
Data privacy regulatory revolution

From California to the New York Island — these laws were made for you and me


By Gamelah Palagonia | August 1, 2019

In the first half of 2019, a trove of data privacy legislation was introduced across the U.S., most notably in New York, Maine and Nevada.

Last year was pivotal for data privacy, as the European Union’s Global Data Protection Regulation (GDPR) went into force in May, and, only a month later in the U.S., California Governor Jerry Brown signed Assembly Bill 375, now known as the California Consumer Privacy Act (CCPA) of 2018, which will become effective on January 1, 2020. Before the year was out, we also saw a federal privacy bill, the Data Care Act of 2018, introduced in the Senate.

The pace continued in 2019, as a trove of data privacy legislation was introduced across the U.S., with several states proposing legislation similar to California’s law, commonly referred to as CCPA Copycats. However, New York’s Privacy Act (Senate Bill S5642), introduced on May 9, 2019, is more than just a CCPA Copycat: it ups the ante on damages and liabilities.

Like the CCPA, the New York Privacy Act requires companies to disclose their methods of de-identifying personal data, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared. The two laws diverge on remedies. The CCPA allows consumers to recover the greater of actual damages or statutory damages of between $100 and $750 per consumer per incident, with no cap on total damages, but only for data security violations that lead to data breaches. The NY Privacy Act contains a broader private right of action, which gives New Yorkers the right to sue companies directly for any violation of the law, not only in the context of a data breach. And while California’s law applies only to businesses with more than $25 million in annual revenue, New York’s bill would apply to all companies regardless of size.

Another difference is that New York’s bill requires businesses to act as data fiduciaries, which creates an inherent conflict, particularly for the public technology and media sectors. Boards of directors have a duty to act in the best interest of shareholders, but, as data fiduciaries, they would have to act in the best interest of consumers as well. The New York Privacy Act also expands the definition of personal data to include consumer profiles if correlations can be drawn from the personal information that is collected from New Yorkers.

As state legislators departed the Capitol in Albany on June 21, 2019, a number of bills, including the New York Privacy Act, were left on the table and stalled until the next session in 2020. It is worth noting that if the New York Privacy Act passes in the next session, it will likely follow the CCPA’s path, with legislators amending it several times before it eventually becomes law.

Another New York bill

While the New York Privacy Act was stalled, the Stop Hacks and Improve Electronic Data Security Act, known as the SHIELD Act (S.5575A), passed the New York Senate on June 5, 2019. This Act:

  • Expands the scope of information subject to the current data breach notification law to include biometric information, email addresses and their corresponding passwords or security questions and answers, and protected health information as defined under the Health Insurance Portability and Accountability Act (HIPAA).
  • Broadens the definition of a data breach to include unauthorized access to private information. It applies the notification requirement to any person or entity with the private information of a New York resident, not just to those that conduct business in New York State.
  • Updates the notification procedures companies and state entities must follow when there has been a breach of private information.
  • Creates reasonable data security requirements tailored to the size of a business and provides protection from liability for certain entities that take steps to verify their safeguarding of private information.

Other notable copycats

Other states, including Maine and Nevada, passed the following laws, effective July 1, 2019 and October 1, 2019 respectively:

  • Maine’s Act to Protect the Privacy of Online Consumer Information prohibits any Internet Service Provider (ISP) in Maine from refusing to serve a customer, penalizing them, or offering a discount in order to pressure consumers into allowing the ISP to sell their data. Some privacy advocates consider Maine’s law stronger than the CCPA in that it mandates that ISPs obtain explicit consent from customers before selling their personal data (opt-in), while the CCPA requires consumers to request that their data not be sold (opt-out).
  • Nevada’s Senate Bill 220 (SB-220) requires businesses, or “operators,” to offer consumers the right to opt out of the sale of their personal information through an online email address, a toll-free phone number, or a website mechanism. While January 1, 2020 was the date by which many businesses were prepared to provide notice of consumers’ right to opt out of the sale of their personal information in order to comply with California’s Consumer Privacy Act, Nevada advanced that date to October 1, 2019. Businesses that sell personal information should thoroughly evaluate their data collection, data processing and data sharing processes and develop methods of compliance to meet the notice and opt-out requirements of Nevada’s law.

All of these new state privacy laws come at a time when lawmakers on Capitol Hill are seeking to hammer out the nation’s first comprehensive privacy bill. The technology and digital media sectors are in favor of a federal law that would override or pre-empt state laws. Industry lobbyists have argued that the existing patchwork of state laws is too difficult for technology companies to manage. Democrats have said they are open to pre-empting state laws as long as a federal law offers strong privacy protections with no dilutions.

The way businesses and organizations collect and use personal data has never been under as much scrutiny as it is now. Every industry is waking up to a new dawn of powerful data privacy regulatory compliance risks.

A need for meaningful solutions

All of the existing and proposed data privacy laws present operational risks and complexities. To lessen these complexities and mitigate potentially large damages, businesses need to focus on developing meaningful risk management solutions that reduce both the likelihood and the severity of data privacy incidents.

Managing privacy risk is complex and expensive; it requires a budget and strategic planning. Data security is related to data privacy but differs significantly from it. Data security controls and training may be pushed and/or disseminated digitally and remotely. Effective data privacy management, by contrast, is about people: it requires conversations about risk, products and customer service, and a balance between legal compliance, business needs and the interests of consumers, employees and other stakeholders. Privacy professionals need board endorsement and partnerships with all operational teams that use personal information, including security, legal, risk management, marketing and advertising, and customer service.

No doubt, regulatory scrutiny will continue to challenge businesses through 2019 and beyond. The principles of data privacy include ethics, trust, transparency, lawfulness and fairness, themes that are entwined throughout all the proposed data privacy laws. The positive takeaway is that responsible use of personal information benefits individuals and society as a whole across every sector of the global economy.

About the author: Gamelah Palagonia, FIP, CIPM, CIPT, CIPP/E, CIPP/US, CIPP/G, Senior Vice President for Network Security, Data Privacy and Technology Errors & Omissions.