Introducing state privacy legislation amidst national privacy law discussions
Several states recently presented and passed data privacy legislation
introducing individual consumer rights as well as data breach notification
rules which in some ways reflect the protections afforded by Europe’s General
Data Protection Regulation (GDPR). Like their European counterparts, U.S states
such as California, Hawaii, and Washington have passed or proposed laws that
are designed to provide customers with greater transparency and control over
their personal data.
California’s Consumer Protection Act (CCPA) even goes beyond
breach notification and may require organizations to make significant changes
in their data processing operations including honoring opt-outs of selling data
and notification requirements surrounding sharing practices. However, to
recognize what this new consumer awareness and movement towards data privacy
and protection laws mean for companies and consumers alike, it helps to have a
strong understanding of what the GDPR laws entail.
The General Data Protection Regulation is considered the
gold standard in regard to consumer data rights by many and is essentially a
set of rules designed to give European citizens control over their personal
data. It aims to reduce the confusion surrounding the regulatory environment
for business, so both citizens and corporations can fully benefit from the
digital economy. These reforms are designed to reflect our technological age,
and provides legal obligations around personal data, privacy and consent management.
This means that any organization that has in-scope personal information about a
customer such as their name, birthdate, credit card or social security number
has to be compliant with these laws regarding how they collect, store and
approach their obligation to keep that information safe.
California is the first of the 50 states to implement a
similar privacy regulation, with the passing of the CCPA. Organizations have until January 1, 2020 to prepare,
and enforcement actions will begin in July of 2020. Several states have proposed similar
legislation following the announcement of California’s CCPA law.
Hawaii and Washington recently proposed bills that are
closed modeled after the CCPA and GDPR. Hawaii has notice or transparency
requirements that organizations must make to consumers and sets a broad
definition of personal data. However, no breach requirements are included.
Washington politicians proposed a bill which provides several notice
requirements, consumer rights, and is targeted at organizations within
Washington state but also those organizations targeting Washington residents to
offer goods and services.
As increased awareness, interest, and concern around
consumer data privacy continues to rise across the nation, there’s no doubt
that we will see more and more privacy laws, especially as legislation at the
state level is implemented. As new state laws become enforceable in 2020, it is
vital that organizations realize how seriously consumers are beginning to be
about their data privacy rights and how vital it is that organizations make the
necessary adjustments to not only comply with these regulations, but also
protect their brand reputation by honoring their consumers demands to protect
their information. As more and more individual
states adopt these policies, it can be assumed that discussions around privacy
will only increase at the federal level as well.
Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint
Gloss