How Detailed Recordkeeping Saves the Day: Navigating US State Privacy Laws Without a Federal Safety Net




In the absence of a comprehensive federal privacy law, many businesses in the United States are required to follow a patchwork of state-specific and sectoral privacy laws to regulate data protection. This decentralized approach places the US as an outlier compared to other nations with overarching federal privacy regulations, such as the European Union's General Data Protection Regulation (GDPR). Instead, US states like California, Colorado, Connecticut, Florida, Oregon, Virginia, Texas, and Utah have developed their own privacy laws, each with unique mandates for businesses.


The general goal of these laws is to empower consumers to take control of their data, although the specifics can vary from state to state, potentially complicating compliance for businesses operating nationwide. Businesses subject to these laws must navigate various obligations including privacy policy disclosures, data minimization, security measures, risk assessments, and vendor management. This state-by-state approach can lead to inconsistencies and increased complexity for businesses.


From an information governance compliance perspective, however, all of these laws uniformly emphasize detailed recordkeeping.


And one of the questions that most regulators (federal and state) ask following an adverse data event like a data breach is:


Why the @#$%#@$ didn't you manage your records properly so that you could have prevented this mess!!


Here are some answers to that question:


  • Keep records of consumer rights requests and responses — whether they are for access, deletion, correction, or opting out of data sales. To demonstrate compliance with the common requirement of complying with consumer rights requests, businesses must have records showing how they addressed these requests! Laws like the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA) both require businesses to document and respond to consumer data access, correction, and deletion requests within specified timeframes, ensuring transparency and accountability.

  • Maintain documentation of training sessions. Not surprisingly, legal compliance requires employee buy-in!! (OK, this should go without saying, but, unfortunately, it cannot be taken for granted). In order to comply with comprehensive state privacy laws, employees must be educated on data privacy practices, and in order to show a commitment to compliance, it is critical for businesses to keep records of those training sessions.

  • Maintain records of assessments and data protection measures. Data protection laws such as those in California, Colorado, and Virginia require businesses to conduct and document regular risk or data protection impact assessments (DPIAs) for high-risk processing activities and provide evidence of these to regulators upon request. Other sources of this requirement can be found within (or implied by) “reasonable safeguards” statutes (e.g., Florida, Texas, Illinois, Massachusetts, New York) or the HIPAA Security Rule. Maintaining these assessments helps companies identify and mitigate potential vulnerabilities, enhances compliance, and reduces the likelihood of liability from adverse data events. And regulators often review these assessments during inspections.


  • Show third-party vendor compliance. This obligation includes ensuring that vendors comply with data protection standards and requirements. Additionally, businesses should maintain due diligence records, which assess third-party vendors' data protection practices. Examples of this requirement include Connecticut’s SB6, which requires businesses to ensure third-party vendor compliance with data protection standards through documented data protection assessments, especially for high-risk activities. Also, Texas’s HB4 mandates that businesses maintain due diligence records to assess and ensure third-party vendors' adherence to data protection requirements.

  • Compile and regularly update a comprehensive inventory of personal data collected, processed, and stored. Maintaining this kind of inventory helps businesses identify and mitigate compliance risks, protecting consumer data and adhering to legal obligations. Examples of this requirement include California Civil Code § 1798.100(d), which requires businesses to have a comprehensive inventory of personal data collected, processed, and stored, including agreements with third parties to ensure data protection standards, and Colorado CRS § 6-1-1309, which requires entities subject to the law to have proof of documented data protection assessments for high-risk processing activities, including personal data sales and targeted advertising.

  • Regularly update internal privacy audit compliance records. Examples of these records can include audit committee findings, recommendations, and actions taken to address any identified issues. This requirement is often part of the general duty of businesses to maintain (and be able to show regulators) reasonable administrative practices that protect the confidentiality, integrity, and accessibility of personal data.


The overarching theme in these requirements is the necessity of meticulous documentation.


The practice of detailed recordkeeping is not merely a bureaucratic exercise but a fundamental component of demonstrating compliance.


It allows businesses to show both regulators and stakeholders that they have responded appropriately to consumer rights, educated their employees, and assessed and mitigated risks to data security.
