At the beginning of this year, California became the most prominent state to pass a comprehensive consumer privacy law known as the California Consumer Privacy Act of 2018 (CCPA). The CCPA imposes new obligations on qualified businesses, such as creating and updating privacy notices on websites and giving consumers access, deletion, and opt-out rights related to information collected about them. A few other states have passed their own consumer privacy laws, and as expected, numerous states are in the process of enacting laws similar to California’s.
Other State Privacy Laws
Nevada (enacted): Nevada’s privacy law (SB 220) is narrower in scope than the CCPA. The most important part of SB 220 is that it provides a consumer with the right to opt out of the sale of his or her personal information. On top of this, SB 220 also requires people or entities who collect information from Nevada residents to comply with strict notice and action requirements related to a consumer’s decision to opt out.
Maine (enacted): While Maine’s privacy law may not be as comprehensive as California’s, there are a few aspects that make it more stringent. First, it is important to note that Maine’s privacy law only applies to internet service providers (ISPs) who are serving residents of Maine. The biggest difference in Maine’s privacy law, as compared to the CCPA, is that it requires ISPs to seek express opt-in consent before using, disclosing, selling, or permitting access to personal information. Further, an ISP must provide consumers with a notice at the point of sale regarding an ISP’s obligations and the consumer’s rights.
Illinois (proposed legislation): The Illinois Data Transparency and Privacy Act would implement business obligations and consumer rights that mirror the CCPA’s. It would create the following rights for consumers: the right to know, right to opt out, right to correction, and right to deletion. The Illinois law differs from the CCPA by requiring businesses, affiliates, and third parties to conduct risk assessments on each of their processing activities that involve personal information.
The above laws, including the CCPA, are the only ones that have either been enacted or are likely to be enacted in the near future. Several other states have implemented task forces or proposed legislation related to data privacy.
All of the above laws or bills have enforcement provisions that outline the penalties and fines that may be imposed on violators. Nevada’s attorney general may impose a $5,000 civil penalty per violation. California, on the other hand, has also provided consumers with a private right of action (penalties between $100 and $750 per consumer per incident) on top of regulatory fines ($7,500 per violation). There are also immeasurable penalties that can severely harm businesses, such as damage to a brand’s reputation as well as a reduction in consumer trust.
If these laws apply to you, it is important that you immediately take the necessary steps to ensure compliance with them. For example, the California Attorney General has made clear that enforcement of the CCPA will begin, as planned, on July 1, 2020, despite the current COVID-19 emergency. Therefore, it is imperative that businesses identify which laws apply to them and develop policies that (1) notify consumers of their rights and (2) adequately safeguard consumer data.