Data Privacy Laws by State: The Good, The Bad, and The Ugly

When OpenAI co-founder Sam Altman announced that ChatGPT was expanding its privacy settings to allow users to disable their chat history and exclude their data from AI training, private citizens and businesses all had the same question:

Did ChatGPT record every piece of data typed into the platform prior to this decision?

While some may disagree about whether ChatGPT represents a greater cybersecurity risk than its predecessors, this machine learning-enabled site can store personally identifiable information entered into the chatbot, leaving users and the businesses they work for vulnerable to privacy breaches.

Timers, reminders, dictionaries, and encyclopedias were quickly swapped for voice-activated assistants. Have you mistakenly said “thank you” to your Google or Siri home speaker yet?

As technology continues to advance, your employees are increasingly welcoming the convenience and seamless integration of virtual assistants into their work lives. Governments and privacy experts, on the other hand, are pushing back, expressing concerns about data retention policies.

Since 1996, healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates, have been subject to strict rules and standards for the handling of personal health information (PHI). Under the Health Insurance Portability and Accountability Act (HIPAA), these entities are required to implement physical, technical, and administrative safeguards such as encryption, access controls, and regular risk assessments to promote trust and confidence in the healthcare system.

In 2018, the European Union implemented the General Data Protection Regulation (GDPR). This comprehensive privacy law is aimed at protecting individuals’ rights to access, correct, and delete their personal data. Under GDPR, consumers have the right to object to the processing of their data if organizations don’t provide extensive documentation about how their information will be used.

While states are responsible for regulating data privacy, the Federal Trade Commission (FTC) has the authority to investigate and take action against businesses that engage in unfair or deceptive practices related to data privacy. 

Remember the 2019 Facebook court trials?  

The FTC fined Facebook $5 billion for violating users’ privacy following an investigation that uncovered evidence of the tech giant allowing its users’ personal information to be shared with third-party apps without their consent.

Sensitive business information, such as contract terms, billing information, and payment details, could pose a serious risk if released to the competition or the public. Let’s talk about the kinds of threats your business could be facing if your employees use ChatGPT to wordsmith routine client correspondence.

Most states have data privacy laws in place to protect their residents, but some states have none. This means that, depending on where you live, you may have no legal recourse to protect yourself, your business, and your employees from loss of revenue, damage to reputation, identity theft, and legal consequences.

California, Vermont, and New York residents benefit from some of the strongest data privacy protections:

  • The California Consumer Privacy Act gives the state’s residents the right to know what information businesses collect about them, the right to delete that data, and the right to opt out of the sale of their personal information.
  • Vermont’s Data Broker Regulation not only gives the state’s residents the right to opt out of having their personal information sold by data brokers, it also requires data brokers to register with the state and disclose their data collection practices. 
  • New York’s Stop Hacks and Improve Electronic Data Security Act mandates that businesses implement reasonable data security measures and report data breaches to the attorney general’s office. 

Mississippi and South Dakota may have no specific data privacy laws, but their state governments require that entities deliver breach notifications to all affected parties. Businesses in Alabama, Arkansas, Kentucky, Utah, and Wyoming are left vulnerable to unauthorized access, use, and disclosure of employees’ personal information and company operational records.

Valuable data is often isolated in a multitude of databases and separate systems that aren’t integrated through a centralized governance process or data architecture. If your business is already in compliance with data privacy laws, here are some best practices you can follow to protect any personal or sensitive data at your disposal:

  • Use strong passwords and change them frequently
  • Avoid sharing personal information online, especially on social media 
  • Be cautious when clicking on links or downloading attachments in emails 
  • Monitor credit reports and bank statements regularly for signs of fraud 
  • Use encryption and access controls to protect sensitive data 

Need help navigating the rapidly changing landscape of language model-powered chatbots? 

Consider implementing a consent management and validation protocol. The businesses we support benefit from an ongoing data governance initiative, including hassle-free comprehensive compliance automation. In addition to promoting transparency, a consent management platform can ensure that your employees are informed about the purpose, scope, and risks associated with processing company data.  

If you need a strategic partner who can help you take advantage of increased efficiency, reduced risk, and more intelligent decision-making, let’s work together. Project-3’s solution architects will support your team in identifying the right tools to enforce your business’s unique privacy policy across key operational touch points. Contact us for more info.