States Increasingly Focus on Data Privacy Protection | How to Prepare Your Business for the Coming Wave


Do you have questions about what’s to come in the data privacy world? Join us for a webinar on August 3rd at 12 PM EST, with author Chris Arrendale, Dennis Dayman, and Jack Wrigley. 

Sign Up


On May 10, Connecticut Gov. Ned Lamont signed into law the Connecticut Data Privacy Act (CTDPA), making Connecticut the fifth state to pass comprehensive consumer privacy legislation, following California, Colorado, Utah and Virginia.

While details vary, the five laws generally give their states’ consumers:

  • The right to know what personal information a business collects about them and how it is used, shared, and sold.
  • The right to delete personal information collected from them (with some exceptions).
  • The right to opt out of the sale of their personal information.

These laws aim to give consumers more control over information collected about them. Simply put, in many legislators’ eyes, too many companies have collected too much information on individuals and failed to secure it properly, leading to a string of data breaches.

Importantly, the California Consumer Privacy Act includes a private right of action allowing individuals to sue over certain data breaches caused by a failure to maintain reasonable security, making California's law the most threatening to businesses that run afoul of it. The other four laws are enforced by the states' Attorneys General.

There also looks to be a wave of new state privacy legislation on the way. In 2022, at least 34 states and the District of Columbia introduced or considered almost 200 consumer privacy bills, according to the National Conference of State Legislatures. With that many divergent bills in play, national data privacy legislation that gives every U.S. citizen one uniform set of rights is more important than ever.

The time for brands to act is now.

4 Steps to Prepare for Data Privacy Protection


1. The first thing to do is determine which of these laws applies to your specific business. For example, Colorado’s law applies to businesses that “control or process the personal data of at least 100,000 consumers during a calendar year; or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 consumers.”


2. Next, the business should conduct an internal audit of exactly what data it collects and the various places it is stored. When someone exercises a deletion right, the company must have mechanisms in place to delete all of that person's data wherever it resides, including copies held in backups and by service providers; when someone opts out of sale, every downstream sale or share of that person's data must stop.

Start the process by getting representatives of all the various stakeholder departments into a room together. These representatives should at least include members of legal, compliance, marketing, sales, and IT.

While mapping out when and where information is collected and where it is stored—and if applicable, where it is sold—it is important to assess whether all the information collected is necessary.

Current sales-and-marketing technology allows brands to collect a mind-boggling array of information, all aimed at giving the company the ability to spot potentially marketable moments among individual prospects and customers.

But just because a brand can collect certain information doesn’t mean it should. Any internal data audit should include a serious assessment of what is actually necessary to grow the business. 

The sales team will naturally be the most aggressive on the depth and breadth of information they want to collect and keep. Marketing will be slightly less aggressive. Legal, Compliance, and IT will probably be more reserved.

But in any company, it is important to keep in mind that employees are essentially either in sales or they’re in sales support. As a result, the sales team’s opinion on what data to collect and retain should carry a great deal of weight.

This isn’t to say sales should lord over the data decisions, but everyone at the table must consider that if the sales team doesn’t meet its numbers, the whole operation suffers.


3. It's also important to review third-party contracts with partners. For example, if a company uses a third-party data processor, whether the data passes through that provider at the point of collection or is sent to the provider and returned to the business, does the contract allow the provider to share that data with its other clients or use it to provide services to them? Processor contracts should restrict use of the data to the business's own instructions.

4. Next, it is important to craft a notice to be provided at all points of data collection explaining to customers and prospects what information is being collected, why it’s being collected, and what will and will not be done with it. The notice should include a link to the company’s privacy policy and an easy way to opt out.

If possible, the notice should explain the benefits to customers and prospects of the information collected, such as it will allow a more personalized experience.

Also, the notice should never say the company won’t engage in an activity that it may one day engage in. 

For example, it may not be wise to say the company will never share or sell customer data, even if the company currently does not share or sell. If a company makes that claim and then one day gets sold, its data assets are essentially worthless to the buyer. Or at the very least, a class-action lawsuit waiting to happen.

Unfortunately, there is a never-ending supply of malicious actors willing to comb through corporate privacy claims looking for instances of where the brand did not live up to its promises. And in California, those malicious actors can be any one of its 39.4 million residents.

So while claiming never to share or sell customer information might seem like the responsible thing to do, it would be wiser to consider every possible future scenario that might make that promise regrettable.

In closing, basic privacy protection boils down to four points:


  1. Data transparency: giving people the ability to know what information is being collected, how it is used, where it is sold or shared, and who has access to it.
  2. Consent: if a company is sharing or selling data, it must honor consumers' opt-outs of that sale or sharing, and several of these laws require opt-in consent before processing sensitive personal data.
  3. Data minimization: a brand should only collect the information it actually needs in order to deliver its product or service.
  4. Non-discrimination: a brand should not penalize customers who opt out of, or decline to opt into, data collection through worse treatment or higher pricing.



About the Author


Chris Arrendale

Chris has more than 22 years in the technology, privacy, security, and software industry. Chris graduated with his BA from Emory University and his MS from Southern Polytechnic State University. He also maintains several professional certifications, including IAPP privacy certifications (CIPM, CIPT, CIPP/US, CIPP/G, FIP), Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Information Systems Auditor (CISA), Certified Data Privacy Solutions Engineer (CDPSE), and Certified HIPAA Privacy Security Expert (CHPSE), as well as many other security, privacy, and cloud certifications. He has extensive experience consulting with companies on their privacy and data security needs. Chris has previously worked as a Chief Privacy and Security Officer for multiple organizations. He has traveled extensively as a speaker, author, and consultant. Chris recently authored a book on email deliverability, privacy, and compliance titled "Deliverability Inferno".
