2018 was a landmark year in state consumer privacy legislation – the most important in recent memory. The year began with states updating – or in two cases passing their first – data breach notification statutes. But the June passage of California's omnibus privacy law, the California Consumer Privacy Act (CCPA), was a first at the state or federal level. Passage of this law raises the prospect of other omnibus privacy laws passing in other states and has driven consensus in the business community on the need to enact some sort of comprehensive federal privacy law.

Elsewhere, first-in-the-nation privacy laws included Ohio establishing a cybersecurity safe harbor, Vermont imposing state registration and data security requirements on data brokers, and California passing the first Internet of Things data security law. This action-packed year portends even more activity as legislators return for the 2019 session.

Omnibus consumer privacy

California Consumer Privacy Act

June saw the passage of CA AB375, a landmark law that fundamentally altered the US privacy landscape. The CCPA is the first cross-sector law in the US to grant consumers a range of rights over an extremely broad range of personal and even household data, to create data breach statutory damage class action risk, or to restrict use of personal data that discriminates against individuals.

Notable updates to other state breach statutes included the following:

  • Oregon (SB 1551) modified its statute in a number of ways that increase the difficulty of compliance, but particularly with the addition of the term "possesses," which requires an entity that merely "possesses" personal information and suffers a breach to notify the resident and the state Attorney General. The legislature also added an ambiguous catch-all in the definition of personal information to reach "any other information or combination of information that a person reasonably knows or should know would permit access to the consumer's financial account." The entity required to give notice must do so "no later than 45 days from discovering or receiving notification of the breach of security."
  • Colorado (HB 1128) expanded its breach notice law significantly and added data security requirements for both breach notice covered entities and vendors. The breach notice obligations expanded by adding biometric data, health information and online credentials information to the list of breach notice personal information, as well as imposing a 30-day notice requirement from the date of determination to the state Attorney General and to affected residents, "consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system." It requires that all covered entities in the state that "maintain[s] paper or electronic documents during the course of business that contain personal identifying information" create a written policy for the destruction of the personal identifying information when that information is no longer needed. It further requires the covered entity to render the information unusable through shredding, erasing or other type of modification.