Patchwork of State Privacy Laws

Earlier this year, we wrote about the European Union’s General Data Protection Regulation (GDPR) and how California was following suit by passing the California Consumer Privacy Act (CCPA). This law will come into effect on January 1, 2020. 

The CCPA protects California residents by providing heightened privacy rights and consumer protection regarding the collection of their personal data online.  While California residents are the protected class, businesses nationwide will be affected by the CCPA.  Any company whose website is accessed by California residents is subject to the requirements of the CCPA.  Potential damages for violation of the CCPA include statutory or actual damages, as well as fines for intentional and unintentional violations; therefore, it is imperative that businesses ensure their websites, privacy policies, and data collection procedures are compliant with the CCPA as soon as possible.

Additionally, a patchwork of states have started drafting and passing privacy laws in the CCPA’s wake. The infographic above shows which states are proposing and passing new legislation.

One of the two states that has officially passed a data privacy law is Nevada.  Although only passed in May of this year, it will be effective a full three months earlier than the CCPA, October 1, 2019.  This law appears narrower than the CCPA, as it specifically addresses a consumer’s right to opt out of the sale of their personal information, while the CCPA covers the whole gamut of an individual’s rights to data.  Additionally, this bill does not include a private right of action, but rather relies on the Attorney General to enforce it. We are not at all shocked that Nevada would be one of the earliest adopters of additional privacy legislation, however. What happens in Vegas, stays in Vegas.

The other early actor is Maine, whose governor signed one of the strictest internet privacy protection bills into law just this month. Maine’s new privacy law, which goes into effect on July 1, 2020, will require internet service providers to seek consent from their consumers before selling or sharing their personal information with any third party.  Critics have attacked this law on various grounds, arguing that the law conflicts with federal laws, the U.S. Constitution’s Interstate Commerce Clause, and even the right of free speech.  Yikes.  We’re interested to see how these challenges will play out in the courts.

Five additional states have proposed legislation.  All of these proposed bills have pros and cons, but we will look into them in more depth as they progress.

  • New York has proposed a broadly worded bill regarding privacy that includes imposing an obligation on companies as a “data fiduciary” and allows for a private right of action. We expect such an aggressive bill to get some pushback, as a fiduciary duty is a very high obligation.
  • Maryland’s proposal incorporates the CCPA’s prohibition on discriminating against those who exercise their individual rights to data access or deletion (which was one of the big changes from the GDPR to the CCPA) and shares many characteristics with the CCPA. This bill does not allow for a private right of action.
  • Massachusetts’ proposed bill allows for a private right of action for consumers who have had their personal information “improperly collected.” It also prohibits discrimination where consumers have exercised their associated privacy rights.
  • Hawaii’s proposed legislation currently has no definition for “business,” which will hopefully be remedied before its passage. It also does not include a private right of action . . . or any penalties for violations.
  • New Mexico’s proposed bill includes many key individual rights addressed in the CCPA, such as the right to access and deletion of personal information.

Additionally, Mississippi, Washington, and Texas all attempted to pass legislation this year that addressed consumer privacy.  While these bills did not make it through the legislatures, these states are participating in active discussions, which is just more inspiration for the remaining states.

A federal law may soon address this developing patchwork of state laws.  As early as November 2018, various House and Senate Committees held hearings and drafted federal legislation regarding consumer data protection. We expect to hear more from Washington D.C. by August 2019, but again, we’ll keep you posted.

– Kat Gavin, Esq.

GDPR update: 1 Year Later

One of the most significant data privacy laws enacted, the European Union’s General Data Protection Regulation (GDPR), brought substantial changes for organizations that are located in the EU or process the personal data of individuals residing in the EU.  In light of the one-year “anniversary” of the GDPR, which came into force on May 25, 2018, here is a short overview of the current global data privacy law climate and some upcoming changes and trends that may impact businesses internationally.

1) Europe – The General Data Protection Regulation (GDPR):

  • The GDPR was designed to harmonize data privacy laws across Europe and give greater rights to individuals residing in the EU in terms of their personal data.  Last year, businesses around the world scrambled to comply with the GDPR, in part due to fines for non-compliance.  While the expected fines have generally yet to materialize (the largest fine for violating the GDPR was issued by France’s regulatory agency against Google for 50 million Euros earlier this year), industry experts note that enforcement of the GDPR is just getting started.  The process of investigating violations and issuing fines can take time, and many EU member states are reportedly struggling to staff their regulatory offices.
  • The GDPR requires certain businesses to appoint a data protection officer, a role new to many organizations, and includes data breach reporting guidelines.  As a result, the International Association of Privacy Professionals (IAPP) reports that over 500,000 organizations have registered data privacy officers in the past year, shedding light on the rapid growth of the privacy profession, due largely to the GDPR.  Additionally, according to the European Data Protection Board, over 65,000 data breach notifications have been initiated by businesses as a result of the GDPR.  Businesses generally appear to be using the GDPR’s framework to update their data privacy policies and procedures, and to be cooperating with regulators.
  • The GDPR launched a dialogue about data privacy laws around the world, causing countries such as Brazil, China, India, Japan, South Korea, Thailand, and Australia to pass or propose new legislation, or consider changes to existing laws, that would bring their privacy regulations into closer alignment with the GDPR.

