For the first time in the history of data protection regulations, organizations now need to comply with data protection regulations outside of their own state borders.
Over the past several years, 13 U.S. states have introduced new, comprehensive data protection regulations. They are California, Virginia, Utah, Colorado, Delaware, Montana, Oregon, Texas, Iowa, Indiana, Tennessee, Rhode Island, and New Jersey. And, as of this writing, three more states, Massachusetts, North Carolina, and Pennsylvania, have similar laws in the legislative process. Most data protection and privacy experts believe this trend will continue until all states have them.
If you’re wondering why or how this started, there are essentially two causes.
The first cause is the European Union enacting the General Data Protection Regulation (GDPR) in 2018, which gave individuals clear rights over how their personal information is processed. The second cause is the Cambridge Analytica Scandal that happened that same year, highlighting the dangers of personal information being sold and used without peoples’ knowledge or permission.
As one might assume, this new generation of state data protection laws have a lot in common, each giving their state’s citizens the right to access and correct their personal information, the right to restrict its sale of their personal information to others and to have it deleted completely on demand, and, of course, they all include the right to have personal information securely protected at all times.
And, to the point of this blog, each of these new laws bestows those rights on their citizens regardless of the location of the organization in possession of their personal data and regardless of where those citizens may travel.
For example, Iowa enacted a comprehensive data privacy law, known as Senate File 262, on March 29, 2023. It is effective on January 1, 2025, and it applies to organizations that sell products or services to Iowa residents that possess, control, or process the personal data of 100,000 Iowa residents. This theoretically includes Iowans who visit an organization’s website, since visitor personal IP addresses are considered as personal information and are often tracked. And remember, this has nothing to do with where the organization itself is located.
If a Nebraska-based firm (or a Washington state business) meets the threshold, the law gives its Iowan customers (including website visitors) the right to request and correct their personal information, the right to approve the processing of their personal information, the right to the deletion of their personal information, and the right to opt out of the sale of their personal data.
Additionally, those Nebraska-based businesses serving Iowans are also required to adopt reasonable information security practices, provide clear privacy policies, disclose if they sell personal data, and establish a process for consumers to appeal an organization’s refusal to act on any request to exercise their rights. The law also mandates a contract be in place with any data-related service providers and requires businesses to provide Iowan consumers with clear notice and an opportunity to opt-out of the processing of certain types of sensitive data.
Besides the potential financial penalties for violations, organizations that do not comply risk being further sanctioned or even denied the right to continue operation in a state.
While it may seem unfair that other state laws have such broad influence outside their borders, remember that it is only a matter of time before every state has the same requirements. At the same time this could lead to a similar national data protection and privacy regulation, in which case, any state law that is weaker (or nonexistent) would be superseded.
Here at Shred Vault, as all our blogs show, we keep a close eye on regulatory developments, and we do it so because of our responsibility to our clients to be their compliance partners. We take the trust they put in us very seriously.
So, whether it’s a simple one-time project or an ongoing data security program, we’re happy to bring the full extent of our regulatory acumen, and our unparalleled reputation for affordable, sustainable service to meet your secure destruction needs.
Contact us today!
© 2024 Shred Vault – All rights reserved.
