After the introduction of the CCPA in 2018 a whole slew of states got on board the data privacy bandwagon, and it looked like there was real momentum in the direction of increased rights for citizens over their own data. By the middle of 2019 more than a dozen states had introduced some kind of privacy bill, either from scratch or as an amendment to existing privacy laws.
So how has that turned out?
Well, if you’re an advocate for increased user rights then you’d have to say things haven’t progressed quite as well as you might have hoped.
Several bills including those from Hawaii, Maryland and Mississippi have stalled in committees.
Many states, including Connecticut, Louisiana, Hawaii and Texas, dropped their bills in favour of setting up “task forces” to further investigate the topic.
Bills in New Jersey, Massachusetts, Illinois and others were referred back to committee or are pending carryover.
And in New York and Washington, privacy bills that were said to be even tougher than the CCPA also stalled, with New York merely making amendments to its existing data breach act.
But is this the result of hard business lobbying, or a sensible precautionary delay by states who don’t want to be endlessly bogged down with amendments and litigation because of untried legislation? After all, the passage of the CCPA has been followed by a stream of amendments which have only just been whittled down to a few successful ones.
I think it’s safe to say that both things are going on. Business will always lobby against extra regulation, and against any law that allows it to be sued, and ambiguity in the laws themselves could well turn into litigation.
In addition, why not wait and see how the CCPA plays out in the real world? Let California go through the messy business of trial and error!
Below are the most recent updates from the states that have managed to pass their privacy bills, where those bills have come into effect recently or will do so in the coming few months. This list of points isn’t exhaustive, so if you think you need to be compliant then do read the bill text (linked from its number). What I have tried to do is translate some of the more tortuous legalese into something that more closely resembles plain English.
California Consumer Privacy Act of 2018 (CCPA)
Effective January 1, 2020
The final round of amendments was passed before the CCPA takes effect. The amendments:
- Provides exemption for data held about employees and job applicants
- Provides exemption for data held about business customers
- Expands the definitions of “personal information” and “publicly available information”
- Specify the methods a business must make available for receiving consumer requests
- Provides exemption for vehicle warranty/recall purposes.
It’s also worth noting three other privacy bills, separate from the CCPA, which California has passed recently.
The first:
- Revises the definition of “personal information” to include unique biometric data, tax ID numbers and military ID numbers, amongst other things
- Provides directions regarding breach notification.
The second:
- Prohibits social media websites or apps from allowing people they know are under 13 to create an account unless they have the consent of a parent or guardian
- “Reasonable measures” must be taken to ensure that the person giving consent is the parent or legal guardian
- Does not come into force until 1 July 2020.
The third:
- Requires data brokers to register with the Attorney General
- Requires the AG to make the information provided accessible on its website.
An Act To Protect the Privacy of Online Customer Information
Takes effect on July 1, 2020
- Only applies to broadband internet access providers
- Prohibits selling customers’ personal information, including internet usage data, without specific consent
- Prohibits providers from refusing service, or offering a lesser service, to customers who decline to give consent.
Personal Information Privacy Act amendments
Took effect on October 1, 2019
- Amends the existing PIPA.
- Applies to businesses that maintain data, not just those that own or license it, so processors are now liable under the act.
- Restricts the use of information about a data breach to breach notification purposes (which includes notifying national information security organizations).
- Prohibits data processors from charging data controllers for access to the data and information required for the breach notification process.
An Act Relating to Internet Privacy
Took effect on October 1, 2019
- Adds to existing data privacy laws
- Grants the right for users to opt-out of data being sold
- Requires operators to establish a “designated request address” for users who want to opt out of their data being sold
- Requests must be responded to within 60 to 90 days
- Does not apply to personal information collected offline.
The New York SHIELD Act
Takes effect in March 2020
- Amends the state’s breach notification law
- Expands the definition of “breach” to cover unauthorized “access” to personal information, not just its “acquisition”
- Expands the definition of “personal information” to include credit/debit card numbers, usernames and passwords or other authentication data, and biometric information
- Expands the scope of businesses that the law applies to, to include any entity with personal information of NY residents
- Requires businesses to implement “reasonable safeguards” to prevent a breach of personal information
- Expands the circumstances under which a business is exempt from notifying of a breach
- Expands the time within which the state Attorney General can bring an action against a company from two years to three.
Consumer Information Protection Act
Takes effect January 1, 2020
- Amends the Consumer Identity Theft Protection Act (including shortening the name of the act!)
- Widens the scope of a “breach of security” so that it now covers personal information that an entity “maintains and possesses” rather than merely “maintains”
- Adds username and password (or other form of authentication) to the list of personal information sufficient to trigger breach notification.
- Requires that “vendors” notify individuals within 10 days if they are affected by a data breach
- Requires that “vendors” notify the state Attorney General if a breach affects more than 250 people.
Texas HB 4390
Takes effect January 1, 2020
- Amends the Texas Identity Theft Enforcement and Protection Act
- Creates the Texas Privacy Protection Advisory Council, “to study data privacy laws in this state, other states, and relevant foreign jurisdictions”.
- Requires that individuals be notified within 60 days if they are affected by a data breach
- Requires that the Texas Attorney General be notified within 60 days if personal information of more than 250 Texans has been breached
The other Texas privacy bill, HB 4518, which would have granted consumers more rights over how their personal information is processed, stalled in favour of HB 4390.
The most important question to ask right now is: what data privacy strategy is best for my business? Do you try to keep up with the constant changes, or do you adopt the most restrictive data privacy rules in order to cover all bases? Will customers see this as attractive, or is it going to hurt your competitiveness?
TBG can help you navigate this rapidly changing environment and find out what’s best for your own circumstances.
Contact us today.