Looking Toward U.S. Federal Privacy Regulation, How Software Companies can Prepare
2024-09-10 19:30:07 | Author: securityboulevard.com

In the last decade, there has been a marked rise in the creation of state-level privacy laws and regulations throughout the United States. This movement has been propelled by several factors, such as heightened consumer awareness and concerns about data privacy, reports of major data breaches, and the lack of a comprehensive federal privacy law akin to the European Union’s General Data Protection Regulation (GDPR) or India’s Digital Personal Data Protection Act (DPDP). As individual states continue to enact laws and regulations in response to their citizens’ privacy concerns, the overall data protection framework in the U.S. becomes an increasingly complex patchwork, making it far more challenging for organizations to maintain compliance with them.

A primary factor contributing to the increase in the number of state-level privacy laws and regulations is the heightened awareness among the citizenries at large regarding the collection, use and protection of (or inability to protect) their personal data.  Because of the near-constant barrage of high-profile data breaches reported over the last couple of years and incidents such as Cambridge Analytica, which exposed not only the vulnerability of having large amounts of personal data collected but also the potential for misusing that data, awareness of what organizations are doing with personal data has significantly increased. Because of that, people are now demanding greater control over their data, which is leading their respective state legislatures to act in the absence of comprehensive federal regulation.

Another factor is that the rapid speed at which the market has moved to offer digital services to consumers has outpaced the laws and regulations designed to protect the privacy of the people who use those services. State-level governments have begun to recognize the need to quickly modernize these laws to address the new landscape of privacy challenges posed by technologies such as artificial intelligence (AI), internet of things (IoT) devices (such as connected fitness equipment), and sophisticated data analytics platforms designed to identify potential consumers based on their digital profiles. With the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California has long been at the forefront of state-level legislation protecting citizens’ privacy rights. Other states have since followed suit, with the Virginia Consumer Data Protection Act (VCDPA) and the Connecticut Data Privacy Act (CDPA) being two examples of strong privacy laws that other states have enacted to protect their citizens’ privacy.

What should not surprise anyone is that economic considerations also play a key role in the adoption of (or inability to adopt) state-level privacy laws. States find themselves using privacy laws and regulations to compete with each other to position themselves as leaders in the protection of personal data to attract both businesses and consumers who prioritize data security. The existing patchwork of state-level privacy laws and regulations, each with its specific requirements and enforcement procedures, is partially the result of this competition between states (a summary of state-level privacy laws/regulations can be found here).

The lack of a true national-level data protection framework has sparked a serious discussion and debate in both state legislatures as well as the U.S. Congress on the need for a comprehensive federal data privacy law.  Proponents of such a law argue that having a comprehensive national privacy framework would provide both consistency and a level of certainty for organizations involved in interstate operations, thereby lowering their overall compliance burden and allowing for quicker innovation of new technologies and services that only have to meet one privacy standard instead of fifty.  Additionally, a national privacy law could potentially offer stronger individual protections for consumers by establishing requirements and controls for data protection that are applicable nationwide, rather than the current landscape where citizens of one state may have stronger protections than citizens in another state.


The European Union’s General Data Protection Regulation (GDPR) is often cited by experts and practitioners as a solid model for such a national-level data privacy law. Because of the strong controls on personal data, the GDPR sets a high bar for data protection globally and has influenced the development of privacy legislation in both India and the Asia-Pacific region. A U.S. federal privacy law similar to the GDPR could combine the current patchwork of state-level regulations to provide more robust overall privacy protections comparable to those that citizens of the EU receive.

Getting a federal data privacy law passed in the U.S. Congress will likely prove to be more challenging than it was for the member states of the European Union to come together to adopt the GDPR. Differing views among lawmakers from each state on issues such as how strong the consumer protections should be, what options individuals have to control their data, and whether or not a federal privacy law should override state laws already in place (the issue of preemption) make it extremely difficult to craft a law that will make it through both houses of the U.S. Congress. Additionally, lobbying efforts by various industries and advocacy groups (both for and against) further complicate and slow the legislative process.

