Data Privacy Laws in the United States and How They Affect Your Business

Published: November 27, 2019 | Category: Data Privacy & Security

While the world is still feeling the effects of the European Union’s GDPR, it waits for an answer from the United States. With federal-level law focused on healthcare, many states have risen to the occasion and put forward data privacy regulations of their own.

Without a comprehensive blanket solution like GDPR, states are taking matters into their own hands and creating a patchwork that will shape the nation’s future privacy landscape. This approach poses a challenge to businesses that operate within several of these legal confines at once.

In this post we discuss some of the most recent laws, their scope, and what you can do as a company to ensure compliance.

Laws in the United States

Here’s a list of important privacy legislation, both already in effect and in progress:

The California Consumer Privacy Act (CCPA)

Effective date: January 1, 2020

California’s CCPA is the most notable piece of US legislation handling digital privacy rights to date. Inspired by GDPR, the Act gives residents of the most populous US state unprecedented transparency into, and access to, the data that businesses collect about them. The law focuses on information that is disclosed or sold to third parties, which distinguishes it from its European counterpart.

What’s the law’s scope?

The law applies to companies that process personal information from California residents and meet any of the following conditions:

  • Gross annual revenue of more than $25 million
  • Possession of the personal information of at least 50,000 California consumers, households, or devices
  • More than half of annual revenue derived from selling personal data

How is “personal information” defined?

The CCPA broadly defines PI as anything that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including:

  • Identifiers such as real name, alias, postal address, unique personal identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  • Commercial information, including records of personal property, products or services purchased
  • Biometric data
  • Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement
  • Geolocation data
  • Education, professional or employment-related information

The key item on this list is “unique personal identifier”, which covers all cookie-based analytical activity performed on a website.

According to the regulation’s text, a unique personal identifier is “a persistent identifier that can be used to recognize a consumer or a device over time and across different services, including, but not limited to, a device identifier; Internet Protocol address(es); cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.”

What does the law require?

The phrase “consumer request” appears throughout the CCPA. Most of the obligations on the business side are triggered after someone submits a formal request, but not all of them. The major requirements and provisions are:

  • Consumers can request that businesses disclose the categories and specific pieces of personal information collected over the previous 12 months, including the categories of third parties the information is shared with.
  • Businesses must publish privacy policies that inform consumers of what categories of personal information they collect and how it’s used.
  • Consumers can direct companies not to sell their personal data.
  • Businesses must delete collected personal information upon request of the consumer.
  • California residents have the right to sue companies that use data that was stolen or acquired as a result of a breach. They can also sue companies that were negligent in handling their data (for instance, if it was not encrypted).
  • Businesses must provide a clear and conspicuous link on their Internet homepage, titled “Do Not Sell My Personal Information.”

Actionable steps

  • Update your privacy policy – Make sure your policy meets the requirements of the CCPA and that users can easily understand what data you collect and what you and third parties do with it.
  • Map your data – A common thread in all privacy laws is the business’s responsibility to track and manage data they’ve collected. To handle data requests in a reasonable time frame, you and your business will need a mapping system you can use to find data.
  • Be scrupulous about third-party data – You will be in violation of the law if you use third-party data obtained from a breach or in another illegal manner. Make sure you always perform due diligence when sourcing from third parties to confirm their legitimacy.
  • Provide request mechanisms – The CCPA requires two methods for consumers to make data requests as well as a “Do Not Sell My Personal Information” link.

Penalties

As we mentioned in our post about global privacy regulation, the new California law also imposes sanctions on businesses that fail to comply with its provisions. The fines include:

  • In the case of a suit filed by consumers: $100 to $750 (or the cost of actual damages, whichever is higher) per resident and per incident in the case of breaches or data theft, if the data was not properly protected.
  • In the case of a suit by the State Attorney General: $2,500 per violation and up to $7,500 per intentional violation.

