The United States (U.S.) privacy law landscape is continually shifting as federal and state privacy proposals are debated and enacted. The recent changes in the privacy law sphere can mainly be attributed to customers’ demand for transparency from business organizations.
The heightened interest in transparency stemmed largely from Cambridge Analytica’s irresponsible use of data in 2018, which affected millions of users in the U.S. Statistics also show that 85 percent of Americans will stick with an organization during a business crisis if it has an excellent history of being transparent.
This is because transparency eliminates customers’ anxieties or suspicions about the value of a company’s services. By providing customers with every detail about your offerings, including their limitations, businesses can show that they are not trying to hide any inconsistencies.
More than anything else, business transparency is about developing customer relationships that can withstand tough challenges. In other words, committing to transparency in a digital landscape sets your business up for success and gives your clients realistic expectations.
One of the most popular U.S. state laws geared towards providing customers more control about their information is the California Consumer Privacy Act (CCPA) of 2018. In general, CCPA was crafted to improve privacy rights and consumer protection for California residents.
More specifically, CCPA applies to any enterprise, including any for-profit organization, that collects the personal data of consumers or does business within California and meets any of the following thresholds:
- Has yearly gross profits over $25 million
- Purchases or sells the personal data of 50,000 or more customers or households
- Earns more than 50 percent of its annual revenue from selling the personal data of its customers
Under the CCPA standards, organizations are mandated to employ and uphold reasonable security procedures and practices in safeguarding consumer information. They are also required to update their privacy policies by including a full description of the privacy rights of California consumers.
CCPA became effective at the start of 2020, but enforcement begins only on July 1st, as the law currently faces numerous challenges from multiple organizations within the state. The primary intentions of CCPA are to give California residents the right to:
- Opt out of the sale of their personal information
- Access personal data that is held by businesses and service providers
- Have a general idea of what personal information is being collected about them
- Know whether their personal information is disclosed or sold and to whom
- Not experience discrimination after exercising their privacy rights
CCPA also has similarities to the European Union’s (E.U.) General Data Protection Regulation (GDPR) because it requires organizations to inform consumers about their privacy rights. However, a business being compliant with GDPR does not necessarily mean that it is already CCPA compliant.
This is because of critical differences between the two statutes, particularly in the definition of personal information. CCPA defines personal data as data that can identify, assign, relate to, or be directly or indirectly connected with a customer.
This information can include names, postal addresses, email addresses, internet protocol addresses, aliases, unique personal identifiers, online identifiers, and passport numbers. Unlike under GDPR, this data needs to be linked with a particular household or consumer to be considered personal information; otherwise, companies can use it without consent.
As the state government continues to polish the CCPA statute, many states are expected to follow in California’s footsteps soon. While Texas and Mississippi have seen CCPA-like legislation, states like Nevada have made headway in their online privacy efforts. At the same time, proposals in New York seem to be gaining momentum and are expected to heat up in the coming weeks.
Nevada’s Senate Bill (S.B.) 220
In May 2019, the Governor of Nevada enacted SB 220, which requires organizations to provide customers with a right to opt out of the sale of their data. Generally, SB 220 requires operators of online services and websites that gather personal data from Nevada customers to assess the extent to which they are selling covered data within the scope of the law. This lets them determine whether their online privacy notice needs to be updated.
While it has some similarities to the CCPA, the Nevada law does not require the organization to provide notice of the opt-out right, such as the “Do Not Sell My Personal Information” home page link. Moreover, SB 220 does not limit the number of opt-out requests a consumer can make in a year, unlike CCPA, which limits users to two within 12 months. The law also has no provisions related to access or deletion, and no private right of action for security breaches.
The law also differs in its definition of a sale. The Nevada law characterizes a sale of personal information as the exchange of covered data for monetary consideration by the operator to a person so that the person can sell or license the covered data to additional persons. SB 220 also has five exceptions to the term sale, which cover the following concepts:
- Release of information to an individual who processes the data on behalf of the operator
- Disclosure to a person with whom the customer has a direct relationship for the purpose of providing a service or product requested by the customer
- Disclosure to an affiliate of the operator
- Disclosure of information that is consistent with the reasonable expectations of the customer, considering the context in which they provided the confidential data to the operator
- Disclosure as part of a bankruptcy, acquisition, merger, or other transaction in which a person assumes control of part or all of the assets of the operator
SB 220 also requires that the operator respond to verified consumer requests not to sell their information within 60 days, with an extension of up to an additional 30 days. Enforcement authority for SB 220 is granted to the Attorney General, who can bring legal proceedings and have the court issue a temporary or permanent injunction.