Despite these obstacles, there are signs of progress.  Bipartisan support for a national data privacy framework is developing, and several pieces of legislation that outline such a framework have been introduced in Congress.  The ultimate success of a federal data privacy law will depend on developing a reasonable strategy that takes into account the concerns of individuals’ private data while allowing for the use of that data to continue the innovation of new services and software.

What Steps Can Software Developers Take to Address Privacy Laws & Regulations?

Software developers, who typically have no formal legal training to interpret these laws, have to navigate their way through the patchwork of state-level privacy regulations in the absence of a comprehensive federal privacy law to ensure compliance.  The following are some specific steps that developers can take:

  1. Implement a “Privacy by Design” approach: Software developers need to incorporate privacy into the design and development of software from the very beginning. This requires that, as part of the requirements for a minimum viable product, they collect from an end user only the personal data that the functionality actually needs (data minimization), and that they put user-friendly privacy controls in place that let users govern how the organization uses their personal data.

Articles 25(1) and 25(2) of the GDPR (see here) outline an organization’s responsibilities around data protection by design and data protection by default, and are a useful reference for implementing such an approach.

  2. Complete Transparency of Privacy Policies: Developers should disclose their organization’s privacy policies to end users in a clear and easily obtainable manner. This can be done by giving people access to the organization’s policies via its website or as downloadable documentation, or by giving them a way to contact the organization for more details. By doing this, users gain trust in the organization and can make fully informed decisions regarding their data.
  3. Provide Users With Control Over Their Personal Data: As part of their design, software developers should put in place user-friendly privacy controls that give users a level of control over the personal information collected and how the organization uses it. This includes the ability to correct, remove, and transfer any personal data collected by the organization and, more importantly, the ability to request that the organization completely delete all of their personal data and provide confirmation that it has done so.
  4. Keep Informed About Privacy Regulations: To stay aware of new privacy laws and regulations in the states in which they operate, software developers should collaborate closely with their legal and/or compliance teams. This allows them to better understand the particular privacy requirements of each state’s regulations while they are working on their product. Regular meetings between these groups can provide developers with the most up-to-date information regarding these regulations.
  5. Information Security Controls: While the types and levels of security controls will vary among organizations based on the services they provide, they should include strong encryption of personal data (the encryption applied can differ by the sensitivity of the data), stringent access controls to ensure there is no unauthorized access to personal data, and regular security audits to confirm that the controls in place are working. These controls serve both to prevent external data breaches and theft of personal data and to prevent unauthorized access to personal data by members of the organization who should not have it. Software developers should also work closely with their internal security teams to ensure that these controls are in place not only in the main production environment but also in the development and testing environments.
  6. Third-Party Risk Management: If software developers are either using third-party code as part of their platform or sending personal data to a third party as part of the functionality of the software, the organization must assess and manage the privacy practices of any third-party vendors and partners whose code has been used. This is usually done through specific contract provisions for data protection and requirements that vendors adhere to all applicable privacy laws and regulations. While developers themselves are usually not involved in putting these provisions in place, they do need to work closely with their legal and procurement teams to ensure that those teams are aware of all third parties who may have access to personal data.
  7. Developer Training: The organization should provide regular training to developers on best practices for privacy in software development and on the overall importance of a strong data privacy program in the organization. This helps developers maintain a consistent awareness of the importance of protecting the private data the organization uses.
  8. Incident Response: The software development team should be an active participant in helping the organization develop and maintain an incident response plan that addresses data breaches, unauthorized access to personal data, and other security incidents quickly and effectively. The development team can nominate one or more people to serve on the incident response team and to take incident response training tailored to developers. They should also be aware of the notification procedures required by applicable state-level privacy laws and regulations in the event of a breach, unauthorized access, or other security incident.

By taking these actions, software developers and their respective organizations can better navigate the evolving regulatory environment and build software that respects user privacy. While the path to a comprehensive federal privacy law remains uncertain, the momentum toward stronger privacy protections is undeniable. Software developers, as key players in the digital ecosystem, must proactively adapt to these changes to ensure compliance and uphold the privacy rights of users.


Source: https://securityboulevard.com/2024/09/looking-toward-u-s-federal-privacy-regulation-how-software-companies-can-prepare/