Privacy Legislation Watch – the flurry of privacy legislation in 2019 has been intense. Eighteen states, as well as Puerto Rico, made efforts to strengthen privacy for individuals. Some met with success, others are mid-process, and still others have failed to gain traction… for now.
If your organization collects data on individuals, it is worth monitoring these developments to determine whether you must comply.
New Laws
Three states have successfully passed legislation: California, Nevada, and Maine.
Much to everyone’s surprise, Nevada’s new law, which passed in May, is set to leapfrog ahead of California and go into effect October 1, 2019. Notably, the new law provides consumers an opt-out right in the sale of covered information, but in a narrower scope than the California Consumer Protection Act. While California includes job applicants and employee data, Nevada does not go that far. Instead, it defines a “consumer” as a person seeking or acquiring goods or services.
Another key difference is the way each state defines personally identifiable information. California includes any criteria that can reasonably be used to identify an individual, such as a screen name, IP address, or unique number. Nevada focuses on identifiers that can be used to contact an individual electronically or physically, such as name, email address, or mailing address.
Meanwhile, Maine’s new privacy law applies only to Internet Service Providers and limits what they can do with customer information. This was an effort to reinstate the net neutrality rules recently deactivated by the Federal Communications Commission.
Pending Legislation
Ten states currently have some form of legislation under consideration, including Texas, New Jersey, New York, Connecticut, Florida, Maryland, Massachusetts, Rhode Island, Arizona, and Virginia.
Interestingly, Texas passed what was originally privacy legislation, but eventually punted on the privacy issue itself. At the start of the legislative session, two competing bills were proposed. One survived and made it to the governor’s desk, but in a very different format. Ultimately, the governor signed a version that updated the breach notification law and created the Texas Privacy Protection Council, which will look at other state and global privacy laws to create recommendations for next year’s session. With the council in place, we can expect Texas to try again next year.
New York is another state to watch. Their proposed law mimics the California Consumer Privacy Act by empowering consumers with a bill of rights. However, there are significant differences.
First, New York goes even further by granting individuals the right to sue businesses directly. It doesn’t take much imagination to see that many companies would be mired in class action and individual suits for years if this law passes.
Second, the bill would also apply to any size company. While California set limitations, such as a minimum $25 million in annual revenue or data on a minimum of 50,000 consumers, in New York, even the smallest mom-and-pop shop would fall under this law and be required to comply. Other states are very much in line with the general spirit of these proposed bills.
Dead Legislation (For Now)
A handful of states failed in their efforts to pass new privacy laws, including Mississippi, Washington, Hawaii, New Mexico, and North Dakota. It would be unreasonable to assume that it is finished business. In fact, most will try again in the next year or two. And more than likely, several other states will jump on the bandwagon next year.
What Can I Do?
There are a few things you can do to prepare. First, identify states where your clients reside based on the addresses in your database. Second, watch legislative efforts in those states. Third, seek legal guidance on what is necessary to comply with those laws.
If you have clients in Nevada or California, the clock is already ticking. October 1, 2019 and January 1, 2020 are your deadlines, respectively. A few others could potentially come online by the first of the year as well. Netchex will be following developments as well, so check back here for updates.
Disclaimer: The opinions expressed are those of the author(s) and do not necessarily reflect the views of Netchex or its clients. This post is for general information purposes only and is not intended to be and should not be taken as legal advice.