Motivated by the GDPR and high profile privacy scandals and data breaches, data privacy and cybersecurity laws are quickly changing in the United States. Without a comprehensive data privacy law at the Federal level, the states are taking data privacy and security regulation into their own hands. Congress is currently considering a number of proposals to create a more uniform standard but it is far from clear whether Congress will ultimately act and, if it does, what that result will look like.
Background
The United States federal government has taken a segmented approach to regulating data privacy and cybersecurity. Data privacy is regulated primarily through a sectoral approach, with separate laws applying to financial institutions, healthcare providers, and educational providers for example, with additional laws applying to areas such as email communications and children’s online privacy. Outside of these segments, federal regulation of data privacy and cybersecurity is primarily accomplished through the Federal Trade Commission’s broad power to prosecute “unfair or deceptive acts or practices.”
Until recently, with some exceptions, the states have generally enacted minimal data privacy and security regulations that often mirror the types of conduct already regulated at the federal level by the Federal Trade Commission. All 50 states have enacted data breach notification statutes requiring organizations to notify individuals and, in certain circumstances, regulators following the discovery of a data breach. Prompted by the comprehensive data privacy regulations contained in the GDPR, and without action by Congress to impose a national standard, the states are taking the lead in protecting their residents’ privacy. For organizations that operate in more than one state or country, this patchwork of regulations is becoming increasingly difficult to navigate.
Recent State Data Privacy Law Changes or Proposals
California
California continues to lead the nation in data privacy regulation after being the first state to require commercial websites to post privacy policies in 2003. California has now become the first state to enact a more comprehensive data privacy law with protections similar, but not identical to, the European Union’s GDPR. Effective 1 January 2020, the California Consumer Privacy Act (the “CCPA”) will require companies that meet certain thresholds to allow California residents to exercise more control over the collection and use of their personal information (which is very broadly defined).
The CCPA will require new disclosures regarding consumer personal information. For example, a business may be required to disclose the purposes for which it collects or sells personal information, the categories of personal information that it collects, the sources from which that information is collected, and the categories of third parties with which the information is shared.
The CCPA grants consumers new rights similar to the GDPR’s data subject rights, including the right to access personal data, the right to opt out of the sale of their personal information, the right to erasure, and the right to data portability. Subject to certain exceptions, the law will prevent a business from charging a consumer who “opts-out” of disclosing personal information a different price, or providing a different quality of service.
The law will also prevent the sale of personal information of a consumer under the age of 16, unless affirmatively authorized through an “opt-in.” For individuals under the age of 13, parental consent will also be required.
The CCPA contains both a private right of action and governmental enforcement mechanisms. Currently the CCPA allows individuals whose information was disclosed or accessed without authorization (e.g. a data breach) to recover either statutory damages of up to $750 per incident or actual damages, whichever is greater. The attorney general enforces the CCPA and can impose civil penalties of up to $7,500 per violation, subject to a 30-day cure period. Recent proposed amendments would, if adopted, expand the private right of action to include claims for any violation of the CCPA, rather than only for claims related to data breaches and would remove the 30-day cure period for suits filed by the attorney general.
Washington
The state of Washington is poised to enact a comprehensive data privacy law with many similarities to the GDPR. The Washington state senate passed the Washington Privacy Act on March 6, 2019, sending the bill to the Washington house for consideration. The Act would adopt the controller and processor terminology familiar to GDPR practitioners. Businesses that meet certain thresholds must provide Washington residents with certain rights in their data, including the rights to access, correct, delete, or move their personal data. Residents can also object to, or restrict, the processing of their personal information.
Businesses must post transparent privacy notices and must conduct risk assessments similar to the data protection impact assessments required under the GDPR. Unlike the CCPA, the Washington Privacy Act would not apply to employment records. Also, unlike the CCPA, the Washington Privacy Act does not allow individuals to sue companies for violations. Rather, the attorney general has the right to enforce the Act and assess penalties after giving violators a 30-day cure period.
Biometric Data Protections
Three states (Illinois (2008), Texas (2009), and Washington (2017)) have enacted laws requiring organizations to obtain a person’s informed consent before collecting their biometric information. Biometric information can include retina or iris scans, fingerprints, voiceprint, or facial scans. The Washington Privacy Act, which has not yet been enacted, would require additional restrictions on facial recognition systems, including the posting of public notices and the use of human review prior to making profiling decisions.
