United States: State Legislators Joining The Consumer Privacy Protection Party: Introduced CCPA-Like Bills

In 2018, the California legislature made headlines with its game-changing data protection law: the California Consumer Privacy Act of 2018. Other state legislators across the country appear to be hot on its heels as a flurry of CCPA-like bills have been introduced across the United States. While it is too early to predict which of these bills, if any, will be enacted, this increased focus on privacy in the state legislatures is clearly a sign that the privacy landscape, and consequent compliance challenges for companies, is going to get more complicated.

Overview of the California Consumer Privacy Act

The California Consumer Privacy Act of 2018 (the "CCPA"), as amended by California Senate Bill SB 1121, regulates the collection, use, sale and disclosure of California residents' personal information by qualifying businesses. This newly enacted legislation, set to become effective on January 1, 2020, introduces significant legal risks and considerations for companies across the United States due to its expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, non-insignificant statutory fines and its creation of a private right of action for consumers in relation to certain data breaches. You can read more about the CCPA and its amendment here (discussing the law itself) and here (discussing the amendment), as well as its impact on breach litigation here. The CCPA is far from finalized. Last month, California Attorney General Becerra and State Senator Jackson introduced SB 561 proposing further amendments which, among other things, expand the consumers' right to bring a private action for violations of the statute. Additionally, the Office of the Attorney General is expected to release a draft of implementing rules in the fall of 2019 and is in the process of holding public forums and receiving comments.

Summary of Introduced CCPA-Like Bills

The 2019 state legislative sessions saw several privacy and data security bills (some like the CCPA) being introduced in no fewer than ten states across the United States. Those most like the CCPA in breadth and potential impact are summarized briefly below. Please see the attached chart here for a summary of the key provisions of these state initiatives in comparison to the CCPA.

1) Hawaii SB 418 (Status: In Senate)

Hawaii's proposed law would provide similar rights to Hawaii consumers and impose similar, though more limited, disclosure obligations on businesses as those found in the CCPA. However, the proposed law could potentially have even broader impact than the CCPA because it likely applies to any business entity, regardless of size, that collects identifying information about an individual who interacts with a business within the state of Hawaii. The proposed law does not include a private right of action for consumers and does not enumerate the penalties that may be imposed by the Hawaii Office of Consumer Protection.

2) Maryland SB 613 (Status: In Senate)

Maryland's proposed law would provide similar rights to Maryland consumers and impose similar, though more limited, disclosure obligations on businesses as those found in the CCPA. However, the right to opt out may be more expansive under the proposed law because it applies to any disclosure of personal information to third parties, rather than just data sales. In addition, the proposed law contains a complete prohibition on the "knowing" disclosure of children's personal information (under the age of 18) without exception. The proposed law does not include a private right of action for consumers.

3) Massachusetts SD 341 (In Senate)

Massachusetts's proposed law would provide similar rights to Massachusetts consumers and impose similar, though more limited, disclosure obligations on businesses as those found in the CCPA. However, the right to opt out may be more expansive under the proposed law because it applies to any disclosure of personal information to third parties, rather than just data sales. In addition, the proposed law contains a complete prohibition on the knowing disclosure of children's personal information (under the age of 18) without exception. The proposed law provides a private right of action for consumers who have suffered any violation of the proposed law. Except for the private right of action, Massachusetts's proposed law is very similar to Maryland's proposed law.

4) Mississippi HS 1253 (Dead)

Mississippi's proposed law nearly mirrors the consumer rights and personal information obligations found in the CCPA. However, the proposed law failed to pass committee review and is no longer being considered by the state legislature.

5) Nevada SB 220 (In Senate)

Nevada's proposed law amends the state's existing requirement for any person who owns or operates an Internet website or online service for a commercial purpose with a sufficient nexus to Nevada to provide notice to consumers regarding covered information collected by the operator. The amendment borrows the CCPA's right to opt out by permitting a consumer to submit a notice to an operator directing the operator not to sell his or her covered information. However, it does not expand the notice obligation to include all the components required under the CCPA, such as notice relating to the sale of information, and does not provide the other consumer rights granted under the CCPA, such as the right to deletion. The proposed law provides a private right of action for any person injured by a violation of the new right to opt out or the existing obligations to provide notice.

