Data privacy issues and corresponding regulations are some of the greatest challenges that companies face today. While companies affected by the GDPR have felt the initial wave of fines, requirements, and standards, privacy is now an international issue.
The US has already started moving towards revolutionary privacy regulation. With laws passed in California and Nevada and bills planned in many other states, companies should expect to be impacted within the coming months.
This article breaks down the crucial parts of each state's privacy law or bill: who it covers, when it takes effect, what the penalties are, how to achieve compliance, and why states moved before the federal government to protect consumers' personal data.
The California Consumer Privacy Act
As one of the first privacy laws passed after the GDPR, the CCPA is acting as the blueprint for other bills in the US. Effective January 1, 2020, the CCPA applies to a business that collects or processes California residents' personal data or does business in California. Such a business is subject to the CCPA if it meets any of the following criteria:
- Exceeds a gross revenue of $25 million
- Buys, receives, sells, or shares (combined total) the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of its annual revenue from selling consumers' personal information
The CCPA grants consumers rights similar to those under the GDPR, including disclosure of the personal information held about them and the ability to request their personal data. Businesses are required to respond to verifiable consumer requests with information such as the categories of personal information collected and the data itself, the third parties with which data is shared and the categories those third parties fall into, and more.
This section, known as Data Subject Requests (DSR), also grants users the ability to request deletion of their personal information. In addition, the CCPA requires businesses to display a "Do not sell my personal information" link on their homepage. The CCPA will be enforced by the Attorney General and includes fines of up to $7,500 for each individual violation.
Nevada’s Privacy Law
Nevada's privacy law was signed on May 29, 2019, and took effect on October 1, 2019, three months before the better-known CCPA. The two laws are very similar but differ significantly in how "sale" is defined. Nevada's law is narrower: it does not cover all service providers and is more lenient on financial institutions. According to InfoLawGroup, the CCPA and the Nevada law are similar in that both require "businesses to come up with a process to verify the legitimacy of a consumer opt-out request and require businesses to respond to the request within 60 days." As in California, enforcement in Nevada lies with the Attorney General and includes fines of up to $5,000 per violation.
New York’s Privacy Bill
In May 2019, New York State Senator Kevin Thomas introduced one of the most revolutionary bills in data privacy. The requirements were standard and included the ability for residents to access, correct, delete, and keep their personal data from third parties.
However, more expansive provisions were added, such as obligations on data fiduciaries and the right for residents to file a lawsuit against companies if they are injured by reason of a violation. This private right of action is one of the biggest differences from other regulations and could incentivize consumers to go after companies that lack compliance. The bill is also broader than the CCPA, covering any company that holds the "sensitive data of New York residents", with no revenue threshold for covered entities.
With laws passed in two states, bills proposed in others, and nine states passing new data breach notification laws, we’re witnessing the beginning of a massive shift towards protection for consumer data and accountability for businesses that control and process it.
To sustain compliance, businesses must be aware of current laws, of regulations still in the works, and of the potential for differing standards across the US. Establishing processes for data handling, data portability, and data mapping, along with user opt-in controls, are a few of the practices necessary for businesses that collect personal data.