What is Data Privacy?
One can think of data privacy as all the processes involved in how confidential or personal information or data is collected, used, and shared or governed. No singular policy governs data privacy, with requirements and penalties varying across states and countries. Data privacy laws are legal constructs that set clear lines around which data is considered sensitive, what information may be gathered, and how this information should be protected with technological and procedural safeguards.
Data privacy is not the same as data security, although the terms are often used interchangeably. Data security encompasses the measures, technologies, and policies that are used to protect data from threats – both internal and external. Data security alone does not necessarily ensure data privacy requirements are met, but it is a set of tools that can help meet those requirements.
Data security protects data and data privacy governs that data responsibly.
Businesses determined to ensure data privacy treat personal data differently than other types of information they may work with daily. To meet data privacy laws (current or proposed), it’s important to take proactive precautions to bolster your organization’s data management technologies and policies when it comes to the information that could harm individuals if it fell into the wrong hands.
Data Privacy Falls Under Compliance Requirements
Data privacy can fall under an industry or country’s broader compliance regulations. Compliance can mean simply following a rule or, in many cases, following multi-national, or national laws, such as GDPR, FISMA, HIPAA and HITECH, PCI DSS, SOX, and more.
Compliance has pre-set conditions or requirements including data privacy, security, and protection that organizations must follow to meet data security requirements. As too many regulated industries have found out, not complying can result in hefty fines, or censure.
How Will New Data Privacy Laws Impact My Organization?
If your organization is in any of the states with the soon-to-be enacted or proposed data privacy laws detailed below you will first want to take a close look at your existing data security stance. Are your data privacy and data security policies up to date? Are they enforced? Do you need more robust technology in place to meet the increased security demands for data privacy?
An impending new data privacy law that will impact your organization is a great time to take a look at your existing data security policy. Here’s a few suggestions of what to consider and potentially update:
- Are the key staffers for each element of your policy still the right process owners?
- Does your policy cover the technologies and tools you’re currently using? Are old technologies still being detailed?
- Have you added or updated any technology to your efforts around data privacy or data security? Are they still effective?
- Is your employee education and training plan still working?
- Is your policy enforcement plan still effective?
- Has access for employees, trading partners, or clients changed? Have you considered the risk of the extended enterprise and third parties you interact with?
- Does your policy adequately address your industry’s compliance requirements?
- Is the data you need to protect being stored and transferred securely?
Related Reading: How to Create a Cybersecurity Policy for Your Organization
What are the Existing U.S. Data Privacy Laws?
At the time of this post, only one state – California – has a data privacy law on the books. But, just around the corner, more states will roll out data privacy laws. Here’s what’s currently in place.
California’s Consumer Privacy Act (CCPA)
The CCPA was the first state data privacy act passed in the U.S. passed on Jan. 1, 2020. The act provides the state’s consumers more control over their personal information. It applies to those doing business in California with annual revenue topping $25 million, or those receiving more than half of their revenue from selling the personal information of California residents, or to businesses that buy, receive or sell personal information of 50,000 or more California residents, households or devices. Civil penalties are limited to $2,500 or up to $7,500 for each additional intentional violation.
The rights granted to California residents under CCPA include the following. Many of the states soon to enact similar laws grant similar rights:
- The “right to know” which means residents can ask an organization to share what personal information they have, how it’s used, shared, stored, and why they have it.
- The “right to delete” which says that residents can request an organization and its service providers to delete collected personal information. A few exceptions, such as for security practices, legal obligations, and others are exempt.
- The “right to opt out” where Californians can ask an organization to stop selling their personal information.
- The “right to non-discrimination” ensures that goods or services cannot be denied, or price differentials applied if someone exercised their CCPA rights.
What are the Emerging Data Privacy Laws by State?
Soon, sunny California won’t be an island in terms of data privacy regulations as several more states have undertaken legislation that underscores just how important protecting personal data is for the well-being of its residents and for the businesses entrusted with their personal information.
The Virginia Consumer Data Protection Act (VCDPA)
First up, is the Virginia Consumer Protection Act (VCDPA), effective Jan. 1, 2023. As the second privacy act in the country, the VCDPA will apply to all people conducting business in the state and either:
- Control or process the personal data of at least 100,000 Virginia consumers
- Earn more than 50 percent of gross revenue from sales of personal data of Virginia residents
- Control or process the personal data of at least 25,000 Virginians
With this law, Virginia consumers will gain the rights to know if a controller is processing their personal data and have access to it. They can correct inaccuracies to or delete their personal data, secure a copy of data held on them, and opt out of having their personal data sold or used for advertising or profiling.
State and local government bodies have some exceptions to this data. The VCDPA requires the Attorney General give 30 days written notice of violations. If corrected in 30 days, no action is taken. If the violation continues, civil penalties of up to $7,500 may be applied for each violation.