California Consumer Privacy Act Copycats

Many states are using the California law as a guide for their own legislation. These bills share most of the CCPA’s requirements, especially in regard to informing people about data collection, disclosing it upon request, and the broad definition of “personal information”. They’re similar but not identical: each state has added its own idiosyncratic touches.

Many states have such bills in progress and are likely to adopt CCPA-like laws in the near future. Let’s look at three that are currently in progress:

Illinois Data Transparency and Privacy Act (HB 3358)

Effective date: If passed, would go into effect on April 1, 2020

Protecting residents’ privacy is nothing new for Illinois: the state passed the Biometric Information Privacy Act (BIPA) in 2009 and is now moving forward with this comprehensive CCPA look-alike.

How’s it different from the CCPA?

There are two aspects that make HB 3358 more lenient:

  • It has no requirement for deleting personal data upon request
  • It makes no mention of companies that use stolen personal information

You will still need to manage deletion requests from residents of other states, so keep your request mechanisms in place.

Massachusetts Consumer Privacy Bill (S.120)

Effective date: If passed, would go into effect on January 1, 2023

This state is no stranger to issues with data security: in 2017 alone 1,889 entities reported data breaches affecting 3,337,646 residents (Massachusetts data breach notification reports). Anyone doing business in Massachusetts should think twice about privacy protocols, or face the financial consequences.

How’s it different from the CCPA?

This bill is almost identical to its California predecessor: they share the same scope, business requirements, and definitions of personal information. However, S.120 puts more power in the hands of the people.

Consumers have the right to take legal action against a company for any infraction. This means Massachusetts residents can sue businesses that violate the safety of their personal information (Mass. S. 120).

New York Privacy Act (S5642)

Effective date: Not passed yet.

New York is home to the NYSE, the Yankees, and over 8 million residents. That’s enough potential privacy lawsuits to scare any business. The law shares many similarities with the CCPA but has features that make it significantly stricter.

How’s it different from the CCPA?

The New York Privacy Act:

  • applies to any entity that does business in New York; there are no other criteria.
  • establishes that residents can take private action against companies that violate any part of the New York Privacy Act.
  • forbids sending personal data to third parties without express and documented consumer consent.

This wide scope of businesses combined with stricter regulations and the ability for individuals to take action against companies poses a huge threat to those unprepared to securely collect and store personal data.

If you want to gather personal data and share it with third parties, even analytics platforms, you will need a way to get permission. Consent managers can automate the process and provide peace of mind.

Other privacy laws in the United States

Other states share California’s enthusiasm for protecting their residents’ privacy rights and are creating their own legislation to accomplish this goal. Let’s look at the laws Nevada and Vermont have rolled out:

Nevada Chapter 603A Security and Privacy of Personal Information and SB 220

Effective date: July 1, 2017 (SB 220 – October 1, 2019)

Nevada’s laws are already in place: 603A passed in 2017, and in 2019 the state passed amendment SB 220 to deal with the issue of data sold to third parties.
We can break down Nevada’s 603A and amendment SB 220 into three sections:

1. Security of information maintained by data collectors and other businesses

Section 1 applies to data collectors, defined as any business entity or association that, for any purpose, handles, collects, disseminates or otherwise deals with nonpublic personal information.

The key takeaway is that companies which handle or store personal information need to take reasonable security measures to ensure the safety of people’s data and to destroy it when it is no longer in use.

The law defines personal information as a person’s first name and last name (unencrypted) in combination with any of the following:

  • username or email address and password that would grant access to an online account
  • social security number
  • driver’s license or identification number
  • combination of account number and password allowing access to a financial account
  • medical ID or insurance number

A business that handles Nevada residents’ information within the scope of NRS 603A is required to:

  • take reasonable steps towards destroying records containing personal information that are no longer needed
  • maintain security measures to prevent unauthorized access to personal information
  • notify those affected in the event of a data breach

2. Notice regarding the privacy of information collected from consumers

This section establishes the need for a privacy policy that clearly states how you process users’ data. The law requires operators to provide consumers with an understandable explanation of what covered information the website gathers (see definitions below).

