What is Data Privacy? How Does it Impact Employers?
May 30, 2023
Many states are enacting data privacy legislation modeled after the European Union’s (EU’s) General Data Protection Regulation.
Most people believe that privacy is a fundamental human right — an essential aspect of autonomy and foundational for many other human rights. Privacy enables us to create and manage our boundaries, protecting ourselves from outside interferences in our lives. It enables us to negotiate how we want to engage with the people, community, and world around us.
Our community’s understanding of privacy, and the boundary-setting rules we create together based on this understanding, enable us to regulate who has access to our bodies, homes, and personal possessions — as well as to our communications and personal information.
According to Privacy International, the most significant challenge to privacy is that “the right can be compromised without the individual being aware. With other rights, you are aware of the interference — being detained, censored, or restrained. With other rights, you are also aware of the transgressor — the detaining official, the censor, or the police.” Increasingly, we aren’t informed about the monitoring we are subjected to. Most of us also lack the opportunity and capability — as individuals — to even question these activities.
Data protection and privacy
An important element of an individual’s right to privacy is the protection of personal data, and over 100 countries around the world now have some form of privacy and data protection law in place. In the United States, several federal and state laws cover different aspects of data privacy, but the US currently lacks a comprehensive data privacy law like the General Data Protection Regulation (GDPR), which the European Union adopted in 2016 and which has been enforceable since May 2018.
The United States has historically allowed businesses and institutions to collect, use, sell, and share personal data without notifying the individuals whose data is being processed. The harm-prevention approach our federal government has taken to protecting privacy regulates the use of personal data in specific sectors only. These sector-specific laws cover financial data (Gramm-Leach-Bliley Act – GLBA), medical data (Health Insurance Portability and Accountability Act – HIPAA), education records (Family Educational Rights and Privacy Act – FERPA), and children’s data (Children’s Online Privacy Protection Act – COPPA). Each of these rules protects against the misuse of a particular category of personal information, and a great deal of personal data falls outside all of them.
In contrast, countries in the European Union (EU) subscribe to a broad, rights-based approach to protecting personal information. The rights-based approach holds that privacy is a basic human right and that individuals own their personal information. Who can use it, and what they can do with it, is a matter of personal choice.
The GDPR codifies several key principles concerning data privacy protection that are useful in understanding the new state privacy laws coming into effect in 2023. These new state laws emulate the rights-based philosophy of the GDPR and represent a comprehensive approach to privacy protection, which applies to a broad range of business sectors.
Under the GDPR, organizations that process personal data are classified as either data controllers or data processors. Understanding the roles and responsibilities of data controllers and processors is critical to ensure compliance with the GDPR.
- Data controllers are responsible for determining the purposes and means of processing personal data. They are the ones who decide why personal data is being processed and how it is being processed. They have a legal obligation to ensure that personal data is processed lawfully, fairly, and transparently.
- Data processors are entities that process personal data on behalf of a data controller. They process personal data according to the instructions of the data controller.
With regard to personal information, the GDPR delineates several specific rights of individuals. While the emerging state laws in the United States differ in a few details, for the most part they parallel the privacy rights established in the GDPR:
- The right to be informed.
- The right to rectification.
- The right of access.
- The right to be forgotten (erasure).
- The right to restrict the processing of your data.
- The right to data portability.
- The right to object.
- Rights regarding automated profiling and decision-making.
There are several new state data privacy statutes becoming effective in 2023.
The California Privacy Rights Act (CPRA) became effective on January 1, 2023. The CPRA amends the California Consumer Privacy Act (CCPA), which had already codified several individual privacy rights modeled after the GDPR. The new legislation also creates a dedicated enforcement body, the California Privacy Protection Agency, similar to the data protection authorities in EU countries that are responsible for enforcing the GDPR.
The Virginia Consumer Data Protection Act (VCDPA) became effective on January 1, 2023. It codifies GDPR-like individual rights, but a 2022 amendment narrowed the “right to delete”: a controller that obtained a consumer’s personal data from a source other than the consumer may now satisfy a deletion request by opting the consumer out of most processing of that data rather than deleting it.
The Colorado Privacy Act (CPA) goes into effect on July 1, 2023. In addition to establishing a rights-based regulatory tool similar to the GDPR, the Colorado legislation requires data security and contract provisions for vendors and assessments for “high-risk” processing.
The Connecticut Data Privacy Act (CTDPA) goes into effect on July 1, 2023. It establishes GDPR-like individual rights and requires data minimization and other security measures for “high-risk” processing.
The Utah Consumer Privacy Act (UCPA) becomes effective on December 31, 2023. In addition to establishing individual rights based on the rights outlined in the GDPR, the Utah legislation also requires data security and contract provisions. The Utah legislation does not include risk assessments.
Two additional state legislatures have passed comprehensive privacy statutes that will take effect over the next few years. The Iowa Consumer Data Protection Act goes into effect on January 1, 2025, and the Indiana Consumer Data Protection Act goes into effect on January 1, 2026.
The introduction of state-level comprehensive privacy bills is currently at an all-time high. The International Association of Privacy Professionals (IAPP) tracks these bills through the legislative process. While many of the 22 proposed state-level bills currently being tracked will not become law as introduced, reviewing the key provisions of this developing legislation helps us understand how the concept of data privacy is evolving in the United States.
Privacy in New Hampshire
In New Hampshire, where our employment law practice is located, privacy legislation has taken a piecemeal approach. Notably, in 2018, the State Constitution (N.H. Const. pt. I, art. 2-b) was amended to provide that “[a]n individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent.” However, there has been little case law interpreting this broad provision.
To date, New Hampshire also lacks a comprehensive statutory framework akin to the GDPR. This year, Senate Bill 255 — “An Act relative to the expectation of privacy” — came close. It passed the Senate with minor amendments but was retained in the House Judiciary Committee for further work. The bill, as introduced and passed by the Senate, reflects the consumer rights and business obligations typical of GDPR-inspired legislation in other states.
Each year, the authors of this blog also post an update on the New Hampshire section of the 50-State Survey published by Media Law Resource Center. The survey provides up-to-date and comprehensive coverage of media libel, media privacy, and employment libel and privacy law in each state. Our report for New Hampshire includes a detailed review of all the relevant statutory and common law in these areas. Until there is a comprehensive state-level data privacy statute in place, New Hampshire’s understanding of privacy is largely based on emerging case law.
Preparing for compliance by businesses, organizations, and employers
While these new state laws are intended to be comprehensive in scope, they also contain carve-outs for data already protected under other laws (e.g., HIPAA). The statutes also vary in their reach: some apply only to businesses above a revenue threshold, while others set thresholds based on the number of residents, consumers, households, or devices whose data is processed. Organizations doing business in states with comprehensive data privacy laws need to understand the scope, requirements, potential liabilities and penalties, and the means of enforcement in each of those states.
Even if your organization is not currently affected by the new privacy regulations becoming effective this year, it’s important to understand what these new laws are about and begin creating a foundation from which to analyze and implement their requirements. Compliance with any comprehensive data privacy law will require organizations to examine and update their privacy policies; the process for addressing targeted marketing, advertising, and cookies; data processing agreements; data security standards; and employee training. Any business or organization with employees will also need to understand and anticipate how emerging trends in privacy law might affect employment relationships in their workplaces.
If you have any questions about how emerging data privacy legislation will impact your business or non-profit organization — and how to prepare for compliance — don’t hesitate to contact Orr & Reno for assistance.