US Data Privacy Laws You Need to Know

By Zach Capers


More and more U.S. data privacy laws are going on the books. Here's what you need to know.


The United States doesn't yet have a comprehensive federal data privacy law. Outside of the children’s online privacy law (COPPA) and industry-specific regulations that include data privacy measures (e.g., HIPAA), data privacy issues at the federal level are generally handled by the Federal Trade Commission (FTC), whenever it decides to intervene.

However, a few comprehensive data privacy laws have been enacted at the state level. And whether or not they apply to your business today, you should familiarize yourself with these laws to prepare for more widespread regulation in the future.

Let's take a look at the U.S. data privacy laws that may be harbingers of things to come.

The California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020 and is by far the most important and influential data privacy law ever passed in the United States. Inspired in large part by the EU’s landmark General Data Protection Regulation (GDPR), the CCPA regulates companies’ data privacy practices and grants state residents new rights, including:

  • The right to know what personal information is collected

  • The right to opt out of the sale of personal information

  • The right to delete personal information upon request

  • The right to equal service and price (i.e., consumers may not be penalized for exercising rights under the CCPA)

The CCPA defines personal information as data that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." The bill also includes biometric, geolocation, and numerous other types of data, creating a truly comprehensive definition of personal information.

The CCPA applies to any company that meets one or more of the following criteria:

  • Has gross annual revenue exceeding $25 million

  • Annually processes the personal information of 50,000 or more California consumers

  • Earns more than half of their annual revenue by selling personal information

Businesses of all sizes and locations need to pay particular attention to that second bullet point. Because the law defines personal information so broadly, the data that counts toward that threshold can take numerous forms, including an IP address. Even small businesses can quickly (and fairly easily) collect information on 50,000 California consumers.

CCPA fines reach up to $7,500 per record violated, and the law also allows consumers to sue in response to violations (known as a private right of action). Enforcement went into effect on July 1; the wait is on to see how strictly the law will be applied.

Watch for: The California Privacy Rights Act


In November 2020 the California Privacy Rights Act (CPRA) will appear on the state ballot. If approved, the CPRA will significantly expand—and essentially replace—the CCPA by broadening the definition of protected data and establishing a new consumer right to correct personal information. Additionally, the legislation would create a new state data protection agency with CPRA enforcement powers—the first ever agency dedicated to consumer data privacy protections in the U.S.

Maine’s data protection law

Known as An Act To Protect the Privacy of Online Customer Information, Maine’s data protection law (LD 946) took effect on July 1, 2020 and focuses on internet service providers (ISPs). Maine’s law takes an unusual opt-in approach to data privacy (versus the typical opt-out approach). In other words: consumers must opt in before their data can be sold. Taking no action means data cannot be sold.

LD 946 defines personal information as identifying details such as name and government identification number. The bill also includes internet usage such as browsing history, application usage, equipment identifiers, and IP addresses that could identify an individual.

The law prohibits ISPs from penalizing customers who deny consent and forbids ISPs from offering incentives, such as a free month of service, in exchange for providing consent. The law is not specific about a private right of action, an issue that Maine’s courts will eventually decide.

Nevada’s opt-out law

Nevada’s opt-out law (SB220) went into effect in October 2019 and regulates websites and online services that process the data of Nevada consumers. Consumers must be provided with an option to opt out of companies selling their personal information; responses to opt-out requests must be made within 60 days.

SB220 updated Nevada's 603A data breach law, which defines personal information as the consumer’s name in combination with other specified unencrypted data elements (e.g., government identification numbers, medical information, or other information that would allow access to an online account).

Nevada’s attorney general may seek an injunction or issue a penalty of $5,000 per violation. The law specifically disallows a private right of action.

Vermont’s data broker law

While not exactly comprehensive, Vermont’s H764 was the first U.S. data privacy legislation enacted solely to govern data brokers. Enacted in May 2018, the law defines data brokers as any company that “knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

Other than a few exceptions, any business that fits the data broker definition must register with the state or face penalties of up to $10,000/year. The law prohibits the acquisition of personal data “through fraudulent means or with the intent to commit wrongful acts” and makes it illegal to charge for credit freezes following a data breach.

H764 improves data broker security standards and provides a generous definition of personal information that includes biometric data, the information of immediate family members, and any information that could reasonably identify a consumer. It doesn't allow consumer opt-out rights or a private right of action.

Emerging U.S. data privacy laws and what to do about them

A new generation of data privacy laws aimed at reining in technologies based on artificial intelligence and machine learning is springing up across the U.S.

Illinois recently enacted legislation regulating the use of AI in the hiring process, while Washington state passed a law regulating the use of facial recognition by state and local government agencies. If it passes, California’s CPRA will govern automated decision-making technology and require disclosure of the logic used to make a variety of automated decisions.

Even if your business isn't yet subject to any of these data privacy laws, we recommend viewing them as a preview of similar local, state, or federal laws that will eventually affect all U.S. businesses.

Here are some recommendations to make compliance easier when the time comes:

  • Audit your systems to identify what types of consumer data you collect, where it is stored, and who has access to it.

  • Because many U.S. privacy laws are derived from GDPR practices, look for software that offers GDPR compliance.

  • Appoint a data protection officer to help navigate your business through continually changing privacy regulations.

  • Review emerging and proposed data privacy laws before adopting new technology such as biometric authentication or AI recruiting software.

  • Regularly review, update, and distribute your company’s privacy policies.



NOTE: This article is intended to inform our readers about United States data privacy laws. It is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.


About the Author

Zach Capers is a senior analyst at Capterra, covering IT security, data privacy, and emerging technology trends. A former internal investigator for a Fortune 50 company and researcher for the Association of Certified Fraud Examiners (ACFE), his work has been featured in publications such as Forbes, Business Insider, and Journal of Accountancy.