The Colorado Privacy Act
Next, Colorado, with the Colorado Privacy Act (CPA), adds more data privacy protection effective July 1, 2023. The CPA applies to those who conduct business, make commercial products, or provide services purposely targeted to Colorado residents. In addition, it applies to entities that:
- Control or process personal data of at least 100,000 Colorado residents annually, or
- Get their revenue from the sale of personal data of Colorado residents or from controlling or processing data of at least 25,000 state residents
Unlike most other state data privacy regulations, the Rocky Mountain state’s mandates do not apply to all residents, such as individuals acting in an employment or commercial context, like when applying for a job. However, standard consumer rights are granted to individuals wishing to opt out of a controller processing their personal data for targeted advertising, for the sale of data, or for profiling purposes. Consumers also have the right to know if a controller is processing their personal data, along with the rights of correction, deletion, and right to data portability, which gives consumers access to a portable copy of their personal data.
Non-compliance is costly, with fines up to $20,000 per violation (with a written notice and 60-day period to correct the violation). This leeway, however, goes away Jan 1, 2025.
The Utah Consumer Privacy Act
On New Year’s Eve 2023, the Utah Consumer Privacy Act (UCPA) will take effect. The new act impacts data controllers and processers who:
- Conduct business in the state
- Produce products or services targeted to Utah residents
- Have a $25,000 annual revenue or more
And it impacts any entity that meets one of these conditions: processing or controlling personal data of 100,000 or more Utah consumers or receiving more than 50 percent of gross revenue of sales of personal data of Utah citizens, or processing data of 25,000 or more state consumers.
Like several states noted above, Utah residents will benefit from the following rights: access to their personal data, deletion of personal data, portability of a copy of their data, and the right to opt out of certain processing of their data such as it being sold or used for targeted advertising.
Violations can only be enforced by the state’s Attorney General, and data controllers must be provided with a written notice and given a 30-day cure period.
The Massachusetts Information Privacy and Security Act
And finally, the last state to move toward more data privacy legislation is Massachusetts. Currently in the proposal state, but advancing through the legislature, the Massachusetts Information Privacy and Security Act (MIPSA) would impact businesses in Massachusetts that earn $25 million or more in gross annual revenue; process personal data of 100,000 or more residents of Massachusetts; or serve as a data broker collecting and selling personal data of at least 10,000 state residents.
The proposed act would exempt state government bodies, as well as national security associations, etc. This act seeks to protect the personal data of Massachusetts residents, granting the rights to access, know, delete, correct, and have portability of their personal information.
The proposed MIPSA adds additional protection around specific personal information like race, ethnicity, or religion. And would give state residents the right to know about the collection and intended use of this sensitive information. Violators of MIPSA would undergo a civil investigation, with 30 days to correct the violation. Unresolved violations could result in restraining orders and penalties of up to $7,500 per violation.
How Can My Organization Help Meet Data Privacy Requirements?
Most organizations will require layers of solutions to address data privacy laws impacting their state. A few from Fortra data security suite of solutions include:
One way to govern data is to use a data classification solution. Visual and metadata labels are applied to the data needing protection and control. Data classification can work with other data security solutions, such as secure file transfer to look for these classification tags and ensure that data is only shared with appropriate individuals based on the established security policy.
Data Loss Protection (DLP)
Organizations using DLP can help keep sensitive data out of the wrong hands. With DLP, sensitive text, even hidden meta data, can be replaced ore redacted to sanitize documents as they move along their journey. Business can continue to flow, but the sensitive data that could fall under a data privacy law remains protected.
Related Reading: Why You Should Integrate Your MFT with DLP
Digital Rights Management (DRM)
Sending files via secure file transfer with strong encryption protocols seems like it should be enough to ensure data privacy. However, once a file is decrypted, the control of that data is lost. Adding a rights management solution to the protection GoAnywhere delivers to files at rest and in motions helps protect the privacy of data wherever that file travels.
Related Reading: End-to-End Rights Management Made Simple with MFT
How Can Secure File Transfer Help Protect Data Privacy?
Secure file transfer, like GoAnywhere MFT gives organization a streamlined, encrypted, centralized way to protect the files they send every day, especially those with individuals’ private information, with protection at rest and in motion. By giving employees a dashboard-style, user-friendly interface, organizations needing to adhere to data privacy laws can make it easier for employees to use the tool and not resort to a free file sharing solution or other unsecure method of collaborating and sharing files. Plus:
- Auditing and recording features help meet compliance requirements.
- Secure mail, separation of permission by user roles, and at-rest encryption all help meet data privacy requirements.
- Automation can help reduce human errors.
- Flexibility of deployment allows for on-premises, cloud, hybrid or even as MFTaaS.
GoAnywhere Can Boost Your Data Privacy Stance
The benefits of using GoAnywhere for data privacy concerns are best seen during one of our 15-, 30- or 60-minute demonstrations. Book yours today.