Last Updated on June 21, 2024
Our conversations with clients show that many SMBs and SMEs are surprised to learn how fast US state-level privacy laws are evolving, as well as international data protection rules. Often they are unsure about how the patchwork of current laws impacts their compliance picture, or what data protection risks they face.
Currently 18 states have passed privacy bills, many of which (e.g., California, Colorado, Connecticut, Utah, Virginia) are already in force or soon will be (e.g., Montana, Oregon, Texas).
For unprepared businesses, this legislation is a minefield of potential compliance enforcement actions, lawsuits, data breaches, and reputational harm. Addressing these risks demands a comprehensive plan to:
- Achieve provable privacy compliance without bogging down in legal complexity, and
- Uphold privacy rights as a core business value.
This article explains why now is the time to transform privacy challenges into trust-building opportunities. Privacy and data protection investments can’t just be a cost factor. As consumers, investors, regulators, and marketplaces intensify their privacy focus, organizational growth and success increasingly depends on deriving competitive value from strong stakeholder trust.
How did privacy laws become so important?
The digital transformation of global business has fueled the movement and mining of personal data at unimaginable scale. Extreme interconnectivity coupled with historically lax protections has spawned ubiquitous data security risks for consumers and businesses. As personal data is rampantly stolen, improperly monetized, and otherwise misused, concerns about how data is stored and processed are coming to the forefront and expanding regulatory protections.
Companies store, process, and transmit mountains of personal data, including sensitive financial, health, and identity records—but often are not fully transparent about how they use or share it. Individuals may be unaware of how their data is being exploited and uninformed about their privacy rights to limit exploitation.
Sensitive personal data is likewise highly valuable to cybercriminals pursuing fraud and identity theft. Organizations that have yet to invest in privacy may glaringly fail to protect it and pay a hefty price, not just to recover from an incident but also potentially in fines and legal claims.
To safeguard their constituents from exploitation and other impacts, lawmakers the world over are implementing legislation to bolster privacy rights and mandate stronger data protection and governance processes. The model for this global initiative is the EU’s General Data Protection Regulation (GDPR), in effect since 2018.
What privacy laws apply in the US?
Unlike the EU and many other nations, the US has had a patchwork of national laws applicable to specific privacy contexts. These include:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Children’s Online Privacy Protection Act (COPPA)
- The Family Educational Rights and Privacy Act (FERPA)
- The Fair Credit Reporting Act
- The Privacy Act of 1974
Besides these industry or situationally specific privacy statutes, individual US states are filling the protection gap for consumers with their own privacy programs.
As of June 2024, these US states have passed privacy laws:
| US State Law | Year Passed | Date in Force |
|---|---|---|
| 1. California Consumer Privacy Act (SB 1121) | 2018 | January 1, 2020 |
| 2. Colorado Privacy Act (SB 190) | 2021 | July 1, 2023 |
| 3. Connecticut Data Privacy Act (SB 6) | 2022 | July 1, 2023 |
| 4. Delaware Personal Data Privacy Act (HB 154) | 2023 | January 1, 2025 |
| 5. Indiana Consumer Data Protection Act (SB 5) | 2023 | January 1, 2026 |
| 6. Iowa Consumer Data Protection Act (SF 262) | 2023 | January 1, 2025 |
| 7. Kentucky Consumer Data Protection Act (HB 15) | 2024 | January 1, 2026 |
| 8. Maryland Online Data Privacy Act (SB 541) | 2024 | July 1, 2025 |
| 9. Minnesota Consumer Data Privacy Act (HF 4757) | 2024 | July 31, 2025 |
| 10. Montana Consumer Data Privacy Act (SB 384) | 2023 | October 1, 2024 |
| 11. Nebraska Data Privacy Act (LB 1074) | 2024 | January 1, 2025 |
| 12. New Hampshire Privacy Act (SB 225) | 2024 | January 1, 2025 |
| 13. New Jersey Privacy Act (SB 332) | 2024 | January 15, 2025 |
| 14. Oregon Consumer Data Privacy Act (SB 619) | 2023 | July 1, 2024 |
| 15. Tennessee Information Protection Act (HB 1181) | 2023 | July 1, 2025 |
| 16. Texas Data Privacy and Security Act (HB 4) | 2023 | July 1, 2024 |
| 17. Utah Consumer Privacy Act | 2022 | December 31, 2023 |
| 18. Virginia Consumer Data Protection Act (SB 1392) | 2021 | January 1, 2023 |
What about national privacy laws around the world? According to the International Association of Privacy Professionals, 137 countries (about 70% of nations and 80% of the world’s population) are covered by some form of national data privacy law as of March 2024. Many countries have also recently made existing privacy laws more comprehensive.
What personal data is of greatest concern for data protection?
