U.S. Data Privacy Law – 2020 Update 

By now, many of you have likely heard of the California Consumer Privacy Act (the “CCPA”).  The law, passed by California’s State Legislature in 2018, became effective on January 1, 2020.  The CCPA gives California residents more control over the personal information that businesses collect about them, granting residents the right to know how businesses use/share their personal information, the right to request that a business delete their collected personal information, and the right to opt-out of the sale of their personal information.  The CCPA borrows many of its provisions from the European Union’s General Data Protection Regulation (“GDPR”).  While many believed that the GDPR (adopted by the EU in 2016) would serve as a catalyst for the United States to enact similar data privacy law, the U.S. has yet to pass, or even seriously consider, any comparably comprehensive data privacy legislation at the national level.  

While several other states have passed data privacy and protection laws since 2018, arguably none have enacted laws as extensive as the CCPA.  However, due to revisions California’s legislature made to the original text of the CCPA, as well as certain language included in the Final CCPA Regulations published by California’s Office of the Attorney General (OAG) earlier this year, many Californians and consumer advocacy groups do not believe the CCPA goes far enough to protect consumers’ personal information.  Thus, on election day this year, California voters approved ballot initiative “Proposition 24,” the California Privacy Rights Act of 2020 (the “CPRA”).  The CPRA gives additional rights to California residents and further limits businesses’ ability to use/sell/share personal information, amending and expanding upon the CCPA.   

Most of the CPRA’s substantive provisions will not become effective until January 1, 2023.  However, businesses may begin preparing for compliance with the CPRA by familiarizing themselves with the following highlights of the new law: 

  1. Applicability – Just because the CCPA was or was not applicable to your business does not mean the same for the CPRA.  For example, the CPRA will cover businesses that buy, sell, or share over 100,000 consumers’ personal information (up from 50,000 under the CCPA), reducing the applicability of the law to small and midsize businesses. 
  2. Enforcement – The CCPA is currently enforced by California’s Office of the Attorney General (OAG).  However, the CPRA establishes the California Privacy Protection Agency, which will have investigative, enforcement, and rulemaking powers instead of the OAG.  The CPRA also removes the 30-day cure period businesses have under the CCPA and increases maximum penalties for violations concerning minors. 
  3. New category of “sensitive personal information” – The CPRA will keep the existing categories of personal information defined in the CCPA, but will add a new category for “sensitive personal information.”  Californians will have increased rights when their sensitive personal information is involved.  
  4. Expanded contractual requirements – The CPRA limits the use of personal information by service providers and contractors and adds contractual requirements regarding relationships between businesses and such third parties.   
  5. Modifying/adding new consumer rights – New rights include the CPRA’s expansion of individuals’ private right of action for certain types of data breaches, and the CPRA requires that covered businesses provide consumers with two or more methods for submitting requests to correct inaccurate personal information. 
  6. Regulates “sharing” in addition to “selling” personal information, to include cross-context behavioral advertising – The CPRA expands upon the CCPA’s limitations on businesses’ “sale” of consumers’ personal information to cover the “sharing” of consumers’ personal information even if such information is not being sold for monetary value.  Specifically, this will regulate “cross-context behavioral advertising,” defined by the CPRA as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”  Businesses that share personal information, including in the cross-context behavioral advertising context, will need to provide an opt-out choice for consumers, such as “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.”    

The above highlights, as well as the other provisions of the CPRA, bring California’s data privacy laws closer to resembling the GDPR.  It will be interesting to see whether other states follow suit in 2021.  While Virginia established a task force to study data privacy issues last General Assembly session, it has not yet passed any data privacy law as comprehensive as the CCPA/CPRA.  The Commonwealth, as well as numerous other states, will likely consider data privacy legislation next year. 

In the meantime, while the effective date of the CPRA may seem far away, California’s OAG continues to publish updates to the CCPA Regulations and to enforce existing law.  For example, while the Final Text of the CCPA Regulations was published in August, the OAG released a fourth set of modifications to the Regulations on December 10, 2020.  The latest modifications include further clarifications on the CCPA, including much-awaited guidance on the “Do Not Sell My Personal Information ‘Button.’”  Thus, businesses still need to regularly review their CCPA compliance while they prepare for the CPRA.  You can find more information on the CCPA, including updates, here: https://www.oag.ca.gov/privacy/ccpa.  Gavin Law Offices will continue to track data privacy-related issues in California, Virginia, and across the U.S. and abroad, and we are here to help you navigate this complex field of law.  

– Courtney Reigel, Esq.

2020 Update: Data Privacy Laws in the United States

After the European Union passed the General Data Protection Regulation (“GDPR”) in 2016, the world watched to see whether the United States would adopt a similar data privacy law at the federal level.  While U.S. lawmakers, the tech industry, and consumer advocates have been working towards a federal data privacy bill, Congress has yet to pass, or even seriously consider, such legislation.  However, a federal law may finally be on the horizon – two data privacy bills have been introduced in the Senate, and a bi-partisan bill is currently being developed by a House committee.  In honor of Data Privacy Day, celebrated internationally on January 28, we explore the current status of data privacy laws in the United States.

