States Move To Enact and Expand Data Privacy Legislation

Since 2023, we have seen an explosion in the number of state data privacy laws, demonstrating a clear focus amongst state governments in data privacy. In fact, according to the National Conference of State Legislatures, “at least 40 states and Puerto Rico introduced or considered at least 350 consumer privacy bills in 2023.” These data privacy laws create protections for a range of several types of data, from general consumer data protections to specific protections for health data and minor data. Furthermore, many of these new state data privacy laws have effective dates in 2024, and additional state data privacy laws will likely see passage in 2024. This state-level data privacy trend has a significant impact on state IT procurement and awareness of its effects can enable IT companies to better position themselves in the state and local market, even when selling to states that have not recently passed a new data privacy law. With this in mind, we feel it is important to look at these data privacy trends.

We will start by looking at examples of recent state data privacy legislation and the common data privacy actions taken by state governments before looking at how vendors can best position themselves in this privacy-focused market.

State Data Privacy Legislation

Washington, Nevada and Connecticut have all recently passed legislation with health data privacy provisions. Washington and Nevada’s laws, in particular, are focused on health data privacy. Washington’s My Health My Data Act is the first state law to create additional health data privacy protections not provided by Health Insurance Portability and Accountability Act (HIPAA), while Connecticut’s health data privacy regulations are part of a more general state data privacy act. All three states’ laws contain provisions expanding health data restrictions to organizations outside of HIPAA’s scope, prohibiting geofences around healthcare facilities, and forbidding organizations from distributing or collecting consumer health data without consent. Additionally, some of the provisions in each of the three states’ laws have upcoming effective dates in 2024, and several other states, such as Illinois and New York, are considering their own health data privacy legislation.

Connecticut’s new data privacy law, in addition to creating health data privacy regulations, also creates additional privacy protections for data related to minors and general consumer data. For instance, one provision in Connecticut’s new law with an effective date in October 2024 forbids organizations from collecting minors’ precise geolocation data, and another requires organizations perform data protection assessments for data processing activities that present a “heightened risk of harm” to consumers. Other states with recent consumer data protection laws include Oregon, Texas, Florida, Montana, and Utah. It is worth mentioning, however, that Utah’s new data privacy law, the Utah Consumer Privacy Act, effective as of December 31, 2023, differentiates itself from many of the other recent state data privacy laws by being more business-friendly than its contemporaries thanks to, among other factors, the use of more restrictive definitions and a threshold of applicability that requires fewer companies to adhere to the new regulations.

Common Provisions Amongst States

While the contents of the more general new data privacy laws vary by state, many of them share some common provisions. Common provisions include mandatory data privacy assessments for high risk data, requiring organizations receive consent before selling consumers’ personal data (or, at the very least, requiring organizations allow consumers to opt-out of the sale of their personal data), allowing consumers to obtain copies of the data organizations have collected on them, and requiring organizations to delete consumers’ data upon the consumer’s request. Furthermore, several of these laws contain provisions granting additional protections specifically for minors’ data, as well as provisions creating additional data privacy requirements for biometric data and provisions requiring organizations adopt data security practices. Some laws also have data minimization requirements, meaning they require organizations to collect only data that is necessary for them to accomplish their purpose, though a February 2024 report by the Electronic Privacy Information Center and the U.S. Public Interest Research Group (US PIRG) Education Fund on state data privacy laws found only California, which passed its comprehensive data privacy act in 2018, had strong data minimization rules.

In addition to data privacy legislation, numerous states have created Chief Privacy Officer (CPO) positions. The structure of these Chief Privacy Officer roles varies by state. For example, some Chief Privacy Officers have authority over their states’ entire governments, while others have more limited authorities, and some Chief Privacy Officers answer directly to their state governor’s office, while others answer to the state Chief Information Officer (CIO) or other officials. Similarly, Chief Privacy Officers’ duties also vary by state. Responsibilities may include working on data privacy standards and data privacy employee trainings for state agencies and approving IT procurement contracts. Chief Privacy Officers involved in IT procurement are particularly relevant for vendors and partners to consider when selling to state agencies; however, regardless of the specifics of their role, state Chief Privacy Officers play an important part in determining how state agencies treat citizens’ data.

What this Trend Means for IT Companies

Now that we have taken a look at some of the data privacy trends impacting state governments, let’s look at how IT companies can best position themselves in this increasingly privacy-focused market.

First, even if you are selling to a state that has not passed any state-level data privacy policies, adhering to the data privacy regulations in states which have passed such policies can still make your products more competitive. Being able to point to compliance with additional regulations not needed where you are selling your services may make government decision makers more interested in your solutions.

Numerous polls have found the majority of Americans are concerned with how companies and governments are using their data, including an October 2023 report from Pew Research finding 71% of US adults say they are somewhat concerned about how the government uses data it collects about them and 81% of US adults saying companies will use the information they collect in ways people are uncomfortable with, so government officials may be responsive to solutions which address some of the public’s privacy concerns.

Furthermore, many of the new state data privacy laws also come with new data security requirements. This creates plenty of opportunities for organizations selling cybersecurity solutions. Make sure to talk to your state customer about how your solution can protect the services they already have in place and look into partnering with companies selling IT solutions outside the cybersecurity space that might benefit from additional data protection services. If you sell non-data security solutions, emphasize any tools built into your solutions to keep consumer data secure. Examples of relevant cybersecurity solutions with potential opportunities arising from these data security requirements include identity and access management solutions and encryption, both of which can ensure data in the cloud or in transit remains secure.

Additionally, look into whether the state you are selling to has a Chief Privacy Officer and, if they do, what their role entails. You will want to pay particularly close attention to CPOs who have a role in their state’s IT procurement approval process. Even those CPOs without a direct say in IT procurement may still have an impact on the state agencies you wish to sell to by establishing privacy standards for the agency.

Discuss with your customer any tools you have in place to ensure data privacy regulation compliance and assure your customer of the effectiveness and robustness of your data organization, management, and maintenance procedures. If a state agency you have a contract with requests you delete particular kinds of data (and state laws or contractual terms require you comply with such a request), for instance, having effective metadata that enables you to easily identify which information meets the criteria for deletion and which does not can reduce your workload and assure your customer that you can adhere to their request without making any errors.

Finally, remember state agencies are also working to adhere to data privacy requirements themselves. Talk to your customer about any solutions you have which can help agencies adhere to data privacy regulations. AI document redaction software, solutions which ensure data is properly deleted, and solutions which check the data your customer collects to verify if it is information they are allowed to collect may all find opportunities here.

While these new data privacy regulations may increase IT companies’ regulatory burden, they also present tons of potential opportunities for companies in the public sector market. Given that we expect this trend of states establishing data privacy requirements to continue, we highly recommend IT companies stay aware of these opportunities and keep up to date with state data privacy changes so as to remain well positioned as the state data privacy landscape changes. IT companies failing to keep up to date with the changing data privacy landscape risk finding their products or services falling into non-compliance. It is better to have data privacy procedures that you do not need than to lack data privacy procedures required by regulation, and it is better to meet these requirements before these laws are enacted than find yourself having to quickly add these data privacy procedures to your solutions in order to continue selling to certain state and local governments.

To get more TD SYNNEX Public Sector Market Insight content, please visit our Market Intelligence microsite.

About the Author:
Gabriel Zighelboim serves as the market insights data analyst within the market insights team at TD SYNNEX Public Sector, specializing in leveraging quantitative and qualitative analysis of government IT procurement data to deliver actionable insights to TD SYNNEX’s vendors and resellers in the public sector.