Beyond CCPA: Privacy Regulations in America
March 10, 2020
Since CCPA entered into force on January 1, there have been many new discussions and proposals for other similar state-level regulations, an overarching federal law, and even a U.S. data protection agency to act as a governing body for privacy law enforcement, a responsibility the Federal Trade Commission has partially retained thus far. With so many new privacy regulations in the works, it’s only a matter of time before these laws become impossible for organizations to wrap their arms around.
Some key trends with privacy laws are as follows:
- Individuals having rights to access, disclosure, and joint control
- Failure to comply is going from “possibly enforced” to direct or class action lawsuits
- Risk is not only of enforcement, but of reputation damage and “cancel culture” campaigns
- No more asking for forgiveness later
- Increasing focus on capturing user opt-in and consent
- Companies handling data requests must establish identity first to protect privacy
In addition to California’s new CCPA, there have been a number of proposed state-level regulations, each with its own set of unique principles.
Inspired by GDPR and CCPA, the most recent iteration of the Washington Privacy Act is an updated version of the bill that made significant progress in the Washington State Legislature in 2019 but, after Senate approval, failed to pass in the House of Representatives. The key cornerstones of this bill are different approaches to regulating new technologies like facial recognition and voice apps.
The Wisconsin Data Privacy Act aims to create rights for Wisconsin residents that are similar to CCPA and GDPR while also imposing significant new obligations on businesses. The ultimate goal of the legislation is to strengthen Wisconsin’s data security and breach notification requirements. Similar to GDPR, the Wisconsin Data Privacy Act would be enforceable by the AG and violations could result in penalties of up to $20M or up to 4% of total annual revenue, whichever is greater.
On the stricter end of the spectrum, the New York Privacy Act, which was introduced in May 2019, would give residents there more control over their data than in any other state due to a “data fiduciary” provision in which businesses that collect and control data would owe fiduciary duties to the individuals whose data was collected, thus obligating them to prioritize the individuals’ privacy over their own profits.
While similar in nature to CCPA laws, the Massachusetts Data Privacy Law differs in that it would give individuals the right to sue for any violation of the proposed law, and would give them the ability to bring action without ever having suffered a loss of money or property as a result of the violation.
Also bearing similar language to CCPA, Hawaii’s SB 418 offers all of the same basic rights and protections, but it differs in its applicability to businesses beyond just websites that conduct business in the state, potentially affecting websites based anywhere in the world that don’t offer adequate data protection.
Under Maryland’s SB 613, businesses would have similar obligations to disclose information usage, but the bill goes a step beyond the CCPA when it comes to disclosing third-party involvement. This bill would require companies to disclose any information being shared with third parties, even if the data was transferred for free. SB 613 also enacts stronger preventative measures for the disclosure of personal data collected about children.
North Dakota’s HB 1485 would completely restrict websites from passing on any information to third parties without the consent of users. There is no right to have information removed or deleted once consent has been granted.
Future Federal Law
The problem with so many state-level laws is the compliance nightmare they would create for companies with multiple headquarters, locations, and franchises throughout the U.S., which is why the following federal privacy bills were circulated in Congress at the end of 2019:
- Consumer Online Privacy Rights Act of 2019 (COPRA)
- Staff Discussion Draft of the United States Consumer Data Privacy Act of 2019 (CDPA)
- A bill released by House Energy and Commerce Committee staff
The aforementioned bills have important similarities, which has given privacy professionals reason to believe that a federal law may be closer than had been previously anticipated. It’s important to note that these are just proposed recommendations, and are very likely to be subject to negotiation before an official law goes into effect, but the fact that these pointed discussions are happening around federal privacy today is certainly a positive sign.
In the meantime, companies with multiple U.S. locations, which are far more likely to be impacted by multiple state-level laws, are encouraged to implement privacy-first solutions as soon as possible. The easiest place to start is by strengthening consumers’ privacy rights through personal data requests, as there are a number of specific stipulations around this process that can trigger harsh penalties for noncompliance. One such stipulation is performing safe and accurate identity verification so that returned data doesn’t fall into the wrong hands.