Strategy, privacy, and risk

State privacy laws: 2020 highs and lows

2020 is shaping up to be another interesting year for data privacy, especially given that public health agencies, private companies, and states are now working feverishly to create contact tracing apps and programs while still preserving privacy. Being thoughtful and accountable about data privacy is more important than ever, as some states have made very public mistakes in the rush to roll things out. Momentum continues to build for more privacy legislation, building on California’s Consumer Privacy Act of 2018 (CCPA) and Nevada’s SB 220 of 2019. In the last two years, more than 25 states have considered or passed privacy legislation (including Texas, New York, Massachusetts, Vermont, and Illinois), and there seem to be no signs of slowing down. As there has been little movement (other than a few hearings and discussion drafts) on the federal level, increasingly, states are moving to regulate data privacy themselves.

Here are a few of the notable efforts Coalfire has been keeping an eye on:

California

The CCPA went into effect January 1st of this year, a fact you likely noticed from the flood of email privacy policy updates. Organizations doing business in California and collecting or selling the information of California residents should now be in compliance with CCPA, even though final regulations are not due from the California Attorney General’s Office until July.

Organizations should be making every effort to comply, as California Attorney General Xavier Becerra told reporters in December, “We will look kindly, given that we are an agency with limited resources, and we will look kindly on those that... demonstrate an effort to comply.” On the other hand, he said, “If they are not [operating properly]... I will descend on them and make an example of them, to show that if you don’t do it the right way, this is what is going to happen to you.”

Even though the final regulations for CCPA are still awaiting approval, enforcement has begun as of July 1st. There was a concerted push from various trade groups to delay enforcement due to the pandemic, but Becerra’s office has held firm. An advisor to the California AG reportedly said in March that, “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first. We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

California may see even more movement on privacy this year as the California Privacy Rights Act (CPRA) has qualified for the November ballot. The CPRA is from the same group, Californians for Consumer Privacy, which was behind the ballot initiative that culminated in CCPA. This new initiative would strengthen existing provisions in the CCPA and would create a dedicated state agency whose sole focus would be protecting online consumer privacy. Barring legislative intervention, we’ll see how California voters feel about this in the fall.

Washington

Last year, Washington nearly joined California’s ranks in regulating privacy at the state level with the Washington Privacy Act. After another attempt early this year, the Washington Privacy Act failed again. Reportedly, lawmakers couldn’t agree on a private right of action (the ability for individual consumers to sue companies that break the rules). A private right of action was one of the biggest sticking points in 2019 and clearly still continues to vex the legislature.

The 2020 draft of the Washington Privacy Act was released on January 10, 2020. In it are clear influences both from Europe’s General Data Protection Regulation (GDPR) and California’s CCPA. Like CCPA, the Washington Privacy Act would grant consumers a variety of rights, including the right of access to personal data, the right to deletion, the right to correction, and the right to opt-out. As under the GDPR, the Washington Privacy Act would incorporate data protection assessments to weigh risks associated with processing personal information.

New Hampshire

New Hampshire’s HB 1680-FN (which did not make it through this year’s legislative session before they adjourned) is nearly identical to the CCPA, including its private right of action and consumer rights.

New York

The New York Privacy Act (a version of which was introduced last year but did not ultimately end up passing) was back this year, and like the Washington Privacy Act, also died in the legislature. The New York Privacy Act was similar to CCPA, and in some ways was even bolder. It introduced the concept of a “data fiduciary,” where businesses would be obliged to act “in the best interests of the consumer, without regard to the interest of the entity, controller or data broker.” Controllers would have to exercise duties of care, loyalty, and confidentiality, and would have to ensure that any of their processors would also have to exercise the same duties. While the concept of a data fiduciary is not novel, this is the first time it has been seen in state-level legislation.

Virginia

Like the Washington Privacy Act, the Virginia Privacy Act also died in the legislature early this year. The Virginia Privacy Act combined aspects of the GDPR and CCPA, creating consumer rights of access, correction, deletion, and data portability, among others, along with requiring privacy risk assessments. Virginia’s bill would have allowed for private right of action, unlike Washington’s.

While many of these bills have died in the legislature this year, there is little doubt that similar versions will be reintroduced next year. The time is now to develop a robust privacy program that helps build customer trust and streamline compliance. The move to regulate data privacy shows little signs of slowing down.

How can we help?