The last few years have seen a significant shift in privacy—and the next few years are guaranteed to see more efforts on that front.
- The European Union’s General Data Protection Regulation (GDPR) kicked things off in May 2018 with a global reach to protect EU citizens’ data.
- The California Consumer Privacy Act (CCPA) is set to go into effect on January 1, 2020.
- Nevada’s new privacy law went live on October 1, 2019.
- At least fifteen other states considered new privacy legislation in 2019.
As previously discussed, California has set the bar high with several specific requirements for businesses. Many states modeled their legislative attempts after the CCPA, while others chose to follow the lead of GDPR.
In either case, trends have emerged that are likely to be prominent as states move forward. It behooves companies, organizations, and other private sector entities to start preparing for the future now.
What are the trends?
The primary goal of states’ legislative efforts is to give consumers control over their own information. Businesses have been collecting data on consumers through a variety of means for several decades with practically no rules for how they safeguard, use, or distribute that information. The individual has had no say in how their personal information spreads across web and makes its way into the hands of unscrupulous and malicious people. States are finally attempting to empower consumers with rights to control their own information.
The definition of personal information is clearly expanding. Whereas, it used to be name, social security number, address, and other basic information to identify a person, many states are now broadening it to include less obvious indicators, such as IP addresses, biometric data, internet activity, etc.
One key element of giving consumers control over their information is the right to opt out. The individual must have the ability to tell an organization that they do not allow their information to be distributed. State legislators are defining distribution more broadly. For example, under the California law, “selling” is defined as selling, renting, releasing, disclosing, trading for monetary or other valuable consideration, disseminating, making available, transferring and, lastly, communicating orally, in writing, or electronically. Other states define may define it differently, but the trend is present across most states.
The last emerging trend is the private right to action. Several states are permitting the individual to skip the bureaucracy of consumer agencies and take a business straight to court when a violation of their privacy has occurred. State attorneys general and other offices are unable to handle the workload, so in most cases, the states are skipping the middleman. As one might imagine, class action attorneys are salivating at the idea.
It is also worth noting that state privacy laws are reaching across borders. Businesses with data on California consumers, for example, are obliged to comply even if they are in Florida. The same will apply for other states.
While the specifics may vary, the general direction is clear. States are taking control of privacy matters from businesses and putting them back into the hands of consumers. Now is the time to prepare for these changes whether they get voted into law in 2020 or beyond.