Personal data, also called personal information, has many definitions under law but occurs in two primary contexts:
- Personal data refers to any data element that, alone or in combination with other data, can be used to unambiguously identify an individual or household. Common examples are our names, home addresses, phone numbers, and email addresses.
- Sensitive personal data is generally subject to stronger data protection requirements. It can not only identify you, but also reveal or relate to important “private” areas of your life—like how you spend your money or what activities you prefer. This includes gender identity, sexual choices, race/ethnic affiliation, political or religious beliefs, health information, IP data, biometrics, and geolocation data.
Because of the significant potential privacy and cybersecurity damage and risk to data subjects from failing to protect sensitive personal data, companies that work with this data often face elevated compliance requirements.
How much are businesses spending on privacy compliance in 2024?
Privacy laws seek to protect consumers and other stakeholders by mandating minimum data protections and support for privacy rights. These extensive new controls and workflows can impose a heavy cost burden and learning curve on covered entities. For example, a 2019 estimate placed the cost of compliance with California’s CCPA alone at $55 billion, or 1.8% of Gross State Product (GSP). Another estimate put the total CCPA compliance cost at $78 billion annually, spread across the US.
Some businesses will grudgingly “do the minimum” on privacy to sidestep regulatory penalties and reduce the most egregious data breach risks as they maintain or expand their data monetization regimes.
The report emphasizes the critical role of privacy protocols as a trust builder and business enabler—helping to offset if not subsume privacy program costs. “Digital trust” is not merely “nice to have.”
Making a true “privacy culture” apparent to stakeholders is where the competitive power of privacy lies. This is a rapidly growing success driver for business models that rely on personal data.
How long does it take to build a privacy program?
Company size and complexity, applicable privacy regulations, privacy process maturity, funding, expertise, and many other factors influence how long it takes to put a robust data privacy program in place. 6 to 18 months is a common estimate.
For companies selling both in the US and internationally, tracking individual compliance with all those overlapping and dynamic rules would be extremely complex. Many businesses instead aim to implement data protection policies and procedures that give data subjects a full spectrum of privacy rights and ensure a trustworthy, accountable relationship with stakeholders.
By approaching privacy activities strategically and holistically instead of working towards compliance piecemeal, businesses stand a better chance of showing strong privacy protections to stakeholders in all jurisdictions, while also streamlining compliance efforts. In concert with holistic planning, many businesses seek to gain scarce expertise, improve performance, and save operational costs by outsourcing some or all of their privacy program.
Achieving ISO 27701 certification
Another way to reduce privacy compliance burdens and reap competitive benefits is to achieve certification against ISO/IEC 27701, “Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.” This popular international privacy standard allows organizations to extend an existing ISO 27001 Information Security Management System (ISMS) certification to encompass a unified Privacy Information Management System (PIMS)—improving efficiency, leveraging ISO 27001 investments, and showing stakeholders a comprehensive, independently verified, and internationally recognized privacy certification.
Further, ISO 27701 was designed to operate across all geographies, enabling organizations to show compliance with multiple jurisdictional privacy requirements while building a solid foundation to address core privacy principles that many laws have in common.
What are privacy benefits for orgs that get it right?
Organizations that recognize the synergy between privacy investments and competitive advantage can enjoy a wide range of business benefits and financial wins. These include:
- Enhanced brand trust and loyalty
- Greatly improved data governance
- Streamlined regulatory compliance and stronger audit results
- Quicker, more efficient responses to data subject requests
- Reduced sales friction and more new customer wins
- Reduced risks and losses from data breaches
- Supporting business innovation while enhancing the stakeholder experience
- Accelerated incident response
- Making the business more attractive to investors
Despite the undeniable overhead associated with privacy compliance, 78% or more of Cisco study respondents across Asia, the Americas, and Europe saw privacy laws as having a positive impact on their organizations. 95% overall say benefits exceed costs, with an average privacy ROI of 160%. Despite the complex compliance picture, 86% of US businesses surveyed favored privacy laws.
What about AI impacts on privacy and trust?
Companies have been overall quicker to monetize AI than to address its privacy, data protection, and intellectual property risks. Even many privacy-aware entities have been slow to reassure stakeholders and build confidence around AI privacy issues.
Both individuals and business partners are rightfully expressing concern about AI practices. Businesses that can demonstrate that their stakeholders’ data is only used for agreed, legitimate purposes in AI contexts can quickly build credibility and a differentiating message for their privacy program.
Next steps
CBIZ Pivot Point Security provides a full scope of services to help your business achieve compliance with applicable privacy and data protection laws, such as GDPR, CPRA, and NJDPL. This includes establishing clear and defined parameters governing AI use and privacy challenges. We work closely with client teams to evaluate the effectiveness of controls, confirm alignment with evolving regulations, and create management systems and strategies that enable your organization to optimize privacy benefits while proactively managing risks.
Contact us to schedule time with a privacy expert.