States Raise Stakes in GDPR-Inspired Privacy Laws
Leading the way among GDPR-like state privacy laws is the California Consumer Privacy Act (CCPA). Make no mistake, other states are quickly following suit. Yet several studies say that many companies are still struggling to comply with the EU General Data Protection Regulation (GDPR). So how likely are they to meet additional state mandates?
The International Association of Privacy Professionals (IAPP) says there are plenty of studies showing a frightening number of companies are struggling to comply with GDPR. One of those studies is an April 2018 Ponemon Institute survey sponsored by the international law firm McDermott Will & Emery. That study found “40% expect to become compliant after the deadline” and “8% of companies were not sure when they will achieve compliance.”
“We still have too little time and it’s a year later,” said McDermott Will & Emery Co-Chair, Privacy and Security Mark Schreiber, CIPP/US, in an IAPP report on GDPR a year later. “We expect 50% of covered companies are still in the process of GDPR compliance and it will likely go on for another couple of years.”
Now state laws are coming into the picture, making it even harder for companies to comply with them all. Some say GDPR is the impetus for the recent rash of state privacy laws, but it’s more a model than a motivator. Instead, it was rampant and hidden data collection and data sharing by social media giants that spurred outrage and a demand for more privacy protections in the U.S.
“The privacy law push started with the revelations of social media data sharing in 2017. The GDPR was a model for California law and may be a model for a U.S. national privacy law. But the real push was not from GDPR,” says Mark Houpt, CISO for DataBank.
The CCPA was the first of the state laws to appear on the scene. It will go live in a few months, on January 1, 2020, but the enforcement date is not “until six months after the publication of the final regulations or July 1, 2020, whichever is sooner.” Other state laws are following close behind, such as the Washington State Privacy Act. It is not yet a law, as it still has to clear the House. The Senate voted 46 to 1 in favor of the bill, and no one expects any problem with it passing in the House either.
The IAPP conducted a survey to see where companies stood in terms of potential compliance with the looming CCPA. “Rating CCPA preparedness level on a scale of 0 to 10, the average response was about 4.75,” says the report. The biggest obstacle to compliance is “a lack of time and…