Cyber Risk Advisory

Four key questions for privacy programs in the U.S.

Dylan Roberts

Consultant, Strategy, Privacy, and Risk

Blog Images 2023 Coalfire Main Image Blog Four Key Questions 800x420 FINAL

With new state privacy laws being passed each year, organizations are tasked with developing privacy programs that are compliant with applicable laws. To help organizations identify their current privacy program maturity, privacy professionals can ask four questions to determine where they stand.

Key takeaways:

  • U.S. state privacy laws are being passed at an increased rate.
  • To comply with these laws, organizations should identify if they possess the capabilities to track processing activities and privacy risks.
  • Organizations must develop adaptable privacy programs to maintain compliance with an increasingly complex regulatory landscape.

Four key questions for privacy programs in the U.S.

The California Consumer Privacy Act (CCPA) has paved the way for six other states to enact comprehensive privacy laws. Iowa and Indiana now join California, Colorado, Connecticut, Utah, and Virginia as the state privacy law landscape spreads across the country. The dominoes have fallen as many other states have bills in committee. Many organizations find themselves with their back against the wall with the deluge of new requirements. But there are four key questions organizations can ask to begin to understand the maturity and compliance of their privacy program.

1. Do we know what processing activities are occurring?

In this fast-paced world, hesitation can mean the difference between being an industry leader or another name in the crowd. Organizations may change their processing activities or ingest new and different data types to remain competitive in the market. However, each US state privacy law requires documentation of the processing activities, which can be a monumental task for an organization to implement and maintain.

Without proper guidance, organizations run the risk of omitting key processing activities from documentation and being noncompliant with multiple state privacy regulations. Understanding and documenting processing activities efficiently and effectively is critical to maintaining compliance with state privacy laws.

2. How do we identify privacy risk?

As a square is a rectangle, but a rectangle is not square, so too is privacy security but security, not privacy. U.S. state privacy laws require organizations to identify privacy risks due to processing activities.

Privacy risk, while similar to an information security risk, has to be measured using different metrics, and many organizations may struggle to identify and document these risks appropriately. Organizations must consider risks associated with, but not limited to, transparency regarding data collection, accessibility to consumer information, and the lawfulness of processing activities.

Additionally, many organizations do not measure such risks against industry standard frameworks, increasing the likelihood that a privacy risk becomes a noncompliance reality. Beyond the letter of the law, a lapse in privacy risk mitigation poses a serious threat, as noncompliance can cause irreparable reputational harm. Understanding how to measure privacy risk is essential to ensure compliance with state privacy laws.

3. How are we maintaining our privacy program?

Updates to the CCPA via amendments found in the California Privacy Rights Act (CPRA) and enforcement of the Colorado and Virginia privacy laws have created a new compliance burden for many organizations.

Each law excludes different industries, enforces different rules, and requires the protection of different data types. More importantly, the rights afforded to individuals—and who constitutes individuals—vary per state. Nuances to each privacy law have led to a complicated regulatory landscape for organizations to parse through.

For example, California and Virginia exclude HIPAA covered entities, while Colorado does not, creating a new regulatory burden on such entities. Due to the unique language in each state's privacy law, organizations must create adaptable and modular privacy programs to meet such nuances. Implementing an overarching privacy framework is crucial to this adaptability, allowing organizations to quickly add controls as needed and guarantee the longevity of a compliant privacy program.

4. Where do we begin?

The answer to this question depends on the nature and maturity of the organization. It is not uncommon for organizations to have little or no experience with data privacy. Many are anxious about starting the journey for data privacy compliance, while others are completely unaware of the regulatory landscape. While beginning that journey may seem insurmountable, there are simple measures to begin that make compliance efforts much more manageable:

  • Create a documented privacy program
  • Find a privacy framework that aligns with the organization's current capabilities
  • Document known processing activities
  • Discover unknown processing activities and privacy risks

For organizations with more advanced privacy programs, challenges remain to overcome to maintain compliance with the new U.S. data privacy laws.

  • Maintain privacy documentation that adapts to state laws
  • Develop a novel privacy framework that aligns with business goals
  • Optimize record of processing activity documentation
  • Implement privacy by design standards
  • Stay informed on regulatory trends to predict future privacy program requirements

The journey for data privacy program management has only just begun. Forty-three states remain in passing privacy legislation, and the trend shows no sign of slowing down. As the privacy landscape grows among the states, organizations face more complex standards that are not easily understood. By asking these four simple questions, organizations can begin identifying the maturity of their privacy program. By doing this, organizations can begin to develop a privacy program that is adaptable to the unknowns of U.S. data privacy regulations.