2) The United States – The California Consumer Privacy Act (CCPA) & Other State Laws:

  • Currently, the United States has no federal data privacy law as large in scope as the GDPR, but rather a patchwork of state data privacy laws.  Many businesses that were required to comply with the GDPR will also need to comply with the CCPA, California’s new data privacy law, which will come into effect on January 1, 2020.
    • The CCPA applies to businesses that receive personal data from California residents and exceed one of these three thresholds: (1) annual gross revenues of $25 million; (2) obtaining personal information of 50,000 or more California residents, households, or devices annually; or (3) making 50% or more of annual revenue from selling California residents’ personal information.
  • The CCPA is a broad privacy law that expands the definition of “personal information,” and grants additional rights and protections to California residents regarding the use of their personal information by covered businesses.  California residents will be able to request that businesses provide them with information about how their individual personal information is being used, and may request that businesses stop selling their personal information.
  • Covered businesses should ensure that their websites and privacy policies are compliant with the new requirements of the CCPA.  It is important to note that just because a business is GDPR compliant does not mean it will be CCPA compliant.
  • Other states in the U.S. are considering legislation that closely mirrors the CCPA and the GDPR, showing a trend for laws which expand the privacy rights of consumers.  Changes to the CCPA are still occurring – for example, a California bill that would have added a sweeping and unrestricted private right of action for any violation of the CCPA died in an appropriations committee earlier this month.  Also, lobbyists across various industries have been asking Congress to pass a federal data privacy law, which would preempt the new law in California and other states that are trying to follow suit, stating that the patchwork of laws in the U.S. will be too difficult for businesses to follow.

Based on the above, we anticipate that new data privacy laws and changes to existing data privacy laws will continue to emerge.  Frequently, countries’ motivation for passing or updating legislation is to enjoy the privileges of transferring personal information between themselves and the EU under the GDPR.  While many believe the GDPR has not been enforced as zealously as they anticipated, the law has clearly impacted privacy laws on a global scale in its first year.

– Courtney Reigel, Esq.

Data Privacy

For businesses, data privacy and protection have become an important aspect of everyday operations.  Data breaches, such as those seen in the news at large companies including Target and Equifax, can result in costly regulatory compliance requirements and damage to a brand’s reputation.  Businesses that wish to adopt data protection “best practices” need to be aware of the software their company uses and how that software could contribute to a disaster such as a data breach.  A lack of proper policies and procedures governing the use and maintenance of software products can lead to serious consequences down the line.

First, what is Open Source Software?

Open Source Software is the byproduct of a movement in the software development community that wants software development to be an open and collaborative process.  Anyone can access and edit the source code for open source software—source code is the text used by software developers to create and edit a program.  Most commercial software products (or “proprietary software”) do not allow users to access or edit the software’s source code.  Consumers that purchase a proprietary software product are usually required to sign or electronically “accept” a license stating that they will not copy, edit, or perform any other restricted actions to the software.  For example, think of purchasing Microsoft Office (a proprietary software product), and the long list of restrictions in the license a user must accept in order to use the program.  In contrast, open source software products usually have less restrictive licenses, and many open source software programs are free to use.

Open source software is usually free? That sounds great!

Open source software does have many benefits: it is often free to download, users can modify the software to fit their particular needs, and an extensive community of developers works on open source software programs.  Many people use open source software without even knowing it, including popular programs such as WordPress and Mozilla Firefox.  The open source community works to monitor for hackers and attempts to quickly fix and update open source software programs, but even this is not enough to mitigate all threats.

So, there are risks associated with using Open Source Software? 

Yes.  A misconception exists that, since open source software is usually free, there are no strings attached to using such software.  In reality, open source software requires quite a bit of maintenance.

  • Users need to monitor for announcements about security-related issues or updates to their open source software products.  Open source software users who do not understand this responsibility, or who ignore notices and updates, make themselves vulnerable to hackers.
  • Because of the open and collaborative nature of open source software, the source code is available to the public.  This means that hackers can study the code and attempt to introduce malicious changes, or a well-meaning developer can make a mistake for a hacker to exploit.
  • Users need to understand the open source software’s licenses and comply with any requirements.  Failing to comply with an open source license can result in a lawsuit.
  • Open source software typically does not offer warranties or indemnification; any legal risk associated with using the open source software product falls back on the user.

Are there any examples of open source software leading to a data privacy or security issue? 

Yes.  A hacker can wreak havoc regardless of the type of software.  The significant difference is that a company using open source software is responsible for vigilantly checking for any issues with the software and making fixes itself, whereas a company using proprietary software has access to the vendor’s customer support and security updates.  Equifax’s historic 2017 data breach was traced back to a vulnerability in open source software it used.  Equifax saw the notice about the software’s vulnerability and information about how to fix it, but left the problem unresolved for too long.  Hackers noticed the open source software had not been updated and took advantage of this vulnerability to access the personal information (including social security numbers and addresses) of over 150 million U.S. citizens.

What can be done to mitigate the risks of using open source software?

Open source software can be a great resource for businesses, but it needs to be used properly.  Hiring employees who understand all the requirements and risks associated with using open source software can be expensive, but a lawsuit or a security issue like a data breach could be even more costly.  Businesses that use open source software should have policies and procedures that require all open source software usage to be tracked, all notices and updates to be monitored, any relevant changes or updates to be made correctly and quickly, and all license requirements to be complied with.  At Gavin Law, our attorneys can help users understand licenses and license requirements as well as draft these crucial policies and procedures for employees.