Data privacy is a new and rapidly evolving area of law. New laws are being passed, regulations written, and court cases resolved. While that may be exciting for privacy professionals, for businesses that have to comply with laws like the California Consumer Privacy Act (CCPA), it means they can’t just become privacy compliant and then forget about it.
Continuous compliance requires staying up to date with all of these developments and adjusting your practices accordingly. Here we’ll explain why that is (with examples), and what you can do about it.
If you’re not a legal professional, it would be understandable to think that once a statute is passed by a legislature, that’s the law and nothing about it changes unless the legislature passes a new statute.
However, in the United States and many other countries, “the law” is formed from multiple sources, such as regulations and judicial opinions, and evolves over time even if the statute itself never changes.
Take the CCPA, for example. It’s a comprehensive law, but the legislators knew they couldn’t predict every eventuality, so they delegated authority to the California Privacy Protection Agency (CPPA) to create and revise regulations. These regulations have to stay within the boundaries created by the CCPA, but they still have the force of law and can be changed relatively easily.
Now imagine that a business has been accused of violating the CCPA and fights that accusation in court. The judge will look at the various sources of law (the CCPA, the Agency’s regulations, and what other judges have decided in the past), and apply the rules to the specific facts of the case in front of them. Afterwards, that judicial decision itself becomes a new source of law, and any businesses that are engaging in similar behavior will have to examine the decision carefully and figure out how it applies to them.
Don’t feel bad if this is a little confusing. Lawyers study for years learning to determine what the law is in a specific situation, and then spend the rest of their careers disagreeing with each other about it.
The main point to understand is that privacy laws are not static; they can change greatly over time, and businesses have to keep up or face repercussions.
Comprehensive data privacy laws are a recent phenomenon; the EU passed its General Data Protection Regulation in 2016, California followed suit with the CCPA in 2018, and now many other states have passed or are considering their own laws. Because this area is so new and technology changes so quickly, the laws are changing at a fast pace.
Consider the example of a business that became CCPA compliant in 2021. By early 2023, here is just a short list of requirements that have changed:
This is by no means an exhaustive list, and the changes are still coming. For example, the CPPA is currently drafting rules regarding when and how businesses must submit risk assessments for their data processing. Once that happens, all businesses will have to look at the new rules and decide what they mean for them.
Staying up to date with privacy compliance across multiple states and countries is a full-time job, but many businesses balk at the idea of hiring an in-house privacy expert or racking up expensive legal fees. TrueVault provides a much more cost-effective solution.
With TrueVault, businesses can manage compliance with many privacy laws in one platform. Create your own data map, onboard vendors, and more, all through a guided software experience. Our privacy professionals stay current with the latest developments, then incorporate any new legal requirements directly into the platform. Wherever possible, these updates are applied automatically, and if any action is required on your part, we provide the guidance and tools to do it.
Learn more about TrueVault and view a demo by contacting our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.