The adoption of the General Data Protection Regulation in 2018 and the California Consumer Privacy Act in 2020 has pushed other nation states and U.S. states to prioritize data privacy bills. Many countries are joining the conversation about national or regional privacy standards. If you do business online, new and rapidly evolving state and international legislation will impact you sooner or later. Let’s dive into the latest developments.
International Conversation Proceeds–Without the U.S.
China, Canada, Brazil, and India are taking cues from the GDPR. But they’re also expanding the conversation. They won’t be instituting full-on copycats of the EU legislation. The result will be a vast expansion of protections for personal data and a rapidly changing (maybe expensive) environment for companies to navigate.
Meanwhile, the U.S. remains deadlocked on a federal standard, effectively counting the country out from the international conversation. The result for the U.S. is a patchwork of state laws. A lack of a national consensus effectively means that the United States will have little influence on international norms.
What Is Happening Stateside?
California, Nevada, and Maine have all enacted data privacy laws in the last few years. Five other states are currently considering new legislation similar to CCPA. And at least five additional states have assembled task forces to study the issue.
The International Association of Privacy Professionals (IAPP) has compiled a comprehensive tracker that captures what each state is considering in terms of data privacy bills. It includes both active bills and past bills, with the text of all the bills linked for review.
Themes in States’ Bills
IAPP has identified sixteen common privacy provisions in two main categories: consumer rights and business obligations.
The bills that have become law in California are focused heavily on consumer rights, while Maine and Nevada split their requirements between consumer rights and business obligations, with their bills being significantly less comprehensive than either California law.
The provisions by type:
- Right of Access
- Right of Rectification
- Right of Deletion
- Right of Restriction
- Right of Portability
- Right of Opt-Out
- Right Against Automated Decision Making
- Private Right of Action
- Strict Age Opt-in for Prohibition of Sale of Information
- Notice/Transparency Requirement
- Data Breach Notification
- Risk Assessments
- Prohibition on Discrimination (exercising rights)
- Purpose Limitation
- Processing Limitations
- Fiduciary Duty
The right of opt-out and notice/transparency requirement are present in every state bill that has become law.
The prohibition on discrimination is law in three of four states with comprehensive bills.
Both California and Maine require the right of restriction.
In February 2021, the Oklahoma House of Representatives Committee on Technology voted to advance a bipartisan bill that requires opt-in consent for the collection and sale of data. It has provisions comparable to the CCPA.
Popular Consumer Rights Provisions
The most popular consumer rights provisions considered by states are right of access (31 bills included); right of deletion (27 bills); and right of opt-out (35 bills).
How do these provisions aim to protect consumers and how can you become compliant?
Right of Opt-Out
Right of opt-out enables consumers to tell a business not to sell their personal information to a third party. In California, this provision applies to consumers age 16 or older. A “Do Not Sell My Personal Information” logo or link must appear on homepages of websites operating in states that have the law.
Right of Deletion
Right of deletion is an individual’s right to have their personal data deleted by a business or other organization possessing or controlling that data. Under GDPR, individuals can request deletion of information that came from any source, whether it was obtained directly from the individual or from a third party. State laws are similar but vary by jurisdiction. Deletion requests can be very challenging and require structured data and organized storage.
Right of Access
Right of access is the right to request and receive personal data from a business or organization. Data controllers need to be prepared to receive and process these requests. Here’s some advice on how to handle right of access under GDPR.
Popular Business Obligation Provisions
The most popular business obligation provisions considered by states are notice/transparency requirement (34 bills included); strict age opt-in for prohibition of sale of information (17 bills); and prohibition on discrimination (27 bills).
So what are these commonly included provisions and what could they mean for your business?
The notice/transparency requirement typically requires a privacy notice that is easily accessible with clear, concise, plain language.
Strict Age Opt-In for Sale of Information
Sale of information as defined by CCPA includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
Like California, many states are considering an age minimum for allowing consumers to opt in to having their information “sold.” While Virginia’s current bill sets this age at 13, most states have matched California at age 16.
Prohibition on Discrimination
Prohibition on discrimination (exercising rights) prohibits operators from discriminating against or penalizing any customer who elects to opt out of the disclosure of their personal information.
How Do We Do Business In This Environment?
Operating in the online space is becoming increasingly complicated. Disparate, overlapping, and contradictory state and international privacy laws require adequate staff or excellent consultants to stay on top of new developments.
Larger companies like Facebook, Twitter, and Airbnb have recently opened new positions on their teams to monitor data privacy developments in the Asia-Pacific region. It’s a serious issue that deserves serious attention.
Use the tracker provided by IAPP to monitor the privacy legislation in your state and the states where you do business. The U.S. conversation around privacy laws is very much ongoing and needs more voices as we sort out the best way to protect citizens while still doing business.