After learning of the latest information on the pending Virginia Consumer Data Protection Act, one of my clients exclaimed “If every state comes up with their own rules, this is going to be a nightmare.” Yup, but in the long run, privacy laws are converging.
There are many pending or recently enacted privacy laws throughout the world. Viewed from a high level, their requirements are all moving toward a common core drawn from three foundational sources: GDPR, CCPA/CPRA, and some regional specifics.
For my client, a US-based company that sells its product multinationally, as for many organizations, the emergence of GDPR was a shock that required changes to business practices. CCPA and Brazil's LGPD then added further changes to the company's practices.
I could go on about the need for a US federal data protection law, but I am an optimistic realist, meaning I would like one too but do not see it happening very soon. So once again, the states will step in, and we must continue to prepare for a hodgepodge of laws.
Clearly, my client sees the world handing out lemons as new privacy regulations are brought forward, especially at the US state level. However, with requirements converging globally, a business can prepare for these changes in ways that minimize the impact of each new regulation on its operations.
I do not expect the global convergence of requirements to happen very quickly, but it is an evolutionary step I am confident will happen. With this in mind, an organization can build or revise a privacy program around GDPR and CCPA/CPRA requirements. By focusing on requirements that are becoming more common—such as data subjects’ rights, data minimization, and data transfer protections to name a few—a privacy office will find itself ahead of the curve instead of reacting when the laws are enacted.