An Overview of States Passing Privacy Laws

An Overview of States Passing Privacy Laws

Any Intro to Civics course teaches that lawmakers exist to enact the will of the people. Moreover, since “the people” have recently become very concerned with the security of their data and the privacy of their online activity, it’s perhaps reassuring to see the recent nationwide bloom of state-based digital privacy legislation.

California’s CCPA got the headlines because of the size of the market and the easy comparison to Europe’s GDPR. However, in other states across the country, legislators have quietly passed, or are in the late stages of passing bills that parallel California’s Privacy Law. In some cases, the measures are even more far-reaching. This article examines recent legislative updates in Nevada, New York, Vermont, South Carolina, and Colorado. It demonstrates how privacy regulation is not confining to the West Coast and is very much concern US-wide.

DISCLAIMER: It’s important to note that the landscape is rapidly evolving in the area of privacy regulation. It’s a dynamic, exciting area. So even though what follows is an accurate synopsis of the state of play in late September 2019, don’t be surprised if this list gets dated quickly. As always, this article shouldn’t get interpreted as actual legal advice!

Nevada: Senate Bill 220

Nevada has already passed a new piece of privacy legislation, Senate Bill 220. It will go into effect on October 1, 2019, three months before it’s better-known neighbors enact their CCPA. Many observers believe Nevada’s law is more onerous. It requires a broader range of businesses to offer consumers an opt-out regarding the sale of their personal information. Since it’s going into effect before the CCPA, this will make Senate Bill 220 the first in the U.S. to grant opt-out rights to consumers.

In some aspects, Nevada’s bill is a little more lenient than the CCPA; for instance, it doesn’t add new notice requirements for website owners. However, the per-violation fine amount is $5,000 – twice as high as California’s. So getting privacy wrong in Nevada state lines could prove even more costly to a business.

New York: Stop Hacks and Improve Electronic Security (SHIELD) Act

New York signed the SHIELD Act into law on July 25, 2019, and the bulk of its provisions go into effect on October 23, 2019. The SHIELD Act is more incremental in scope than the other pieces discussed previously. It doesn’t carry any language around opt-out rights, and it’s less concerned with day-to-day online activities. Instead, it focuses on defining and setting processes around actual data breach events.

To this end, the SHIELD Act expands the scope of information subject (to include biometric information) and the scope of possible breach scenarios. It also updates the procedures that companies must follow in the event of a data breach. Lastly, the SHIELD Act creates data security requirements that scale according to the size of the business. This part of the Act goes into effect on March 21, 2020.

Conscious NYPA is dead/on hold right now but probably worth mentioning? HERE is a good summary of the main points that were considered even more aggressive than CCPA and also why it got killed by lobbyists.

Vermont

Vermont became the first state in the union to regulate “data brokers” with a piece of legislation. It came into effect on January 1, 2019. Vermont’s law has a comparatively narrow application. In their case, “data broker” denotes “a business or unit/s of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” This direct relationship provision means that if a business is, for example, selling directly to consumers online, they’re not bounding by the constraints of this law.

That said, once an entity is considered a data broker, there are quite rigorous processes that must get followed. Data brokers must register annually with the Vermont Secretary of State for a fee of $100 and provide a substantial amount of information to the state regarding the robustness and security of its data operation. Failure to do so can result in a fine up to a maximum of $10,000 per year. 

South Carolina

South Carolina also joined the cohort of states taking data protection into its own hands, with a law that came into effect on January 1, 2019. The South Carolina Insurance Data Security Act is focused on the insurance sector and seeks to establish standards and processes that insurers – deemed licensees – must follow in the event of a cybersecurity breach. 

Licensees are now legally required to formally document a data security program. Upon conducting a thorough audit and risk assessment of their operation, the plan must cover risk management. Additionally, it must cover cybersecurity event investigation and reporting, notification, and ongoing compliance certification. 

Colorado

Lastly, we come to Colorado, which was the very first state to put a signature modern digital privacy law into effect. HB 18-1128 requires organizations to put controls in place for managing PII (including biometric data). The commands needed fall under these broad areas:

  • The storage of PII
  • The destruction of physical and electronic materials that contain PII
  • Investigation and notification in the event of data breaches
  • Liaising with the Colorado attorney general in the investigation and reporting in certain data breach circumstances

Conclusion

This brief overview shows that data privacy isn’t just a concern for businesses operating in California, despite what the news headlines would lead one to believe. Data privacy should be treated as a United States-wide concern for any business, as the trend is very visibly towards state-by-state regulation, each with broad thematic consistency but essential variations in focus and scope. The complexity will only increase as more states get up to speed on the topic. Worth mentioning that state by state is the trend in the short term, but the conversation for a federal law has already started to avoid more complex state by state regulations. 

