With a total of 12 comprehensive state privacy laws on the books, organizations have a lot of ground to cover. Even businesses that have found reprieve in the recent postponement of California Privacy Rights Act regulations enforcement can agree that compliance efforts will only continue to increase.
But, as privacy professionals know, privacy is more than just compliance. At their root, the dozen state privacy laws are about making sure companies address applicable privacy obligations and expectations in their operations.
To this end, academics have suggested imposing a corporate law-adjacent duty of loyalty on companies to prohibit uses of personal data that conflict with consumers' best interests. While none of the comprehensive state privacy laws have gone this far, their collective requirements impose a duty of care on companies when processing personal data. In light of this, it is worth exploring the difference between these duties, how the current obligations amount to a duty of care, and how to approach privacy programs and operations that meet these requirements.
Duty of loyalty
Data protection rules aim to protect individuals and their data as they interact with organizations seeking to collect and use personal data. Professors Neil Richards and Woodrow Hartzog summarize the U.S. approach to data privacy in three obligations: do not lie to consumers, do not harm consumers and follow the Fair Information Practice Principles. They note that these rules, even in combination, are not sufficient to meet the intent of privacy laws. To remedy this gap, they suggest a duty of loyalty.
In U.S. and U.K. business law, the duty of loyalty requires directors and trustees to place the interests of the company and shareholders before their personal interests.
When applied to privacy, a duty of loyalty would require organizations using personal data to act in the consumers' best interest. In practice, it would mean moving from the standard notice-and-consent model to limiting many common practices that lack consumers' informed and affirmative consent. But if it is not required by law, organizations are unlikely to voluntarily switch gears.
The American Data Privacy and Protection Act was viewed by many as the most promising attempt at a comprehensive federal data privacy law. Introduced in the 2021-22 congressional session, the ADPPA was written to establish requirements for how companies, nonprofits and common carriers handle personal data. Taking a cue from the several state privacy laws passed before the bill's introduction, the ADPPA offered the usual arsenal of consumer protections: the right to access, correct and delete personal data, to opt out of targeted advertising, and to not be discriminated against based on protected characteristics.
Most notably, the bill contained an entire "Duty of Loyalty" section containing requirements for data minimization, purpose limitation, privacy by design and sensitive personal data use. Whether just by virtue of similarity in name or overlap in concept, rules regarding how bona fide loyalty programs can be run also fall under this section.
This bill's duty of loyalty requirements are similar to the academic proposal noted above in that they would have required businesses to act in consumers' best interests in their privacy practices. Specifically, entities covered by the ADPPA would have been required to limit their personal data collection, processing and transfer practices to those reasonably necessary to provide individuals with the requested products or services, and would have been prohibited from certain other uses, such as transfers of individuals' personal data without affirmative express consent.
Duty of care
While state privacy laws do not require companies that deal with personal data to follow duty of loyalty-type obligations, they do have requirements that collectively impose a standard of care for personal data processing. This standard of care requires more than internal policies and privacy notices drafted or reviewed by lawyers. It requires companies to develop and maintain cross-functional programs and operations to appropriately collect, use and disclose personal data in a way that mitigates potential risks, including risks from uses of personal data that people may not agree with. Consider the following types of requirements contained in the laws:
- Data protection assessments. Many of the laws require companies to conduct and document risk assessments before engaging in particular uses or disclosures of personal data, like targeted advertising, certain profiling or automatic decision-making, "sales," or processing of sensitive personal data. These must be provided to regulators upon request. These assessments need to be cross-functional, with Colorado regulations mandating they "involve all relevant internal actors from across" the company. The requirements to identify risks and safeguards, and evaluate how the safeguards appropriately mitigate risks, seek to impose a standard of care, at least before in-scope activities occur.
- User interface design. Many of the laws prohibit "dark patterns" in user interface and experience design, including by restricting many practices commonly used online, and companies are restricted in use and disclosure of personal data obtained from such practices. These requirements impose a duty of care when obtaining data or consents for use of personal data.
