Posted In: Business Transactions & Corporate Counseling, Cybersecurity & Data Privacy
By Jarman J. Smith on August 17, 2022
Despite facing major legislative obstacles, the proposed American Data Privacy and Protection Act (the “Bill”) has made history as being the first comprehensive privacy bill to be made available for a full chamber vote in either the House or the Senate. This historic feat means the United States is one step closer to establishing a federal standard for consumer data privacy. With Congress making progress toward passing a federal data privacy bill and new state-level data privacy regulations being enacted routinely, all organizations that process U.S. consumer data must review and update their policies and procedures for compliance with new and upcoming privacy requirements.
The Bill Reaches Congressional Floor for Vote
Under pressure from the American people, who are fed up with the lack of online privacy in the U.S., legislators have reached a landmark compromise to push the Bill forward. The Bill will now come to the U.S. House floor after the House Committee on Energy and Commerce markup resulted in a vote to advance the Bill to full House consideration.[1] The markup compromise includes language to change the private right of action’s effective date from four years to two years post-adoption, expanding categories of sensitive information, enforcement authority under the Federal Trade Commission, “actual knowledge” standards concerning minors’ data, and technical changes to the definitions for “covered entity” and “service provider.”[2] The vote to advance the Bill marks the first time that a piece of comprehensive data privacy legislation will receive a full chamber vote in Congress.
Lingering Issues Concerning Preemption of State Privacy Laws
Although many amendments were accepted during the Committee markup, an attempt to exempt the California Consumer Privacy Act and the California Privacy Rights Act from the Bill’s preemption provisions was not taken up following a roll call vote. The argument for an exemption from preemption was framed less as an exemption and more as the establishment of a “federal floor” for all states to build from, not a specific carveout for California. The amendment would have allowed all states, not just California, to provide additional rights to those established under federal law.[3] However, the amendment received bipartisan backlash, as most committee members viewed it as the unraveling of the fragile Congressional compromise reached after years of discussions. Since California has established itself as a leader in U.S. data privacy regulation, the Bill risks losing supporters if the exclusion of California laws from preemption is not added by the time the House floor vote arrives. If these lingering issues are not resolved and the Bill is struck down during the full chamber vote, it could be a long time before Congress gets another chance to enact a federal privacy standard.
How to Become Compliant with New Data Privacy Regulations in the U.S.
When it comes to data privacy, it is better for organizations to be progressive in establishing and adopting the policies and procedures needed for compliance rather than scrambling to meet compliance requirements after the regulations come into effect. Organizations that are late to become compliant with data privacy laws in the U.S. face substantial liability risks relating to data breaches, consumer privacy lawsuits and regulatory penalties. To adequately prepare for the establishment of a federal privacy standard in the U.S. and to become compliant with applicable state-level data privacy regulations, every organization that processes U.S. consumer data must:
- Establish relationships with data privacy advisors.
- Discover and map personal data held by your organization.
  - Discovering and documenting your organization’s data processing activities will increase your understanding of what data your organization holds, who it belongs to, and what regulations it may be subject to. Data mapping is a foundational element of every privacy program and will allow you to track the purpose for processing and flag potential risks.
- Conduct privacy impact assessments.
  - Assessing data processing activities to flag and mitigate privacy risks is crucial in understanding how covered entities can better protect personal information and is also an essential requirement under many state privacy regulations, including the California Privacy Rights Act, the Connecticut Data Protection Act, and the Colorado Privacy Act.
- Establish policies and procedures to respond to privacy rights requests.
  - Many consumers complain of violations of data subjects’ rights. Your organization needs to establish policies and procedures for responding to data subject requests to avoid any such violations.
- Enable adequate privacy governance.
  - Businesses should develop and implement effective privacy governance programs to manage personal data in compliance with multiple state laws and varying requirements. Integrating privacy governance workflows into compliance efforts for U.S. state laws can assist with data mapping and applying applicable regulations.
The Bill is our best hope at protecting Americans’ privacy and data security while providing certainty to American businesses. Nonetheless, organizations should not wait on the enactment of a federal standard to begin prioritizing data privacy and cybersecurity. The foregoing steps for compliance with data privacy regulations should be reviewed by your organization’s decision makers immediately to protect sensitive consumer data and prepare for the future of data privacy legislation in the U.S.
How Brouse Can Help
As we await the enactment of a federal privacy standard in the U.S., organizations face major difficulties in trying to keep up with the wave of state-level privacy regulations and requirements in effect now and in the near future. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to establish, review, or update the policies and procedures needed for regulatory data privacy compliance in the U.S. and beyond. Additionally, our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this Blog. © 2023 Brouse McDowell. All rights reserved.