On March 24, Utah joined the ranks of California, Colorado and Virginia, becoming the fourth U.S. state to enact a consumer data privacy law. But it will not be the last, says Alexis Kateifides, senior counsel at OneTrust’s Centers of Excellence, in this interview with CCI.
Bill Millar, managing editor, Corporate Compliance Insights (CCI): What just happened in Utah?
Alexis Kateifides (AK): Several states were in the running to be the next to enact privacy bills. California, Colorado and Virginia were the first to do so, and now states like Maryland, Oklahoma, New York and others have bills active in their legislatures. My team has been keen to know who would be next, and as it turned out, Utah became the fourth state to do so with its Utah Consumer Privacy Act (UCPA).
CCI: What does this mean for those doing business in Utah?
AK: Those encountering data privacy laws for the first time will have some work to do. First you must determine if your business fits the profile [see info box]. Those that do are going to have to put some time into thinking about how they are using personal data. Where is data collected? How is it used? Why? They will need to go through their policies and processes and their contracts with vendors. They will also need to think about how they will fulfil consumer requests for information.
CCI: How should they get started?
AK: The first question you must ask yourself: have we seen this before? There have already been data privacy laws passed in California, Colorado and Virginia. So, there will be companies who are familiar with this sort of legislation.
If the company is already addressing programs from other states or maybe has experience with the GDPR, it will be less of a burden on teams needing to factor UCPA into their existing programs. That is, the Utah law includes a lot of similar treatment for things like:
- Data subject rights
- Transparency
- Security obligations
- Vendor management
Then it’s a matter of mapping — where are we operating and need to comply? Identify the similarities, but in particular, pay attention to the differences.
One way to approach this is to create some sort of baseline: This is how we manage consumer data. From there, you can adjust your program to reflect the nuance of each state.
Another idea to consider: maybe start with the GDPR, a global standard, and say that’s your baseline for everywhere you operate. Or you could consider ideas like privacy by design or the ISO/IEC 27001 or 27701 standards for information security and privacy management.
CCI: Who will enforce these rules?
AK: One of the issues that comes up with these rules is whether they provide for a private right of action — a citizen’s right to file a lawsuit. Of the three enacted in the U.S. so far, California’s CPRA is the only one to include such a right.
In this regard, Utah’s law is very similar to that of Virginia and Colorado in that it will be up to the state attorney general as to whether to initiate proceedings. However, there are several layers to that process. For example, a company might be issued a notice from the AG and given a 30-day period to cure the violation. Then, after informing the AG of the correction, that could be the end of the action.
CCI: What are the risks of getting this wrong?
AK: You need to be concerned about the regulatory risk, which can range from fines to cessation of business. But in the end, it’s becoming much more of an issue of reputation. Of trust.
And so, a lot of our clients are having a look at how to migrate from treating this as an issue of compliance to building out a program of trust. They want to build programs that focus on transparency with not just customers but employees, partners, suppliers, the community, investors and other stakeholders.
CCI: Who will be next?
AK: A number of state legislatures are reviewing privacy bills. Others may soon follow. In any case, all of this is very similar to — reminiscent of — what happened in the early 2000s with breach notification laws. In the absence of a federal breach notification law, states began issuing their own rules, with California being the first. Today all 50 states have some form of breach notification law.
Now it appears the same thing is happening with data privacy regulation. California was again the first, and now we are again seeing this gradual domino effect of other states passing similar laws of their own. So far that’s only four, but momentum is building.
So, one of the questions we’re asking: will this become a similar situation where we’ll wind up with 50 different sets of data privacy rules? Or will this shape discussions leading to a federal privacy law? It’s hard to say either way.
CCI: What are the chances there will be a federal law?
AK: That is very hard to say. Certainly, there would be benefits to harmonization from a company’s perspective. They would not have to learn to comply with 50 separate sets of rules.
There is also a benefit to consumers in that they will be treated consistently wherever they do business. A federal consumer data privacy law could provide consumers with greater awareness of how to control their data and their privacy.
The other piece is how this could be helpful in the context of international data transfers. Right now, there are concerns in the EU, U.S., U.K. in this area. Developing a federal privacy law, setting a standard, would simplify matters.
This interview has been edited for length and clarity.