As Congress stalls, states take charge — GCN
INDUSTRY INSIGHT
DIY data protection: As Congress stalls, states take charge
With so much focus on federal data protection regulation, it would be easy to miss the tectonic shifts underway at state capitols. Last year alone, more than 90 different data protection, security and privacy proposals were introduced. The California Consumer Privacy Act (CCPA), which went into effect in January, has been the most far-reaching, but it is not alone. From Florida to Maine to Texas, states are taking the lead in innovating data protection regulation. By the end of 2019, more than half the states either proposed new privacy legislation or established a task force to do so. Absent any progress at the federal level, states will continue to push for greater data protection and regulation, augmenting security and privacy while also increasing complexity to an already dynamic landscape.
Choose your own privacy adventure
While there has been growing interest in data protection in the United States, there was a significant inflection point in 2018 as several forces combined to create the perfect privacy storm. First, the steady flow of data leaks continued as Marriott, British Airways, T-Mobile, MyHeritage, and countless other corporate breaches exposed sensitive personal data. Second, the European Union’s General Data Protection Regulation (GDPR) introduced sweeping data protection that impacted any company with European Union citizen data. Finally, and arguably the most impactful, the Cambridge Analytica data sharing scandal awoke public awareness about the vast implications of data monetization and sharing.
This confluence of events dramatically shifted public opinion in the United States and helped drive momentum and the rapid passage of the CCPA. Numerous other states are now similarly approaching data privacy through overarching omnibus legislation: integrating numerous data protection requirements under a single regulatory umbrella. New York’s proposal last summer built upon the CCPA momentum, but it differs in a few key areas. Instead of relying on the attorney general for enforcement, the New York proposal includes a private right of action and applies to any organization with New York resident data as opposed to the $25 million in annual revenue cutoff in the CCPA. The New York bill also includes data fiduciaries, which prohibit businesses from using data to the benefit of the business and the detriment of the individual.
Other states similarly integrate aspects of the CCPA, while customizing as well. Nevada’s law, for instance, does not have opt-in requirements, while opt out applies to a narrower scope of information. It also includes less time to respond to data requests and defines the sale of data differently. Nebraska’s recent proposal, in contrast, maintains more similarities to the CCPA with its focus on personal information and the right to know what is collected, how it is used, who accesses it, as well as the right to deletion and opt out. They both also include fines up to $7,500 for each violation. Finally, Florida’s proposed Consumer Data Privacy Act shares some common features with both the CCPA and Nevada’s privacy legislation, including a focus on the right to opt out of sales of personal data and a notice of what data is collected. Proposals in Maryland and Massachusetts are similar to the CCPA, but opt out includes any data disclosures, not just sales. Maryland chose enforcement by its attorney general, while the Massachusetts law has a robust private right of action.
These are a few examples of an omnibus approach to data privacy, and additional proposals are likely to emerge over the next few years absent a federal privacy law. At the same time, several states are opting for point solutions to data privacy instead of taking the omnibus approach. That is, they are focused on narrowly addressing a specific data privacy issue. For instance, last year Vermont passed the country’s first law targeting data brokers -- those entities that gather data from a wide range of sources. The new law requires data brokers to register, uphold baseline security practices and notify if a breach occurs. It also prohibits the use of the data for criminal purposes.
Maine opted instead to focus on internet service providers. Coming into effect on July 1 of this year, the Maine law bars ISPs from, “using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access.”
Gloss