The Evolution of State Consumer Privacy Laws
By now, it should be common knowledge that the California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020. It’s also well-known that the state’s privacy legislation provides consumers with new rights concerning the collection and processing of their personal information.
With privacy law violations and countless data breaches being heavily featured in the news, the CCPA has not been without it's fair share of publicity.
As we approach the final quarter of 2019, and with still no concrete signs of a Federal privacy law on the horizon, several states are busily working on the enactment of their own consumer privacy laws.
It’s hard to deny that the example set by Europe’s General Data Protection Regulation (GDPR) has provided an urgent incentive for U.S. states to provide appropriate protections for its own citizens. However, according to a report by law firm White & Case, there is a “jumble of hundreds of laws enacted on both the federal and state levels” when it comes to consumer privacy protection for citizens of the United States.
Nothing new about State Privacy Legislation
Despite the massive rise in consumer privacy and data protection issues during the past few years, state-level privacy legislation is nothing new. In fact, according to Mitchell Noordyke, CIPP/E, CIPP/US, CIPM with the International Association of Privacy Professionals (IAPP), US states have been leaders in privacy regulation and enforcement for some time. He said:
Multiple states have passed legislation that targets a certain industry, activity, or type of data in the past, …What is new in the current moment is the energy at the state level to pass a comprehensive, rather than a narrow, approach to regulating privacy.
However, businesses that collect and process personal information should take care to note that while the momentum increases in states’ eagerness to pass comprehensive privacy legislation, the journey of a newly-introduced bill to enacted legislation is often hampered by various obstacles, and is likely to be subject to several amendments.
According to Noordyke:
Industry representatives and privacy advocates both have legitimate concerns and priorities that must be addressed prior to a workable solution making its way through a state legislature, …That being said, the sheer number of states working on comprehensive privacy legislation suggests that there will be at least one or two more states with comprehensive privacy laws in the next couple years.
In this article, we examine the progress made by multiple states, as they work almost feverishly to pass comprehensive privacy laws that can be adhered to by covered organizations.
#1: California Consumer Privacy Act of 2018 (CCPA)
Current Status: Approved - June 28, 2018
Enactment Date: January 1, 2020
The CCPA provides residents of California (consumer) with the right to submit an access request to a business, requiring it to disclose:
the categories and specific pieces of personal information that it collects about the consumer;
the categories of sources from which that information is collected;
the business purposes for collecting the information; and
the categories of third parties with whom the information is disclosed or sold.
#2: Nevada Consumer Privacy Law
Current Status: Approved - May 29, 2019
Enactment Date: October 1, 2019
In a nutshell, Nevada’s privacy law requires operators of websites and online services to honor a consumer’s direction not to sell his or her personal information. Unlike the California Consumer Privacy Act, Nevada’s law differs in notable ways, signalling the coming of a patchwork of fifty-plus different data privacy standards across the country, much like the state data breach notification laws.
#3: New York Privacy Act
Current Status: Introduced - January 18, 2019
Enactment Date: January 1, 2020
New York’s privacy bill echoes some of the protections in the CCPA, such as allowing consumers to see what data is being collecting on them, and who else has access to that data. They can also request correction or erasure, as well as the right to refuse their data being sold or shared with third parties.
The New York Act is being heralded as “bolder” than the CCPA, by requiring businesses to disclose their methods of de-identifying personal information and place special safeguards around data sharing, as well as allow consumers to be notified of the names of all entities with whom their information is shared.
#4: Hawaii Privacy Act
Current Status: Introduced - May 9, 2019
The Hawaiian privacy law requires that businesses disclose the categories and specific pieces of identifying information collected about a consumer upon receipt of a verifiable request from the consumer. The business must also disclose the identities of any third party organizations or persons to whom the business has disclosed, sold or otherwise transferred the personally identifying information of a consumer upon verifiable request from the consumer, and publicly disclose the categories of identifying information that is collected from consumers.
#5: Maine Act to Protect the Privacy of Online Customer Information
Current Status: Approved - June 6, 2019
Enactment Date: July 1, 2020
The Maine privacy act prohibits internet service providers from using, disclosing, selling or granting access to customers’ personal information, except in cases where the customer expressly consents to such use, disclosure, sale or access.
#6: Pennsylvania Consumer Data Privacy Act
Current Status: Introduced - April 5, 2019
The Pennsylvania Consumer Privacy Act is an Act providing for consumer data privacy, for rights of consumers and duties of businesses relating to the collection of personal information and for duties of the Attorney General.
#7: Massachusetts Consumer Protection Law
Current Status: Introduced - January 22, 2019
Massachusetts has Bill SD.341, which is “an Act relative to consumer data privacy,” and draws much of its language from California’s CCPA. However, one of the main differences between the Massachusetts Bill and the CCPA, is that the Bill provides an exception for businesses that collect or disclose their employees’ personal information, “so long as the business is collecting or disclosing such information within the scope of its role as an employer.” The Bill creates a private right of action for consumers who have “suffered a violation.”
#8: Maryland Online Consumer Protection Act
Current Status: Introduced - February 4, 2019
Maryland’s Online Consumer Protection Act requires certain businesses that collect a consumer's personal information to provide various notices to the consumer at or before the point of collection. The Act also authorizes a consumer to submit a request for information to a any business that collects personal data regarding the consumer.
Although there are certain common principles shared by all the above states, concerning their approach to a comprehensive privacy bill, each state will require covered businesses to conduct an inventory of data held, plus a data flow map, as a starting point for data privacy compliance, according to Mitchell Noordyke.
Noordyke mentioned segmenting data into European vs. US consumers. “But,” he said:
as states become more active that approach may become too much of an administrative burden for organizations to implement practicably. Companies may want to consider a global, rather than jurisdiction-based, approach to privacy.
Noordyke added that a compliance strategy is a situation-specific assessment, and one for which a company should engage counsel and consider its stakeholders. He said:
Assessing current data practices, thinking critically about whether a global- or jurisdiction-based compliance strategy is better for the business, ….And understanding the common principles that underlie the various state bills are good first steps for companies in the current moment.
NOTE: This article is provided for informational purposes only and does not constitute legal or professional advice. The Data Privacy Group recommends that businesses engage the services of an experience data privacy/data protection practitioner when preparing for compliance with data protection and privacy legislation.