Data privacy and the protection of personal data will be a defining feature of 2020. States are taking matters into their own hands by passing sweeping new privacy laws, which will impact business owners and website operators across the country. Keep reading for a summary of privacy law activity that business owners may need to take action on in the new year.
The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is the first comprehensive consumer privacy law in the US and takes effect on January 1, 2020. The CCPA imposes several obligations on companies that collect personal information from consumers in California and grants to these consumers specific rights in that information.
Businesses that are covered by the CCPA must be prepared to manage the various rights granted to consumers by the new law and respond promptly to requests from consumers based on those rights. The CCPA includes the right to access or delete information and to opt-out of the sale of personal information. Covered businesses must inform consumers of the categories of personal information the company will collect, the purpose of use for that information, and their rights under the CCPA concerning that data.
Companies do not need to have a location in California in order to be covered by the CCPA. Any company that does business in California will be covered by the CCPA if it collects personal information from consumers in California and either:
- Has annual gross revenues greater than $25 million;
- Buys, collects, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes; or
- Collects 50% or more of its annual revenues from selling consumers’ personal information.
The CCPA does not define what it means to “do business” in California. A company that sells to consumers, hires vendors, or has employees or physical offices located in California will likely find itself subject to the CCPA if it meets any of the above thresholds.
New York Stop Hacks and Improve Electronic Data Security Act
The New York “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act comes into effect on March 21, 2020, and expands the scope of New York’s existing data breach notification statute. The SHIELD Act requires businesses in possession of private information of New York residents to implement and maintain reasonable administrative, technical, and physical safeguards that protect the security, confidentiality, and integrity of that private information. The Act also requires companies to notify any New York residents whose information is the subject of a data breach or other unauthorized access. Failure to comply with these notification requirements can result in fines of $10-$20 per failed notification.
The SHIELD Act is not prescriptive. It does not define what “reasonable safeguards” means, as this will vary based on the size and nature of the business, the information collected, and how the information is used, stored, and shared. Examples of safeguards that exist in most strong information security programs, and which businesses should consider implementing in their programs, include:
- designating an individual to oversee the company’s cybersecurity program;
- creating a data map that identifies all sources of data collection;
- training employees and managers on information security practices;
- setting strong passwords and enabling multi-factor authentication for email and other critical systems;
- vetting and requiring contractual protections with vendors and service providers; and
- performing an annual risk assessment and implementing controls based on the results of that assessment.
Nevada Privacy of Information Collected on the Internet from Consumers Act
Effective October 1, 2019, Nevada’s Privacy of Information Collected on the Internet from Consumers Act (NPICICA) creates obligations for companies that operate websites and do business in the state of Nevada. The NPICICA applies to individuals or companies who run websites or online services for commercial purposes and requires covered website operators to provide:
- notice to consumers of what information the operator collects and the third parties with whom it shares that information;
- a process by which consumers can review and request changes to their data; and
- a mechanism for consumers to opt-out of the sale of personal information, even if the company does not presently sell any personal information.
Businesses that operate websites that are viewed by, and collect personal information from, consumers in Nevada will have obligations under the NPICICA if they engage in activities that establish sufficient nexus with the state. These activities include intentionally directing activities toward Nevada (i.e., marketing directly to Nevada residents), consummating transactions with the state or one of its residents, or conducting business in the state of Nevada.
Enlist Help for Data Privacy
A company that doesn’t operate in any of the above states may still have data privacy obligations as a result of contracting with a client or service provider. Equinox attorneys can help businesses identify which privacy laws apply to them, and then consider, design, and implement data privacy programs that comply with those requirements. Contact Equinox today to learn more.