Is Your Business Compliant with 2023 Data Privacy Laws?

Call Us Today For Your Shredding Estimate

2023 is expected to mark the beginning of a considerable change in US data privacy laws. Is your business ready?

In the past, the US has allowed businesses and other organizations to collect personal information without consent, using and sharing it for their own benefit. Federal laws designed to protect this information have been in place for some time, and some states have enacted their own laws.

This year, state and federal updates to data privacy laws, as well as brand-new state laws, are expected. To ensure that your business remains compliant, here we review existing laws and take note of what 2023 will bring.

1. Federal Data Privacy Laws

No single data privacy law that brings all of the individual states under its authority has ever been established. However, the federal laws below target specific areas like health, credit reporting, and financial institutions.

American Data Privacy Protection Act

The ADPPA is still being considered, but it has moved farther through the federal legislative process than all other data privacy regulations in the US. The ADPPA is designed to protect the right to privacy for children and grants individuals the right to bring legal action against any noncomplying business. The law also gives consumers the freedom to opt out of allowing their data to be transferred to third-party organizations.

Health Insurance Portability and Accountability Act

HIPAA governs the security and privacy of Personal Health Information (PHI) and applies to entities such as:

  • Health plans, health insurance companies, and some government programs like Medicaid and Medicare.
  • Healthcare clearinghouses and other entities that process non-standard health data received from another entity.

HIPAA covers both physical and electronic information.

Gramm-Leach-Bliley Act

GLBA requires companies offering financial services or products to consumers, including advice on investing, insurance and loans, to clearly explain how they will share their customers’ data. Any collected data must be fully protected.

Children’s Online Privacy Protection Act

COPPA controls operators of online services and websites who collect information from children under 13 years old. These organizations must:

  • Post a privacy policy addressing how they collect personal information
  • Obtain verifiable parental consent prior to collecting and using personal information
  • Create and follow procedures to protect the security, confidentiality, and integrity of that information
  • Only hold on to collected information for as long as needed
  • Provide parents with information about the entity’s personal data collection, use, and disclosure practices
  • Offer a reasonable way for parents to review the personal details collected and to end further use

Controlling the Assault of Non-Solicited Pornography and Marketing

The CAN-SPAM Act of 2003 governs the sending of commercial email by requiring the sender to:

  • Not use deceptive subject lines
  • Not use misleading routing information
  • Identify the sender’s location
  • Clarify that the email is an advertisement
  • Offer recipients the option to opt out of future emails and honor the request within 10 business days

2. State Data Privacy Laws

Individual states are either implementing or considering stronger data privacy laws that govern the collection, storage, safeguarding, disposal, and use of personal data. State governments are hoping to increase the transparency of businesses using public information by requiring that organizations give public notice of any data breaches immediately after they occur. This helps consumers know that their information may be at risk and gives them the earliest opportunity to check whether their information has been breached and to protect themselves against future attacks.

  • California, New York, and Virginia have already implemented data protection acts and Colorado, Utah, and Connecticut are expected to do the same before the end of 2023.
  • Michigan, New Jersey, Ohio, and Pennsylvania are presently in active legislation.
  • 20 other states with inactive legislation may potentially change their status and it is expected that all US states will eventually follow suit.

Staying On Top of Data Privacy Laws

When it comes to your business information, you are required to comply with data privacy laws through that information’s entire lifecycle, from the time it is generated until it is securely destroyed, whether it be hard copy or electronic information. The laws are there to not only protect your clients, but also you and your business, so it is wise to embrace them.

Wiggins Shredding provides secure shredding services to businesses throughout Pennsylvania and Tri-State Maryland, Delaware, and New Jersey. We are compliant with all data privacy laws, so shredding with us helps your business stay compliant, too. For more information or to book shredding, give us a call at 610-692-TEAR (8327) or complete the form on this page. Our shredding experts are standing by!
