The current state of privacy laws in the USA 2020: what you need to know
Author: Carole Theriault
Date: Tuesday November 12
After the introduction of the CCPA in 2018 a whole slew of states got on board the data privacy bandwagon, and it looked like there was real momentum in the direction of increased rights for citizens over their own data. By the middle of 2019 more than a dozen states had introduced some kind of privacy bill, either from scratch or as an amendment to existing privacy laws.
So how has that turned out?
Well, if you’re an advocate for increased user rights then you’d have to say things haven’t progressed quite as well as you might have hoped.
Several bills including those from Hawaii, Maryland and Mississippi have stalled in committees.
Many states, including Connecticut, Louisiana, Hawaii and Texas, dropped their bills in favour of setting up “task forces” to further investigate the topic.
Bills in New Jersey, Massachusetts, Illinois and others were referred back to committee or are pending carryover.
And in New York and Washington, privacy bills that were said to be even tougher than the CCPA also stalled, with New York merely making amendments to its existing data breach act.
But is this the result of hard business lobbying, or a sensible precautionary delay by states that don’t want to be endlessly bogged down in amendments and litigation over untried legislation? After all, the passage of the CCPA has been followed by a stream of amendments, which have only just been whittled down to a few successful ones.
I think it’s safe to say that both things are going on. Businesses will always lobby against extra regulation and against any law that allows them to be sued. And what if ambiguity in the laws themselves leads to litigation?
In addition, why not wait and see how the CCPA plays out in the real world? Let California go through the messy business of trial and error!
Below are the most recent updates from the states that have managed to pass their privacy bills and whose laws have come into effect recently or will do so in the coming few months. This list of points isn’t exhaustive, so if you think you need to be compliant, do read the bill text (linked from its number). What I have tried to do is translate some of the more tortuous legalese into something that more closely resembles plain English.
Prohibits social media websites or apps from allowing people they know are under 13 to create an account unless they have the consent of a parent or guardian.
“Reasonable measures” must be taken to ensure that the person giving consent is the parent or legal guardian.
Applies to businesses that maintain data, not just those that own or license it. Processors are now liable under the act.
Requires that information related to a data breach not be used for anything other than notification, including notifying national information security organizations.
States that data processors cannot charge data controllers for access to the data and information required for the breach notification process.
Expands the definition of “breach” from “acquisition” to “access”.
Expands the definition of “personal information” to include credit/debit card numbers, usernames and passwords or other authentication data, and biometric information.
Expands the scope of businesses the law applies to, to include any entity holding personal information of NY residents.
Requires businesses to implement “reasonable safeguards” to prevent a breach of personal information.
Expands the exemptions from breach notification under certain circumstances.
Extends the time within which the state Attorney General can bring an action against a company from two years to three.
Amends the Consumer Identity Theft Protection Act (including shortening the name of the act!).
Changes the scope of a “breach of security” so that it now covers personal data that someone “maintains and possesses” rather than, as previously, “maintains”.
Adds username and password (or other form of authentication) to the list of personal information sufficient to trigger breach notification.
Requires that “vendors” notify individuals within 10 days if they are affected by a data breach.
Requires that “vendors” notify the state Attorney General if a breach affects more than 250 people.
Amends the Texas Identity Theft Enforcement and Protection Act.
Creates the Texas Privacy Protection Advisory Council, “to study data privacy laws in this state, other states, and relevant foreign jurisdictions”.
Requires that individuals be notified within 60 days if they are affected by a data breach.
Requires that the Texas Attorney General be notified within 60 days if the personal information of more than 250 Texans has been breached.
The other privacy act, HB 4518, which would have granted consumers more rights over the personal information being processed, stalled in favour of HB 4390.
The most important question to ask right now is: what data privacy strategy is best for my business? Do you try to keep up with the constant changes, or do you put in place the most restrictive data privacy rules in order to cover all bases? Will your customers see this as attractive, or is it going to hurt your competitiveness?
TBG can help you navigate this rapidly changing environment and find out what’s best for your own circumstances.