Note that “covered information” is not the same as “personal information”.

The definitions of the three key terms are:

Operator – A person or business that owns a website for commercial purposes, or that collects “covered information”

Consumer – A person who seeks or acquires any good or service, for personal, family or household purposes, from the website or online service of an operator

Covered information – A broad scope of data that includes any of the following:

  • first and last name
  • physical address
  • email address
  • telephone number
  • social security number
  • an identifier that allows a specific person to be contacted either physically or online
  • any other information concerning a person collected via the website or online service and stored in combination with an identifier that makes the information personally identifiable

3. SB 220: an amendment to the law

In February 2019 an addition to 603A was introduced to address businesses selling covered information to third parties. The bill gives residents of Nevada the right to opt-out by stating:

A consumer may, at any time, submit a notice to an operator directing the operator not to sell any covered information the operator has collected or will collect about the consumer (SB-220).

The bill does not clarify whether a business has to implement an opt-out mechanism on its website, but many companies have preemptively added one to ensure compliance with the law. Best Buy’s privacy policy, for example, includes such an opt-out.

Actionable steps

Nevada’s law demands a lot. Here’s what you can do to meet the challenge:

  • Update your privacy policy – When it comes to getting yours “up to code,” the required information is similar to the CCPA or GDPR. Companies need to clarify what categories of covered information they collect, describe how users can review or request changes, and disclose any third parties with access. Here you can also provide a “do not sell my data” opt-out.
  • Increase security – Incorporating measures that protect your data collection and storage activities is crucial. Under the law’s definition, encrypted data is no longer considered personal information, so you should use encryption systematically and work to prevent any data breaches.
  • Map your data – A common thread in all privacy regulations is the business’s responsibility to track and manage users’ data. To handle data requests in a reasonable time frame, you and your business will need a mapping system that locates data quickly.

Penalties

Enforcement is the responsibility of the Nevada Attorney General, not individuals. According to the law any operator that directly or indirectly violates NRS 603A may face:

  • a civil penalty not to exceed $5,000 for each violation
  • a temporary or permanent injunction

With any reasonably successful website having thousands of visitors a month, it’s easy to imagine $5,000 per violation quickly adding up to an astronomical sum.

Vermont Act 171 Data broker regulation

Effective date: January 1, 2019

Act 171 is the first law of its kind to establish a set of rules for data brokers: companies that gather and sell consumer data to third parties. This Vermont regulation is breaking new ground. Let’s see what it’s about:

How is a data broker defined?

A data broker is a company, or part of it, that collects and sells brokered personal information of a Vermont consumer that they do not have a direct relationship with.

If you answer “yes” to any of these questions, you should scrutinize your business practices to see if the law defines your business as a data broker:

  • Does the business handle the data of consumers with whom they do not have a direct relationship?
  • Does the business both collect and sell or license the data?
  • Is the data about consumers who are Vermont residents?
  • Is the data brokered personal information? (see definition below)

What is “brokered personal information?”

The regulation treats data as brokered personal information (BPI) if it is computerized and organized or categorized in some way in preparation for being sold to another business, for example categorized data such as “people interested in used cars” or “people in Vermont aged 20-30.”

Data or information on paper retained by a business with no intention of selling it doesn’t fall under the definition of BPI.

Act 171 states that data which is digital, ready for sale, and contains one or more of the following is BPI:

  • name
  • address
  • date or place of birth
  • mother’s maiden name
  • biometric information
  • name or address of immediate family member
  • social security or other government-issued ID number
  • other information that would allow consumer identification with reasonable certainty

What does the law require of data brokers?

Data brokers need to take two actions to be in compliance with Vermont’s Act 171:

  • Register with the Vermont Secretary of State annually
  • Maintain certain minimum data security standards

Any business that operated as a data broker in 2018 was required to register by January 31, 2019 (source: ago.vermont.gov).

The law also holds businesses that plan to sell Vermont-sourced BPI to a certain standard of security. Brokers need to develop, implement and maintain a comprehensive program that performs risk assessments, detects system failures, encrypts personal data, and more.

