May was a busy month for state privacy law updates and amendments. In addition to amendments made by Texas to its breach notification law, both Oregon and Nevada expanded their privacy-related laws this month, while Illinois’s CCPA-like law failed to pass after a variety of amendments related to whether the law would allow for a private right of action.
In Oregon, the legislature expanded its data breach notification statute (ORS §§ 646A.600 et seq.). Oregon’s updated data breach law, which was signed by Governor Kate Brown on May 24, 2019 and goes into effect on January 1, 2010, expands breach notification requirements to cover “vendors,” which it defines as “a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.” Under the new law, a vendor must notify Oregon’s Attorney General when subject to a security breach affecting the personal information of over 250 Oregon consumers, or when the number cannot be determined. Vendors do not need to notify the Attorney General if the covered entity has already made the notification. Vendors must also notify their business customers of the breach within 10 days – a change from previous language mandating notification “as soon as practicable.” The law also expands Oregon’s definition of personal information to include usernames, but only when combined with authentication factors.
On May 29, 2019, Nevada Governor Steve Sisolak signed Senate Bill 220 (SB-220), a California Consumer Privacy Act (CCPA)-like law which goes into effect on October 1, 2019. This law, which amends a prior Nevada law covering consumer privacy disclosures, requires operators to allow consumers to submit verified requests through a designated request address directing operators not to sell any covered information that the operators have collected or will collect about a person. Because SB-220 goes into effect in 2019, before the January 1, 2020 effective date of CCPA, Nevada will be the first state to provide consumers with the right to opt out of the sale of their personal information. The Nevada law, however, is much narrower than the CCPA:
- “Sale” is defined as “the exchange of covered information for monetary considerations to a person for the person to license or sell the covered information to additional persons,” a narrower definition than “for monetary or other valuable consideration.”
- Sale also excludes disclosures to data processors, to operators providing a service requested by the consumer, for purposes consistent with the reasonable expectation of the consumer, to affiliates, and as part of a transfer of assets.
- Like the CCPA, SB-220 specifically excludes entities subject to the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. SB-220 also excludes vehicle manufacturers and repairers who collect information related to a motor vehicle’s technology or service.
SB-220 authorizes the Nevada Attorney General to seek an injunction or civil penalty of up to $5,000 for each violation of the law.
Although many other proposed laws were not enacted this year, data breach and data privacy laws remain priorities for many state legislatures. In the absence of an omnibus federal data privacy or breach law, states will continue enacting varied laws governing these issues. Companies should be aware that these laws are constantly changing and that it is crucial to stay apprised of these changes to ensure compliance with a patchwork of state laws. Because these laws ultimately will be enforced by State Attorneys General, companies also should consider an effective attorney-general outreach strategy as part of their broader approach to government relations.