As most information privacy and security professionals know, U.S. state laws like the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), give residents of California rights to access, correct, and delete information about them held by companies around the world. Following the passage of these California laws, the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA) have been signed into law and provide similar (although slightly differing) rights to residents of those states. The recent passage of these three U.S. state privacy laws, with more very likely on the way, raises an important dilemma for companies collecting and stewarding personal information:
Should we create policies and procedures to grant these digital rights only to those legally owed them (by jurisdiction) or offer the highest standard of rights to our full customer base (and in some cases employees)?
It’s an important strategic question, and there are pros and cons to each approach. Let’s look at the customized-by-jurisdiction path first.
One benefit of this approach is potentially limiting the number of requests to be handled. Depending on volume, this could save the cost of scaling up response resources, including software systems and staff time to respond to requests (all three states require a response to the consumer within 45 days). Another advantage of this strategy is that a bespoke response for each jurisdiction can be tailored precisely to that law’s compliance requirements. As new laws come online, or existing laws are modified, new response procedures are added and existing ones updated.
There are several downsides to this approach, though. By creating custom response policies and procedures for each law, you add complexity to your systems and increase the potential for errors. It can also be time-consuming and labor-intensive to craft and stand up multiple response options based on jurisdiction. For some organizations, determining where customers legally reside, and thus what their rights are, can be difficult or impossible. Another factor to consider is corporate philosophy and risk tolerance: regardless of the laws currently in force, should some of your customers receive these digital access rights while others don’t, based solely on where they reside? How might that play out in your long-term customer satisfaction goals and strategies?
A very different approach is to carefully examine all existing state privacy laws, identify the commonalities and differences, and craft a response for all customers and employees that meets the highest common standard. The slight differences from law to law still need to be accounted for in the responses. Advantages of this approach are streamlined responses across the organization, consistency and efficiency, and a message to the entire customer base that everyone has access to the same rights. Challenges include the initial lift required to find a universal response that meets the specific legal obligations of each state and to operationalize it. Additionally, providing rights to customers or employees who aren’t necessarily entitled to them could add labor and/or legal costs on the fulfillment side of the equation.
“Many of our clients like to take the harmonized approach to privacy rights, and it’s a good strategy in many organizations. It takes careful consideration and evaluation of the privacy laws in scope to get it right.”
Jennifer Martin, LevelUP Consulting Group Director
The best approach will of course differ for each organization and depends on many factors, including corporate philosophy, risk tolerance, business goals, legal obligations, budget/resources, and operational capabilities. Careful consideration and objective guidance can help you arrive at the optimum outcome, and having the right perspectives at the decision-making table is critical to reaching your desired end state.
Learn more about our Services by Regulation. For more information about LevelUP Consulting Group’s services, contact: John Verner at email@example.com.
We provide specialized consulting services focused on managing risk in an efficient, scalable manner so you can grow your business confidently.
Eric Dieterich, Managing Partner
Email: firstname.lastname@example.org
Phone: 786-390-1490
LevelUP Consulting Partners
100 SE Third Avenue, Suite 1000
Fort Lauderdale, FL 33394
Copyright © LevelUP Consulting Partners. All Rights Reserved