The Attorney General can also impose a civil penalty not exceeding $5,000 for each violation an operator commits. These provisions are not exclusive; they are in addition to any other remedies provided by law.
SB 220 also exempts financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) from the scope of the law. Besides financial institutions, exemptions are also given to motor vehicle manufacturers and repair service businesses that acquire information from a motor vehicle about its technology or a related service to the vehicle.
New York’s S5462
Besides Nevada, New York is also determined to become the next battleground in the fight for consumers’ privacy rights over their personal information. Introduced by state senator Kevin Thomas, the New York Privacy Act, or bill S5462, gives consumers the right to request the deletion of their data, which is relatively similar to the CCPA.
The S5462 bill also emphasizes the importance of transparency in business processes where the personal information of customers is distributed through multiple endpoints between various companies. The bill further states that consumers’ personal information must not be used, distributed, or disclosed to a third-party service provider unless the consumer gives documented and express consent.
Moreover, every organization or any of its affiliates, and every data broker and controller, that gathers, sells, or licenses the personal data of customers must exercise the duty of loyalty, care, and sensitivity expected of a fiduciary.
This concerns safeguarding a consumer’s personal information against cyberattacks and any privacy-related risks that could potentially harm the data. Organizations also need to put consumers’ best interests ahead of their own interests and those of their service providers.
The New York bill further provides that the fiduciary duty owed to a customer under this section supersedes any obligation owed to shareholders or owners of the legal business or affiliate thereof. Furthermore, the bill would expressly permit any individual injured by a violation of the article to bring an action in their own name and recover actual damages. The court may award reasonable attorney’s fees to a plaintiff who prevails in a case.
Massachusetts Data Privacy Law
The Massachusetts Data Privacy Law proposal shares a lot of CCPA language, particularly in the areas of consumer access to personal data, the right to delete, and an extensive definition of personal data that includes probabilistic identifiers.
Moreover, the Massachusetts Data Privacy Law also requires organizations to provide their customers with explicit notice of their privacy rights and an option to opt out of the sale of data to third parties.
Maryland Online Consumer Protection Law
The Maryland Online Consumer Protection Act, also known as Senate Bill 613, has the potential to extend the scope of CCPA in some aspects. Organizations would have similar obligations to disclose data usage, though to a lesser degree than under the CCPA.
Like Massachusetts and California, SB 613 also uses a probabilistic identifier to define a particular type of personal data. Nevertheless, the bill goes beyond the gist of CCPA when it comes to releasing information to a third party.
Under SB 613, organizations need to disclose any data that is distributed to third parties, even if that information is transferred for free. SB 613 also prohibits websites from knowingly disclosing any personal data gathered about children.
North Dakota’s House Bill 1485
HB 1485 of North Dakota, which is currently in the state’s House of Representatives, would ultimately limit websites from distributing any data to third parties without the explicit consent of users. Additionally, consumers have no right to have their information deleted or removed once they grant permission to organizations.
It also provides for considerable fines if a covered organization violates a cease and desist order issued by the Attorney General. Fines range from $100,000 to $250,000 depending on whether the violation is intentional or unintentional.
New Mexico’s Senate Bill 176
Senate Bill 176 of New Mexico provides consumers with similar rights and imposes the same, though more limited, disclosure obligations as those in the CCPA. Nonetheless, SB 176 does not narrowly define the terms consumer, business, and minor, and could thus be broader in scope than the CCPA.
In other words, SB 176 could potentially apply to any organization that gathers personal information from a consumer in New Mexico. SB 176 also does not set the limit for fines per offense that the attorney general may impose. Still, it indicates that the maximum penalty for intentional violations is pegged at $10,000 per violation.
Washington SB 5376
Washington’s proposed legislation incorporates multiple concepts from the GDPR and the general framework of the CCPA. It applies to organizations that do business in Washington or produce goods and services that are intentionally targeted at residents of the state.
SB 5376 also requires businesses to make available privacy notices that disclose the categories of information collected, the purposes for which they are used, and information related to the sale and distribution of personal data. The law authorizes the Washington attorney general to enforce the act under the state’s consumer protection law for violations of the act.
The attorney general can also seek civil penalties of up to $2,500 per violation and $7,500 per intentional violation. However, SB 5376 does not grant consumers a private right of action.
The sudden increase in state-level privacy regulation has breathed new life into federal legislation. This is why businesses must keep tabs on initiatives at the national level aimed at standardizing, preempting, and harmonizing specific aspects of state consumer privacy laws.
A consultation with RSI Security is a great way to start fulfilling your specific business compliance needs. Talk to an expert today and find out how being compliant with federal government regulations can put you ahead of the game.