Passed unanimously, and introduced on 1 January this year, the California Consumer Privacy Act (CCPA) is the first comprehensive legislation that focuses on consumer data and privacy in the US. Similar to the EU’s General Data Protection Regulation (GDPR), the CCPA has forced most businesses operating in the state to make structural changes to their privacy programs. Residents in California now have new rights over their data, including visibility over the data companies have gathered on them, as well as the option to have that data deleted, or prevent their data being sold to third parties.
The CCPA has already triggered a number of other data security and privacy regulations at state level, but how long will it take before we see federal data privacy and protection laws implemented in the US?
The impact of CCPA on other states
CCPA has had a big influence on a number of other states’ legislative stance on privacy. This year, we’re likely to see several other states follow California’s lead and implement new data protection laws and consumer privacy policies. So far, New York, New Hampshire and Washington are among the states that have introduced legislation. Washington’s State Privacy Act bill subsequently died.
New Hampshire’s bill, which addresses how personal information is collected by businesses, has been drafted almost in exact accordance with California’s law, with only minor differences in the bill’s initial draft. If it is given the green light, it will take effect at the beginning of January next year and be enforced as soon as 1 July, 2021.
The New York Privacy Act (NYPA) differs from CCPA in regard to the scope of companies that conduct business in New York. CCPA is restricted to companies doing business in California or businesses that have a minimum of $25 million in gross annual revenue or handle personal information of 50,000 consumers or more. New York’s legislation would apply to any entity operating in the state, irrespective of its size. The bill, as it’s written, would require businesses to state how personal information is de-identified, to allow consumers to know exactly who their information is being shared with, and to implement “special safeguards” around data sharing.
While under the proposed law the state’s Attorney General can bring litigation, the bill also contains one provision called “private right of action”, which gives individual consumers the right to sue a company that has violated the terms of the legislation. One argument against the new legislation is that violations leading to private right of action could impoverish many small businesses financially.
Section §1102 of the NYPA includes a “data fiduciary” provision requiring organizations to “act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”
Moving in the right direction: COPRA & Online Privacy Act
Although individual states are taking these steps forward to safeguard citizens’ data privacy and security, 50 separate consumer privacy laws will create chaos for organisations that must comply with them. A comprehensive consumer privacy and data protection law is needed at the federal level, one which contains the minimum security requirements for organisations to implement in order to protect their customers’ data.
The Consumer Online Privacy Act (COPRA) was introduced to the Senate in December last year and has many similarities to GDPR and CCPA in that it demands companies provide a record of the data collected on an individual when they request it. In many instances, individuals will ask for their data to be deleted, but in some cases, individuals can correct any inaccuracies in the data stored. COPRA also incorporates biometric data, which includes facial recognition and geolocation as sensitive information.
Also introduced last year, in the U.S. House of Representatives, was the Online Privacy Act. This bill has many similarities to the Senate bill and includes the creation of a Digital Privacy Agency. The DPA will become an independent federal agency to police privacy protections and any alleged mishandlings. As written, the bill also includes penalties and enforcement details for any violations, which state attorneys will have the power to enforce. In addition, like the New York Privacy Act, individual consumers involved will be able to bring class action lawsuits against organisations.
When will we see federal data privacy & protection legislation?
As we live through the COVID-19 pandemic, data privacy and data protection are even more important. This year we will see even more states join California in introducing their own data security and privacy laws, which will be a key driver for similar laws with national scope. While it’s unlikely that COPRA will become a federal law this year, we’re going to see lawmakers take large steps toward nationwide legislation that is designed to protect consumer data privacy and security, thanks to the initial steps taken by the state of California in introducing CCPA.
By Michael Magrath, Director, Global Standards & Regulations, OneSpan