By Cynthia Brumfield
While at the federal level security and privacy legislation are lost in a morass of partisan politics and corporate lobbying delays, states have been moving ahead to push through an impressive number of important bills that help fill in the gaps. A search of the Legiscan database reveals that hundreds of bills that address privacy, cybersecurity and data breaches are pending across the 50 states, territories and the District of Columbia.
The most comprehensive piece of state-level legislation across these often-intertwined categories that has been enacted over the past two years is the sweeping California Consumer Privacy Act (CCPA), enacted and signed into law on June 28, 2018. Inspired by the EU’s groundbreaking General Data Protection Regulation (GDPR), the legislation aims to give the state’s consumers greater control over how businesses collect and use their personal data. In November 2020, California voters approved the California Privacy Rights Act (CPRA), which creates a new consumer privacy agency and aligns privacy regulations more closely with the GDPR.
The CCPA is slated to take effect on January 1, 2020, giving those who believe the bill was too broad or too narrow time enough to limit or expand its scope. So far two bills have been introduced in the California Assembly to expand the scope of CCPA, while nine draft bills seek to limit its impact.
In the sections below, we summarize the current provisions of the CCPA, along with other major pieces of state legislation that have been recently enacted and signed into law. Each of these recently adopted measures in its own way significantly impacts privacy, data security, cybersecurity or data breach notification requirements in the respective states.
The CCPA incorporated many of the GDPR-inspired provisions in what had previously been a ballot measure in the state called the Consumer Right to Privacy Act of 2018. The legislation’s provisions “grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.”
The law applies to businesses that collect information from California residents and meet at least one of the following thresholds: (1) have over $25 million in annual gross revenue; (2) buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their revenue from the sale of consumers’ personal information.
Among some of the more noteworthy of the many expansive provisions in the law are sections that:
California Privacy Rights Act (CPRA)
California voters approved this ballot measure in November, making it law effective on January 1, 2023, though with a six-month grace period on enforcement. The CPRA mandates the creation of a consumer privacy agency, which takes responsibility for privacy law violations away from the state’s attorney general.
The most significant changes from the CCPA are:
While California’s CCPA grabbed all the headlines, Nevada quietly passed its own tougher online privacy law, Senate Bill 220, which was signed into law by the governor on May 30, 2019. The bill amended Nevada’s existing privacy law by requiring businesses to offer consumers an opt-out regarding the sale of their personal information, with some exceptions. The bill goes into effect on October 1, 2019, prior to the effective date of the CCPA, making Nevada’s legislation the first in the U.S. to grant consumers a right to opt out of the sale of their personal data.
Unlike CCPA and GDPR, Nevada’s bill does not add any new notice requirements for website operators but does require them to post certain items of information in their privacy policies, including the categories of information collected, the categories of third parties with which the data is shared, a description of the process consumers may use to review and request changes to their covered information, a disclosure that third parties may track consumers’ online activities and the effective date of these notices.
Organizations that violate these terms may be subject to a penalty up to $5,000 per violation as well as a temporary or permanent injunction. Under the law, the attorney general’s office will have the power to bring actions for violations but must allow offenders a 30-day period to fix violations other than those that deal with opt-out rights.
On June 7, 2019, Maine Governor Janet Mills signed a bill to protect the privacy of online consumer information. The bill goes into effect on July 1, 2020. The legislation specifically bars broadband internet access providers from “using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access,” with some exceptions.
The bill also prohibits broadband providers from refusing to serve a customer or charging them more if they don’t consent to the use, disclosure, sale or access of their personal data.
The bill further requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access. Under the bill, personal information is defined as (a) “personally identifiable customer information” about the customer and (b) information derived from the customer’s use of broadband internet access services such as web browsing history, geolocation data, device identifiers and a number of other technical data points that can be used to identify individuals.
Regulators at the New York Department of Financial Services (DFS) adopted new rules, 23 NYCRR 500, on February 16, 2017, that place certain minimum cybersecurity requirements on all covered financial institutions. These rules require each company to assess its specific risk profile and design a program that addresses its risks in a robust manner.
The deadline for certain required regulatory activities under the new rules was March 2019. Under the requirements, any DFS-regulated entity that meets certain criteria (more than 10 employees, more than $5 million a year in revenue and year-end assets exceeding $10 million) that is doing business in New York is required to establish an internal cybersecurity program to protect information assets under their control.
Smaller entities have to meet other obligations, including limiting access to information, assessing their risk, implementing policies related to third-party data control, and disposing of their own data. All regulated entities are obliged to report data breaches, regardless of size.
The rules further require covered entities to designate a Chief Information Security Officer and maintain audit trails, among a host of other good cybersecurity practices spelled out in the regulation.
On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (Senate Bill S5575B), which expands the state’s current data breach law and imposes affirmative cybersecurity obligations on covered entities.
Among other things, the bill:
The first four provisions go into effect on October 23, 2019 while the last one mandating security requirements goes into effect on March 21, 2020.
Signed into law by Governor Charlie Baker on January 10, 2019 and effective as of April 11, 2019, the new law:
Copyright © 2021 IDG Communications, Inc.