Illinois allows individuals to sue for violations of the law while Texas and Washington do not. A January, 2019 Illinois Supreme Court decision recently validated the broad scope of the private right of action available under Illinois law. Individuals can sue companies that violate the state’s restriction on the collection and biometric data even if they have not suffered any concrete injury beyond the violation of their rights under the Illinois statute. The Illinois law authorizes individuals to recover statutory damages of $1,000 per negligent violation of the law, $5,000 for reckless or intentional violations of the law, or actual damages (whichever is greater), and reasonable attorney fees. Permitting individuals to recover damages for violations of a data privacy law, even without alleging any concrete injury, allows plaintiffs to overcome a significant hurdle often found when seeking damages for privacy violations.
Recent State Cybersecurity Law Changes
Colorado
Colorado recently amended state law to expressly require the protection of personal information. Companies that own or maintain the personal information of Colorado residents must implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, use, or disclosure. The organization must develop and maintain written policies governing the disposal of collected personal information, whether paper or electronic. If the organization discloses information to a third-party service provider, the service provider must agree to maintain reasonable security procedures to protect the disclosed information.
Nebraska recently enacted similar statutes requiring organizations and their third-party vendors to maintain reasonable security procedures to protected personal information.
Massachusetts
All fifty states require organizations to notify impacted individuals and, in some states, the attorney general or other regulators, in the event of a data breach. Effective April 11, 2019, Massachusetts will require organizations involved in a data breach to notify the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation of, among other things, whether the organization had implemented a written information security program. This new provision is important because Massachusetts law has long required all organizations that collect personal data about Massachusetts residents to implement a written information security program designed to avoid data breaches. Organizations that did not implement a written information security program may face increased scrutiny from the Massachusetts regulators when this fact is exposed during the organization’s mandatory post-breach reporting.
California
Effective January 1 2020, California law requires manufacturers of devices capable of connecting to the internet (e.g. the internet of things) to equip the devices with reasonable security features designed to protect against unauthorized access to the device and any information collected by it. If the device is accessible remotely but requires a password, the preprogrammed password should be unique to each device or must require the user to generate a new password before access is granted.
Federal Data Privacy Legislation Under Consideration
As the data privacy and security regulations between the states become more varied, Congress is increasingly discussing the possible enactment of federal data privacy legislation. A number of different pieces of data privacy legislation have been introduced and are under discussion. Legislators appear divided regarding whether a federal law would provide the floor (allowing states to impose additional requirements) or the ceiling (pre-empting all state data privacy laws) for U.S. privacy law protections. Senators like Sen. Diane Feinstein have indicated they would not support legislation that pre-empted state law without providing protections at least as strong as the CCPA.
Some bills, like the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act and the Transparency and Personal Data Control Act would establish an opt-in system in which consumers must provide informed affirmative consent before service providers could collect, use, or disclose their sensitive personal information. Most other proposals, including the Social Media Privacy Protection and Consumer Rights Act of 2018 and the Consumer Data Protection Act, contain some form of an opt-out system, where the consumer can opt-out of the collection, use, or disclosure of certain personal information after certain disclosures are provided.
Generally, the proposals require the FTC to enforce the law and do not provide a private right of action for individuals.
The Social Media Privacy Protection and Consumer Rights Act of 2018 would require notification of a data breach within 72 hours after the breach is discovered, as is currently required under the GDPR. Included within the scope of the data breach would be any use or transfer of data that is inconsistent with the organization’s privacy policy or the consumer’s expressed preferences.
Several bills, including the Consumer Data Protection Act, require covered organizations to undergo periodic privacy audits and report the results. This Act also requires the FTC to create a “do not track list” for internet tracking similar to the “do not call list” currently used for telephone calls. The Act also provides consumer certain rights to access and change their personal information.
Looking Ahead
The legal landscape for data privacy in the U.S. will continue changing. California is likely to continue to amend the CCPA before it goes into effect. If Washington adopts the Washington Privacy Act, there will be at least two models for other states to copy. Federal data privacy legislation is likely to happen at some point, but it is very early to predict when that occurs and what the final legislation will look like.
Liz Harding is a dual-qualified attorney in Colorado and the United Kingdom who counsels clients on data privacy, advertising and technology licensing matters at Polsinelli https://www.polsinelli.com/professionals/eharding