Navigating the Privacy Law Mess in the U.S.A.
2020 and 2021, especially with COVID-19 monitoring, are likely to bring an avalanche of privacy legislation in the U.S. In the absence of comprehensive federal legislation, individual states pass their own laws. For businesses operating in multiple states, this is a problem because different jurisdictions force them to comply with various (and sometimes conflicting) sets of privacy acts. Arguably, one solution is to identify the state with the strictest privacy laws and comply with those. Unfortunately, with more than 50 evolving landscapes and state legislatures convening on different schedules, focusing on the strictest privacy law will yield a static and inaccurate answer. And, with certain federal laws governing privacy matters in targeted industries, a focus on state laws alone will create gaps in compliance.
A better solution for businesses to track privacy laws is to have an attorney conduct and provide an annual trifurcated analysis: (1) Federal Privacy Laws; (2) Notable State Privacy Laws; and (3) Floating Privacy Issues. For those mumbling “trifurcated?!?” – it’s a word. Here is a simplistic example:
A. Federal Privacy Laws
FTC Regs & Fines: The Federal Trade Commission is the de facto enforcement agency for entities that engage in deceptive or unfair practices against consumers, including privacy practices. See the Code of Federal Regulations for potential fines and Section 5 of the FTC Act for regulations on security and privacy.
Gramm-Leach-Bliley: For financial institutions, the FTC has a step-by-step compliance guide pertaining to the privacy rule.
PCI-DSS: The Payment Card Industry Data Security Standard (a contractual industry standard rather than a federal statute) is available online, with several guides and updates, again with step-by-step compliance manuals and resources.
HIPAA/FERPA/COPPA: All industry-specific, but .gov and .org sites or individual law firms can provide materials with relevant privacy information specific to individual businesses.
B. Notable State Privacy Laws
All States: All 50 states have data breach notification laws. In the event of a data breach, see the National Conference of State Legislatures Quick Reference Guide for statutory references by state to find reporting deadlines and definitions of “breach.”
California: The California Consumer Privacy Act (CCPA) protects consumers (CA residents) and requires companies that gather personal information to provide and annually update an Online Data Privacy Notice and/or paper notice (depending on how the information is collected) that has 6 elements: (1) a description of a consumer's privacy rights; (2) a list of the categories of personal data collected; (3) a list of the categories of personal data it has sold/disclosed, or a statement that none has been sold/disclosed; (4) instructions on the consumer's privacy rights and how to exercise them (opt out/delete the info/access the info/correct the info); (5) the types of entities with whom the data was shared; and (6) the business purpose for which the private data will be used. Consumers have "The Right to Know" and may request what data is being collected about them. A business must delete a consumer's private information (PI) upon request. This is referred to as "The Right to Delete." Companies cannot discriminate against consumers exercising their privacy rights, and consumers can sue for damages related to a data breach.
Illinois: The Illinois Biometric Information Privacy Act (BIPA) imposes requirements on businesses that collect or keep biometric info such as facial scans or fingerprints. To comply, businesses must obtain written consent from individuals before collecting their biometric data, must disclose their policies on use and retention, and must securely destroy the data after a defined period. Several other states have copied BIPA, but what makes IL’s BIPA so interesting and scary is that the Illinois Supreme Court and the U.S. Court of Appeals for the 9th Circuit have held that individuals may sue businesses for BIPA violations without evidence of actual financial damages. For negligent violations, individuals can recover the greater of $1,000 or their actual losses. For reckless violations, the award is up to $5,000.
Maine: Directed at broadband internet service providers and effective July 1, 2020, Maine’s Act To Protect the Privacy of Online Customer Information prohibits these ISPs from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. Further, the Act prohibits a provider from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount based on whether the customer consents to such use of his/her PI. Maine’s definition of “customer personal information” includes traditional PII as well as browsing history, location, IP address, communications, etc. derived from web traffic. Exceptions to the Act are affirmative consumer consent, as well as information services necessary for handling emergencies, collecting payment, or fraud protection. The Act also requires providers to take reasonable security measures.
Nevada: The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) requires “operators” of Internet websites and online services to follow a consumer’s direction not to sell his or her personal data if the website can verify the authenticity of the request/consumer using reasonable means. “Operators” subject to the NPICICA are owners or operators of commercial websites that (1) collect and maintain “Covered Information” from consumers who reside in Nevada; and (2) engage in activities that establish a sufficient nexus with the State (targeting activities towards Nevada residents/businesses). The NPICICA requires the website to comply with consumer requests within 60 days (optional 30-day extension). There is no consumer right of access, right to delete, or right against discrimination. There is also no private right of action for consumers. The Nevada Attorney General’s Office can seek an injunction or impose civil penalties against violators.
New York: The Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") requires businesses collecting PII on New Yorkers to institute certain cybersecurity protections, with exceptions for small businesses of fewer than 50 employees, less than $3 million in gross revenues in each of the last three (3) fiscal years, or less than $5 million in year-end total assets (with further exceptions for businesses subject to GLB and HIPAA). To comply with the SHIELD Act, a business must implement administrative, technical, and physical safeguards to protect PII. Specifically, a company must implement a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal. The definition of “Private Information” (NY’s PII) was significantly expanded to include biometric information; a username/email address in combination with a password or security questions and answers; and an account number or credit/debit card number, access code, or password (under certain circumstances).
Oregon: Not a privacy law per se, but rather a notable expansion of the breach notification law to include “vendors,” defined as an entity contracted “to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.” The “vendor” must notify Oregon’s Attorney General of breaches affecting more than 250 Oregon consumers (or where the number affected cannot be determined). An exception exists when the covered entity has already provided notification. Vendors must notify their business customers within 10 days of a breach. The definition of personal information was also expanded to include usernames when combined with authentication factors.
Texas: Initially intended to be far more comprehensive per state legislative filings, the Texas Privacy Protection Act was whittled down into 2 parts: (1) updated notification requirements to the Texas Identity Theft Enforcement and Protection Act (breaches must be reported within 60 days, and the Texas Attorney General must be notified if more than 250 Texas residents are affected); and (2) the creation of the Texas Privacy Protection Advisory Council. The Council will consist of 15 members appointed by the legislature and is tasked with studying the data and privacy needs of Texas residents and making recommendations to the legislature in 2021. The establishment of similar councils in other states is expected.
C. Floating Privacy Issues
U.S. House/Senate bills (example: multiple previous bills submitted to create a federal “Data Protection Agency” or similar entity).
State legislative bills for new laws.
Bulletins/guidelines from the Department of Health and Human Services (HIPAA), SEC, FTC, CISA, etc. on upcoming changes or announcements of new interpretations of existing laws.