The US States Taking the CCPA Road
Data protection legislation has become a global trend. Following the adoption of the EU’s General Data Protection Regulation (GDPR), countries across the world, from Australia and Japan to Brazil and Canada, have adopted tough privacy and data protection laws. However, the United States, one of the biggest players in the digital market, has yet to adopt a nation-wide comprehensive data protection regulation.
Efforts to enact data protection laws have so far been focused at state level, with California leading the way with its California Consumer Privacy Act (CCPA) and other states following in its footsteps. As US legislators begin seriously considering the possibility of a federal data protection law that would harmonize data protection across the United States, several states have moved forward with their own initiatives, with varying degrees of success.
Nevada Expands its Data Privacy Law
On 29 May 2019, Nevada enacted Senate Bill 220 (SB-220), an amendment to its online privacy law that is similar in spirit to the CCPA. Despite being passed in the wake of the CCPA, SB-220 will come into effect on 1 October 2019, three months before the CCPA comes into force on 1 January 2020, effectively making Nevada the first US state to give consumers the right to opt out of the sale of their personal information.
That being said, SB-220’s applicability criteria are much narrower than those of the CCPA. Sale, for example, is defined as the exchange of information for monetary consideration only, whereas the CCPA also counts other valuable consideration as a sale. This means that consumers can opt out of their information being sold to other companies for money, but may have no choice when it is exchanged for non-monetary consideration, a transfer the CCPA would still treat as a sale.
The law also includes a number of exceptions. Disclosures to data processors, service providers and affiliates, disclosures made as part of a transfer of assets in a merger, acquisition or bankruptcy, and disclosures for purposes consistent with the reasonable expectations of the consumer are exempt. Data already regulated under the GLBA and HIPAA is also excluded.
In case of noncompliance, SB-220 authorizes the Nevada Attorney General to seek an injunction or civil penalties of up to $5,000 for each violation of the law.
Oregon Updates its Data Breach Law
Oregon also updated its existing legislation, expanding its data breach notification statute on 24 May 2019, with the new provisions coming into effect on 1 January 2020, the same day as the CCPA. The update extended the law’s applicability to so-called vendors, essentially the data processors and service providers that companies contract and transfer consumer data to in the course of data management or processing activities.
Under the new provisions, vendors are obligated to notify Oregon’s Attorney General when they detect a data breach affecting the personal information of more than 250 Oregon consumers, or when the number of affected consumers cannot be determined. If the original data collector has already notified the Attorney General, the vendor no longer needs to do so. A vendor must also notify the data collector it works for within 10 days of discovering the breach.
Texas Takes a First Step Towards Data Protection Legislation
Two privacy bills were introduced in the Texas legislative session this year. House Bill 4518, inspired by the CCPA, failed to pass. The second, House Bill 4390, passed, but in a heavily amended version that simply updates Texas’s data breach notification statute and creates the Texas Privacy Protection Advisory Council, tasked with researching data privacy laws across the world and putting forward recommendations for statutory changes to the Texas legislature no later than 1 September 2020. The Advisory Council’s findings are likely to play a significant role in future Texas privacy law drafts, but, since the Texas legislature meets only in odd-numbered years, it also means that a comprehensive law may not be proposed before the 2021 legislative session.
HB 4390 updates the data breach notification requirements in Texas’s existing Identity Theft Enforcement and Protection Act. Companies will now have 60 days to notify Texas consumers about a data breach from the moment they discover it. They must also notify the Texas Attorney General if the breach affects more than 250 Texas consumers. The new provisions will come into effect on 1 January 2020.
Washington Strengthens Data Breach Notifications, But Rejects Privacy Bill
On 22 April 2019, the Washington legislature unanimously passed HB 1071, a bill that expanded requirements for data breach notifications, but failed to approve SB 5376, the Washington Privacy Act, an ambitious new privacy law inspired by the GDPR. While legislators are determined to push on, they will have to wait for next year’s legislative session to make their case.
HB 1071 reduced the window companies and government organizations have to notify affected consumers and the Attorney General from 45 to 30 days. Previously, notifications were required only when lost or stolen data included consumer names in combination with one of four types of personally identifiable information (PII): Social Security numbers, driver’s license numbers, state ID numbers or financial information. The categories of PII have now been greatly expanded to include full birth dates, health insurance ID numbers, medical histories, student ID numbers, military ID numbers, passport numbers, username and password combinations, and biometric data.
New York Ups the Stakes
Not one to be left behind, New York’s proposed Privacy Act (NYPA) would take data protection further than the CCPA and even its European cousin, the GDPR. Bill S5642, introduced last month by New York Senator Kevin Thomas, the Chair of the Consumer Protection Committee, would, if passed, significantly expand the scope of data privacy as we know it.
Among other things, it explicitly states that a data fiduciary’s duty is first and foremost to protect consumers’ data, and that this duty supersedes any duty owed to the owners or shareholders of the legal entity, affiliate, controller or data broker. The NYPA would also expressly grant New York residents injured by a violation of the act a private right of action, that is, the right to file a lawsuit against the offending company.
Unlike the CCPA, the NYPA does not condition applicability on a revenue threshold. This means that, like the GDPR, any business and even NGOs can be affected by it. The only excluded entities are state and local governments, those collecting and processing data that falls under the scope of other data protection regulations such as HIPAA or GLBA, and data sets maintained for employment records purposes.
While the NYPA is still in the very early stages of the legislative process – it is now under committee review and still lacks a co-sponsor – it shows New York’s commitment to a tough approach to data privacy and protection.
With different states at various stages of enacting data protection legislation, the clear discrepancies between the bills, whether strict new laws or minor adjustments to existing ones, are likely to intensify debates over a US federal privacy law. Like the EU, which saw the need for a unified data protection regulation to ensure smooth business operations across its member states, the US is likely to look to a federal privacy law to standardize data protection requirements nation-wide and to facilitate compliance for companies doing business across multiple states.
Until then, however, US businesses and international organizations offering goods and services to US residents must keep a close watch on state privacy laws as they evolve, to make sure their compliance policies are up to date at all times.