States continue to push forward with privacy laws, with new statutes in Nevada and Maine and a proposal currently pending in New York, which would impose requirements similar to those found in the California Consumer Privacy Act (CCPA).

California kicked off the state privacy law trend last year with passage of the CCPA, set to take effect on Jan. 1, 2020. Nevada followed up with SB 220, whereby consumers can prevent website operators and online service providers from selling specified personal data (name, address, email address, phone number, Social Security number, individual identifiers and any other information that becomes personally identifiable when combined with an identifier).

Although it has a narrower scope than the CCPA, Nevada’s new law takes effect sooner, on Oct. 1, 2019.

Maine recently passed its own privacy law, largely reinstating the net neutrality rules enacted by the Federal Communications Commission that were later reversed under Chairman Ajit Pai’s direction. Pursuant to the Act to Protect the Privacy of Online Customer Information, Internet service providers (ISPs) are required to obtain opt-in consent prior to “using, disclosing, selling or permitting access to [a consumer’s] prohibited personal information.”

LD 946 broadly defined “personal information” to cover web-browsing history, geolocation information, IP addresses and device identifiers, among other data. A nondiscrimination provision prohibits ISPs from refusing service to customers who do not provide their consent or from charging a penalty or offering a discount based on the customer’s choice.

Limited exceptions to the consent requirement are provided for ISPs to use, disclose, sell or permit access to customer personal information to advertise or market the ISPs’ communications-related services to the customer, to provide the service from which such information is derived, and to comply with a lawful court order or provide geolocation information in emergency and safety situations.

Maine’s new law is set to take effect on July 1, 2020.

New York also stepped into the privacy conversation with the proposed New York Privacy Act. SB 5642 would mandate opt-in consent before companies could use consumers’ personal data—defined to include web activity and online search history—for ad targeting.

Under the bill, consumers could also learn what data companies have collected about them and with whom that data is shared, and request that the information be corrected or deleted.

The proposed law also features a private right of action for violations, and unlike the CCPA, which applies only to businesses that make more than $25 million in annual gross revenue, the New York law would apply to companies of all sizes and revenues.

A key provision of the New York bill is the requirement that businesses act as a “data fiduciary” of consumer data. Specifically, the proposal provides that “[e]very legal entity, or any affiliate of such entity, and every controller and data broker, which collects, sells or licenses personal information of consumers, shall exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”

To read Maine’s Act to Protect the Privacy of Online Customer Information, click here.

To read the New York Privacy Act, click here.

Why it matters: As more and more states work toward passage of their own privacy laws, the advertising industry has intensified its push for an overarching national law. Referencing the new Maine law, Dan Jaffe, executive vice president for government relations at the Association of National Advertisers, called it “another example of how we’re going to get a totally balkanized regulatory framework” and “an ever-greater regulatory nightmare for people who are operating on the internet.” Jaffe told MediaPost, “This drip by drip approach to privacy is going to be counterproductive for everybody.”