Data Privacy Law Shake-Up: GLBA, State Laws, and What’s Next

If you thought keeping up with data privacy regulations was challenging before, buckle up—the landscape is changing faster than ever. Between federal updates, a wave of new state laws, and California leading the charge with groundbreaking legislation, businesses across the Golden State need to stay sharp to remain compliant.

The past two years have brought some of the most significant changes to data privacy law we’ve seen since HIPAA first made everyone nervous about handling personal information. Let’s break down what’s happening and what it means for your business.

GLBA Gets a Major Overhaul

The Gramm-Leach-Bliley Act just got some serious teeth. The Federal Trade Commission finalized major amendments to the GLBA’s Safeguards Rule that took effect on June 9, 2023, and they’re not messing around.

Enhanced Safeguards Rule Requirements:

  • Mandatory risk assessments and strict access controls
  • Encryption of customer data both in transit and at rest
  • Appointment of a qualified individual to oversee information security programs
  • Regular testing and monitoring of security measure effectiveness

But wait, there’s more. As of May 13, 2024, financial institutions must notify the FTC within 30 days of discovering any data breach affecting 500 or more consumers. That’s a pretty tight timeline when you’re dealing with a crisis situation.

For businesses handling financial records, this means your data protection strategies need to be bulletproof. The days of “we’ll figure it out later” are officially over.

State Laws Are Racing Ahead

While federal lawmakers debate, states aren’t waiting around. In just the past two years, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island have all enacted comprehensive data privacy laws. Most of these are set to take effect between 2023 and 2025.

But California, as usual, is setting the pace. The California Delete Act, signed on October 10, 2023, is a game-changer. This pioneering law allows California residents to submit a single request to delete their personal information across all registered data brokers. Data brokers must register with the California Privacy Protection Agency and comply with deletion requests—no exceptions.

For businesses managing records storage in California’s Central Valley, this creates new challenges around data lifecycle management and secure destruction protocols.

Federal Efforts and What’s Coming

The American Privacy Rights Act (APRA) made headlines when it was introduced in April 2024, promising to establish a comprehensive federal framework for data privacy. The proposed legislation would have limited data collection and usage, expanded consumer rights to access and delete personal data, and required data broker registration.

Unfortunately, APRA faced significant opposition and stalled in Congress. However, its introduction signals the direction federal privacy law is heading—more comprehensive, more restrictive, and more consumer-focused.

Meanwhile, regulatory enforcement is ramping up. The FTC continued aggressive enforcement of privacy regulations throughout 2023, bringing numerous cases against companies for data breaches and inadequate consumer data protections. The Consumer Financial Protection Bureau has also announced plans to regulate data brokers under the Fair Credit Reporting Act.

What This Means for Your Business

All these regulatory changes boil down to one thing: businesses need rock-solid records management systems that can handle evolving compliance requirements.

Key areas to focus on:

  • Secure Storage: Your records storage must meet encryption and access control standards
  • Data Lifecycle Management: Know what you have, where it is, and when it needs to be destroyed
  • Retrieval Capabilities: Quick access for compliance requests through professional retrieval services
  • Secure Destruction: Proper disposal when retention periods end

The complexity of managing compliance across multiple jurisdictions makes professional records management more valuable than ever. With NAID AAA Certification and decades of experience, the right partner can help navigate these choppy regulatory waters.

Don’t let changing privacy laws catch your business off guard. The regulatory environment will only get more complex, and the penalties for non-compliance continue to grow.

Ready to future-proof your records management strategy? Call us at (800) 685-9034 or complete the form on this page today to discuss how Pacific Records can help your business stay compliant in this rapidly evolving regulatory landscape.

 
