Privacy Compliance is Complicated and It Matters

As U.S.-based companies expand operations, understanding and complying with privacy laws becomes essential. Doing so protects your business or nonprofit from potential legal pitfalls, and it is another way to enhance trust with stakeholders.

Privacy regulations are designed to protect individuals' personal data from misuse and ensure that businesses handle this information responsibly. While a few federal privacy rules relate to particular industries, cybersecurity, or defined populations such as the Family Educational Rights and Privacy Act (FERPA) for students and the Children's Online Privacy Protection Act (COPPA) for children, there is no comprehensive federal privacy law.

Given the variation of privacy laws across different states and the globe, it is crucial for U.S. companies to stay informed. One place to get started is the privacy framework overview created by the National Institute on Standards and Technology (NIST).

While California was ahead of the game, enforcing a privacy act in 2020, four new state-level data privacy acts took effect last year in Colorado, Connecticut, Utah, and Virginia. Generally, these laws provide residents of those states with the right to know what personal data is being collected, to whom it is being sold, and the ability to access and delete this information. This year, new privacy rules are taking effect in Montana, Oregon, and Texas. (And earlier this year, the California Privacy Protection Agency was first able to enforce updated regulations from the California Privacy Rights Act.)

Meanwhile, for organizations that conduct business overseas, the privacy landscape is even more complex. Certainly, the task of keeping abreast of laws can seem overwhelming. But resources are available for identifying global privacy laws and assessing their relevance to your business or nonprofit organization’s strategic objectives.

This can be accomplished through a multifaceted approach, including:

• Instituting robust data governance and mapping across data flows, being cognizant of vendors and other third parties; 
• Identifying baseline practices providing adequacy through country-by-country recognition; and
• Seeking legal guidance, including considering whether to use a “standard contractual clause” or other mechanisms, such as the Data Privacy Framework (DPF).

Given the complexity of the world’s business supply chain and the reliance of nearly every individual and business on electronic transfer of data, every organization needs to consider its data privacy policies and how to implement them. 

The EU General Data Protection Regulation (GDPR), created in 2018, remains one of the most stringent privacy laws globally, and it affects any company handling the data of EU residents (which encompasses citizens and temporary residents, including non-citizens) regardless of where the company is based. Among its requirements are “data subject rights,” proving individuals the right to access, rectify, delete, and restrict the processing of their personal data. 

The rise of generative AI through the use of large language models (LLMs), however, is underscoring questions about whether GDPR coverage extends to this burgeoning new technology. We are starting to see government entities look at this issue, and I expect states like California will promulgate rules on personal data in LLMs in the coming years.

GDPR applies to businesses processing data of residents within and outside of the EU, including U.S. businesses. But privacy rules have gone global, necessitating what one commentator from the Information Accountability Foundation called the beginning of a “long dance towards interoperability” with the Cross Border Privacy Rules System (CBPR). CBPR is a voluntary, enforceable privacy certification that businesses can use to demonstrate compliance with internationally recognized data privacy standards. It is designed to bridge the gaps between different privacy regulations outside the EU, but is intentionally designed to align with European regulations.

The U.S. government spent considerable time and effort in working with nine regional economies to create a workable framework, resulting last year in the Department of Commerce’s issuance of the Global CBPR Declaration.

Under Global CBPR, companies apply for certification through a recognized Accountability Agent, such as our non-profit organization, BBB National Programs. Then, through the assessment process, the Accountability Agent reviews the company's privacy policies and practices against the CBPR requirements. Once certified, companies and nonprofits must maintain compliance and undergo periodic reviews.

By providing a standardized privacy framework, CBPR facilitates the smooth, protected flow of data. Participation can enhance consumer trust and confidence in your data protection practices, providing a potential competitive advantage. As the IAPP puts it, participation in CBPR can “unlock your global data privacy interoperability.” Similarly, the DPF Program is an approved mechanism to legally transfer (or access) personal data from the EU and the U.K. to the U.S. Most recently, the Swiss Federal Council has added the U.S. to the list of countries with an adequate level of data protection. Effective September 15, 2024, U.S. organizations that certify to the Swiss–U.S. DPF can commence receiving transfers of personal data from Switzerland without implementing additional safeguards.

Whether it is GDPR, CBPR, DPF, or one of the multiplying state privacy laws, compliance is key. Non-compliance with privacy laws can result in significant fines. For instance, violations of the GDPR can lead to fines of up to 4% of a company’s global annual revenue.

As privacy regulations continue to evolve, U.S.-based organizations must prioritize compliance to protect their operations and build trust with consumers. By understanding and adhering to privacy laws within the U.S. and internationally, your organization can mitigate risks and ensure a robust data protection framework. 

Originally published in Forbes.