- Data minimization. Most of the laws require companies to evaluate and collect solely the minimum personal data needed for the stated purpose of collection. This can be seen as a duty of care when requesting or obtaining personal data.
- Vendor contracts and oversight. The laws tend to prohibit "sales" of personal data, which may occur when companies disclose personal data to vendors, partners or others without a number of statutorily required contract provisions in place. These contract provisions include rights to audit and assess privacy operations and practices of vendors, and the California regulations say a failure to exercise these rights can make a company responsible for its vendor's privacy violations. Together, these obligations require companies to meet a care standard when selecting, contracting and continuing to use a vendor.
- Consents and opt-outs. Some of the laws require specific opt-in consents before data can be collected or used. For example, in most cases, Colorado now requires opt-in consent before any sensitive personal data can be collected. Relatedly, many of the state laws require companies to honor individual requests to opt out of having data about them "sold," used for targeted advertising or used in certain automated decision processes, with regulations detailing the steps companies must take to honor these requests and communicate them to vendors and others to whom they have disclosed the data. These requirements impose care obligations that affect how personal data can be lawfully collected, used and disclosed.
- Deidentified data. Many of the laws require companies to develop and follow technical and operational protocols before data can be viewed as deidentified and exempt from requirements that apply to personal data. These protocols often require changes to practices with masked, pseudonymized or other not directly identifiable data types that companies thought were out of scope for privacy requirements. In this way, these laws impose a care standard for personal data.
- Safeguards. Most of the laws include obligations for administrative, technical, organizational and physical safeguards when collecting, storing and processing personal data. Colorado's law and regulations even refer to this as a "duty of care," which, regardless of terminology used in the other laws, amounts to another type of a care obligation companies must honor for personal data.
While none of the laws expressly require companies to have cross-functional privacy programs and operations to address these obligations, the obligations require a standard of care to be applied to personal data across business units and functions. Privacy program and operation frameworks like the National Institute of Standards and Technology Privacy Framework can help in choosing an approach, and Tennessee's law gives companies an affirmative defense to violations of the law if their privacy program complies with it or with comparable frameworks.
Looking forward
With the Colorado Privacy Act and Connecticut Data Privacy Act recently coming into effect, and the California and Colorado attorneys general announcing enforcement sweeps, companies should understand how their privacy programs and operations address the key requirements of these laws, and know where they fall short. Consider the following steps to develop and maintain privacy programs and operations that address the obligations these laws impose, and support your company in meeting the duty of care required for personal data:
- Assess how the laws' requirements apply to your company's business practices, including based on an up-to-date understanding of what personal data consists of and the company's actual practices in processing it. Leveraging or developing data maps and records of processing, and working with stakeholders responsible for personal data practices like data governance and data security, can help inform this assessment.
- Set your risk tolerance and compliance approach, including by aligning on roles and responsibilities to perform functions necessary for your planned compliance approach. Cross-functional stakeholder involvement and management alignment will likely be needed to meaningfully address the obligations of the laws, many of which cannot be performed by privacy teams alone.
- Articulate how personal data is to be processed properly, based on your planned compliance approach, with documented policies and standards, appropriate training and awareness activities, targeted engagement, and involvement of key stakeholders.
- Maintain an understanding of how your company's cross-functional privacy program and operations address the applicable requirements, as well as your company's desired risk tolerance and compliance approach. Developing or mapping to a privacy program or operations framework could be a helpful way to maintain this understanding.
- Monitor the performance of key operations or controls for the privacy program and operations. Focused audits, assessments, spot checking and/or monitoring of key performance indicators may be appropriate techniques for monitoring the program and operations.
A privacy program and operations based on the above steps will give a strong foundation to address the duty of care obligations these comprehensive state privacy laws currently impose, and should give businesses a head start if any laws ultimately adopt a duty of loyalty obligation for personal data.