utah State Legislature passed House Bill 239, they amended several provisions of the UCPA to address. Some of the key changes made by House Bill 239 include:
- Providing the Utah Attorney General with additional authority to investigate and prosecute violations of the UCPA
- Clarifying the definition of “unfair” business practices
- Allowing for the recovery of attorney’s fees and costs in UCPA cases where a plaintiff prevails
In March 2021, Utah Governor Spencer J. Cox signed Bill 98 into law. Important aspects of the UCPA amendments made by Bill 98 include several changes that support data privacy regulations, such as:
- Data breach notification: Companies that experience a data breach must notify affected individuals within 45 days of discovering the breach. If more than 1,000 individuals are affected, the company must also notify the Utah Attorney General’s office.
- Right to opt out: The UCPA amendment requires companies to provide individuals with the right to opt out of the sale of their personal information. This right applies to both online and offline sales, and companies must provide a clear and conspicuous link on their website to enable individuals to exercise this right.
- Transparency and disclosure: Companies must disclose what personal information they collect, how it is used, and with whom it is shared. This includes the categories of personal information collected, the sources of the information, and the purpose of the collection.
- Data security: Companies are required to take reasonable steps to protect the personal information they collect and maintain. This includes implementing appropriate security measures, such as encryption and access controls, and regularly assessing and updating their security practices.
- Prohibition on discrimination: Companies cannot discriminate against individuals who exercise their rights under the UCPA amendment, such as the right to opt out of the sale of personal information.
- Enforcement: The UCPA amendment provides for civil penalties for violations of its provisions, with penalties ranging from $2,000 to $7,500 per violation. The Utah Attorney General’s office has the authority to bring enforcement actions against companies that violate the UCPA amendment.
These amendments to the UCPA are set to take effect on December 31, 2023. Until then, the UCPA remains in effect as it was prior to these amendments. It is important for businesses operating in Utah to be aware of these changes to the UCPA and ensure that their practices comply with the law once the amendments take effect.
Overall, the modernization of privacy laws in the United States is a complex and ongoing process. While there is significant variation in privacy laws at the federal and state levels, many lawmakers and regulators are seeking to create a more consistent and comprehensive framework for privacy protection. As individuals continue to generate and share personal data, the need for strong privacy protections will only continue to grow, making the modernization of privacy laws a critical issue for the future.
For more 2023 Privacy Readiness on all emerging US laws, request a copy today! Learn how Clarip’s privacy governance platform has prepared with true automation. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.
Mike Mango, VP of Sales
Clarip 2023 Privacy Readiness: CCPA to CPRA
The California Consumer Privacy Act and Regulations
Clarip Readiness 2023 Privacy Law Changes
Enable Transparency with Global Privacy Controls