Mar 25, 2022
The lack of a unifying federal privacy law in the U.S. like the European Union’s General Data Protection Regulation (GDPR), and a growing patchwork of state regulations to keep track of, can make it tricky for your business to maintain compliance. This is exactly why we have today’s guest here to help us navigate the difficult ecosystem of state privacy laws. Donata Stroink-Skillrud is the President of Termageddon and the engineer behind Termageddon’s policy questions and text. She is a licensed attorney and a certified information privacy professional. She often volunteers at the Illinois State Bar Association holding courses on the General Data Protection Regulation, where she teaches other attorneys about the importance of privacy and what Privacy Policies should contain.
Privacy and protecting your personal data have probably shown up on your radar a lot lately because of the number of merchants that have reported data breaches. Target had a huge data breach affecting 40 million customers back in 2013. When an event of this scale happens, you realize we can’t depend on others to protect our data. It was her experience with having her own data compromised in that breach that led Donata to pursue a career in privacy law and policy.
However, there is also an enormous cost involved in compliance. Having a privacy policy on your website is just the first step. Each state has its own privacy laws, so understanding those laws and making sure you comply requires, for many businesses, a full-time Compliance Officer.
At one point in her career, Donata ended up being the person who fielded all of the business’s privacy compliance questions, and she found that meeting the compliance standards for each state was rather repetitive.
This led to the quest to automate the repetitive process of asking the same questions and gathering the same data, and out of that automation effort, Termageddon was born.
Businesses were thrown another “privacy curveball” in 2014 when the EU passed GDPR. Today, companies don’t just have to worry about privacy laws in the U.S.; they now have to worry about international privacy laws as well.
GDPR standardized the privacy laws for all the EU countries. The U.S. has not taken that step yet, so business owners and the public must grapple with a bevy of very complex privacy laws in each state.
From the consumer standpoint, it’s very difficult because these state privacy laws require so many disclosures, making privacy policies really long and really difficult to read. There’s a lot of information there, and it’s very hard for consumers to understand which privacy rights apply to whom. The privacy laws also don’t explain the gray areas, such as how they define a resident and when a person officially becomes a resident of a state.
Different state laws have different definitions of what it means to sell data. Some companies say, “We don’t really sell your data,” but according to California’s law, they do.
This makes it confusing for both businesses and consumers to understand what their privacy rights and obligations are.