Digital Privacy Reform – Looking Beyond California
The California Consumer Privacy Act (CCPA) certainly proved to be a game-changer in the digital space. Taking effect at the beginning of last year, California’s stringent digital privacy laws have affected businesses all over the country since enforcement began on July 1, 2020.
Since then, California voters have approved a ballot measure, Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA), also known as the CCPA 2.0. The CPRA will amend certain provisions of the 2018 CCPA such as:
- The extension of the HR and B2B exemptions through Jan. 1, 2023.
- A new, stand-alone privacy agency tasked with issuing regulations and administrative enforcement of the law.
- Significant amendments implicating AdTech and cookies compliance (including a new definition of “sharing” in the context of “cross-context behavioral advertising”).
- Limitations on and disclosure requirements relating to businesses’ retention of personal information.
- New limitations on purposes of processing to those that are “necessary and proportionate.”
So the big question is, what’s next?
UPDATED – During the first year of CCPA enforcement, California’s Attorney General published more than two dozen “illustrative examples” of non-compliance notices that were sent to wide range of businesses spanning a number of industries. Alleged violations involved policy disclosures, consumer requests, and opt-out of sale requirements.
As of September 2021, there were a number of bills pending in California’s legislature to amend the CCPA and the CPRA. These bills would have the potential to impact how companies approach each law.
Can regional businesses in other states relax and continue dealing in consumer personal information without restriction? We don’t recommend it. California was first. But other states have already made massive efforts toward implementing their own version of digital privacy laws.
Here’s the rundown…
States (Besides California) to Watch for Digital Privacy Reform
UPDATED – Following in the footsteps of California, and most recently Virginia and Colorado, Ohio introduced a comprehensive consumer privacy bill, the Ohio Personal Privacy Act (the “Act”). By introducing the Act, Ohio follows the growing nationwide trend towards stronger state privacy laws related to consumer rights.
- Colorado: Colorado joined California in passing its own comprehensive data privacy legislation on July 8, 2021. The Colorado Privacy Act (the “CPA”) is set to take effect on July 1, 2023.
- Nevada: In Nevada, the SB220 protects consumers’ ability to opt-out of data collection and sharing, including financial penalties for companies that fail to comply. Nevadans now have the right to sue data brokers that violate their privacy rights.
- Maine: Maine’s Act to Protect the Privacy of Online Consumer Information went into effect July 2020 and includes: Right to restriction of processing, transparency requirements, non-discrimination, and the right to opt-out of sale of personal data.
- Vermont: New digital privacy laws went into effect on January 1st, 2020, requiring data brokers to register annually with the Attorney General’s office
States with Pending Legislation – *UPDATED*
- Illinois: The Illinois House of Representatives is considering two privacy bills: The Consumer Privacy Act and the Right to Know Act. Both bills involve data transparency, biometrics and genetic information. The Right to Know Act would creat a data broker registration list.
- Massachusetts: The Massachusetts Information Privacy Act was designed to protect consumers from unauthorized collection, use, and monetization of their personal information. It was introduced by State Senator Cynthia Stone Creem in February 2021.
- Minnesota: Minnesota State Representatives Steve Elkins and Mohamud Noor introduced HB 1492, the Minnesota Consumer Data Privacy Act, in February. This was the second privacy bill to be introduced to the Minnesota House of Representatives during the current legislative session.
- Nebraska: Nebraska’s bill, LB746 would include right of access and information, right of deletion, right to opt-out of sale of personal information, age-based opt-in, transparency requirements, and non-discrimination.
- New Hampshire: Pending legislation regarding business usage of biometric information from consumers.
- New York: Although protections are not yet adopted, one bill (the New York Privacy Act — NYPA) overlaps the Right to Know Act. The NYPA surpasses the CCPA and CDPA by requiring data controllers to collect opt-in consent from consumers before processing personal data for any purpose and requiring data controllers to respond to consumer requests to correct personal data.
- North Carolina: In April 2021, the North Carolina General Assembly introduced Senate Bill 569, the Consumer Privacy Act of North Carolina (CPA). The CPA would expand protections to consumers in the North Carolina Identity Theft Protection Act.
- Ohio: Ohio’s comprehensive consumer privacy bill is known as the Ohio Personal Privacy Act. It primarily applies to companies in Ohio and businesses that collect data about consumers in Ohio. Businesses are now expected to post reasonably accessible, clear, and conspicuously privacy policies to inform consumers about the data they collect.
- Pennsylvania: Pennsylvania’s bill HB1049 is pending legislation regarding consumer data privacy.
- Rhode Island: Pending legislation regarding Consumer Privacy Protection Act, biometric information, Special Legislative Commission, and responsibilities of device manufacturers.
- South Carolina: Pending legislation regarding Cellular Data Protection Privacy Act and state-contracted telecom usage of consumer personal data provide broad protections. If approved, it would apply only to biometric information, such as fingerprints, ris scans, and DNA.
- Wisconsin: Three bills make up the Wisconsin Data Privacy Act (non adopted yet), each covering a different area of privacy and protection.
States with No Active Bills, Task Force Substituted
As of 2020, the following states had launched data privacy task forces to study the matter in detail.
- Connecticut
- Hawaii
- Louisiana
- Massachusetts
- North Dakota
- Texas
States with No Active Bills and No Task Force
The following states have no active data privacy bills as of September 2021.
- Alabama
- Alaska
- Arizona
- Connecticut
- Delaware
- Florida
- Georgia
- Idaho
- Illinois
- Indiana
- Iowa
- Kansas
- Kentucky
- Maryland
- Michigan
- Mississippi
- Missouri
- Montana
- New Jersey
- New Mexico
- Oklahoma
- Oregon
- South Dakota
- Tennessee
- Utah
- Washington
- West Virginia
- Wyoming
The possibility of a US federal privacy law is still under consideration. And even if just a few of the states with pending data privacy legislation pass new laws, the amount of jumping through hoops for US businesses will increase.
Privacy Regulation
Privacy regulation is coming for everyone. Whether it’s on a state-by-state basis, or ideally, at the national level, businesses in every state need to pay attention to what is happening in California with the CCPA and start making policy and technical changes now, while there is still time to do it at your pace.