Connecticut became the fifth state to pass a consumer data privacy law with the signing of SB 6, titled "An Act Concerning Personal Data Privacy and Online Monitoring." The law, which goes into effect July 1, 2023, is similar to privacy laws in Virginia, Colorado, and Utah, but it falls short of some of the provisions and protections in California's California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA).
This latest state law on privacy further intensifies the pressure on corporate compliance departments to attempt to address the increasingly difficult task of meeting the reporting and coverage requirements of various privacy laws, and it puts pressure on the federal government to come up with a national law that clarifies consumer privacy rights, says Lisa Sotto, partner and chair of the privacy and cybersecurity practice at Hunton Andrews Kurth LLP, a Richmond, Va.-based law firm.
"It's completely insane complying with all of these [privacy] laws; it's virtually impossible," she says. There is no "highest common denominator" that permits organizations to comply with a given set of privacy regulations to ensure compliance with all of them.
"It's a mess," Sotto says.
While all of the privacy laws have a lot in common, no two are identical. When you layer additional laws — such as those directed at privacy related to minors, healthcare, financial services, and other areas — on top of the five statewide laws, the matrix of compliance requirements becomes unwieldy.
Ever-Growing Thicket of Privacy Laws
Currently there is no national privacy law in the United States, but there is a patchwork of laws at the national and state levels that address varying areas of privacy. Among the federal laws are the Gramm-Leach-Bliley Act (GLBA), the Privacy Act of 1974, the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH).
There are also industry rules, such as the Payment Card Industry Data Security Standard (PCI DSS), that dictate how companies should handle consumer privacy. Sometimes laws and industry rules are in direct conflict, such as when a data breach needs to be reported and to whom, forcing companies to choose which regulations to follow.
Add to those state and local laws, such as the New York State Personal Privacy Protection Law, as well as international laws, such as the European Union's General Data Protection Regulation (GDPR) — which holds individuals across the globe liable for mishandling the personally identifiable information (PII) of EU citizens — and compliance becomes unmanageable.
One huge challenge companies face when trying to manage compliance is determining exactly what the laws require and how they define privacy, which is open to interpretation. Forrester analyst Stephanie Liu says the Colorado law, for example, does not permit the sale of personal information for "valuable consideration." It explicitly does not say selling only for cash but rather anything of value.
However, Liu says, she has "talked to a couple of data brokers who said that they do not sell data. If a data broker is making that argument, then you've got a loophole there."
Comparing the Utah, Colorado, Virginia, and Connecticut laws, the "definition of sale" is where they tend to differ, Liu says. "It's a huge headache," she adds.
Exactly the Same, Only Different
While the Connecticut law specifically talks about guarding consumers' privacy rights from those who sell products directly to the state's citizens, not all privacy rights are covered by the law. Insurance, for example, is a huge part of the state's economy, but insurance companies are not covered by this new law. Instead, says Sotto, those companies are covered by the federal GLBA regulations.
Boards of directors have a fiduciary duty of oversight when it comes to cyber, she says, and that is forcing them to take a much closer look at privacy as well. Boards are taking a much more personal interest in privacy and compliance, especially now that recent laws can hold board members personally liable if a company is breached or if PII is stolen and made public.
Protecting personal privacy could have an impact on cyber insurance rates as well. Ransomware attacks that steal PII and threaten to make it public are very common today, and cyber insurance policies often include coverage for paying those ransom demands.
For cyber insurance carriers, notes Forrester senior analyst Jess Burn, that means very high legal costs are included under the premiums. Companies that are breached "need to work with their outside counsel on data breach notifications for every single affected state," Burns says. "In addition, if it's a B2C company, [you have] consumer notifications, credit monitoring, and all of those different fees that come along with it. Oh, and then the fines are going to come in as well."
Not every privacy issue is addressed in privacy legislation, and not all non-PII is addressed directly in state privacy laws. Data that might contain personal data about investors, for example, is often addressed under other legislation that is not privacy-specific. The Fair Credit Reporting Act, for example, covers some consumer privacy issues that overlap the state privacy laws, as do HIPAA and other healthcare legislation, but these do not necessarily contradict other laws.
"Connecticut exempts employee data from its law entirely," Burn says. "That's another area where it's interesting to see [that] sort of the uncertainty, if we're being honest about how states are approaching it."