Move Aside, CCPA?

It’s been about 2 months since we have posted about data privacy, and with the speed in which this ever-changing topic moves, that is far overdue. This article will highlight some of the latest developments in data privacy, including the scope of the legislation in Maine, Nevada, and New York, and how companies can control the chaos that is data privacy.   

The Era of Data Privacy

With 11 states passing legislation related to consumer notifications of data breaches that involve personal data, the Cambridge Analytica scandal that erupted in March, and the first comprehensive regulation was passed in the U.S. by California (CCPA) in late June, 2018 was truly the beginning of the era of data privacy. Following a fast start to an area full of uncertainty, ambiguity and a whole new set of business risks, progress has not stopped in 2019. Washington State nearly passed legislation, Nevada has new laws as of May 29th that go into effect October 1st, 2019, Maine passed their own legislation on June 6th and behind the scenes, New York is working on passing one of the strictest laws proposed to-date. There are a myriad of other states working on similar legislation, and the International Association of Privacy Professionals (IAPP) has a great table tracking the progress of data privacy rights across the country:

https://iapp.org/news/a/us-state-comprehensive-privacy-law-comparison/

Nevada and Maine

Taking a deeper dive into the most imminent laws, Nevada and Maine, both state takes a different approach adding to the patchwork for state laws. As can be surmised from the table above, Nevada’s law doesn’t have nearly the scope as other states. The core requirements allow consumers to opt out of the sale of data, require disclosures about personal data, and implement a data breach notification clause. The Nevada law is going live later this year, many merchants will have to quickly solve for the “opt-out” requirement, as well as update privacy policies and have a breach notification strategy. Maine includes the same provisions but also has restrictions on the processing of consumer data. This legislature proposes an “opt-in” model for the selling of personal data, and includes a non-discrimination clause similar to CCPA. This law goes into effect July 1, 2020, the same time it is expected CCPA will start being enforced.

The New York Privacy Act (NYPA)

On the heels of CCPA there have been many states proposing their own twist on data privacy legislation, but none as ­­­­­­intimidating as the New York Privacy Act (NYPA). NYPA is very similar to CCPA (if you need a refresher on CCPA, take a look at our data privacy whitepaper: https://www.wcapra.com/whitepaper-data-privacy/, but when analyzing the key differences it is actually more strict.. Most importantly, depending on if, and when, this legislation passes, it’s possible that it will be enforced even before CCPA is enforced. For merchants making plans to comply with CCPA, it’s time to start evaluating the impacts of NYPA and thinking about fast tracking your data privacy project.

While NY is among many other laws still going through the legislative process, I wanted to highlight it because it is most strict law proposed of any state, applies to any company that has PI data, and goes into effect 180 days after signing, meaning it could potentially jump ahead of CCPA depending on how quickly the NY legislature moves. NYPA shares the majority of qualities found in CCPA but also includes numerous new rights and requirements:

  • Consumer right to opt out of the processing of personal data
  • Consumer right to rectify incorrect information
  • Requires human review of automated processing of personal data
  • Requires business to act as data “fiduciaries”
  • Consumer right to file personal law suits against companies directly

The most significant clause is the threat of personal lawsuit, NYPA allows  “Any person who has been injured by reason of a violation of this article may bring an action in his or her own name to enjoin such unlawful act, or to recover his or her actual damages, or both such actions” (NYPA). The individual right to sue will surely become a headache for large companies that will be flooded with privacy lawsuits.

Preparing to Comply with Regulations

              Does your organization have the budget, adequate resourcing, and expertise to adhere to the constant stream of new data privacy requirements? Are you assessing the impact of upcoming legislative requirements against your inflight projects? Scoping and building requirements for data privacy is a project in itself, and that project is growing every day with the addition of new legislature. The short lead-time before the laws to go into effect means data privacy must be high on the priority list. For businesses that haven’t started paying attention to data privacy, the time to start is now, before you are too far behind to keep up with the changing data privacy regulation landscape.

For further discussion around data privacy including how to ensure compliance with the various state laws, contact Danny Omiliak at domiliak@wcapra.com.