If you are interested in our monthly data privacy tracker, tracking all of the developing federal and state data privacy laws in the United States, contact us for more information.
From Equifax to the recent Russian hack, over the past few years, growing threats and concerns regarding data privacy and security have inspired hundreds of privacy law proposals within the United States (US) federal and state legislatures.
Though privacy legislation has so far failed to pass on a federal level, the likelihood of such legislation increases every day, especially, as state legislatures continue to advance their own data privacy bills.
All fifty states in the US, in addition to the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have already implemented data breach notification laws and have considered at least one data privacy bill in the last two years. And (thus far) in 2021 alone, four states have enacted new and/or substantially revised data privacy laws, including California, Colorado, Nevada, and Virginia; and Connecticut and Texas passed legislation to broaden the scope of their data breach notification laws. This considerable number of legislative proposals, and even some successes, in such a short amount of time reflects the drive and willingness of US lawmakers on both sides of the aisle to implement a comprehensive data privacy law framework.
Ready or not, comprehensive data privacy laws will be coming soon to a state near you!
To keep pace with data privacy legislation in countries around the world, in 2018, following the enactment of the General Data Protection Regulation (GDPR) in the European Union, California became the first state to pass a comprehensive data privacy law, the California Consumer Privacy Act of 2018 (CCPA). Initially passed by referendum, California citizens again voted to substantially modify and expand the protections provided by the CCPA by passing the California Privacy Rights Act of 2020 (CPRA) in November of 2020. To reduce confusion, the CCPA and the CPRA are referred to together herein simply as the “CCPA.”
By enacting comprehensive data privacy legislation, not once but twice, before any other state, California and the CCPA paved the path and set the best practice standards for data privacy in the United States. Following in its footsteps, nearly every state has proposed legislation modeled on and similar to the CCPA. This year, both Colorado and Virginia successfully passed CCPA-like legislation (while countless other states came extremely close).
As a result of the CCPA’s influence, state privacy laws (at minimum) generally include the following rights and requirements:
- The Right to Know. A business must affirmatively disclose, at or before the point of collection, the categories and sources of personal information collected and the business or commercial purposes for which personal information is collected, sold, or shared.
- The Right of Access. Upon request, a business must inform an individual: (i) the specific pieces of personal information it has collected, and (ii) the categories of personal information that were sold or disclosed, and the categories of third parties to whom each was sold or disclosed. Additionally, a business must provide a consumer with data portability.
- The Right to Delete. Subject to certain business exceptions, a business must comply with a request to delete any personal information the business has collected about an individual.
- The Right to Correct. A business must use commercially reasonable efforts to comply with a request to correct inaccurate personal information.
- The Right to Opt-Out. A business must comply with an individual’s right to “opt-out” and direct a business not to sell, share, and in some cases, even disclose or use the individual’s personal information.
- The Right to Equal Service. A business is prohibited from discriminating or retaliating against, from providing lesser quality services or goods, or increasing fees because individuals have chosen to exercise any of their rights.
- Written Contract Requirement. A business must have a written contract with its service providers and contractors to require such party to comply with certain privacy restrictions and obligations.
- Consumer Requests Requirement. Among other requirements, a business must provide individuals with at least two methods of submitting a request and must respond to any such request within forty-five days. Service providers and contractors must also cooperate with and assist a business in the fulfillment of any such request.
- Exemptions. Generally, all states offer exemptions for data processed pursuant to the GLBA and HIPAA. Some states also provide partial or full exemptions for certain entities and personal information, including financial institutions, non-profit organizations, employee information, and information collected during business transactions. Businesses should be careful in interpreting these exemptions; while an exemption may apply to some of the data processed by your business, it often will not exempt all of the data processed by your business and/or all of the uses of such data.
- Enforcement and Private Right of Action. State laws typically place enforcement powers with the Attorney General and/or a new regulatory body established for compliance and oversight purposes. Some states also provide individuals a private right of action for certain violations of the law by a business.
While only a few states have enacted comprehensive data privacy legislation so far, each law has included some variation of the provisions summarized above. Though approaches may slightly vary, lawmakers are consistently united on the concept of data privacy and individuals’ right to know and access the personal information businesses may collect about them. Data privacy law is a bipartisan issue that every state has considered and will continue to consider until such legislation is passed (whether at the state or federal level).
As the patchwork of state data privacy legislation continues to grow, the pressure is mounting on Congress to push through federal law. Although legislation failed to pass under the Trump Administration, many believe the Biden Administration will have the numbers to get a bill passed. While it is still unclear exactly what form such legislation will take, CCPA-inspired provisions are a common theme among the current proposals. Therefore, it is likely that any federal data privacy legislation will mirror the provisions typically found within state laws such as the CCPA (as described above).
Nonetheless, some contentious issues remain unknown, including (i) whether the law will include a private right of action, (ii) whether the FTC or a new government department will be responsible for enforcement, and (iii) whether federal law will preempt state laws and/or existing industry-specific federal laws.
Until lawmakers find compromise on these key provisions, a federal data privacy law will remain a pipe dream. And, in the absence of federal law, CCPA copycat legislation will continue to spread across the states, increasing compliance costs and confusion and impacting entities of all types and sizes.
Contact us for more information.
Rather than wait for the enactment of federal or state data privacy legislation, it may be advantageous for your entity to be proactive by updating its data privacy practices and protections now. Baldini Lang LLC has extensive experience working with data privacy laws and assisting clients in mapping out the steps they must take to comply with minimum requirements to best practice standards.