The California Consumer Privacy Act (CCPA) goes into effect Jan. 1, 2020. The Golden State’s privacy legislation, which gives consumers new rights regarding the collection of their personal information, has certainly garnered many headlines when it comes to privacy law news in the US.
But California isn’t alone. Several states are in the process of enacting similar acts to protect consumer data privacy in the digital era. US states have taken the lead in a country that, at the moment, does not have sweeping data protection legislation at the federal level, as the European Union does with GDPR. Rather, in the United States, there is a “jumble of hundreds of laws enacted on both the federal and state levels” with regard to privacy and data protection for US citizens, according to a report by Steven Chabinsky and F. Paul Pittman of White & Case. The researchers also noted the Federal Trade Commission Act protects consumers against “unfair or deceptive practices” and serves as the enforcement arm for federal privacy and data protection regulations.
State Privacy Legislation Not Brand New
Although many states are currently enacting new legislation, state privacy legislation is nothing new in the US. US states have been leaders in privacy regulation and enforcement for some time, according to Mitchell Noordyke, CIPP/E, CIPP/US, CIPM with the International Association of Privacy Professionals (IAPP). He cited Illinois's Biometric Information Privacy Act, which has been around for a decade.
“Multiple states have passed legislation that targets a certain industry, activity, or type of data in the past,” Noordyke said. “What is new in the current moment is the energy at the state level to pass a comprehensive, rather than a narrow, approach to regulating privacy.”
The Law Keeps Evolving
But companies that process customer data in the digital world should take note: while there is interest in passing significant comprehensive privacy legislation in multiple states, moving from an introduced bill to enacted legislation is fraught with potential hangups, according to Noordyke.
“Industry representatives and privacy advocates both have legitimate concerns and priorities that must be addressed prior to a workable solution making its way through a state legislature,” he said. “That being said, the sheer number of states working on comprehensive privacy legislation suggests that there will be at least one or two more states with comprehensive privacy laws in the next couple years.”
Let’s take a look at some of the current US state privacy legislation that has been passed or is still moving through a legislative process:
California Consumer Privacy Act (CCPA)
Status: Approved, June 28, 2018
Effective date: Jan. 1, 2020
What it does: Grants consumers a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information and the categories of third parties with which the information is shared.
Maine Act to Protect the Privacy of Online Customer Information
Status: Approved, June 6, 2019
Effective date: July 1, 2020
What it does: Prohibits a provider of broadband internet access service from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. As the IAPP notes, this applies only to Internet service providers.
Nevada Act Relating to Internet Privacy
Status: Approved, May 29, 2019
Effective date: Oct. 1, 2019
What it does: Prohibits an operator of an Internet website or online service which collects certain information from consumers from making any sale of certain information about a consumer if the consumer doesn't want this.
Pennsylvania Consumer Data Privacy Act
Status: Introduced April 5, 2019
What it does: Provides for consumer data privacy, for rights of consumers and duties of businesses relating to the collection of personal information.
Massachusetts Consumer Data Privacy Act
Status: Introduced Jan. 22, 2019
What it does: A consumer can request that a business that collects their personal information disclose to that consumer.
Hawaii Act Relating to Privacy
Status: Introduced May 9, 2019
What it does: Businesses must disclose the categories and specific pieces of identifying information collected about a consumer upon verifiable request from the consumer. They must also disclose the identity of third parties to which the business has sold or transferred identifying information about a consumer upon verifiable request from the consumer and publicly disclose the categories of identifying information that are collected from consumers.
New York Privacy Act
Status: Introduced Jan. 18, 2019
What it does: Requires companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.
Maryland Online Consumer Protection Act
Status: Introduced Feb. 4, 2019
What it does: Requires certain businesses that collect a consumer's personal information to provide certain notices to the consumer at or before the point of collection. Also authorizes a consumer to submit a certain request for information to a certain business that collects the consumer's personal information.
Conclusion: Bills Share Common Principles
Each state's approach to a comprehensive bill is different, but there are common principles across them. They all will require an organization to conduct some form of data inventory and data flow mapping at a minimum to begin a journey to compliance, according to IAPP's Noordyke.
A common approach to compliance with privacy laws has been one based on jurisdiction, he added. Noordyke cited segmenting data into European vs. US consumers. “But,” he said, “as states become more active that approach may become too much of an administrative burden for organizations to implement practicably. Companies may want to consider a global, rather than jurisdiction-based, approach to privacy.”
Compliance strategy, Noordyke added, is a situation-specific assessment, and one for which a company should engage counsel and consider its stakeholders. “Assessing current data practices, thinking critically about whether a global- or jurisdiction-based compliance strategy is better for the business,” he said, “and understanding the common principles that underlie the various state bills are good first steps for companies in the current moment.”