Privacy Compliance is Complicated and It Matters

Oct 21, 2024 by Eric D. Reicin, President & CEO, BBB National Programs

As U.S.-based companies expand operations, understanding and complying with privacy laws becomes essential. Doing so protects your business or nonprofit from potential legal pitfalls, and it is another way to enhance trust with stakeholders.

Privacy regulations are designed to protect individuals' personal data from misuse and ensure that businesses handle this information responsibly. While a few federal privacy rules relate to particular industries, cybersecurity, or defined populations, such as the Family Educational Rights and Privacy Act (FERPA) for students and the Children's Online Privacy Protection Act (COPPA) for children, there is no comprehensive federal privacy law.

Given the variation of privacy laws across different states and the globe, it is crucial for U.S. companies to stay informed. One place to get started is the privacy framework overview created by the National Institute of Standards and Technology (NIST).

While California was ahead of the game, enforcing a privacy act in 2020, four new state-level data privacy acts took effect last year in Colorado, Connecticut, Utah, and Virginia. Generally, these laws provide residents of those states with the right to know what personal data is being collected, to whom it is being sold, and the ability to access and delete this information. This year, new privacy rules are taking effect in Montana, Oregon, and Texas. (And earlier this year, the California Privacy Protection Agency was first able to enforce updated regulations from the California Privacy Rights Act.)

In 2025, eight states (Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee) will see the effective date for new privacy rules. And it would not be a stretch to see several other states joining Indiana, Kentucky, and Rhode Island in 2026, as well as likely upcoming AI legislation that will have privacy components embedded in it, such as Colorado's new AI law, which will go into effect on February 1, 2026.

Earlier this year, bipartisan lawmakers released draft legislation to establish a comprehensive federal consumer privacy framework, the American Privacy Rights Act of 2024 (APRA). Though Congress is highly unlikely to enact it, APRA has garnered bipartisan support, including key members of the House and Senate. In July, the Senate overwhelmingly passed two children’s online safety bills, but it is unclear whether they will make it to a House vote before the election. 

Meanwhile, for organizations that conduct business overseas, the privacy landscape is even more complex. Certainly, the task of keeping abreast of laws can seem overwhelming. But resources are available for identifying global privacy laws and assessing their relevance to your business or nonprofit organization’s strategic objectives.

This can be accomplished through a multifaceted approach, including:

  • Instituting robust data governance and mapping across data flows, being cognizant of vendors and other third parties; 
  • Identifying baseline practices providing adequacy through country-by-country recognition; and
  • Seeking legal guidance, including considering whether to use a “standard contractual clause” or other mechanisms, such as the Data Privacy Framework (DPF).

 

Given the complexity of the world’s business supply chain and the reliance of nearly every individual and business on electronic transfer of data, every organization needs to consider its data privacy policies and how to implement them. 

The EU General Data Protection Regulation (GDPR), created in 2018, remains one of the most stringent privacy laws globally, and it affects any company handling the data of EU residents (which encompasses citizens and temporary residents, including non-citizens) regardless of where the company is based. Among its requirements are “data subject rights,” providing individuals the right to access, rectify, delete, and restrict the processing of their personal data.

The rise of generative AI through the use of large language models (LLMs), however, is underscoring questions about whether GDPR coverage extends to this burgeoning new technology. We are starting to see government entities look at this issue, and I expect states like California will promulgate rules on personal data in LLMs in the coming years.

GDPR applies to businesses processing data of residents within and outside of the EU, including U.S. businesses. But privacy rules have gone global, necessitating what one commentator from the Information Accountability Foundation called the beginning of a “long dance towards interoperability” with the Cross Border Privacy Rules System (CBPR). CBPR is a voluntary, enforceable privacy certification that businesses can use to demonstrate compliance with internationally recognized data privacy standards. It is designed to bridge the gaps between different privacy regulations outside the EU, but is intentionally designed to align with European regulations.

The U.S. government spent considerable time and effort in working with nine regional economies to create a workable framework, resulting last year in the Department of Commerce’s issuance of the Global CBPR Declaration.

Under Global CBPR, companies apply for certification through a recognized Accountability Agent, such as our non-profit organization, BBB National Programs. Then, through the assessment process, the Accountability Agent reviews the company's privacy policies and practices against the CBPR requirements. Once certified, companies and nonprofits must maintain compliance and undergo periodic reviews.

By providing a standardized privacy framework, CBPR facilitates the smooth, protected flow of data. Participation can enhance consumer trust and confidence in your data protection practices, providing a potential competitive advantage. As the IAPP puts it, participation in CBPR can “unlock your global data privacy interoperability.” Similarly, the DPF Program is an approved mechanism to legally transfer (or access) personal data from the EU and the U.K. to the U.S. Most recently, the Swiss Federal Council has added the U.S. to the list of countries with an adequate level of data protection. Effective September 15, 2024, U.S. organizations that certify to the Swiss–U.S. DPF can commence receiving transfers of personal data from Switzerland without implementing additional safeguards.

Whether it is GDPR, CBPR, DPF, or one of the multiplying state privacy laws, compliance is key. Non-compliance with privacy laws can result in significant fines. For instance, violations of the GDPR can lead to fines of up to 4% of a company’s global annual revenue.

As privacy regulations continue to evolve, U.S.-based organizations must prioritize compliance to protect their operations and build trust with consumers. By understanding and adhering to privacy laws within the U.S. and internationally, your organization can mitigate risks and ensure a robust data protection framework. 

Originally published in Forbes
