Lawyers Tout 'One-Size-Fits-All' for Compliance With Slew of State Privacy Laws
Given the expanding universe of state privacy laws, often with different requirements, a reasonable compliance approach is to follow the most stringent law, a panel of privacy lawyers said during the American Bar Association's Privacy and Emerging Technology National Institute Friday. It's likely that the strictest law will cover other states' requirements, they said.
Using the strictest rule approach makes compliance a “one-size-fits-all” exercise, said Sam Goldstick, senior counsel at Foley and Lardner, adding this is “easier said than done." Still, the approach requires fewer resources and is "more streamlined than you normally would [get] if you were to comply with" each of the about 20 state privacy laws.
On the opposite end, Elizabeth Canter, partner at Covington and Burling, said, “The most fractured approach you could take is having a separate privacy program for every single state, which doesn't make a ton of sense.”
There is also a middle option, Canter said: create a privacy plan for the average state, then add extra steps to comply with the most restrictive states.
A challenge of following a different approach for every state is, “especially on the public-facing side,” companies must frequently "update your policies and your user interface, data subject request forms ... given the pace of change,” she said. “That's resource intensive” and creates opportunities for error.
Goldstick sounded a cautionary note about one factor that can impede the one-size-fits-all approach: the definitions of what counts as sensitive data often vary state by state (see 2503200044). “It's important, if you're taking [a standardized] approach, that you would be utilizing the broadest definition of sensitive personal information there is out there,” he said.