From the GDPR to the CPRA, the alphabet soup of new privacy legislation is getting thicker and denser. Don’t know your CCPA from the PIPEDA? You might want to get started PDQ!
The California Consumer Protection Act (CCPA), enacted in haste and updated (repeatedly) at leisure, took several pages from the European Union’s General Data Privacy Regulation (GDPR) in becoming the first comprehensive data privacy law in the US.
Not surprisingly, other states are climbing on board with their own recipes for personal information protection, whether "comprehensively" (CO, VA), or categorically (NV law addressing info shared for DM, VT law targeting data brokers).
Other states' recipes have not yet hit the sweet spot (consider Washington and Florida), but don’t expect them to leave the kitchen while such politically and personally charged issues are still on the table.
Possible federal privacy concoctions are also being sampled, including one this week. However, CA lawmakers have signaled they would sour on any federal regulation that lacks the key ingredients of the CCPA.
We've seen how the first course plays out in other consumer-directed laws, such as data breach notification statutes, charitable solicitations, and promotions. Once the table is laid, companies may be faced with the choice of carving out some states from their marketing activities or refocusing on the first course and tailoring their information gathering practices to the strictest compliance level. Bland, perhaps, but less likely to cause nasty reflux?
That being said, nationwide compliance at the strictest level assumes that a company is not presented with two competing obligations, as has occasionally resulted from diverse data breach statutes, for example.
Some compliance steps may be more difficult to digest than others – take CA's recent announcement that its law requires the Global Privacy Control (GPC) (a browser setting that automatically signals a user's exercise of opt-out rights) to be treated as a valid “do-not-sell-my-personal-information” request.
Needless to say, there are fewer answers than questions in this rapidly evolving space. For now, organizations are wise to mind their P’s, Q’s and IoT’s and consider the need to proactively address privacy by design now, rather than scramble to remediate later. There is no time like the present to step back and evaluate your data collection practices. Who knows what the second course will bring?