Published from our Privacy Magazine – To read more, visit privacy .dev

Governments & Privacy

Governments & Privacy

When the words “government” and “privacy” get put side-by-side, the knee-jerk reaction is usually harmful. Since the days of Orwell, governments have been poking their noses into citizens’ business. History suggests the association is not without merit.

Protectors of Privacy Rights

In the last decade, whistleblowers like Edward Snowden have shown the communication boom of the internet era accompanied by an increase in government monitoring and privacy abuses. For example, by the likes of the NSA, the Department of Homeland Security, and other bureaus. A charitable explanation of these practices is that, like many during the era, these actors didn’t fully grasp the full cost and legal implications of the shiny new toys they could access. The less charitable explanation is that they did grasp, but didn’t care enough to stop.

Nevertheless, the truth remains that government institutions are the most important protectors of the digital privacy rights of individual citizens. Businesses must play by the rules that governments make. Also, digital privacy has become a critical governmental concern in recent years. It directly reflects the concerns of the general populace.

A high-profile case in point was Mark Zuckerberg’s congressional testimony in April 2018. Zuckerberg was called in front of Congress to speak on his company’s questionable data practices, particularly relating to the 2016 presidential election. The hearings made two things clear: first, there was a newfound abundance of concern and regulatory intention from the elected officials questioning Mr. Zuckerberg. Second, there was a striking lack of understanding or technical know-how from the same officials. The majority of these legislators are not digital natives, and even if they were, understanding the fine-grains of digital privacy in this day and age requires time and attention to detail that no legislator could realistically afford to spend.

Future-proof Data

At Ethyca, we accept that warts and all, governments are the chief protectors of digital privacy. However, in the fast-moving technology sector, they will always be playing catch up. For SMEs, particularly those that aren’t digital-first, this creates a nightmare scenario of repeated, costly infrastructure overhauls. Doing a one-time, future-proof data infrastructure upgrade is an investment that, over more extended periods, can prove very shrewd indeed.

Published from our Privacy Magazine – To read more, visit privacy .dev

How Online Experience Varies by Purchasing Power

How Online Experience Varies by Purchasing Power

When people discuss issues with data privacy, class ranking is rarely part of the conversation. Even though the internet has been a markedly business-driven project for some years now, the old perception endures that URL life isn’t getting marked by the same dividing lines that mark IRL society. However, this is false. The realization that data privacy gets inextricably tied to economic status is becoming more widely accepted.

Predatory Advertising

As the old technology adage goes: when the product is free, you are the product. Nowhere is this truer than online. Those with less disposable income are prone to having data leveraged in a more aggressive and potentially predatory fashion. Moreso than those who are affluent. Under previous lax data regulation, the robust flow of third-party data meant that advertisers could know with near-certainty the sort of online users that might be vulnerable to risky purchase propositions. In other words, they could target and exploit weak consumers with impunity.

A recent New Republic article highlighted some of the industries that are engaged in predatory online advertising practices. Among the culprits are bookmakers, payday loan companies, and for-profit colleges. It cites author Cathy O’Neil’s claim in the book Weapons of Math Destruction. “A potential student’s first click on a for-profit college website only comes after a vast industrial process has laid the groundwork.”

Advertisers can use anything from Google search history to educational questionnaire data. It data used to target individuals at their moment of peak susceptibility. It’s not that advertisers couldn’t use these techniques to target more affluent consumers. It’s that more affluent consumers are less driven to make such risky purchases, which get often borne from economic desperation. Furthermore, poorer consumers are more likely to have their information washing around ad-targeting databases. It’s because they’re more likely to fork over data for free access. The net result is, in the words of Michael Fertik, “the rich see a different internet than the poor.”

Higher Standards of Privacy

Through this lens, one begins to understand the impact of recent and forthcoming data regulation. It’s not a flat line across classes. It should work to disproportionately decrease the vulnerability of poorer online consumers. Especially because they are the most vulnerable to exploitation in the first place. Governments will continue increasing control over the use of data, and there will be the decreasing ability of companies to license third-party data without consumers’ knowledge. Combine both of those with increased penalties for data processors that violate their rights, and consumers will be less susceptible to predatory advertising and more in control of the data that they hand to companies.

Of course, no one assumes that new data regulation will magically turn profit-seeking enterprises into virtuous pursuers of the highest common good. However, we at Ethyca believe that organizations showing commitment to a higher standard of privacy protection will be rewarded in the long run by increasingly data-savvy consumers. With this in mind, beyond legally-required data practices, we recommend that companies make an effort to spell out all the data processing activities that they undertake on owned properties – to actively educate, in other words. Here at Ethyca, we settled on a “Nutrition Table”-style visualization that we think is crisp and instructive. Got a better idea to keep users informed? Feel free to describe in the comments! 

Published from our Privacy Magazine – To read more, visit privacy .dev