State legislatures from coast to coast, including Indiana’s, are turning their attention to consumer data privacy—and the issue could have a large impact on Indiana’s tech sector.
Within the past four years, four states have passed comprehensive data privacy laws—California and Vermont in 2018, and Colorado and Virginia in 2021. And they’re likely to be joined by others: Many states have considered such legislation since 2018, and Indiana and Ohio are among those that have taken up the issue so far this year.
According to the National Conference of State Legislatures, more than 25 states introduced comprehensive data privacy legislation in 2021 alone.
The NCSL defines comprehensive privacy legislation as bills that seek to regulate the collection, use and disclosure of personal information and that provide consumers with rights related to that information, such as the right to access, correct and delete it.
Under the California law, personal information includes a user’s name, postal address, internet protocol (IP) address and email address, among other things. It also includes cookies—the files websites use to track users’ online habits. One common example: online ads that follow a user around from site to site, based on that user’s data profile.
The matter is of interest to Hoosier businesses because they must comply with the laws of the states in which they do business. So, a company that gathers data on customers in many states is faced with the challenge of keeping up with the privacy laws those states enact.
Local companies say they welcome stricter privacy regulations, in part because protecting customers’ privacy is a way to build trust. But the companies also worry that, in the absence of national regulations, trying to comply with multiple state laws will be a heavy burden.
“Companies can’t keep up with a patchwork of 50 different privacy laws. They can’t do it,” said Christopher Day, CEO and co-founder of Indianapolis-based marketing technology company DemandJump.
Founded in 2015, DemandJump uses artificial intelligence and data analytics to help its customers improve their ranking in online search results.
So far, the biggest impact has been from California’s law, which went into effect in January 2020, with additional provisions that go into effect on Jan. 1, 2023. Vermont’s law took effect in July 2020.
Both Virginia’s and Colorado’s laws are slated to go into effect next year—Jan. 1 in Virginia, and July 1 in Colorado.
Indiana’s legislation, Senate Bill 358, has passed the Senate. It passed the House Commerce, Small Business and Economic Development Committee on Feb. 17, and the full House has until Feb. 28 to vote on it. If the bill passes, the law would go into effect Jan. 1, 2025.
Scot Ganow, a partner in the Dayton, Ohio, office of law firm Taft Stettinius and Hollister LLP, said data privacy has become a hot issue for a couple of reasons.
Taft is based in Cincinnati and operates offices in 11 cities, including Indianapolis.
A recent change to European laws is one reason, Ganow said.
The European Union’s General Data Protection Regulation, or GDPR, was adopted in 2016 and took effect in 2018. It updates European data privacy laws from 1995 and is sometimes described as giving individuals “the right to be forgotten” because one of its provisions allows customers to request the deletion of their personal information.
The GDPR’s data privacy standards apply to companies that do business with European Union residents, including U.S.-based businesses. So, Ganow said, when GDPR went into effect, U.S. companies began thinking more closely about data privacy.
The second reason, he said, is that Americans have become more aware over the last decade or so of data security and data privacy because of high-profile data breaches and incidents like the Cambridge Analytica scandal in which the political consulting firm accessed Facebook users’ information without the users’ knowledge.
Day, the DemandJump executive, said he also believes consumers have grown weary of being bombarded with online ads based on data-gathering that goes so far as to include tracking a user’s physical location in order to advertise nearby retailers.
“People are getting a little creeped out that they never actually do a search for something, but all these ads are popping up,” Day said.
But trying to comply with the growing number of privacy regulations “could literally cause some small companies to go out of business,” he said.
His company has already spent $200,000 to comply with two different online infrastructure and security requirements, SOC 2 and ISO 27001, he said, and the final tab will be even higher once that work is complete.
Compliance with the California data privacy law hasn’t been as costly for DemandJump, Day said, but the burden would become significant if the company were to have to make adjustments for multiple new state laws.
Bob Kobek, president of Indianapolis-based CustomerCount, said his company spent close to six figures on compliance when the European Union and California laws took effect.
CustomerCount collects and reports customer survey data on behalf of its clients, which include major hotel chains around the world.
To comply with the new laws, CustomerCount had to rework its software so it could strip surveys of personal identifying information if a CustomerCount survey-taker in California or the European Union made that request.
“We had to dismantle and rebuild,” Kobek said.
His concern is that CustomerCount might have to do a lot more work if other states pass legislation that differs substantially from what has already passed.
“I don’t want to have to rework my code 51 more times, for crying out loud.”
A national standard?
Kobek is also a committee member with the Indiana Technology and Innovation Association, a group that lobbies on behalf of the tech industry statewide. He keeps tabs on privacy legislation nationwide as well.
Whenever he has occasion to talk with legislators from states that are mulling their own privacy laws, Kobek said, he urges them to model their laws on California’s or Virginia’s so the rules will be more consistent across the country.
Kobek and Day both say what they’d really like to see is national privacy legislation, creating one consistent set of rules.
“I believe that the vast majority of consumers, and even tech companies, are open to and welcome privacy-related legislation,” Day said. “You should be able to have control over whether you want your personal data sold.”
Kobek said he is confident national data privacy legislation will pass in Congress next year, noting that numerous privacy bills are already circulating there. “There will be federal legislation, there’s no question about that.”
U.S. Rep. Andre Carson, D-Indianapolis, has introduced two privacy-related bills, though neither is comprehensive. One of Carson’s bills is related to transparency around companies’ use of online algorithms; the other is related to the privacy and security of COVID-19 data.
“He is very hopeful that these bills and others like it will become law, and he is working to make that happen,” a Carson spokesman told IBJ.
But others are not so optimistic.
Ganow, who has worked in the privacy sphere since 2003, said he doubts Congress will ever pass a comprehensive privacy bill. “They’ve been talking about a federal privacy law forever, and I just don’t think we’re going to get there.”
Compared with Europe, which has a long history of establishing privacy protections for individuals, Ganow said the U.S. tends to take a more sector-driven approach to the issue. This has given rise to laws like the Health Insurance Portability and Accountability Act, or HIPAA, which is focused on patient health information.
Getting Congress to agree on comprehensive privacy regulations probably won’t happen, he said.
What’s more likely, Ganow said, is that the provisions of the California law will become widely adopted. That’s what happened in the auto industry, where California set emissions standards that were stricter than the national standard. Numerous other states went on to adopt California’s standards as their own.
And, regardless of whatever state or national legislation might pass, Ganow said, data privacy is becoming more of an expectation within the business community.
So, he said, he advises clients to tackle data privacy issues now, if they haven’t already. “Even if you don’t have to comply, now is the time to start getting ready to—because this isn’t
Aiming for California compliance is a good goal, he said, because it’s likely to put a company in a good position for compliance with other states’ laws.
The compliance process can be difficult and time-consuming, Ganow said, because it involves multiple steps: inventorying the data the company collects, classifying that data, knowing where the data resides, assessing the risks to the data and coming up with a plan for protecting it.
But at the end, Ganow said, his clients have seen big benefits from going through the process because, in thinking about their data, they can glean new insights. “It forces you to look deeper at your business, because the data is the lifeblood of your business.”