In the absence of a comprehensive federal law, numerous states across the U.S. have passed their own data privacy legislation, including, perhaps most notably, California.  The California Consumer Privacy Act of 2018 (“CCPA”) became effective on January 1, 2020, creating new obligations for covered businesses regarding privacy notices and the handling of California consumers’ personal information.  The CCPA only protects Californians’ personal information but may apply to companies that do business in California even if they are not physically located in the state.  Businesses continue to scramble to understand and comply with the CCPA, which is only one of many state and industry-specific laws forming the current patchwork of data privacy laws in the U.S.

However, a federal solution may be on the horizon.  In November 2019, two data privacy bills were introduced in the Senate – the Consumer Online Privacy Rights Act (COPRA) and the United States Consumer Data Privacy Act (CDPA).  The bills share many similarities, including enforcement by the Federal Trade Commission, and would provide individuals with new rights regarding their personal information.  However, COPRA (introduced by Sen. Maria Cantwell, D-Wash.) and the CDPA (introduced by Sen. Roger Wicker, R-Miss.) vary on some important points, leading many to wonder whether either bill could make it through Congress.  For example, COPRA would preempt only state laws that expressly conflict with the Act, leaving state laws that provide additional protection to consumers intact, whereas the CDPA would preempt all state laws regarding data privacy (except for data breach notification provisions), including the CCPA.  COPRA would also allow for an individual private right of action, similar to the CCPA, while the CDPA would not.

Additionally, the House Energy & Commerce Committee recently released an initial draft of a bi-partisan data privacy bill.  Bi-partisan support will be critical for Congress to enact a federal data privacy law, but the initial House bill does little to reconcile the differences between the two introduced Senate bills.  Further, while this federal legislation is pending, numerous states are actively considering data privacy bills themselves.  Specifically, multiple states are in the process of considering data privacy legislation mirroring the CCPA.  In other states, such as Virginia (where the Virginia Privacy Act was introduced earlier this month), representatives have pulled provisions from the CCPA as well as the GDPR to create a more tailored bill for their state legislature to consider.  With many states in their legislative sessions and various federal bills pending, 2020 is already shaping up to be an exciting year for data privacy in the United States.

-Courtney Reigel, Esq.

Patchwork of State Privacy Laws

Earlier this year, we wrote about the European Union’s General Data Protection Regulation (GDPR) and how California was following suit by passing the California Consumer Privacy Act (CCPA). This law will come into effect on January 1, 2020. 

The CCPA protects California residents by providing heightened privacy rights and consumer protection regarding the collection of their personal data online.  While California residents are the protected class, businesses nationwide will be affected by the CCPA.  Any company whose website is accessed by California residents is subject to the requirements of the CCPA.  Potential damages for violation of the CCPA include statutory or actual damages, as well as fines for intentional and unintentional violations; therefore, it is imperative that businesses ensure their websites, privacy policies, and data collection procedures are compliant with the CCPA as soon as possible.

Additionally, a patchwork of states have started drafting and passing privacy laws in the CCPA’s wake. The infographic above shows which states are proposing and passing new legislation.

One of the two states that has officially passed a data privacy law is Nevada.  Although only passed in May of this year, it will be effective a full three months earlier than the CCPA, October 1, 2019.  This law appears narrower than the CCPA, as it specifically addresses a consumer’s right to opt out of the sale of their personal information, while the CCPA covers the whole gamut of an individual’s rights to data.  Additionally, this bill does not include a private right of action, but rather relies on the Attorney General to enforce it. We are not at all shocked that Nevada would be one of the earliest adopters of additional privacy legislation, however. What happens in Vegas, stays in Vegas.

The other early actor is Maine, whose governor signed one of the strictest internet privacy protection bills into law just this month. Maine’s new privacy law, which goes into effect on July 1, 2020, will require internet service providers to seek consent from their consumers before selling or sharing their personal information with any third party.  Critics have attacked this law on various grounds, arguing that the law conflicts with federal laws, the U.S. Constitution’s Interstate Commerce Clause, and even the right of free speech.  Yikes.  We’re interested to see how these challenges will play out in the courts.

Five additional states have proposed legislation.  All of these proposed bills have pros and cons, but we will look into them in more depth as they progress.

