State legislatures are making their mark with new consumer protection legislation, most notably in Vermont, where the state enacted the first law regulating data brokers, and in Colorado, where lawmakers passed a new privacy and cybersecurity measure.

Looming on the horizon: a potential ballot initiative in California that would establish significant requirements with regard to consumer privacy and data collection.

What happened

Partly in response to recent discoveries of widespread sharing of individual information by social media companies and others, state legislatures appear to be working overtime to enact new consumer protection laws that could have a major impact on financial institutions and others nationwide.

Vermont became the first state in the country to pass legislation to regulate data brokers, mandating registration and security standards. The law defines a “data broker” broadly as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

Data brokers that buy and sell personal information must pay a $100 annual fee to register with the state. The companies must then disclose to consumers the data that is collected and provide clear instructions for consumers to opt out of having their data collected, when that option exists.

All registered data brokers will be required to establish a minimum level of security standards and provide notice to authorities in the event of a breach. The law also gives state regulators enforcement power (creating an actionable offense if data brokers use their data for criminal purposes such as fraud) and eliminates the fees for placing and lifting a credit freeze, giving Vermont residents free control over their credit reports.

In Colorado, lawmakers took a different approach with a new privacy measure. The bill mandates that companies that maintain, own or license the personal identifying information (PII) of a Colorado resident must implement and maintain reasonable security procedures and practices that are “appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.”

Businesses are also required to take protective measures when transferring PII—broadly defined to include biometric data, a Social Security number or a password, among many other identifiers—and to require the third parties they work with to implement and maintain their own reasonable security procedures and practices.

If the company maintains either electronic or paper documents that contain PII, it must develop a written policy for the destruction of such documents when they are no longer needed.

The new law also amended Colorado’s data breach notification statute, requiring that covered entities notify affected individuals within 30 days of determining that a security breach occurred that resulted in, or is likely to result in, the misuse of personal information. In addition, the new law expanded the definition of “personal information,” broadening the notification obligation if such data is compromised.

Details on what must be included in the notice are included in the new law. If the company provides notice to 500 or more Colorado residents, the state Attorney General’s Office must also be notified of the breach (with additional notice given to credit reporting agencies if more than 1,000 residents are affected).

The AG’s Office was tasked with enforcement and authorized to bring suit to recover damages for any violations of the law, which takes effect on Sept. 1, 2018.

California is also making headlines with a proposed ballot initiative establishing consumer privacy rights that seems likely to appear on the November ballot after backers gathered roughly 625,000 signatures in support, more than twice what is necessary. The California Consumer Privacy Act of 2018 would apply to companies that conduct substantial business in California (even if they are located out of state) and collect personal information about their customers.

Pursuant to the initiative, “personal information” includes identifiers such as real name and alias, postal address, and Internet protocol address, as well as information relating to characteristics of protected classifications under California or federal law, commercial information (including property records or consuming histories), biometric data, Internet activity data (search history, for example, or interaction with an application), and geolocation data.

The initiative would grant consumers the right to request all personal information collected about them—both online and off—for the prior 12 months, as well as information on all third parties that purchased the data. Companies would also be required to provide consumers with the ability to opt out of any sale or sharing of their personal information to a third party.

The ballot initiative contains significant penalties. The failure to comply with an opt-out request could cost a company from $1,000 up to $7,500 per violation. Similar fines are applicable in the event of a data breach.


Why it matters

The flurry of activity in state legislatures with regard to privacy and data protection can be traced at least in part to last year’s massive data breach of a consumer credit reporting agency and revelations regarding the exploitation of personal data from social media companies. For businesses, the prospect of a patchwork of state laws with different requirements and standards across the country presents an onerous compliance challenge, particularly if the laws in Vermont and Colorado launch a trend and the California ballot initiative is successful. In addition, financial institutions will find the rules even more complex, as these institutions are already subject to privacy rules with respect to consumer financial information, including under the Gramm–Leach–Bliley Act.