Introduction
This guide will assist in-house counsel, private practice lawyers, risk and compliance officers, and human resource departments to develop and implement a US privacy law compliance program. This guide provides an overview of the US privacy law environment and outlines a framework for a privacy law compliance program’s development and implementation.
This guide covers:
- Sources of data privacy obligations
- Steps to assess company needs and implement policy
This guide can be used in conjunction with the following How-to guides: How to implement privacy by design within your organization and How to develop, implement and maintain a US information and data security compliance program.
Section 1 – Sources of data privacy obligations
It is important to draw the distinction between data security and data privacy.
Data security encompasses the measures, policies, and technologies involved in protecting data from external and internal threats. Compliance with data security measures does not necessarily satisfy data privacy requirements. Data privacy, especially as relates to consumers, requires organizations to adhere to regulations surrounding how the data they secure is collected, shared, and used. Increasingly, data privacy also includes the rights of consumers to opt out of the data collection process. Adhering to strict data privacy and protection standards will help you stay on the right side of the law and establish trust with your customers.
In short, data security protects data from malicious threats while data privacy addresses responsible governance or use of that data. Data security is outside the scope of this resource. More information on this subject can be found in How-to guide: How to develop, implement and maintain a US information and data security compliance program.
1.1 Federal law
The legal landscape governing privacy in the United States is complex. It is critical that organizations conduct independent research and evaluations of compliance based on the jurisdiction, industry, and other factors pertaining to the specific organization. However, some of the key privacy laws in the United States include:
- The Gramm-Leach-Bliley Act of 1999 (GLBA) (PL 106-102) – governs financial institutions and protects the privacy of consumers’ non-public personal information by setting privacy and security standards.
- The Fair Credit Reporting Act (FCRA) – governs credit reporting agencies and entities that supply information to such agencies and protects the consumers’ information provided to credit reporting agencies.
- The Fair and Accurate Credit Transactions Act (FACTA) – amends the FCRA and includes consumer rights provisions designed to improve the accuracy of consumers’ credit-related records.
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (PL 104-191) and the privacy rules adopted pursuant to HIPAA (45 CFR Part 164) – govern ‘covered entities’ that create, receive, maintain, transmit, or access patients’ protected health information (PHI) and protect both electronic and hard copies of PHI.
- The Family Educational Rights and Privacy Act (FERPA) – governs schools that receive funds under an applicable US Department of Education program and protects the privacy of student educational records.
- The Children’s Online Privacy Protection Act (COPPA) – governs operators of websites and other online services that either are directed to children under the age of 13, or that have actual knowledge that they collect personal information online from children under the age of 13.
For further information, see How-to guide: How to determine and apply relevant US privacy laws to your organization and How to develop, implement and maintain a US information & data security compliance program, and Checklists: Understanding privacy laws in the US, Privacy and data security law training and Completing a data privacy risk assessment.
1.2 State law
While federal law often pre-empts any state laws that may be enacted, given the inaction of the federal government on comprehensive data protection legislation (eg, the American Data Privacy and Protection Act), many states have initiated their own laws. One source, for example, has reported that since 2018 data privacy bills under consideration have grown from just two to nearly 60 across the United States. Generally, data privacy laws seek to give consumers the right to:
- determine if their data can be collected;
- opt out of having their data sold to third parties;
- access and review the data that is collected about them;
- ensure the accuracy of their stored personal data;
- request to have their data deleted; and
- receive prompt alerts if their data is compromised during a data breach.
Various states, including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia, have already enacted comprehensive state data privacy laws. Other states, including Massachusetts, Mississippi, New York, and Oklahoma, have proposed new comprehensive consumer privacy laws. If enacted, these laws would confirm a decided trend toward new consumer privacy rights and business obligations.
The wave of new states considering consumer privacy rights means that many companies will be required to reassess their collection and use of personal information, modify their business practices, and develop internal data privacy compliance programs.
See further, Q&A US Data Protection and Privacy (state-by-state).
1.3 Contracts
Even if there is no federal or state regulation that arises from an organization’s data collection and usage, organizations may be contractually obligated to undertake certain measures relating to data privacy. These requirements may stem from contracts with business partners, clients, or third-party providers as well as agreements that the organization drafted. See How-to guide: How to manage third party supply chain data privacy, security risk and liability.
Section 2 – Steps to assess company needs and implement policy
Privacy compliance is an ongoing concern for all organizations as data privacy regulations become more of a challenge and more legislation is adopted throughout the United States. As a result, the cost of compliance has increased substantially, making it necessary for companies to adopt and employ privacy compliance programs. In addition, a robust privacy compliance program tells customers and business partners that the organization operates with a culture of responsibility and transparency, which helps to build trust.
Depending on the customer base, employees, and the organization’s sphere of business, it may be necessary to comply with at least some of the federal data privacy laws described above, in addition to the laws in each of the states that have adopted data privacy legislation. As a result of these factors, each company’s data privacy compliance program needs will be unique. Further, because the organization’s business and data privacy compliance requirements will change over time, a dynamic privacy compliance program will be needed to continually identify and mitigate future potential compliance risks.
For further information, see Checklist: Understanding privacy laws in the US.
2.1 Step 1: Assessment of compliance program needs
2.1.1 Assign responsibility
When assessing and developing the privacy law compliance program, it is essential that company leadership drives the process. Additionally, early in the development process, organizational leadership should designate a data privacy officer to lead the initiative and ensure risks to privacy and compliance are appropriately addressed across jurisdictions. For larger organizations, this may require the appointment of regional privacy officers across multiple jurisdictions who can report to the organization’s global data privacy officer.
Assessing the organization’s privacy law compliance program needs and developing a privacy compliance program will likely require the data privacy officer to receive support from both internal and external resources. In-house compliance staff (ie, legal, compliance, and IT departments) will have an intimate familiarity with the organization’s operations and typically carry the greatest responsibility. They also have the advantage of being readily available for consultation. External compliance assistance in the form of external legal counsel and other specialists (such as IT providers) may also be employed to advise on and manage the development and implementation of a compliance program. A provider outside of the organization has the advantage of being able to give an unbiased outsider’s perspective. They can also make recommendations without institutional biases (eg, inertia or departmental loyalty) that may hinder the implementation of a new approach to a problem. They may also be in a position to provide expertise which does not exist within the business, such as advice on how to manage complex cross-border compliance considerations.
2.1.2 Evaluate existing data profile
To implement the most appropriate and effective privacy compliance program possible, organizations will need to assess a myriad of factors related to the business. It is beneficial for organizations to start with an evaluation of the company’s data profile. This is a high-level overview that includes where the company operates, where it stores data, the identity of data subjects, and the parties with access to that data. The existing data profile will provide an indication of the measures that need to be taken, and will also help ‘triage,’ or prioritize, any data privacy issues that may be identified.
Geographic footprint
Which jurisdiction’s laws an organization is subject to depends on where the organization is physically located and where it conducts business. When conducting a preliminary analysis, consider the following factors:
- the physical location of the company;
- where the company does business;
- where the company collects and retains information; and
- physical storage versus electronic storage.
Understanding the geographic footprint of the organization will help shape the development of a privacy compliance program, as it also provides the organization with a legal foundation from which it can seek to understand its needs and risks and what it needs to do to stay (or become) compliant. Legal counsel will also have a basis for their evaluation and advice regarding the compliance plan.
Data use
Information regarding the data that the organization processes needs to be gathered to determine the appropriate compliance measures to be taken. For example, an organization that processes data related to medical conditions will have different compliance needs than one that accumulates data related to real estate transactions. The types of critical factors that should be identified include the following:
- types of data collected, such as PII, health information, financial or credit information;
- what the data is used for;
- who has access to the data;
- whether only users within the organization may use the data and whether contracts that contain data privacy obligations are in place with affiliates, vendors or contractors;
- methods by which data is currently protected; and
- how data is transferred.
Evaluation of data profile and compliance needs
Once the geographic footprint and data use have been identified, legal counsel can use this information to assess which data privacy laws and other legal obligations apply to your organization and which obligations relating to the collection, use, storage, and deletion of data will need to be complied with.
Following identification of the relevant laws and obligations that apply to your organization’s data processing, conduct a gap analysis to ascertain whether, and to what extent, your organization is compliant with its data privacy obligations.
Where a gap analysis identifies that your organization is not fully compliant with its legal obligations, take steps to develop and implement measures as part of your compliance program that enable your organization to meet its legal obligations. Where there are a number of areas of non-compliance, it may be prudent, when addressing these, to assess the risk associated with each one and prioritize those areas of non-compliance that would pose the greatest risk to your organization in the event that there was a breach of the obligation or if the non-compliance came to the attention of relevant authorities.
In conducting a gap analysis and preparing to implement a compliance program, you should consider what resources will be required to make your privacy compliance program effective. New internal resources may need to be added, and advice from outside consultants may be necessary. Budget and management support may be required and these should be sought at the earliest opportunity.
2.2 Step 2: Implementation of compliance program
Any time personal data is processed or held (regardless of how much), the impact of data privacy laws must be considered. While the laws that an organization might be subject to will vary depending on its operations, and the steps that need to be taken to implement a compliance program will vary depending on the organization’s data profile and existing state of compliance, there are a number of common areas to consider in implementing a data compliance program:
- Develop and implement internal privacy and preparedness policies – internal privacy and preparedness policies are directed to those inside the organization, typically its employees and contractors. Although directed internally, these policies may deal with the private information of those outside the organization, such as clients and customers. There is no legally required or standard form for internal privacy policies and procedures, and your organization’s approach will depend on its data profile. Internal privacy policies may include policies that explain to employees and contractors how their personal information is collected, used, and disclosed, and also policies on how employees should use, collect, and disclose data and, importantly, what they should not do. Preparedness policies are a part of an organization’s business continuity plan and address what to do in the event that something goes wrong (eg, a data breach). The failure to take the appropriate measures in the event of an incident can be devastating to an organization, and therefore it is important that policies and procedures are in place ahead of time that help the organization to respond appropriately. While the exact steps to be taken in the event of an incident may be a function of both geographic location and the type of industry involved, there are some measures that may be considered best practice. A policy should include, at a minimum: preparation for an incident; identification of an incident (when it happens, rather than after the fact); containment of the incident to minimize damage; eradication of the incident and, more importantly, of its cause; recovery steps; and post-incident actions – lessons learned, new security measures, etc. See further Checklist: Drafting internal privacy policies and procedures and Completing a data incident response plan assessment, and Responding to a data breach.
- Develop and implement external privacy policies – external privacy policies outline how an organization gathers, uses, and discloses consumers’ information. These might be published by, for example, including the policies on a website or app or by attaching them to correspondence or other documents, including contracts. See further Checklist: Drafting a consumer privacy policy.
- Put in place processes to regulate relationships with third parties (including affiliates, vendors, and contractors) – organizations should take steps to ensure that all third parties and vendors with access to data are properly vetted through a due diligence process to ascertain whether they can appropriately protect data and, ultimately, whether your organization should have a relationship with them. Due diligence should consider a number of matters including:
- whether they have been involved in or participated in prior data-related incidents or lawsuits;
- background checks on key personnel to see if they have a questionable history regarding data privacy;
- the financial condition of a third party or a vendor – a company in financial distress may not be able to take or follow the necessary security measures; and
- the state of their own data privacy compliance measures.
See further How-to guide: How to manage third party supply chain data privacy, security risks, and liability.
- Implement an automated data collection, retention and deletion program – this should comply with any applicable data retention laws or regulations that require that data be kept for a minimum amount of time and, outside of these time periods, should eliminate data that the organization no longer needs to retain. The program should, if possible, be automated to avoid human errors in determining the data to be deleted. Automated data deletion will also help rebut any claim that unfavorable data is being deleted to avoid the possibility of it being used in any litigation against the organization.
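As an added illustration of the retention logic described above (example code written for this guide, not a tool the guide recommends), the routine below applies a per-category minimum retention period, then a retention ceiling, and only then the "still needed" judgement, while a legal hold always wins. The categories and periods are constructed placeholders; real periods come from the laws and contracts that apply to your organization.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention periods (days) per data category. MIN is the legally
# required minimum; MAX is the policy ceiling after which the business purpose
# is treated as expired regardless of what an individual user claims.
MIN_RETENTION_DAYS = {"financial": 7 * 365, "health": 6 * 365, "marketing": 0}
MAX_RETENTION_DAYS = {"financial": 10 * 365, "health": 8 * 365, "marketing": 2 * 365}


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    legal_hold: bool = False     # set by counsel while litigation is pending
    still_needed: bool = False   # an active business purpose still exists


def deletion_decision(rec: Record, today: date) -> str:
    """Return 'retain: <reason>' or 'delete: <reason>' for one record."""
    if rec.category not in MIN_RETENTION_DAYS:
        # Fail closed: unclassified data is never deleted automatically.
        return "retain: unclassified"
    if rec.legal_hold:
        return "retain: legal hold"
    age = (today - rec.collected_on).days
    if age < MIN_RETENTION_DAYS[rec.category]:
        return "retain: minimum retention"
    if age >= MAX_RETENTION_DAYS[rec.category]:
        return "delete: retention ceiling"
    if rec.still_needed:
        return "retain: business need"
    return "delete: no longer needed"


def run_deletion_cycle(records, today: date):
    """Split records into kept/deleted and produce an audit log line per
    record, so every automated deletion is documented and verifiable."""
    kept, deleted, log = [], [], []
    for rec in records:
        decision = deletion_decision(rec, today)
        log.append(f"{today.isoformat()} {rec.record_id} {rec.category} {decision}")
        (deleted if decision.startswith("delete") else kept).append(rec)
    return kept, deleted, log


# Constructed sample inventory for a dry run.
SAMPLE = [
    Record("r1", "financial", date(2020, 1, 1)),
    Record("r2", "marketing", date(2023, 1, 1)),
    Record("r3", "marketing", date(2021, 1, 1), still_needed=True),
    Record("r4", "health", date(2010, 1, 1), legal_hold=True),
    Record("r5", "other", date(2000, 1, 1)),
]

if __name__ == "__main__":
    _, _, audit = run_deletion_cycle(SAMPLE, date(2024, 6, 1))
    print("\n".join(audit))
```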
- Ensure that employees are adequately trained – all organizations that collect data have data and security obligations, but it is the employees who must carry out these obligations on a daily basis. Training ensures employees are aware of their obligations, how to fulfill them, and why compliance with data security and privacy policies and procedures matters. See further Checklist: Privacy and data security law training.
- Utilize tools to help manage privacy – organizations should utilize available tools to help manage risk. Examples of such tools include:
- Content management systems – data privacy management systems offer mechanisms for privacy personnel to oversee their organization’s privacy program. These systems can provide secure solutions for an organization to document compliance processes, help to map sensitive information, automate processes that would otherwise be performed manually, and effectively utilize reporting functions. Individuals managing an organization’s privacy program will be the most frequent users of these systems; however, content management tools can typically also support use by employees across the organization. Some of the most critical elements of a system include its mechanisms for breach notifications, access requests of data subjects, the governance of data access, and ease of administration. Therefore, organizations should carefully examine the available functions of a content management tool with regard to these elements and determine whether the tool’s features meet the demands of the privacy program and the wider organization. Further, organizations should ensure that privacy and technology teams (especially managers of these teams) are thoroughly trained on the use of such management software to allow for proper oversight of data and privacy program protocols and procedures.
- Encryption – encryption involves the translation of sensitive data into another form or code, which can help ensure only authorized personnel are able to access this data. To put it another way, encryption is a way of limiting the persons who may access data. It makes data privacy possible, when data is handled or moved. Encryption generally requires authorized users to enter a password or key in order to access specific data sets, and provides a means by which organizations may securely process customer or employee data that should be kept confidential. However, encryption can be costly in terms of efficiency, as workers may be forced to get through multiple levels of encryption to complete their work. Organizations should also consider how extensively to use encryption tools, since encryption systems may require significant planning and maintenance to be effective.
- Pseudonymization – pseudonymization involves the de-identification of data by replacing personal identifiers (eg, names and Social Security numbers) with randomly generated codes or symbols. Sensitive data is replaced with fictional data (eg, a user name that is different from the user’s actual name). By employing the use of pseudonymization, organizations can help protect sensitive data while also minimizing the amount of such data at a large scale. In turn, this helps reduce an organization’s overall risk with regard to data processing, while ensuring the sensitive data held by the organization remains useful. Thus, organizations should consider utilizing pseudonymization to safeguard data, as well as the integrity of the privacy compliance program.
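The following is an added example, not part of this guide, of the pseudonymization technique just described: direct identifiers (here, assumed to be `name` and `ssn`) are replaced with randomly generated tokens, the same real value always maps to the same token so the dataset stays useful for analysis, and the token map is held apart from the dataset so that only the party holding it can re-identify anyone.

```python
import secrets

# Fields treated as direct identifiers (assumption for this example).
IDENTIFIER_FIELDS = ("name", "ssn")


class Pseudonymizer:
    """Replace direct identifiers with random tokens.

    Random tokens are used rather than a plain hash of the value: identifier
    spaces such as Social Security numbers are small enough that an unkeyed
    hash could be reversed by enumeration. The token map below is the only
    way back to the real values and should be stored and access-controlled
    separately from the pseudonymized records.
    """

    def __init__(self) -> None:
        self._forward = {}   # (field, real value) -> token
        self._reverse = {}   # token -> (field, real value)

    def token_for(self, field: str, value: str) -> str:
        key = (field, value)
        if key not in self._forward:
            token = f"{field.upper()}-{secrets.token_hex(6)}"
            self._forward[key] = token
            self._reverse[token] = key
        return self._forward[key]

    def pseudonymize(self, record: dict) -> dict:
        out = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in out:
                out[field] = self.token_for(field, out[field])
        return out

    def reidentify(self, record: dict) -> dict:
        """Restore real values; only possible for the holder of the map."""
        out = dict(record)
        for field in IDENTIFIER_FIELDS:
            if field in out and out[field] in self._reverse:
                out[field] = self._reverse[out[field]][1]
        return out

    def export_map(self) -> dict:
        """The secret mapping, to be stored apart from the dataset."""
        return dict(self._reverse)


def records_per_person(pseudonymized: list) -> dict:
    """Analysis still works on tokens: count records per pseudonymous name."""
    counts = {}
    for rec in pseudonymized:
        counts[rec["name"]] = counts.get(rec["name"], 0) + 1
    return counts


# Constructed sample records; the values are fictional.
SAMPLE_RECORDS = [
    {"name": "Ada Example", "ssn": "000-00-0001", "visit": "2024-01-03"},
    {"name": "Ada Example", "ssn": "000-00-0001", "visit": "2024-02-14"},
    {"name": "Bob Sample", "ssn": "000-00-0002", "visit": "2024-02-20"},
]

if __name__ == "__main__":
    p = Pseudonymizer()
    for rec in (p.pseudonymize(r) for r in SAMPLE_RECORDS):
        print(rec)
```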
- Develop mechanisms for regular reassessment of physical and electronic security measures, see further How-to guide: How to manage your organization’s data privacy and security risks.
- Companies with multinational operations should become familiar with the Department of Commerce Data Privacy Framework Program, which enables eligible US companies to self-certify their participation in the EU-US Data Privacy Framework. This helps to facilitate cross-border transfers of personal data in compliance with EU law.
- Ensure that all data privacy compliance measures are fully documented, verifiable, and accessible. Include conformance with internal inquiries or external audits as well as the process for reporting noncompliance and a clearly defined evaluation path. Monitoring, auditing, and use of controls can help mitigate potential damages and other negative implications in the event of confidentiality failures.
Failure to manage data privacy risks can result in data breaches at the hands of skillful hackers. For example, in September 2017, the credit reporting company Equifax, Inc. announced that hackers had stolen the personal and financial information of nearly 150 million Americans from its computer networks in one of the largest data breaches in history. This breach resulted in more than 300 class action suits against Equifax. The company agreed to a global settlement with the Federal Trade Commission, which includes payment of up to $425 million to help affected persons.
The compliance program should not be kept secret from employees or other internal stakeholders, even as it is being developed. Employees may have helpful insights regarding areas of weakness to be addressed, or may be able to suggest practical measures to be taken. In addition, letting employees know about the program in advance puts them on notice that the program is coming, and the organization takes its compliance seriously.
2.3 Step 3: Post-implementation strategy
The post-implementation strategy, much like the original implementation plan, will be unique to each organization. However, some common areas of concern include:
- monitoring the changing legal landscape, particularly changes to state law since this is the area of law with the potential for the greatest change;
- conducting regular risk assessment of data security procedures, outside storage sites, vendors, and affiliates;
- ongoing evaluation of the predetermined plan or guidelines for dealing with potential incidents (breaches in data security or potential breaches); and
- conducting regular assessments of the privacy compliance program and updating privacy policies as needed.
Keep the compliance program up to date. Updates should be made when new issues or situations arise, when there are changes in the law, or when there are changes in the organization or its structure. In addition, regular updates should be scheduled, and that schedule adhered to, so the organization can avoid falling into a kind of ‘no news is good news’ stasis.
Additional resources
Related Lexology Pro content
How-to guides:
How to determine and apply relevant US privacy laws to your organization
How to manage your organization’s data privacy and security risks
How to implement privacy by design within your organization
How to develop, implement and maintain a US information and data security compliance program
How to evaluate the effectiveness of a data security or data privacy compliance program
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
How to draft a privacy policy, and privacy and data security provisions in contracts
How to manage third party supply chain data privacy, security risks, and liability
Incident response plan readiness and identification of a reportable data breach
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws
Checklists:
Understanding privacy laws in the US
Completing a data privacy risk assessment
Drafting internal privacy policies and procedures
Completing a data and information security risk assessment
Drafting a consumer privacy policy
Developing key privacy and data security contractual terms and provisions (B2C)
Privacy and data security law training
Completing a data incident response plan assessment
Responding to a data breach
Privacy and data security due diligence in M&A
Quick views:
Key data privacy and data security terms
Collection and use of non-consumer data
Regulation of data brokers