State Legislatures Moving to Expand Consumers’ Controlover Personal Information

FOLLOWING THE EXAMPLE SET BY THE CALIFORNIA legislature,which enacted a sweeping data privacy statute in June 2018, state legislatures have begun to enact, or at least propose, similar laws to give consumers greater control over their personal information. As states continue to put privacy statutes on the books, the result is likely to be a patchwork of standards for businesses and other entities to follow.

Background

The California Consumer Privacy Act (CCPA) was signed into law a week after its introduction and just hours after its unanimous approval by the State Assembly and Senate. The wide-ranging law gives consumers greater control over how businesses can use their personal information. Under the new law, which takes effect on January 1, 2020, consumers will have the right to request that businesses disclose how their personal information is used and to ask that personal information be deleted under some circumstances.

Approximately a dozen amendments are making their way through the legislature in advance of the statute’s January 1 effectiveness date.

Nevada

In neighboring Nevada, the legislature has passed a bill amending the state’s existing online privacy law to require entities that operate websites to establish a designated address for consumers to submit requests to opt out of the sale of personal information. The Nevada statute is narrower than the California law, limiting the definition of “sale” to the “exchange of covered information for monetary consideration by the operator to a person for the person to license and sell the covered information to additional persons.” The term “operator” is defined as a person who “(a) Owns or operates an Internet website or online service for commercial purposes; (b) Collects and maintains covered information from consumers who reside in this State and use or visit the Internet website or online service; and (c) Purposefully directs its activities toward this State, consummates some transaction with this State or a resident thereof or purposely avails itself of the privilege of conducting activities in this State, or otherwise engages in any activity that constitutes sufficient nexus with this State to satisfy the requirements of the United States Constitution.”

The statute, SB 220, was signed into law by Governor Stephen F. Sisolak on May 29 and takes effect on October 1. It does not create a private cause of action; its enforcement lies with the state Attorney General.

New York

In New York, a bill proposed by State Senator Kevin Thomas would amend the general business law to add a new article entitled New York Privacy Act. The bill contains many of the same provisions as the California law, but also imposes on companies the role of “data fiduciary,” providing as follows: “Personal data of consumers shall not be used, processed or transferred to a third party, unless the consumer provides express and documented consent. Every legal entity, or any affiliate of such entity, and every controller and data broker, which collects, sells or licenses personal information of consumers, shall exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”

The New York bill provides a private right of action for injunctive relief and monetary damages by “any person who has been injured by reason of a violation of this article.”

The bill, S5642, has been referred to committee.

Task Force Creation in Texas, Connecticut

In Texas, the Texas Consumer Privacy Act, HB 4518, which contained many of the provisions in the CCPA, failed to pass the state House of Representatives before the end of the legislative session. However, a second bill, HB 4390, which amends the Texas Identity Theft Enforcement and Provision Act by strengthening notification requirements in the event of a data privacy breach, creates the 15-member Texas Privacy Protection Advisory Council to propose data privacy legislation by September 2020. The bill was signed by Governor Gregory Abbott on June 14.

Similarly, in Connecticut, SB 1108, a bill modeled on the CCPA, was referred to committee, then amended to create a consumer privacy task force. The bill was signed by Governor Ned Lamont on July 9, 2019.

Legislators in a number of other states have introduced data privacy bills similar to the CCPA, many of them currently pending before relevant committees. Among the states with pending bills are Pennsylvania (HB 1049); Massachusetts (SB 120); Rhode Island (HB 5930); and Maryland (SB 613). Other states are expected to follow suit as consumers continue to demand greater control over their personal data, especially in the absence of federal legislation addressing the issue.

Ohio Incentivizes Protection Practices

The Ohio Data Protection Act (ODPA) provides legal safe harbor against data breach claims and incentivizes the adoption of strong cybersecurity practices rather than punishing entities for failure to adhere to specific regulations. This safe harbor is provided to entities that create, maintain and comply with a cybersecurity program conforming to an industry-recognized cybersecurity framework recognized by the ODPA. Ohio Rev. Code Ann. § 1354.02.

Initial Guidance

As more states enact laws that significantly expand consumer privacy rights, counsel should be aware of the potential impact on companies located or doing business in any of these states, including:

• The disproportionate burden and cost of compliance for small and midsized companies
• The technical challenges of reconfiguring a company’s system to process consumer requests for disclosure, delivery, and deletion of their personal information
• Incurring significantly higher litigation costs in states that allow for a private right of action by consumers
• Statutory requirements on companies to implement new workplace policies and provide internal training to employees -and-
• Anti-discrimination protections for consumers who exercise their rights under these laws

These laws are subject to further legislative amendments, agency regulations, and court challenges as both consumer and industry groups seek clarification of and consider further changes. As a result, companies need to anticipate making material revisions to their relevant compliance programs to adjust as these laws evolve.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Labor and Employment > Employment Policies > Safety and Health > Articles