Data privacy is a new and rapidly evolving area of law. New laws are being passed, regulations written, and court cases resolved. While that may be exciting for privacy professionals, for businesses that have to comply with laws like the California Consumer Privacy Act (CCPA), it means they can’t just become privacy compliant and then forget about it.
Continuous compliance requires staying up to date with all of these developments and adjusting your practices accordingly. Here we’ll explain why that is (with examples), and what you can do about it.
If you’re not a legal professional, it would be understandable to think that once a statute is passed by a legislature, that’s the law and nothing about it changes unless the legislature passes a new statute.
However, in the United States and many other countries, “the law” is formed from multiple sources, such as regulations and judicial opinions, and evolves over time even if the statute itself never changes.
Take the CCPA, for example. It’s a comprehensive law, but the legislators knew they couldn’t predict every eventuality, so they delegated authority to the California Privacy Protection Agency to create and revise regulations. These regulations have to stay within the boundaries created by the CCPA, but they still have the force of law and can be changed relatively easily.
Now imagine that a business has been accused of violating the CCPA and fights that accusation in court. The judge will look at the various sources of law (the CCPA, the Agency’s regulations, and what other judges have decided in the past), and apply the rules to the specific facts of the case in front of them. Afterwards, that judicial decision itself becomes a new source of law, and any businesses who are engaging in similar behavior will have to examine the decision carefully and figure out how it applies to them.
Don’t feel bad if this is a little confusing. Lawyers study for years learning to determine what the law is in a specific situation, and then spend the rest of their careers disagreeing with each other about it.
The main point to understand is that privacy laws are not static; they can change greatly over time, and businesses have to keep up or face repercussions.
Comprehensive data privacy laws are a recent phenomenon; the EU passed its General Data Protection Regulation in 2016, California followed suit with the CCPA in 2018, and now many other states have passed or are considering their own laws. Because this area is so new and technology changes so quickly, the laws are changing at a fast pace.
Consider the example of a business that became CCPA compliant in 2021. By early 2023, here is just a short list of requirements that have changed:
This is by no means an exhaustive list, and the changes are still coming. For example, the CPPA is currently drafting rules regarding when and how businesses must submit risk assessments for their data processing. Once that happens, all businesses will have to look at the new rules and decide what it means for them.
Staying up to date with privacy compliance across multiple states and countries is a full-time job, but many businesses balk at the idea of hiring an in-house privacy expert or racking up expensive legal fees. TrueVault provides a much more cost-effective solution.
With TrueVault, businesses can manage compliance with many privacy laws in one platform. Create your own data map, onboard vendors, and more, all through a guided software experience. Our privacy professionals stay current with the latest developments, then incorporate any new legal requirements directly into the platform. Wherever possible, these updates are applied automatically, and if any action is required on your part, we provide the guidance and tools to do it.
Learn more about TrueVault and view a demo by contacting our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.