How states can address evolving privacy laws

As of November, 12 states have passed comprehensive privacy laws to protect the use of personal information. All 12 laws target the conduct of commercial entities that operate within the state or collect or sell a certain number of records pertaining to that state’s residents. The new laws highlight privacy best practices such as adequate notice, opt-out rights, and a consumer’s right to access or delete data.

The trend toward codifying privacy rights and improving consumers’ control of their data started with the passage of the European Union’s General Data Protection Regulation in 2018. While the recently passed U.S. state laws focus primarily on commercial entities, government entities should also take measures to maintain public confidence and trust, and to mitigate risks to the state.

Though this article focuses on state governments, cities, and counties face the same privacy obligations and the same challenges in ensuring compliance.

Why states should care about privacy

By providing public services and programs, states gather a substantial amount of constituent data. Some data collection is compulsory (such as criminal justice records, birth certificates, and death certificates), while other data is provided to state entities by residents to receive benefits such as tax credits, rebates, and public assistance. A single state, in providing services to its residents, can collect a variety of data, including personally identifiable information, credit card information, protected health care information, federal education records, and tax information.

Units of state governments also share data with other agencies or trusted partners and vendors. Within a state, an entity might share data for the purpose of research, public health or safety, trend analytics, program use metrics, verification, and advertising. States gathering and sharing data increase their attack surface by disseminating data to other agencies and partners—and sometimes, by collecting and retaining more information than necessary.

States should conduct a thorough evaluation of their vendors and partners and have adequate data-sharing contract language, as using third-party services does not relieve the original state entity from the growing array of compliance and privacy obligations. To maintain the trust and confidence of their residents, states must monitor third-party data collection and sharing, and maintain the confidentiality of sensitive information.

Steps to mitigate privacy risks faced by states and the public

A state’s excessive collection of information, inability to provide records to its constituents, or failure to maintain the confidentiality of sensitive data can erode public trust and cause considerable reputational harm. Constituents can also face more tangible harm such as identity theft, electronic benefits transfer fraud, or unemployment scams.

However, a state can incorporate new—or improve existing—privacy practices to promote transparency and public trust. Examples include: