Business leaders have a lot on their plates, between helping to ensure a business’s continued growth and financial success, retaining top talent in a competitive job market and keeping shareholders happy. Among competing priorities, data governance and consumer privacy often are viewed as an expense, a distraction or even an annoyance, something that may be tempting to procrastinate on or to “set and forget.” Yet keeping privacy practices up to date is essential not only for avoiding regulatory enforcement and class action exposure but also for raising the value of the business and giving it an edge over competitors.
To Have or Not to Have: The Importance of Maintaining a Consumer-Facing Privacy Notice
A privacy policy should describe how a business collects and uses personal information, whether consumer information is shared or sold and what rights consumers have with respect to their information. As an initial matter, and regardless of whether a law requires it, companies should consider giving consumers a transparent disclosure of their information practices.
On the employment side of the equation, a written privacy policy can help reassure employees that their personal data is adequately protected. On the consumer side, industry research shows that consumers are becoming increasingly vigilant about how businesses use their personal data. Businesses that demonstrate transparent data practices, honor consumer rights and have reasonable security measures in place to protect consumer data therefore foster trust with consumers. The opposite also is true: mistakes in consumer data management can cause significant reputational harm, negative publicity and loss of trust.
Does a business work only in a B2B space? Or is the organization a nonprofit that does not deal with “consumers” in the traditional sense? Neither case means the organization can do without a data privacy policy. As discussed below, many of the emerging privacy laws still may apply to its information practices.
A Surge in Omnibus State Data Privacy Laws
While there is no comprehensive federal privacy law, the past three years have seen a proliferation of state data privacy laws as well as sectoral regulations related to data privacy, creating a complex compliance environment for businesses. While the new state laws are largely based on the same principles, there are important differences that each business should assess for itself.
For example, while all state data privacy laws contain entity-level and data-level exemptions (for example, exempting nonprofits or data regulated by the Health Insurance Portability and Accountability Act (HIPAA)), these exemptions are not always the same. A business or a nonprofit organization may find that it must comply with some state laws and not others. Furthermore, certain information practices may require a notice giving the consumer an opportunity to opt out in some states, or the consumer’s affirmative consent in others.
In July 2024, omnibus data privacy laws went into effect in Florida, Oregon and Texas; on October 1, 2024, Montana’s data privacy law goes into effect. In 2025, the Delaware, Iowa, Oregon (for nonprofits) and Tennessee laws become effective. Furthermore, many of the state laws feature initial right-to-cure provisions (an opportunity to fix violations before enforcement), which will sunset in the near future; for example, the right to cure under Connecticut’s law expires in December 2024. As new laws continue to emerge at the state level and go into effect over the next several years, it is wise to prepare preemptively by updating privacy notices for compliance with the new laws.
For businesses that have not previously been covered by state data privacy laws, this may be a good time to review the new applicability thresholds and update privacy policies accordingly. While most state laws follow the same applicability structure and set thresholds (for example, the number of consumers whose data is processed) roughly in proportion to the state’s population, there are notable variations. For example, the Texas law applies to any entity that conducts business in Texas and processes personal data, so long as it is not considered a small business under federal law.
A business generally will do well to follow the most stringent requirements among the laws that apply to it; however, it still is necessary to review the requirements of each incoming law and take note of any changes that may be needed. Aside from checking for compliance with incoming laws, updating the privacy policy at least once every 12 months is a requirement under the California Consumer Privacy Act (CCPA).
New Sector-Specific Data Privacy Laws
At the state and federal levels, sector-specific data privacy laws and regulations are emerging. Arguably the most notable recent addition to this category is Washington’s My Health My Data Act (MHMDA), which, despite what the title may imply, applies broadly to organizations that do not traditionally provide any health care services. This is due to the very broad definition of “consumer health data,” which reaches personal information linked or reasonably linkable to a consumer’s past, present or future physical or mental health status. Organizations that process data linked to Washington residents’ health status should take a careful look at this law and assess whether they may be within its scope. If a business processes such consumer health data, it may need not only to review its existing policy but also to draft an additional, standalone consumer health data privacy policy that meets the MHMDA requirements.
Generally, recent developments in the data privacy space have been focused on regulation of data brokers and businesses that process health data or children’s data, as well as biometric privacy and risks presented by artificial intelligence. Businesses in these sectors will want to be especially sensitive to the emerging sector-specific laws.
Recent Developments in AI Governance
Following the European Union’s lead in enacting its Artificial Intelligence Act (which entered into force on August 1, 2024, with obligations phasing in over the following years), there are significant ongoing policy discussions in the United States relating to AI governance. To date, Colorado and Utah have adopted AI governance laws, but overall there are few concrete requirements, although the regulatory efforts seem to be moving at a fast pace.
Businesses that develop or deploy AI systems will do well to look to existing standards, such as the National Institute of Standards and Technology’s AI Risk Management Framework and ISO/IEC 42001, and to implement risk management policies and programs ahead of incoming regulation. Transparency is a core principle in most privacy laws, and AI governance frameworks will likewise require businesses to carefully assess the risks and make transparent disclosures to consumers.
It also should be noted that practices that are unfair or deceptive may trigger enforcement actions by the Federal Trade Commission (FTC) or state attorneys general. In practice, this means that companies must accurately disclose their information practices, including any use of AI, in a consumer notice. Because sensitive personal information is subject to heightened requirements, companies should particularly assess their use of such information in connection with AI and update their privacy policies to reflect that use.
Changes in Actual Business Practices
Of course, if a business’s information practices are due to change in a material way, for example because the business plans to deploy advertising or analytics cookies or its purposes for processing data have changed, the changes must be reflected in an updated privacy policy before they take effect. The business also should take care to notify its customers and website visitors, by way of an email update or a prominent website banner, that the privacy policy has been updated.
Businesses should be aware that the FTC monitors whether organizations live up to the disclosures and promises set forth in their privacy policies, and it has brought enforcement actions against organizations that misled consumers about how their information would be handled. As such, having an outdated policy, or worse, one found online or borrowed from another website, is a bad idea: a policy that describes practices the business does not actually follow is itself a potential deceptive practice.
Conclusion
A privacy policy is a living document and must be reviewed regularly. It is imperative that companies remain compliant with changes in federal and state privacy laws and keep track of their own information practices. Under the CCPA, a business must review and update its privacy notice at least once every 12 months, and it should establish internal processes (such as a recurring review calendar and a record of data-practice changes) to facilitate such assessments. Once a company has reviewed and updated its privacy policy, consumers should be duly notified of any material changes.