  • New York has proposed a broadly worded bill regarding privacy that includes imposing an obligation on companies as a “data fiduciary” and allows for a private right of action. We expect such an aggressive bill to get some pushback, as a fiduciary duty is a very high obligation.
  • Maryland’s proposal incorporates the CCPA’s prohibition on discriminating against those who exercise their individual rights to data access or deletion (which was one of the big changes from the GDPR to the CCPA) and shares many characteristics with the CCPA. This bill does not allow for a private right of action.
  • Massachusetts’ proposed bill allows for a private right of action for consumers who have had their personal information “improperly collected.” It also prohibits discrimination where consumers have exercised their associated privacy rights.
  • Hawaii’s proposed legislation currently has no definition for “business,” which will hopefully be remedied before its passage. It also does not include a private right of action . . . or any penalties for violations.
  • New Mexico’s proposed bill includes many key individual rights addressed in the CCPA, such as the right to access and deletion of personal information.

Additionally, Mississippi, Washington, and Texas all attempted to pass legislation this year that addressed consumer privacy.  While these bills did not make it through the legislatures, these states are participating in active discussions, which is just more inspiration for the remaining states.

A federal law may soon address this developing patchwork of state laws.  As early as November 2018, various House and Senate Committees held hearings and drafted federal legislation regarding consumer data protection. We expect to hear more from Washington D.C. by August 2019, but again, we’ll keep you posted.

– Kat Gavin, Esq.

GDPR update: 1 Year Later

One of the most significant data privacy laws enacted, the European Union’s General Data Protection Regulation (GDPR), brought substantial changes for organizations which are located in the EU or process the personal data of individuals residing in the EU.  In light of the one-year “anniversary” of the GDPR, which came into force a year ago on May 25, 2018, here is a short overview of the current global data privacy law climate, noting some upcoming changes and trends that may impact businesses internationally.

1) Europe – The General Data Protection Regulation (GDPR):

  • The GDPR was designed to harmonize data privacy laws across Europe and give greater rights to individuals residing in the EU in terms of their personal data.  Last year, businesses around the world scrambled to comply with the GDPR, in part due to fines for non-compliance.  While the expected fines have generally yet to materialize (the largest fine for violating the GDPR was issued by France’s regulatory agency against Google for 50 million Euros earlier this year), industry experts note that enforcement of the GDPR is just getting started.  The process of investigating violations and issuing fines can take time, and many EU member states are reportedly struggling to staff their regulatory offices.
  • The GDPR requires certain businesses to appoint a data protection officer, a role new to many organizations, and includes data breach reporting guidelines.  As a result, the International Association of Privacy Professionals (IAPP) reports that over 500,000 organizations have registered data privacy officers in the past year, shedding light on the rapid growth of the privacy profession, due in large part to the GDPR.  Additionally, according to the European Data Protection Board, over 65,000 data breach notifications have been initiated by businesses as a result of the GDPR.  Businesses generally appear to be using the GDPR’s framework to update their data privacy policies and procedures, and to be cooperating with regulators.
  • The GDPR launched a dialogue about data privacy laws around the world, causing countries such as Brazil, China, India, Japan, South Korea, Thailand, and Australia to pass or propose new legislation, or consider changes to existing laws, that would bring their privacy regulations into closer alignment with the GDPR.

2) The United States – The California Consumer Privacy Act (CCPA) & Other State Laws:

  • Currently, the United States has no federal data privacy law as large in scope as the GDPR, but rather a patchwork of state data privacy laws.  Many businesses that were required to comply with the GDPR will also need to comply with the CCPA, California’s new data privacy law, which will come into effect on January 1, 2020.
    • The CCPA applies to businesses that receive personal data from California residents and exceed one of these three thresholds: (1) annual gross revenues of $25 million; (2) obtaining personal information of 50,000 or more California residents, households, or devices annually; or (3) making 50% or more of annual revenue from selling California residents’ personal information.
  • The CCPA is a broad privacy law that expands the definition of “personal information,” and grants additional rights and protections to California residents regarding the use of their personal information by covered businesses.  California residents will be able to request that businesses provide them with information about how their individual personal information is being used, and may request that businesses stop selling their personal information.
  • Covered businesses should ensure that their websites and privacy policies are compliant with the new requirements of the CCPA.  It is important to note that just because a business is GDPR compliant does not mean it will be CCPA compliant.
  • Other states in the U.S. are considering legislation that closely mirrors the CCPA and the GDPR, showing a trend for laws which expand the privacy rights of consumers.  Changes to the CCPA are still occurring – for example, a California bill that would have added a sweeping and unrestricted private right of action for any violation of the CCPA died in an appropriations committee earlier this month.  Also, lobbyists across various industries have been asking Congress to pass a federal data privacy law, which would preempt the new law in California and other states that are trying to follow suit, stating that the patchwork of laws in the U.S. will be too difficult for businesses to follow.

Based on the above, we anticipate that new data privacy laws and changes to existing data privacy laws will continue to emerge.  Frequently, countries’ motivation for passing or updating legislation is to enjoy the privileges of transferring personal information between themselves and the EU under the GDPR.  While many believe the GDPR has not been enforced as zealously as they anticipated, the law has clearly impacted privacy laws on a global scale in its first year.

– Courtney Reigel, Esq.