In a recent survey , LexisNexis® found that many in-house counsel look forward to a future where Artificial Intelligence (AI) tools will improve their workflow.
Lexis+ AI™ eliminates hours...
This post was originally published in October 2019 and updated in September 2023.
Handling tax issues will never be considered an easy, pleasant experience, which is why so many taxpayers look to attorneys...
What is Practical Guidance?
Practical Guidance is a highly valuable resource for corporate legal professionals, including legal OPS, general counsel, in-house counsel and paralegals.
It enables lawyers...
In-house counsel are facing simultaneous headwinds of rising internal demands and pressures to control spending in an uncertain economic climate. Roughly one in four in-house counsel are anticipating decreased...
General counsels and in-house legal teams are often faced with an increasingly complex and fast-paced set of legal and compliance challenges. They are overwhelmed by repetitive, lower value requests and...
By David GiustiSenior Manager, LexisNexis® State Net®
The California Consumer Privacy Act (CCPA) sent chills up a lot of spines within corporate legal departments when it was adopted in 2018. This was the first comprehensive, consumer-facing data privacy law passed at the state level, and was widely viewed to be a harbinger of similar state data privacy laws that would soon flood across the nation like a tidal wave.
Nevada, Maine and even some major municipalities toed the water in the immediate aftermath of the adoption of CCPA, though none went nearly as far as the California law. Colorado and Virginia have each come closer since then, but even their laws do not contain the CCPA’s groundbreaking “private right of action” component that allows customers to sue businesses whose carelessness with securing their Personal Identifying Information (PII) leads to a data breach.
Meanwhile, proposed legislation in several states where a privacy law had strong support—Florida, Oklahoma and Washington—failed to pass because lawmakers disagreed on enforcement, according to Compliance Week®. As 2020 drew to a close, there was more confusion than clarity on the trajectory of CCPA-influenced data privacy legislation at the state level.
When the new legislative sessions started in January 2021, the data privacy floodgates opened up again, and in-house legal departments have taken notice. For example, a new Florida privacy measure was passed in that state’s House chamber in April, and the Law360® service reports that the bill is now under intense attack by powerful lobbying groups that argue it is a looming compliance disaster for businesses.
Indeed, “according to the State Net® database, at least 27 states have introduced far reaching consumer data privacy measures in 2021,” according to Rich Ehisen, managing editor of the State Net Capitol Journal™.
Corporate legal professionals have a daunting challenge of keeping up with these numerous state legislative debates across the U.S. And while many of the proposed bills share some basic principles, the details and enforcement mechanisms vary widely from one jurisdiction to another. This presents a real conundrum for in-house counsel to determine what actions should be taken with their corporate data privacy policies when there is so much uncertainty about where state-specific legislation is headed.
Most in-house legal teams appear to have chosen to develop data privacy policies that will comply with the most restrictive state legislation—which is still the CCPA at this point—and thereby maintain a conservative risk management posture that assures compliance with less stringent state laws. Other in-house teams appear to be taking a more agile approach, modifying their policies for individual states in which their commercial interests are sizable enough to justify a bespoke approach to data privacy in that jurisdiction.
Regardless of the strategic approach, all in-house legal teams face the same dilemma: how to walk through the significant compliance challenges posed by the patchwork of data privacy laws that vary from state to state.
Here are six key areas for corporate legal departments to review in their consumer-facing data privacy policies to make sure they are in compliance with CCPA-style legislation under consideration at the individual state level.
There are a number of useful resources available to help corporate legal professionals monitor the progress of data privacy legislation at the individual state level. The International Association of Privacy Professionals U.S. State Privacy Legislation Tracker is an intuitive tool that keeps in-house teams up to date with what is under consideration in various states and what is coming next in those respective processes.
The LexisNexis® State Net® legislative tracking system monitors pending data privacy bills and regulations and local ordinances in all 50 states and the District of Columbia, U.S. territories and select municipalities. For a complimentary State Net data privacy legislation report that you can download, please click here.*