Dec 24th 2019
Proposed Data Privacy Laws by State: It’s Not Just About California
Following is a brief update on the status of other data
protection laws in the United States.
Federal: U.S. Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., introduced a federal statute, The Online Privacy Act of 2019, H.R. 4978, patterned after the CCPA. The federal bill would establish the same fundamental rights to data privacy contained in the CCPA on a national level. The proposed federal law is an "opt-in" statute and includes a new fundamental right to have a human decision of any automated act. Enforcement would include a new federal administrative agency titled the United States Digital Privacy Agency. More details are available in this quick summary of the bill.
Nevada: Nevada recently amended its data
privacy law in Senate Bill (S.B.) 220 to add an
"opt-out" provision similar to the CCPA. The prior Nevada data
privacy law applied to "operators," who were defined as websites or
online services collecting data for commercial purposes on Nevada residents.
Existing Nevada law already provided for transparency by requiring these
"operators" to disclose to consumers both the nature and scope of the
data that they collect. The recent amendment, S.B. 220, took effect Oct. 1,
2019, and now also requires these "operators" to allow consumers to
prevent the sale of their data to third parties through an "opt-out"
procedure patterned after the CCPA's.
Maine: Maine's new law, Act to Protect the Privacy of Online Customer Information, takes
effect July 1, 2020. This statute was designed to specifically protect the
privacy of broadband internet consumers. Similar to the CCPA, it requires
covered internet service providers to obtain "opt-in" consent from
consumers before using, disclosing, or selling their personal information.
New York: The New York Stop Hacks and Improve Electronic Security Data Act (SHIELD
Act) takes effect on March 21, 2020. The SHIELD law amends the current New York
breach notification statute and increases data security protections. The act
greatly expands the types of protected personal and private information and
data that trigger the New York breach notification legal requirements when
lost. The SHIELD Act also requires data collectors to develop, implement, and
maintain reasonable safeguards to protect the security, confidentiality, and
integrity of the private information. The safeguards mentioned within the act
closely mirror the National Institute of Standards and Technology's Cyber Security Framework. Most noteworthy, however, is the New York law's expansive
application to any person or business that owns or licenses computerized data
that includes private information of New York residents, even if that person or
business does not conduct business in New York. This statute suggests that the
state law applies to any data collector possessing or transacting the data of
New York residents regardless of location.
Proposed legislation pending in other states: Several
other states have proposed data privacy statutes that are pending and awaiting
potential passage. Examples are Massachusetts's S.D. 341, and Maryland's Online Consumer Protection Act, S.B. 613/H.B. 901, both
allowing consumers to "opt out" of the disclosure of their data to
third parties and the right to prevent the sale of their data, similar to the
Kerry Myers, J.D., CFE