Over a year has passed since the EU’s data privacy law, the General Data Protection Regulation (GDPR), was enacted. Unlike the European Union, the United States has declined to take a federal stance on the subject of data privacy and has left the matter up to individual states to decide. From a business standpoint, it would be easier if there were a federal statute like GDPR that applied across the board. For now, however, companies must comply with differing state data privacy laws—where they exist—which can make compliance confusing and burdensome.
Some companies are taking the introduction of state-specific data privacy laws as an opportunity to apply the same standards for customers across all fifty states. Other companies will take a decidedly more piecemeal approach, becoming compliant only when new laws are passed. The following states have either considered or effectively passed data privacy laws, and it is likely that more states will follow.
California data privacy law
As the world’s fifth-largest economy, California has a long history of leading the nation in protecting its citizens—even amending the state constitution to guarantee a right to privacy. Recently, the state has taken an extra step in protecting its residents by enacting the California Consumer Protection Act (CCPA). This new law comes into effect on January 1, 2020, but there will be a grace period of six months before the CA Attorney General starts enforcing it.
Nevada online privacy
Nevada’s online privacy law quietly went into effect on October 1, 2019. Nevada’s law focuses more on allowing consumers to prevent the sale of their personal information to third parties. While its opt-out provision is narrower than the CCPA, the Nevada law impacts a wider range of businesses. Only one of the following criteria needs to be met: The business owns or operates an Internet website for commercial purposes that 1) collects personal data from Nevada consumers, or 2) positions itself to do business in Nevada.
Washington online data regulation
Washington also passed a law regulating online data but failed to pass its privacy bill. The online data regulations will allow consumers to know what data companies are gathering about them. Similar to the CCPA and the GDPR, state citizens can also submit requests for data deletion. The failed privacy bill had contentious parts regarding a ban on facial recognition technology and failed to provide individual rights to sue in civil court.
New York data breach reporting
New York attempted to pass a data privacy law that was going to be more stringent than the CCPA, but the New York Privacy Act (NYPA) failed in the state Assembly. That said, NY Governor Andrew Cuomo did sign into law two pieces of legislation that expand the state’s current data breach reporting law. The Stop Hacks and Improve Electronic Data Security Act (“SHIELD”) and the Identity Theft Protection and Mitigation Services Act jointly broaden the scope of personal information covered by the state’s data privacy laws and impose stricter security measures.
This is likely just the first wave of consumer data privacy laws that we will see enacted in the coming years.