While international privacy regulations are front and center in much of the press I’d like to turn your attention to a developing patchwork of US Federal and State privacy regulations in this post.
The profusion of current and impending US state digital privacy laws and their requirements, including digital minimization, are frequent topics in recent online law journals. For example, Sheila A. Millar and Tracy P. Marshall in, their article “The State of U.S. State Privacy Laws: A Comparison” provide a comparison table of:
- The California Consumer Privacy Act (CCPA)
- The California Privacy Rights Act (CPRA)
- The Colorado Privacy Act (CPA)
- The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA)
- The Utah Consumer Privacy Act (UCPA)
- The Virginia Consumer Data Protection Act (VCDPA)
All of these have been enacted. Those from California are already in effect, and the others are slated to become effective in 2023. Millar and Marshall also note, “While states forge ahead with privacy legislation, members of [the Federal] Congress continue to put forth their own federal privacy bills….”
Beyond those state laws already legislated, Zach Warren writes in the Law.Com Barometer that “More than 30 states (including New York) [are] considering consumer privacy bills, most of which vary in what rights and obligations apply.” He makes what in this context seems an extraordinary understatement: “If you’ve been viewing privacy as ‘follow a regulation or two and we’re good,’ that approach is about to become outdated, fast.”
The only way to manage this kind of risk is an aggressive data protection posture that aims ahead of regulation rather than following it. This means discovering and protecting sensitive data in your enterprise stored on-premise, in the cloud, or in hybrid environments or in transit.
One provision that seems common to GDPR and the state privacy bills is data minimization. According to GDPR, the principles of data minimization are that personal data be:
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Only principle #3 is relevant to data protection, and we hear from our clients and industry sources that most US enterprises are addressing these requirements in a phased approach. They plan to immediately encrypt or tokenize all their sensitive data in databases, storage, etc., and then, sometime in the future, go through and delete what isn’t relevant anymore.
When enterprises put in place a regular data review schedule, this sensible approach faces one major challenge: identifying what data is relevant and what is not. To that end organizations will need a way to discover and classify their data easily.