When we did our last update on the status of US privacy legislation just a few weeks ago, there were 15 States with consumer privacy laws passed and/or bills on the table, including California (CCPA) and the most recent, Nevada (Act Relating to Internet Privacy). The fluid nature of the privacy landscape continues. In our recent webinar, we looked at the latest shifts and discussed the key similarities and differences amongst the various bills and laws.
And then there were 12.
All eyes continue to be on the CCPA and its amendments (and amendments to amendments). Vermont Attorney General T.J. Donovan observed that California’s policy could directly influence the behavior of other state privacy officials saying, “As California goes, so goes the nation. Watching how the rules in California are going to be developed is going to be critical.”
Nevada, largely viewed as a companion bill to CCPA also passed a few weeks ago, and will come into effect in October of this year. However, there were some notable bills that dropped off:
- Texas: The State passed a new Act that only amends their breach response law. However, it also requires that the State convene a Privacy Protection Advisory Council by September 1, 2019 for the purpose of studying data privacy laws in sister states and foreign jurisdictions. This may indicate Texas is preparing for comprehensive privacy legislation in the coming years.
- Illinois: Closely modelled on the CCPA, the bill cleared committee in late May only to be sent back in the last days of the session. The combination of large sectoral exceptions, new requirements beyond those in the CCPA, and class-action enforcement risk created enough controversy that the bill did not move forward.
- Washington: More similar to GDPR in terms of processes and overall compliance obligations, it also included discussion of facial recognition and meaningful human review; the bill did not make it out of committee and is unlikely to be discussed before 2020
“As California goes, so goes the nation.”
When the CCPA was introduced it was described as ground breaking. Given how many companies do business in the California it has also been viewed as a de facto national law. Although it has been likened to the GDPR there are a number of important differences. The GDPR is a broad omnibus law, while the CCPA is focused on consumer rights. These rights are core obligations in most data protection laws around the world, however California’s approach makes it unique in the United States.
Compared to CCPA, Nevada’s law is more focused on the right to opt-out of data selling. More restricted than California, this law applies to operators of websites or online services for commercial purposes. Like CCPA, it is subject to certain exemptions such as financial institutions, affiliates, and entities subject to HIPPA. It will also cover businesses without a physical commercial presence in Nevada but with a commercial website accessed by Nevada residents.
Additional sector specific laws (Maine and Louisiana – focused on providers of broadband internet access services) should also be helpful in understanding how the influence of the CCPA will unfold across the United States as a whole.
Trends and Outliers
While some laws/bills are broad and some sector specific, beyond the standard rights of access, correction and deletion, there are more commonalities than one may expect.
Do not sell
Strong enforcement provisions – by Attorney Generals - are in place for more than 50% of the laws and bills. We predict this provision could become more present than private right of action and we will be watching Nevada to see who this plays out.
Although not present in Nevada, equal treatment is included in more than half of the bills and laws. An organization cannot provide a lesser quality service/product or punish customers in any way for refusing the permission to sell their personal data (incentives and rewards are permitted). We will be watching implementation and enforcement closely to understand the impact of this obligation.
A major difference amongst the bills and laws is related to economics. Most bills are similar in structure to the CCPA in terms of defining company revenue, number of users, and percentage of revenue that comes from the sale of personal information to indicate who will be subject to the obligations. However, each state will strive to reflect the economic reality of their jurisdictions so those numbers could vary significantly. The emerging trend seems to be those generating approximately 50% of revenue from the sale/processing of personal information will be required to comply.
An Accountability Approach to Compliance
How is your organization prepared to execute a data subject access request and demonstrate completion? How will you track, honor, reply, and inform on a request for a right of access? How do you future proof yourself for new and changing legislation? The traditional approach has been to address compliance law by law. However, with the volume of amendments and new legislation in the US (and around the world), this approach is no longer scalable.
Under GDPR, accountability is enshrined as an obligation. Organizations must be able to demonstrate compliance under the law. While the word “accountability” is not present in the legislation from California and Nevada (or other states), it is a very useful compliance tool. We are also seeing more and more law firms and consultants in the US validating this approach to building privacy programs.
One place to start is by leveraging a framework. Nymity’s Privacy Management Accountability Framework defines categories and activities that map to over 800 laws around the world. Leveraging a framework allows companies to build and operationalize privacy compliance activities into a sustainable program.
If your company is required to be GDPR compliant, you likely already have key elements that can be leveraged across state laws dealing with the most common data subject requests: access, deletion, and correction. For example, the requirement of Article 30 to complete a records of processing inventory is a powerful foundation for many requirements including:
- Mapping your processing activities
- Identifying owners of activities
- Identifying data being transferred to third parties
- Identifying third party vendors
- Identifying relevant information required to respond to a consumer request
- Identifying third parties that may need to be contacted to fulfill deletion requests and for compliant privacy notices
You can easily extend your records of processing inventory to cover other specific elements under state laws, such as whether the data is sold to third parties. Even if you did not have to complete this exercise for the GDPR, this is another great place to get started.