January is a time of renewal, providing an opportunity for new focus. With Data Privacy Day almost upon us, and the expansion of data privacy legislation in the United States, now is the ideal time for businesses to update their data privacy program with best practices and plan for the next stage. How? Go back to the basics.
For the skeptics, Data Privacy Day is an actual holiday (sans greeting cards). Designed to raise consumer awareness, it was intentionally set at the beginning of the year, as an annual reminder to billions of online consumers — and the businesses that hold their data — to think about data protection.
Data privacy issues and legislation are poised to gain steam. Since 2018, when California passed the first comprehensive data privacy legislation in the U.S., 11 states have passed similar legislation, with the promise of more on the way. As of the end of 2023, the statutes in five of those states are effective, with Utah joining California, Virginia, Colorado and Connecticut. While ongoing legislative sessions are expected to yield additional statutes, it is unlikely any new legislation would change the landscape for 2024. Generally, state legislatures are building in effective dates ranging from 9–12 months to 2–3 years out. The result is that the roadmap for 2024 privacy compliance is set, barring any legislative surprises.
Although Arizona does not currently have pending legislation, it has previously introduced bills, such that the possibility is not off the table. Regardless, the reality for any business is that compliance with this web of state privacy laws is becoming mandatory due to the interstate reach and applicability of state privacy legislation. The number of businesses operating in only one state is dwindling. Even if compliance isn’t mandatory, there are current and developing best practices that will undoubtedly make it into Federal Trade Commission jurisprudence in its role as the de facto U.S. data protection authority.
The good news is that data privacy teams will be able to enjoy a lull for the next six months until new statutes come online in July 2024 for Montana, Oregon and Texas, making now the perfect time for businesses to update their privacy program. If a business has an updated privacy program, accommodating any business operations in Montana, Oregon and Texas will be straightforward because the affirmative obligations reflected in those statutes are similar to existing laws.
Businesses will, of course, want to confirm the applicability of each of those laws to their activities in those states. While Montana and Oregon have thresholds similar to those in many other states, Texas is likely to throw businesses a curve ball. While most states require the business to process (or, in California, buy, sell, share) data of a minimum number of residents in that state — varying from 35,000 to 175,000 — there is no similar threshold in Texas. Instead, Texas focuses on the concept of a “small business.” If a company is processing data of any Texas residents, the law may apply whether it is one resident or 100,000 residents.
If a business does not yet have a privacy program, now is the perfect time to look across all 11 existing laws and incorporate their basic shared tenets into a base privacy program. Doing so does not have to be a heavy lift, as the shared tenets are straightforward and center on three things: transparency, notice and choice. What does this mean in practice? Below is a high-level list of things a business should focus on in building a privacy program:
- Provide a clear and comprehensive public-facing privacy notice of data collection, use and disclosure practices.
- Ensure transparency in collecting data.
- Provide consumers real choices about their data.
- Collect (and keep) no more data than is needed for the purposes disclosed.
- Implement commercially reasonable and appropriate physical, administrative and technical measures to ensure data remains confidential, available and secure.
- Take responsibility for contractors processing data by requiring robust, documented contractual provisions.
- Provide consumers with the ability to make delineated requests regarding their data, such as confirming what data a business has, correcting data, opting out of certain uses of data (such as for online advertising and marketing), and requesting deletion of data.
- Provide internal training for the privacy program and security incident preparation.
While this list is not exhaustive for compliance with all data privacy laws, and there are a lot of complexities and nuances to contemplate, businesses can review their program with these basic tenets in mind. This will also set the foundation for issues such as advances in AI and IoT, which will continue to raise complexities and risk around data privacy. Ensuring that a data privacy program covers the basics will create a solid foundation for years to come.
And ensure businesses have a Happy Data Privacy Day!
Heather Buchta is a partner at Quarles in Phoenix, where she is office chair for the Intellectual Property Group, co-chair of the firm’s Data Privacy and Security Team, and involved in the firm’s AI initiative. She has practiced intellectual property and information technology law since 2001, when she joined Quarles.
Did You Know: Data Privacy Day is January 28, 2024. The holiday began in 2007 in Europe as Data Protection Day, was first adopted in the U.S. in 2009, and was made permanent by Congress in 2014. Data Privacy Day is now celebrated in 27 countries.