March 05, 2020
Enterprise Program Leadership

New State Regulations: Getting Ahead of the Compliance Curve

On January 1, 2020, the California Consumer Privacy Act (CCPA) became effective; enforcement will begin July 1, 2020. Now, additional states are following California’s lead. 

CCPA — the much-buzzed-about state statute — is intended to protect California residents’ data privacy and improve personal data protection as it relates to how businesses collect and use personal information.

As details around the regulation were solidified, many companies ran analyses, some made assumptions, and many did nothing because they believed that the CCPA wouldn’t impact their company.

With additional states proposing to pass their own CCPA-like legislation, that could be changing. New York, Maryland and Massachusetts have all had regulations pending for some time, and Illinois recently jumped on board proposing their own data privacy legislation.  As more and more states start moving toward finalizing regulations, more and more companies are going to be impacted.

For those who are local to the Chicagoland area, the proposed Illinois regulation is especially interesting as it has the potential to be highly impactful.  The details of the proposal appear to follow the requirements from California, but there are some differences of note, including the definition of “sale of data.”  Based on this regulation’s drafted language, following the roadmap laid out by California would not be wasted effort and would help companies to be prepared.

Although it’s always easy to kick the can down the road and deal with things like this “when the time comes,” getting ahead of the curve is advantageous. All businesses experience ebbs and flows.  Taking advantage of relative downtimes can help ensure preparedness for changes and avoid the inevitable fire drills that arise when the timing isn’t great.

No matter which state passes legislation next, how that impacts your organization, and how the nuances differ, foundational basics will be required.  Preparedness is key, and the following things can be done now:

  • Define personal information (PI) data elements stored throughout your systems.
  • Identify where those elements are stored.
  • Measure the impact of those data elements. If data is deleted, are there downstream impacts?
  • Inventory all privacy notices to be updated, if needed.
  • Review relationships with vendors that supply data being ingested into the systems and receive data from the systems. Is that transaction considered a sale of data?

Yes, it can all be overwhelming.  But the sooner companies get organized, the easier it will be to implement change as it is needed.

We can help.

Kenway Consulting is a management and technology consulting firm that empowers companies to thrive in tomorrow’s market by helping them with compliance and regulatory changes, data and analytics, technology implementations and transformations, and process improvements today.

Working as a bridge between business and IT stakeholders, we create an actionable strategic roadmap that reduces risk and positions your company to confidently and efficiently comply with regulatory requirements now and in the future.

Interested in learning more? Read about Kenway’s experience in the data privacy regulatory space here, or reach out to us at for more information.

How Can We Help?