With the world’s attention on the California Consumer Privacy Act (CCPA), it’s easy to overlook the privacy storm that is brewing throughout the rest of the country. As of February 10th, eleven other states (in addition to California and Nevada) have either released new or revived old data privacy and protection bills that did not pass during last year’s legislative sessions. Although the status of the majority of these bills is uncertain – as many legislative sessions have just kicked off for 2020 – if passed, they would significantly change the privacy landscape in the U.S. and further complicate compliance efforts for the many companies that are still trying to understand and address the CCPA and prepare for the release of the final CCPA regulations.
Significant differences between laws
Although these news laws are all purportedly aimed at protecting the privacy and security of personal information, the actual content of the bills can only be described as a multijurisdictional medley of ideas, with concepts borrowed from both the EU General Data Protection Regulation (GDPR) and the CCPA, and entirely new concepts being introduced for the first time.
- Varying definition of “sale.” Under the CCPA, the traditional concept of “sale” was significantly expanded to include an exchange for monetary or other valuable consideration. The practical implication of this broad definition has been that companies continue to struggle to understand in many circumstances what constitutes a sale of personal information and what does not. Regardless, some of the new bills have copycatted this concept and replicated the CCPA’s definition exactly (e.g., Hawaii). Other bills, by contrast, limit “sale” to the more traditional definition of exchange for monetary consideration (e.g., Illinois), which is more closely aligned the Nevada privacy bill which went into force last year. At the other end of the spectrum are the bills that focus on an even more expansive concept – the mere disclosure of personal information to another party – and give consumers the right to opt-out of such disclosures (e.g., Maryland).
- Differing scope. The scope of individuals covered by the bills range from one end of the spectrum to the other – from covering a limited subset of traditional consumers (i.e., end-users), to covering all individual residents of a particular state, including business contacts and personnel (i.e., employees, contractors, and job applicants). For those bills that have a less expansive scope, the scope is often established by carve-outs that are not always entirely clear. For example, New York’s bill excludes from its application ‘information used for employment records purposes’ but offers little clarity on whether job applicants or corporate officers are included in this carve-out.
- Unclear exemptions for other laws. Like the CCPA, most bills contain exemptions related to the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), among others. However, these exemptions are not clearly defined, with some bills carving out entire entities (e.g., Covered Entities under HIPAA) and some carving out a particular subset of information (e.g., information collected pursuant to GLBA).
- New concepts. Perhaps most notable are some of the new concepts introduced by these eleven bills. For example, a few of the bills contain a “risk assessment” requirement – a borrowed concept from the GDPR’s data protection impact assessments. Generally, the bills require companies to conduct risk assessments for all processing activities, and additional risk assessments any time there is a change in processing that materially increases the risk to consumers. Moreover, New York’s bill introduces the concept of a “data fiduciary”, which creates an express obligation for companies to act in the best interest of their consumers with respect to their data and states that this fiduciary duty supersedes any duty owed to owners or shareholders of the company. Beyond the implementation of the requirement, though, the law in its current form provides very little guidance regarding what it is intended to achieve or how it is meant to be applied in practice.
- Private right of action. Less than half of these draft bills afford consumers a private right of action. Notably, though, the Massachusetts’ bill affords consumers the private right of action for any violation of the law (i.e., unlike CCPA, which limits this right to data breaches), with monetary damages not greater than $750 per consumer per incident, or actual damages. Moreover, potential penalties imposed by each state Attorney General are quite significant under some of the proposed laws.
What should companies do to prepare?
The first step in beginning to prepare for the onslaught of privacy bills will be for companies to perform an assessment or gap analysis between the requirements of these new bills and work they have already completed for CCPA, GDPR or other privacy laws. For example, since business contact information is not carved out from most of these draft bills, but is currently exempt from CCPA (but as of now, expected to come into scope of the CCPA on January 1, 2021), companies would want to build this type of information into their privacy diligence and privacy efforts. Companies should also identify and prioritize their most significant risks, either from location of relevant individuals or most significant types of individuals about whom they hold personal information (or some combination of the two), and develop an organized plan for tackling these new rules in a balanced and risk based manner that can practically be supported by the organization. This will be particularly important during a time when organizations are battling “privacy fatigue” and will really need to justify the people and financial resources needed to tackle these complex new laws. Finally, companies should continue to monitor state legislative developments as well as those at the federal level and calibrate their approaches.