How to Prepare For New Data Privacy Laws

Reviewing your business’s data collection practices today can help ensure you’re well-prepared for future legislation.

Although there is currently no federal law that curbs the collection and use of consumer data, some policy experts predict that it’s just a matter of time before such legislation is introduced. In the meantime, many states have taken matters into their own hands: In 2021 alone, more than 160 consumer privacy-related bills were introduced at the state level.

“Right now, we have a patchwork of privacy laws across the country. This patchwork of privacy protections for consumers is creating a lot of headaches for businesses because they’re having to comply with different requirements that vary among the states,” said Elizabeth Taylor, EVP, Head of Government Affairs and Economic Development at Regions Bank in Episode 5 of Commercial Insights with Regions Bank.

Many U.S. businesses have found themselves playing catch-up to comply — something their counterparts in the European Union have already been doing for years. In the months leading up to the 2018 General Data Protection Regulation (GDPR) compliance deadline in the EU, only about 33% of surveyed businesses had a compliance plan in place, according to an EY report.

Preparing for Data Privacy Laws

If you haven’t taken a close look at your data collection practices, now is a good time to do so. Here are three steps all businesses should take this year to ensure they’re well-prepared for any new consumer data protection laws that may be on the horizon.

Step One: Review your business strategy around data.

Take the time to review your business strategy around personal data collection, storage, and usage. What type of data are you collecting? Remember that customer databases and newsletter lists are both considered data. Is it essential to the success of your business? Are you collecting more data than you need? Are you storing it for longer than you need? Two of the principles outlined in the GDPR may be helpful as you consider your business strategy around data: The data minimization principle maintains that businesses should only collect and process data that is necessary for specific purposes, while the storage limitation principle affirms that businesses should store personal data only for a certain amount of time and only while it serves a specific purpose.

Step Two: Make sure to map your data.

You can’t protect what you don’t know. Take an inventory (or data map) of the consumer data you’re collecting, retaining, and sharing. To start data mapping, you should identify what personal information your business collects and where it’s stored. You also want to determine how long the personal information is kept, with whom the information is shared, and for what purposes it’s used. While you’re at it, be sure you understand how any third parties handle your business’s consumer data, too. It’s a lengthy process, but one that is a requisite for any business that wants to comply with state-specific requirements and any potential future regulation at the federal level.

Step Three: Create a process for managing consumer requests regarding their data.

If you’re collecting and storing consumer data, you should also have a process for deleting it upon a consumer’s request. Under the California Consumer Privacy Act (CCPA), consumers have the right to request that their information not be sold to third parties. They can also request that a business delete their personal information from its database after it’s collected. Even if your business operates locally and believes it isn’t subject to the CCPA, building in processes to address consumer requests is a good idea since it prepares your business to comply with any new consumer data protection regulations that might be coming down the pike. You should also carefully consider which of the state laws may apply to your business.

As you’re making adjustments at your business, make sure to watch for any changing legislation at the federal level, as well as in states across the country. While the introduction of new data privacy legislation might seem daunting, taking a proactive approach can go a long way toward alleviating any stress businesses might experience.

For more, be sure to check out the Summer 2022 issue of Commercial Insights Magazine.


This information is general in nature and is not intended to be legal, tax, or financial advice. Although Regions believes this information to be accurate, it cannot ensure that it will remain up to date. Statements or opinions of individuals referenced herein are their own—not Regions'. Consult an appropriate professional concerning your specific situation and for current tax rules. Regions, the Regions logo, and the LifeGreen bike are registered trademarks of Regions Bank. The LifeGreen color is a trademark of Regions Bank.