As demonstrated by the €183 million fine facing British Airlines, data privacy issues and corresponding regulations are some of the greatest challenges that companies face today. While companies affected by the GDPR have felt the initial wave of fines, requirements, and standards, privacy is now an international issue.
The US has already started on a path toward revolutionary privacy regulation. With laws passed in California and Nevada and bills planned in many other states, companies should expect to be impacted within the coming months.
This article breaks down the crucial parts of each state’s privacy regulation law/bill — including who they cover, when they take effect, penalties, how to achieve compliance as well as why states took the reins before the federal government to protect consumer’s personal data.
As one of the first privacy laws passed after the GDPR, the CCPA is acting as the blueprint for other bills in the US. Effective January 1, 2020, the CCPA applies to a business that collects/processes California residents’ personal data or does business in California.
These businesses are subject to the CCPA if they either:
Exceed a gross revenue of $25 million
Buy, receive, sell, or share (combined total) personal information of 50,000 or more consumers households, or devices
Gain 50% or more of annual revenue from selling consumer’s personal information
The CCPA grants rights to consumers similar to the GDPR, including the disclosure of personal information and requests for personal data. Businesses are required to respond to verifiable consumer requests with information, such as categories and data of personal information, third parties, and categories of third parties with which data is shared, and more.
This section, known as data subject requests (DSR) grants users access to and deletion options for their personal information. Also, the CCPA requires that businesses display a “Do not sell my personal information” link on their homepage.
The CCPA will be enforced by the Attorney General and includes fines up to $7,500 for each individual violation.
Nevada’s Privacy Law
Nevada’s privacy law was signed in on May 29, 2019, but is effective on October 1, 2019, three months before the better-known CCPA. The laws are very similar but have a major difference in how “sale” is defined. Nevada’s law is narrower, not covering all service providers and being more lenient on financial institutions.
According to InfoLawGroup, the CCPA and Nevada law are similar in that both require “businesses to come up with a process to verify the legitimacy of a consumer opt-out request and require businesses to respond to the request within 60 days.”
Similar to California, Nevada’s enforcement lies with the Attorney General and includes fines of up to $5,000 per violation.
Washington State’s Privacy Bill
Washington’s Senate passed a bill on data privacy in March of 2019 with a 46-1 vote. The bill remains in the Senate after being passed through and amended in the House. Similar to the CCPA, Washington’s bill facilitates privacy requests for access, correction, deletion, and more.
The bill has garnered support from the public and businesses alike. As Brad Smith, Microsoft’s Chief Legal Officer, stated, “At Microsoft, we believe privacy is a fundamental human right, and we support efforts by lawmakers in Olympia to protect the data and privacy of Washington consumers in a manner that allows innovation to continue and is also sensitive to the needs of the state’s small businesses.”
Drawn straight from the CCPA, Washington’s bill allows for fines up to $7,500 per violation. If passed, the bill could be effective as soon as December 31, 2020.
New York’s Privacy Bill
In May, New York State Senator Kevin Thomas introduced one of the most revolutionary bills in data privacy. The requirements were standard and include the ability for residents to access, correct, delete, and keep their personal data from third parties. However, more expansive provisions were added, such as obligations to data fiduciaries and the right for residents to file a lawsuit against companies if they are injured by reason of a violation. This private right of action is one of the biggest separating points from other regulation and could incentivize consumers to go after companies that lack compliance.
The bill is also broader than the CCPA, covering any company that holds the “sensitive data of New York residents”, with no revenue requirement for covered entities.
Federal Regulation? What to Expect Going Forward
Despite proposals from the Government Accountability Office and officials, including Marco Rubio, federal data privacy regulation is still in the early stages. While the government has focused on data scandals, with strong action from the FTC, laws to control companies that collect, share, sell, and process consumer data are sitting on the backburner.
In response, states have taken action. With laws passed in two states, bills proposed in others, and nine states passing new data breach notification laws, we’re witnessing the beginning of a massive shift towards protection for consumer data and accountability for businesses that control and process it.
Servicing data subject access requests is one of the greatest challenges faced by companies achieving compliance with the GDPR and will similarly impact companies under most other privacy laws. According to a recent report, 58% of companies are receiving 11+ DSR requests per month, and 28% are receiving over 100. Further, the challenge arises when companies store user data in multiple systems. 65% of companies report having 11 or more systems with data that must be accessed to service a DSR.
To sustain compliance, businesses must be aware of current laws, future regulation in the works, and the potential for different standards across the US. Creating processes for handling DSARs, data portability and mapping, and user opt-in controls are a few of the necessary practices for businesses that collect personal data.