Sweeping new data privacy laws in several states – California, New York, and Nevada – could impact your business. What you may not realize is that your business may be covered by these laws even if it has no physical presence in those states.
You can take action now by determining whether and how each of these laws applies to your company. You will likely need to review your privacy policies and practices, train your staff, and establish processes to respond to consumer requests such as those the CCPA creates. Equinox attorneys can help you understand your obligations and implement the right solutions.
The California Consumer Privacy Act (CCPA)
What is it? California’s new privacy law, the CCPA, grants consumers new rights that will require businesses to:
- Respond promptly to consumer requests to opt out of the sale of their personal information and to requests to delete their personal information; and
- Inform consumers, at or before the point of collection, of the categories of personal information they collect, the purposes for which it will be used, and the consumers’ rights concerning that data under the CCPA.
When does it take effect? January 1, 2020
Am I affected? The CCPA covers a for-profit business that does business in California (it does not need to be located in California) if it collects personal information from California consumers and meets any one of the following thresholds:
- Has annual gross revenues greater than $25 million;
- Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
The CCPA broadly defines “personal information” to include any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The definition specifically includes IP addresses, email addresses, browsing history, search history, geolocation data, and information regarding a consumer’s interaction with a website.
Some examples of “doing business” include selling products and services to California consumers, hiring California vendors, or having employees whose physical location is in California.
What’s the risk to me? Failure to comply with the CCPA could result in civil penalties of up to $2,500 per violation, or up to $7,500 for each intentional violation, for violations that are not cured within 30 days of notice from the California Attorney General. Attorney General enforcement begins on July 1, 2020. Separately, the CCPA gives consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident, when certain personal information is breached as a result of a business’s failure to maintain reasonable security procedures.
New York Stop Hacks and Improve Electronic Data Security Act (SHIELD)
What is it? New York’s new data security law requires businesses to implement and maintain reasonable safeguards to protect New York residents’ private information.
Any business in possession of the private information of New York residents must implement and maintain reasonable administrative, technical, and physical safeguards to protect that information. The SHIELD Act does not prescribe a fixed checklist of controls that qualify as “reasonable safeguards,” but examples of safeguards it contemplates include:
- Designating an individual to oversee the company’s cybersecurity program;
- Creating a data map that identifies all sources of data collection;
- Training employees and managers on information security practices;
- Setting strong passwords and enabling multi-factor authentication for email and other critical systems;
- Vetting and requiring contractual protections with vendors and service providers;
- Creating an incident response plan to ensure your company is prepared to respond to a potential breach; and
- Performing an annual risk assessment and implementing controls based on the results of that assessment.
When does it take effect? The data security requirements take effect on March 21, 2020. The data breach notification requirements have been in effect since October 23, 2019.
Am I affected? Your business is covered under the SHIELD Act if it collects or otherwise stores the private information of New York residents.
“Private information” includes a social security number; a driver’s license or state ID card number; an account number or credit/debit card number, together with any password or code permitting access to the account; biometric information (e.g., a fingerprint, voice print, or retina scan); and a username or email address, together with a password or security question and answer that would permit access to an online account.
What’s the risk to me? The New York Attorney General enforces the SHIELD Act; there is no private right of action. A failure to meet the data security requirements can result in civil penalties of up to $5,000 per violation. A knowing or reckless failure to provide required breach notifications can result in civil penalties of up to $20 per failed notification, with a maximum penalty of $250,000.
Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA)
What is it? Nevada’s new privacy law, the NPICICA, requires covered website operators and online service providers that collect and maintain covered information from Nevada residents to provide:
- Notice to consumers of the categories of information they collect and the categories of third parties with whom they share that information;
- A description of the process, if any, by which consumers can review and request changes to their covered information; and
- A designated request address through which consumers can opt out of the sale of their covered information, which must be offered even if the company does not presently sell any covered information.
“Covered information” includes a name, home or other physical address, email address, telephone number, and social security number. Any other identifier that allows a specific person to be contacted, either physically or online, is also covered information. Note that Nevada defines a “sale” narrowly as an exchange of covered information for monetary consideration to a person who will then license or sell it to others, which is considerably narrower than the CCPA’s definition.
When did it take effect? October 1, 2019
Am I affected? The NPICICA applies to businesses and individuals that operate commercial websites or online services, collect covered information from Nevada residents, and purposefully direct their activities toward Nevada. A company may be treated as purposefully directing its activities toward Nevada if it sells to or transacts with Nevada residents or otherwise “avails itself” of the privilege of conducting business in the state.
The meaning of “avails itself” is vague; it could include marketing directly to Nevada residents, hiring vendors located in Nevada, or having employees located in Nevada.
What’s the risk to me? The Nevada Attorney General may seek an injunction or a civil penalty of up to $5,000 per violation. The law does not create a private right of action.
Stay Up To Date on New & Changing Laws
States across the US will continue to pass new laws in an ongoing effort to empower consumers to protect their personal information. Washington, Massachusetts, Florida, and Illinois have all seen proposals for new privacy legislation in 2020, and their sponsors hope to gain traction on the heels of the CCPA. Stay tuned to our blog and legal alerts for updates on data privacy activity.