Three Important Things Businesses Need to Know About the New Privacy Law Updates
If you’ve kept up with privacy news, you know that five states have recently signed privacy bills into law, and several more states have bills actively proposed in their state legislature committees.
If you haven’t kept up with the privacy news, we don’t blame you. It’s a lot of information and it’s hard to know whether it affects you or not and if so, in what ways.
That’s why we’ve broken it down for you in this blog post.
Which states have passed privacy legislation, and what do the bills include?
The following states have passed legislation and signed privacy bills into law, imposing the following requirements on businesses:
Opt-in default (requirement age): Businesses are required to respect the consumer's right to opt out of the sale of their personal information. For consumers under 13 or 16, depending on the bill, their data cannot be sold under any circumstances.
Prohibition on discrimination (exercising rights): Businesses cannot use data collection to prevent a person from exercising their data rights or to discriminate against individuals.
Risk assessments: Businesses must perform a risk assessment of data collection and use.
Purpose/processing limitation: Data may only be collected and processed for the use described at the time of collection, plus any legally valid additional uses required for the business to perform its intended function.
The states and their respective bills are as follows:
Colorado: SB 190 goes into effect January 2023.
Connecticut: SB 6 goes into effect January 2023.
Virginia: SB 1392 goes into effect January 2023.
Utah: SB 227 goes into effect December 2023.
The Utah bill doesn't require risk assessments or purpose/processing limitations, but it does implement the other three requirements above.
California: CCPA has been in effect since January 20, 2022.
The voter-passed ballot measure, Proposition 24 (the CPRA), goes into effect January 2023, with enforcement beginning July 2023.
The first of Prop. 24's two major impacts is that it adds two consumer rights to the six the CCPA already established, and it extends the definition of personal information covered by the CCPA/CPRA to include an additional level of protected information called Sensitive Personal Information (SPI). These requirements do not apply to all businesses, only to those meeting a threshold set in the CCPA.
The second major impact of Prop. 24 is that it establishes an enforcement agency for the CCPA, the CPPA. The CPPA allows individual complaints to trigger enforcement actions. (No other U.S. state allows a private right of action.)
Colorado, Connecticut, Virginia and Utah all limit enforcement of their bills to the state attorney general. Unlike in California, there is no individual enforcement mechanism (i.e., a person whose data was abused cannot submit a complaint to trigger an investigation).
The following states have bills active in their state legislature committees but not yet passed: Massachusetts, Michigan, New Jersey, North Carolina, Ohio, and Pennsylvania.
Massachusetts has the most restrictive of the proposed laws.
New Jersey and Pennsylvania each currently have multiple bills in committee that together would implement a very strong right to data privacy in those states.
Are there any national privacy laws?
The only official national law covering data privacy directly is COPPA (passed in 1998), which restricts collecting data on children under 13. HIPAA and GLBA both restrict data usage and disclosure in some cases, but rarely with a focus on data privacy, and both are very narrow in the data they cover. GLBA does require notification when protected data is sold, but there is no restriction once the notification is provided.
The U.S. House Energy and Commerce Committee recently amended and passed HR 8152, the American Data Privacy and Protection Act (ADPPA). This act is a strong national privacy law that, as currently drafted, would implement many of the consumer rights listed above as well as a required framework for private data management. The law still needs to be brought to a vote and passed by both houses of Congress, but this is certainly the closest the federal government has come to passing a holistic privacy bill in a long time.
What is the risk and impact for businesses associated with the passage of these state laws?
The biggest risk associated with the passed and proposed laws is that they are all different in what data they protect, how they protect that data, who they apply to, how they enforce failure to comply, and how they apply to businesses located elsewhere but operating in the state.
Three important things organizations need to know as a result of these bills passing:
The laws only apply to residents of the respective states and do not impact businesses located in the state interacting with residents of other states.
The location of a business doesn’t determine whether it needs to comply with a given state’s privacy laws; all of the laws are centered on the consumer. This also applies to remote employees, third-party service providers, and any other out-of-state persons whose data a company may possess.
This is the direction that data privacy is moving, and other states will soon follow suit.
With nearly every state as well as federal regulation moving in the direction of further regulating data privacy, it may serve businesses well to consider whether it makes sense to continually track all of the states they interact with and whether they are in compliance with each state’s respective privacy requirements.
Businesses may find it more efficient to instead treat the recently passed bills as a marker of where data privacy is going and put processes in place to comply broadly with all of the data requirements to which a business may be subject.
With more efficient processes in place, organizations then only need to watch for an outlying law that breaks the pattern most of these laws have followed.
Businesses should start changing their operating procedures accordingly in response to the passed and proposed bills.
We recommend the following steps as you go through this process:
Start by figuring out what data you store, where you store it, and why you store it. An accurate assessment of what data your company stores, where you get it from, and why you need it is essential for responding properly to the incoming laws and for judging how quickly you need to reach compliance.
Determine your legal purpose for processing data and the legal limitations on sharing it. Establish your company’s legal basis for processing and storing the data and the legal requirements for sharing it, and ensure that your company is only using and sharing data in ways that are legally allowed. Knowing why you gather information, what you're supposed to do with it, and who you are permitted to share it with is crucial.
Create a roadmap and priority order of what controls or remediations need to be addressed first. A few factors that may affect your roadmap include which controls and requirements are public-facing and which laws will be enforced the soonest. Enforcement for the majority of these laws begins in July of 2023.
If your organization needs support with knowing what privacy laws you need to be in compliance with and ensuring that you are meeting all of the privacy requirements, please contact us on our website or reach out to our privacy expert, Alyssa Ahmann, at firstname.lastname@example.org.