Does Act 171 affect how I acquire data?

Vermont also regulates the illegal acquisition and use of BPI. The law states clearly that it is against the law for any business to:

  1. Acquire brokered personal information through fraudulent means
  2. Acquire brokered personal information for:
    1. Stalking or harassing someone
    2. Committing fraud, including identity theft, financial fraud, or e-mail fraud
    3. Engaging in unlawful discrimination, including employment discrimination and housing discrimination

Actionable steps

  • If you’re a data broker, register with the state of Vermont – Every year data brokers must register their business with the Vermont Secretary of State and pay a fee of $100. This is the easiest way to protect yourself from trouble in the future if you deal in the sale of brokered personal information in Vermont.
  • Make sure your systems are secure – Confirm that your business meets the requirements of this law. Data encryption, training, and routine checks are the best ways to keep data safe and stay out of hot water.

Penalties

Failure to register as a data broker can result in a fine of up to $10,000 per year. A business or individual who acquires or uses brokered personal information illegally faces the same fine.

Data breach notification laws

All 50 states have adopted legislation that makes it mandatory for companies to inform affected individuals of data breaches that may compromise their personal information. These regulations vary from state to state, with discrepancies in the definition of personal information or notification methods and deadlines.

One breach can leave you grasping at straws trying to assess the damage done and comply with legislation in every state affected.

What’s important is the growing need for companies to adopt a data responsibility mindset.

What general measures should you take?

As you can see, these laws are not the same and there’s no “one size fits all” approach to finding a solution to keep your business protected. There are, however, common themes and aspects in all of them and you can take general measures that will help.

  • Appoint a data protection officer – A DPO is responsible for your company’s compliance with laws protecting individuals’ personal data. You need one if you want to be aligned with GDPR, and they can also guide you through the US privacy landscape. A DPO is a valuable addition to your team, and such a complex, high-risk task deserves a specialized employee.
  • Be transparent – You need to be open when it comes to collecting data from people. Get consent and provide clear opt-out options before you gather or share anyone’s personal information (you can customize a consent manager for each state depending on the law). Also, rethink and update your privacy policy. It should clarify how you collect and share data, how to opt-out of selling, and how to access data for correction or deletion.
  • Establish standards for collecting and storing data – When it comes to data and analytics, “the more the merrier” is usually how we think we should operate. This needs to be rethought. Collecting or holding data, especially PI, that you’re not using is potentially risky and has no business benefit. Strategize: only take and keep what you can use.
  • Beef up your security – If you suffer a leak of unencrypted personal information, you will be legally responsible. Encryption is a strong first step, since these laws no longer treat properly encrypted data as personal or identifiable. Make sure third parties that you cooperate with hold themselves to the same security standards as your business (companies certified under ISO 27001, for example). Conduct due diligence before passing information on to other entities.
  • Apply a privacy by design framework – Moving forward, you need to integrate privacy into the product and service development process. Building with privacy in mind is a proactive step that will keep you out of trouble instead of deploying reactionary measures after it’s too late. This mindset also applies to employee training and office culture. If you handle sensitive data, your staff should operate accordingly.
  • Get cyber insurance – Vetting your suppliers and establishing organizational measures to protect your customers’ data may not be enough. It’s good practice to put cybersecurity insurance in place and require the same from your vendors. Remember that purchasing cyber insurance is only one of many protective measures you should take.

Conclusion

Europe took the first step but America is not far behind. Privacy has become a pressing issue that affects everyone. As more and more states and countries enact legislation protecting citizens, it will become almost impossible to move forward without caring for consumer rights. The best thing to do is to take action and be prepared, as this new wave of legislation appears to be a natural progression rather than a mere trend. For more information about staying compliant with global privacy laws, reach out to us.

Author:

Peter Curac-Dahl, Content Marketer

Dog petting Wikipedia peruser bound by the universal laws of coffee. Consumer of all info tech and business related. Producing useful insights with concise thought-provoking material.
