
By Raj Dhaliwal

Originally published in Utah Physician Magazine, April/May 2024

The increasing prevalence of technology in the everyday lives of consumers has had an unintended consequence, at least from the viewpoint of consumers. Consumer information is now tracked nearly 24/7, including sleep-wake cycles (tracked through smartwatches and similar products), exercise patterns and daily commutes (tracked through smartphones), and brand preferences and product purchases (tracked through mobile applications, product sites, and cross-website tracking). Essentially, whole consumer profiles can be built on individual consumers and their households based on the technology consumers use at home, in their cars, at work, and even in their pockets.

Given the increased intrusion by commercial actors into the privacy of consumers, lawmakers in the U.S. have started to enact and implement comprehensive privacy legislation granting consumers specific privacy-related rights. However, the recent passage of laws has occurred almost exclusively at the state level. Although there are many federal privacy-related laws, these laws are largely (i) industry-specific, such as the Health Insurance Portability and Accountability Act (HIPAA) (applicable to healthcare providers and their business associates) and the Gramm-Leach-Bliley Act (GLBA) (applicable to financial institutions), or (ii) age-based privacy laws, such as the Children’s Online Privacy Protection Act and student privacy laws.

As of today, only a handful of states have implemented comprehensive privacy legislation (e.g., California, Colorado, Utah, and Virginia, among others).[1] Still, many other states are currently actively considering comprehensive privacy legislation (e.g., New York, Ohio, Pennsylvania, and Georgia, among others).[2] This patchwork of privacy laws has increased the compliance burden on businesses in all industries engaging in interstate commerce, because the privacy obligations a business is subject to differ depending on the states in which its consumers reside.

While these comprehensive state privacy laws have largely exempted information subject to federal privacy laws (such as protected health information subject to HIPAA or financial information subject to GLBA), businesses subject to these federal privacy laws may still be subject to applicable state privacy laws with respect to other consumer information not otherwise regulated by federal privacy laws. For example, under the California Consumer Privacy Act (CCPA), the protected health information of a clinic or physician practice group doing business in California would not be subject to the requirements of the CCPA, while other information collected by that clinic or practice group, such as employment information, would subject the provider to the CCPA’s requirements in relation to the collection and processing of that information.

Given the hodgepodge framework of privacy laws in the United States, navigating compliance obligations of the various federal and state privacy laws can be difficult for businesses, whether such businesses are operating in a single state or multiple states. Still, there are practical steps that businesses can take to review their privacy practices in light of applicable privacy laws:

  • Application of Laws. The first step in determining whether current privacy practices are adequate is understanding which privacy laws are applicable to the business. Which state is the business physically located in? Are there other states in which the business directly operates? Are the business’s services made available to consumers in other states? If the business operates in one or more states that have adopted comprehensive privacy laws, the business should work to determine how such laws apply to it.
  • Updating Privacy Policies. Businesses should update their public-facing privacy policies to incorporate the requirements of applicable state privacy laws. For example, each of the states that has implemented a comprehensive privacy law to date has afforded specific privacy rights to its residents (e.g., data access rights, deletion request rights, and opt-out rights, among others). Businesses will need to include consumer rights notices in their privacy policies depending on which state privacy laws are applicable to them.
  • Data Mapping. Data mapping, or creating an internal data inventory, is important for businesses to (i) analyze the collection, storage, and processing of the information described in their privacy policies; (ii) map data flows to assess what information may need to be disclosed publicly and/or pursuant to a state-specific privacy rights request; and (iii) categorize all data stored so that it is accessible to the business as needed.

In short, while the current U.S. consumer privacy regulatory framework is fragmented, businesses can take steps to clarify their obligations under applicable privacy laws.

Endnotes
1. www.iapp.org/resources/article/us-state-privacy-legislation-tracker
2. Ibid.

Raj Dhaliwal

rdhaliwal@rqn.com
801-323-3679

Raj Dhaliwal’s practice specializes in corporate, securities, and technology transactions. Mr. Dhaliwal’s representation of companies spans the entire corporate life cycle, including pre-formation planning, general corporate governance, venture capital financing, capital events, and mergers and acquisitions. He has been voted by his peers as one of Utah’s “Legal Elite,” as published in the Utah Business Magazine (2022). He has been selected for inclusion in Mountain States Super Lawyers (2022 and 2023) as a “Rising Star” in the category of Mergers and Acquisitions.

Steps to Take in the Wake of New State Privacy Laws was last modified: December 7th, 2024 by RQN