With the ever-changing landscape of data privacy, leaders need to stay updated on U.S. data privacy activity. We’ve seen the passing of the CCPA and NY SHIELD Act, and 2020 has seen a significant amount of activity and continued momentum going into next year.
We have been keeping a close eye on the proposed changes coming in California, Washington, and New York to provide you with insight on what to expect in 2021.
California Consumer Privacy Act (CCPA)
The CCPA took effect and became enforceable this year, and it has already seen changes through a final set of regulations, which now faces proposed modifications.
The final set of CCPA regulations went into effect on August 14, 2020, adding items to the business compliance checklist. One stand-out rule that rolled out in August affects the consumer notification point on websites. Companies are now required to provide consumers with their online privacy practices at, or before, the point of collection. They must be accessible to consumers with disabilities, regardless of whether the ADA covers that business. What does this mean for your business?
For your business to follow the CCPA privacy practice notification regulation, your privacy notice must include:
- a list of the categories of personal information collected,
- the purposes for which types of information will be used,
- if the business “sells” personal information, a link to a “Do Not Sell My Personal Information” page allowing the consumer to opt out of the sale of their data.
Now, do not forget that California also has proposed modifications to these regulations. If these modifications are implemented, your business will be required to:
- Interact with consumers offline to provide notice of the right to opt-out through an offline method;
- Provide an easy, minimal-step method for submitting opt-out requests; and
- Clarify the mechanisms for verifying requests from consumers and authorized agents.
California Privacy Rights Act (CPRA)
While the ink is still drying on the CCPA, California is keeping busy with the latest consumer rights bill, dubbed the California Privacy Rights Act (CPRA). The CPRA goes into effect on January 1, 2023, and closely resembles the European Union’s General Data Protection Regulation (GDPR). The most significant differences between the CPRA and the CCPA include:
Act Thresholds Tests
The CPRA provides that the Act covers a business if it meets at least one of three threshold tests:
- annual gross revenue exceeds $25 million;
- collects personal information of more than 50,000 consumers, households, or devices; or
- receives 50% or more of annual revenues from selling or sharing personal information.
Note: The collection threshold above has been narrowed and increased to 100,000 consumers or households (“devices” has been removed). The other two threshold tests remain the same.
Categorization of Personal Information
The CPRA creates a new subcategory of personal information – “sensitive personal information” (SPI) – which has a similar meaning to its equivalent in the GDPR. SPI includes:
- Sensitive information such as social security, driver’s license, passport, or financial account numbers;
- Information about race, ethnicity, religion, sexual orientation, or union membership; and
- Personal communications, genetic data, biometric information, or health information.
Consumers will have additional rights in their SPI collected by covered businesses.
The CPRA creates a new enforcement agency – the California Privacy Protection Agency – and removes the 30-day cure period that the CCPA provides for alleged instances of noncompliance.
Washington Privacy Act (WPA)
For the third year in a row, the Evergreen State is attempting to pass its consumer privacy legislation. The act previously failed due to an inability to agree on whether consumers should be afforded the ability to file civil suits against businesses that violate the WPA.
This year, the WPA resembles the versions proposed in prior years, with a few fundamental changes. As in previous years, the proposed WPA shares features found in both the GDPR and CCPA. Parts of the proposed WPA include:
- The definition of a covered business is similar to that seen in the CPRA, except that there is no threshold test related to a business’ annual revenue.
- Consumer rights to access, correction, deletion, and portability of data.
- Consumer right to opt out of specific processing of personal data.
- A subcategory of “sensitive data,” defined similarly to what we see in the GDPR and CPRA, which requires express consent before processing.
- Roles and responsibilities that apply to controllers and processors, which are reminiscent of requirements seen in the GDPR.
- Requirement for controllers to conduct
- A 30-day period for a controller to cure a violation after receiving written notice of the violation from the Attorney General.
- Enforcement of the WPA is entrusted to the Washington Attorney General’s office.
The next legislative session is scheduled to convene on January 11, 2021. If the WPA passes, it will go into effect 120 days after enactment.
New York Privacy Act (NYPA) and It’s Your Data Act (IYDA)
New York has proposed two significant pieces of consumer privacy legislation: the New York Privacy Act (NYPA) and the It’s Your Data Act (IYDA). Either bill, if passed, would become the most protective consumer privacy legislation in the country.
For example, the NYPA cites a fiduciary duty to consumers for any businesses that collect consumer personal information and further requires “opt-in” consent instead of an opt-out option.
Similarly, the IYDA creates a civil “right of privacy” for all consumers in the state of New York. This rule would require prior written consent before collecting, storing, or using personal information for any commercial purpose. Consumers would be empowered to file suit for injunction and damages. Furthermore, violation of the right of privacy would constitute a misdemeanor.
It remains to be determined if either of these bills will make meaningful progress through the New York legislature.
Legal Disclaimer: This article contains general information. Do not view this article as legal advice. Talk with counsel familiar with your unique business needs before taking or refraining from any action.