Data privacy in the United States is a patchwork of regulations, which stands in stark contrast to the European Union (EU), which has a comprehensive data privacy law called the General Data Protection Regulation (GDPR). While some states have passed their own comprehensive data privacy laws that have drawn comparisons to the EU system, the U.S. still lacks a unified set of privacy regulations at the Federal level. This fragmented regulatory environment leaves businesses to navigate a maze of differing requirements, raising the stakes for compliance and protection.
The privacy landscape is rapidly changing as new state privacy laws come into effect each year. The current count of signed laws as of July 2024 is nineteen, with each state having different effective dates, requirements, and enforcement rules. With that in mind, if you work for a company that operates in multiple states or has clients throughout the country, you might be asking yourself, "How do I design a privacy program when the rules aren't consistent?" To make things even more confusing, some states like California have already passed amendments to current privacy laws, making compliance a moving target. The California Consumer Privacy Act (CCPA) was amended in November 2020 to add new privacy protections that began January 1, 2023, with enforcement beginning in March 2024. Tracking all of this information is a full-time job for a privacy officer. However, most companies do not have this dedicated resource, so the job typically defaults to legal or even IT to manage.
Creating a privacy program that complies with the complex set of U.S. privacy laws while also meeting consumer rights and business obligations can be challenging, but it's not impossible. It begins with creating a culture of privacy within your organization that goes beyond legal compliance. It's true that privacy program development is often triggered by regulatory obligations. However, to be successful, an organization must take a deep look at the types of data being retained for both customers and employees in order to design a program that aligns with the organization's goals while also satisfying state laws. If your organization collects personal data, that data needs to be classified as personal data and its movement within your organization tracked. This is the easy part. The challenge is answering the many questions that follow, such as:
- How do you determine what personal data to keep vs. purge?
- How long should you keep it, and where should you store it?
- Are disclosures necessary? If so, does consent need to be obtained?
- Is an opt-out process necessary?
All of these decision points and how they are implemented tie directly to the privacy culture of your organization.
UHY’s Technology Risk & Compliance (TRC) practice can provide strategic privacy support to navigate these complex regulations. Our approach starts with a thorough analysis of the legislation and requirements that are foundational for a customized privacy program. We consider the whole organization — including growth targets, customer requirements, contractual obligations, and organizational ethics and initiatives — in our design of a privacy program. This framework ensures that your privacy strategy not only meets legal standards, but also aligns seamlessly with your overall business objectives and values.