After our first series of US Privacy Masterclass webinars, we fielded many questions from privacy professionals across the industry. Some of the most asked questions were around the GLBA, NIST, GPC, and PIAs in California and the Health Insurance Portability and Accountability Act (HIPAA). In this blog, we’ll go over these questions and explain how your organization can comply with these additional laws along with the US privacy landscape.
The GLBA is the overarching privacy law for the financial sector that requires institutions to disclose their data collection and sharing practices to customers, and have protection measures in place for sensitive data. The GLBA also mentions that it will preempt any state laws that are inconsistent with its requirements. However, for state laws that provide “greater protection”, the GLBA will prioritize such legislation.
For the CPRA, financial information that falls under the GLBA’s scope is exempt from its regulations, barring the private right of action for a data breach. However other information that financial institutions collect is still under the CPRA’s jurisdiction.
The four other state laws in effect (Virginia (CDPA), Colorado (CPA), Utah (UCPA), and Connecticut (CTDPA)) all exempt any financial institution and its affiliates that are subject to the GLBA from its regulations.
NIST is a non-regulatory agency in the US that defines certain sets of standards for technologies across public and private sectors. While they’re well known for their cybersecurity frameworks that are frequently used as industry-wide standards, another prominent framework is the NIST Privacy Framework. This is voluntary and helps organizations answer critical questions around the state of privacy in their operations, based off requirements laid out in the GDPR and CCPA.
NIST’s privacy framework is broken up into core, profile, and implementation levels.
For additional information on NIST’s privacy framework, read more here.
The Global Privacy Control (GPC) allows consumers to define their preferences across websites. The GPC was developed by a group of publishers, tech companies, and browsers to give customers a way to avoid having to opt-out of multiple websites and instead set their preferences at once.
Businesses that are under the jurisdiction of the CCPA / CPRA are required to honor GPC signals on their websites, or potentially receive an enforcement action. Make sure to use effective tools to keep your website and digital properties cognizant of the GPC.
Privacy Impact Assessments are new additions to the US privacy landscape. The CPRA defines the threshold in a broad manner, mentioning “businesses whose processing presents a significant risk to consumer privacy or security” need to conduct regular PIAs. Having an established framework and template to conduct these PIAs will help your organization stay on top of these reports.
HIPAA is the primary regulation for the healthcare industry that is defined by three main rules – privacy, security, and breach notifications. As healthcare operations deal with sensitive patient information, PIAs need to be conducted to ensure the systems are up to date with the latest security checks and information is not subject to risk of breach.
Healthcare organizations need to make sure that PIAs are conducted at regular intervals to avoid patient information being placed in vulnerable situations or data workflows. HIPAA enforcement fines can go up to $50,000 per violation, so ensuring that the information is privacy compliant and at low risk of breach builds trust as well as avoids fines.
As 2023 rolls around and five states introduce new privacy regulations across the US, make sure your organization stays on top of compliance. Attend the US Privacy Masterclass 2.0 series to make sure you’re prepared for dealing with the new and expanded rights that these laws bring.