Article

How states can address evolving privacy laws

Key considerations for states as privacy standards expand

November 15, 2023

Key takeaways

While U.S. state privacy laws focus on commercial businesses, state entities should also prioritize privacy.

Public entities gather a significant amount of constituent data by providing services and programs. 

States can take several steps to incorporate new or improve existing privacy practices.

#
State & local government
Risk consulting Government Cybersecurity consulting Cybersecurity

As of November, 12 states have passed comprehensive privacy laws to protect the use of personal information. All 12 laws target the conduct of commercial entities that operate within the state or collect or sell a certain number of records pertaining to that state’s residents. The new laws highlight privacy best practices such as adequate notice, opt-out rights, and a consumer’s right to access or delete data.

The trend toward codifying privacy rights and improving consumers’ control of their data started with the passage of the European Union’s General Data Protection Regulation in 2018. While the recently passed U.S. state laws focus primarily on commercial entities, government entities should also take measures to maintain public confidence and trust, and to mitigate risks to the state.

Though this article focuses on state governments, cities, and counties face the same privacy obligations and the same challenges in ensuring compliance.

States should conduct a thorough evaluation of their vendors and partners and have adequate data-sharing contract language, as using third-party services does not relieve the original state entity from the growing array of compliance and privacy obligations.

Why states should care about privacy

By providing public services and programs, states gather a substantial amount of constituent data. Some data collection is compulsory (such as criminal justice records, birth certificates, and death certificates), while other data is provided to state entities by residents to receive benefits such as tax credits, rebates, and public assistance. A single state, in providing services to its residents, can collect a variety of data, including personally identifiable information, credit card information, protected health care information, federal education records, and tax information.

Units of state governments also share data with other agencies or trusted partners and vendors. Within a state, an entity might share data for the purpose of research, public health or safety, trend analytics, program use metrics, verification, and advertising. States gathering and sharing data increase their attack surface by disseminating data to other agencies and partners—and sometimes, by collecting and retaining more information than necessary.

States should conduct a thorough evaluation of their vendors and partners and have adequate data-sharing contract language, as using third-party services does not relieve the original state entity from the growing array of compliance and privacy obligations. To maintain the trust and confidence of their residents, states must monitor third-party data collection and sharing, and maintain the confidentiality of sensitive information.

Steps to mitigate privacy risks faced by states and the public

A state’s excessive collection of information, inability to provide records to its constituents, or failure to maintain the confidentiality of sensitive data can erode public trust and cause considerable reputational harm. Constituents can also face more tangible harm such as identity theft, electronic benefits transfer fraud, or unemployment scams.

However, a state can incorporate new—or improve existing—privacy practices to promote transparency and public trust. Examples include:

icon - CRM sales enablement best practices

Program-level assessments

Examining the overall privacy practices of a state government program or organization is crucial, and should include ensuring compliance with best-practice standards such as the Fair Information Practice Principles (FIPPs).

Privacy impact assessments

States can conduct these assessments when initiating any process, program, or procurement for a software application.  The state should examine what information is collected and the justification for collection, as well as requirements around consent and subsequent data sharing and access.


CPO or virtual CPO services

Appointing a state chief privacy officer or leveraging virtual CPO services can help ensure an effective privacy program and provide a designated point of contact to handle privacy-related incidents.

The information lifecycle and privacy

Privacy should be integrated into a state’s data management and cybersecurity processes so that all teams work in unison to ensure data is properly collected, shared, maintained, and destroyed. 

We understand the complexity of the information that states encounter in providing services for the public and can design, build, and maintain a customized privacy program that addresses your privacy and compliance requirements.

RSM contributors

  • Laura Gomez-Martin
    Director

Related insights

Related topic

Are you providing accountability and transparency?

With government-focused expertise, we can advise you on technology solutions, operational efficiencies, financial projections, and board training.