Companies large and small are beginning the new year by staring down six new state laws regulating consumer data collection that are going into effect in 2024:

1. Washington My Health My Data - March 31, 2024
2. Nevada Consumer Data Health Privacy Law - March 31, 2024
3. Texas Data Privacy and Security Act  - July 1, 2024
4. Florida Digital Bill of Rights - July 1, 2024
5. Oregon Consumer Privacy Act - July 1, 2024
6. Montana Consumer Data Privacy Act - October 1, 2024

‍

In addition to planning a path to compliance with these laws, many of the privacy professionals we speak to are also watching for public summaries of enforcement of the laws that went into effect in 2023 and earlier, to gain perspective into regulator expectations so that they can adjust accordingly.

‍

At the same time, the teams we speak to are also keeping up on the active class action landscape. With older, analog-world privacy laws being tested in the digital space via civil suits – the latest being pen register laws – it can feel like there could be new issues to contend with coming out of left field at any time. 

‍

Collecting and evaluating all this information is quite an undertaking, but privacy professionals understand that the stakes are high, and they soldier on. Knowing that gaps bring the risk of fines, reputational damage, and loss of consumer trust, privacy teams are well aware that they must take action.

‍

We have the opportunity to speak to a wide range of companies across the consumer and B2B economy. In this post, we’re going to share some of what we’re hearing about how leading companies are tackling the challenges of 2024.

Step 1: Scrub your Vendor List

Coming into 2024, we see a wide variety of approaches to compliance with data privacy laws, but at this point, most large and medium-sized companies have established a privacy program of some sort, even if it’s embryonic. Nearly everyone is starting 2024 from somewhere.

‍

Leading companies are looking at compliance in 2024 as a process of refinement at the foundation of their existing privacy program, rather than an overhaul. And they are starting with consolidating their understanding of what data collection is necessary to drive the business – especially when there are third-party vendors involved.

‍

Using vendors can bring benefits, but it also exposes companies to liability by creating risks such as misuse and inappropriate sharing of data with fourth parties, breaches, etc. Leading companies are taking a hard look at which of their vendors are delivering enough real value to offset the risk, and are eliminating those who don't make the cut.

‍

Step 2: Assess your Gaps

Each data privacy law has its own constellation of requirements, but there are many common threads across laws. For example, lawmakers and regulators across jurisdictions are coming to agreement that some types of data collection, such as that used for targeted advertising, present a particularly high risk to consumers. 

‍

Companies that have eliminated unnecessary data collection and vendors are better able to identify the common threads most relevant to their business and create a focused assessment of gaps to be addressed for each law going into effect.

‍

Key areas in the laws to look for are:

• Differing disclosures required in privacy policies
• Nuanced definitions of “sensitive data”
• Requirements around respecting universal opt-out mechanisms, such as Global Privacy Control

‍

Step 3: Automate your Governance Processes

If you’re not putting vendor scrubs and gap assessments into action on your website, then it’s just theater. Leading companies are taking active steps to ensure that their updates are put into practice on their sites and in their ad campaigns. They also realize that a one-time QA of privacy policies, Consent Management Platform implementations, and cookie inventories is not enough. 

‍

Governance across a company’s technology stack can be difficult for manual processes to keep up with because the tech itself is constantly changing: vendors independently release code updates according to their own schedules (which unfortunately, sometimes contain bugs), the site’s own dev team releases updates on a different schedule, and much of the digital ecosystem’s ad transactions happen in near-real time. 

‍

Further, governance can be challenging to get right because complexity – both technical and organizational – is high. And in this demanding economic environment, we see many companies grappling with the reality of needing to cover all this new ground with existing (or sometimes, fewer) resources than in 2023. 

‍

One solution is to automate as many compliance processes as possible. Automation can improve the level of protection from unexpected problems, as well as create time for privacy teams (which are often a team of one) to invest in critical work that adds more value to the business than manually QA’ing a website for the umpteenth time.

How Boltive Helps

Tech is a moving target, and it doesn’t take much to trigger unwanted attention from someone who is looking for mistakes. And the risks to companies have never been higher, from fines and lawsuits, to brand damage and loss of consumer trust that can hurt the bottom line in an increasingly competitive marketplace. 

‍

The automation of site and ad campaign QA and governance is where Boltive makes a meaningful difference for our clients. Privacy Guard’s patented, advanced automation technology keeps an eye on your site and ads, and will alert you when something is amiss. 

‍

The process of evolving your privacy program to meet the challenges of 2024 won’t always be easy, but it is absolutely possible. If you would like to find out how we may be able to support your company to achieve its compliance goals, please reach out – we’d love to offer you a free assessment of your site.

‍