6) North Dakota HB 1485 (Replaced by a Legislative Management Study)

North Dakota's proposed law represents the furthest departure from the CCPA. Unlike the CCPA, it does not contain general notice obligations other than in response to a consumer request. However, it generally prohibits the disclosure of personal information to a third party without the express written consent of the consumer. Moreover, it provides for large fines in the event a covered entity violates a cease and desist order issued by the attorney general (up to $100,000 per violation or $250,000 per intentional violation of the cease and desist order). The proposed law also includes a private right of action for consumers whose personal information is purchased, received, sold or shared in violation of the bill. However, the proposed law has been replaced in its entirety with a bill authorizing a legislative management study of consumer personal data disclosures (see here for the revised bill).

7) New Mexico SB 176 (In Senate)

New Mexico's proposed law would provide similar rights to New Mexico consumers and impose similar, though more limited, disclosure obligations as those found in the CCPA. However, the proposed law does not narrowly define the term "business," "consumer" or "minor," and could thus be broader in scope than the CCPA, potentially applying to any business entity that collects personal information of a New Mexico consumer. The proposed law does not identify the limit for penalties per violation that the attorney general may impose but does cap penalties for intentional violations at $10,000 per violation.

8) New York SB S224 (In Senate)

New York's proposed law focuses on the transparency of the disclosure of personal information without granting the other significant consumer rights (including the right to deletion) found in the CCPA. A business is required to make available to the customer the categories of personal information disclosed to third parties and the names and contact information of all the third parties that received the customer's personal information from the business. This proposed law is drafted broader than the CCPA because it applies to any person or entity that does business in New York. In addition, the proposed law permits a "customer" of a business, the New York attorney general, a district attorney, a city attorney, or a city prosecutor to bring a civil action to recover "penalties" for violations of the bill.

9) Rhode Island SB 234 (In Senate)

Rhode Island's proposed law would provide similar rights to Rhode Island consumers and impose similar, though more limited, disclosure obligations as those found in the CCPA. Despite adopting the CCPA's private right of action for certain breaches, the proposed law does not specify whether the RI attorney general has authority to enforce the proposed law and any fines that may be imposed.

10) Washington SB 5376 (Passed Senate, In House)

Washington's proposed law incorporates several concepts from the European Union's General Data Protection Regulation ("GDPR") into the general framework of the CCPA (e.g., controller vs. processor obligations, risk assessment obligations). The proposed law applies to entities that conduct business in Washington or produce products or services that are intentionally targeted to Washington residents and that meet one of two thresholds like those contained in the CCPA. The proposed law requires a business to make available a privacy notice disclosing the categories of personal data collected, the purposes for which personal data are used, and information relating to the sharing and sale of personal data. The rights provided to consumers more nearly reflect the rights made available under the GDPR: the right to knowledge and access to personal data, the right to the correction of personal data, the right to the deletion of personal data, the right to restrict or object to the processing of personal data and the prohibition against certain decisions based solely on profiling from facial recognition.

The law grants the Washington attorney general the ability to use its enforcement authority under Washington's consumer protection act for violations of the law, as well as to seek injunction or civil penalty up to $2,500 per violation or $7,500 per intentional violation. However, it does not grant any private right of action for consumers. The proposed law passed the Senate on March 6, 2019. There is now less than two months left in the 2019 Regular Session, so it is likely that additional news about this proposed law will be announced in the coming weeks.

Takeaways

Although it is too early to predict whether these laws will be enacted, there are a few key takeaways from this flurry of legislative activity:

  • The CCPA is unlikely to be the only state-specific general consumer privacy protection law that will be enacted in the United States. State legislatures are keenly interested in data protection and privacy regulation, which has bipartisan support in many state houses. A common denominator across the various state proposals is the provision of GDPR- and CCPA-style consumer rights of access, opt-out and deletion, though there are some differences in the breadth of application and impact of such rights. In addition, the applicability of these state proposals varies, including the available exemptions that may bring a business outside the scope of the proposed law. As just one example, while the CCPA provides a broad exemption for data covered by the Gramm-Leach-Bliley Act, only three of the eight proposed bills still under consideration have a similar exemption as currently drafted.
  • The increased state-level privacy regulation activity has led to a renewed push for federal legislation. Businesses should keep an eye out for initiatives at the federal level aimed at preempting, harmonizing or standardizing certain aspects of state consumer privacy laws.
  • Businesses that are currently subject to the GDPR and/or will be subject to the CCPA when it becomes effective in 2020 should consider whether their current or proposed privacy and data security compliance programs are flexible enough to adapt to new laws that are likely to join the privacy landscape in the near future.
  • Businesses that are not subject to the GDPR and will likely not be subject to the CCPA should consider whether they have in place an appropriate privacy and data security governance structure to anticipate the impact that any new laws may have on their business operations and to chart a path to credible compliance in the event they become subject to such a law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
