With the ever-changing landscape of data privacy, leaders need to stay updated on U.S. data privacy activity. We’ve seen the passing of the CCPA and NY SHIELD Act, and 2020 has seen a significant amount of activity and continued momentum going into next year.
We have been keeping a close eye on the proposed changes coming in California, Washington, and New York to provide you with insight on what to expect in 2021.
The CCPA went into effect and enforcement this year and has already seen changes through a final set of regulations, which now faces proposed modifications.
The final set of CCPA regulations went into effect on August 14, 2020, adding additional business compliance checklist needs. One stand-out rule that rolled out in August affects the consumer notification point on websites. Companies are now required to provide consumers with their online privacy practices at, or before, the point of collection. They must be accessible to consumers with disabilities regardless if the ADA covers that business or not. What does this mean for your business?
For your business to follow the CCPA privacy practice notification regulation, your privacy notice must include:
Now, do not forget that California also has proposed modifications to these regulations. If these modifications are implemented, it will mean your business will be required to:
While the ink is still drying on the CCPA, California is keeping busy with the latest consumer rights bill, dubbed the California Privacy Rights Act (CPRA). The CPRA goes into effect on January 1, 2023, and closely resembles the European Union’s General Data Protection Regulation (GDPR). The CPRA differs from the CCPA with the most significant differences, including:
The CPRA provides that the Act covers a business if it meets at least one of three threshold tests:
The CPRA creates a new subcategory of personal information — “sensitive personal information” (SPI) – which has a similar meaning to its equivalent in the GDPR. SPI includes:
The CPRA creates a new enforcement agency – the California Privacy Protection Agency – and removes the 30 days cure period that the CCPA provides for alleged noncompliance instances.
For the 3rd year in a row, the Evergreen State is attempting to pass its consumer privacy legislation. The act previously failed due to an inability to agree on whether consumers should be afforded the ability to file civil suits against businesses that violate the WPA.
This year, the WPA looks like proposed versions seen in prior years, with a few fundamental changes. As in previous years, the proposed WPA shares features found in both the GDPR and CCPA. Parts of the proposed WPA include:
The next legislative session is scheduled to convene on January 11, 2021. If the WPA passes, it will go into effect 120 days after enactment.
New York has proposed two significant pieces of consumer privacy legislation: the New York Privacy Act (NYPA) and the It’s Your Data Act (IYDA). Either bill, if passed, would become the most protective consumer privacy legislation in the country.
For example, the NYPA cites a fiduciary duty to consumers for any businesses that collect consumer personal information and further required “opt-in” consent instead of an opt-out option.
Similarly, the IYDA creates a civil “right of privacy” for all consumers in the state of New York. This rule would require prior written consent before collecting, storing, or using personal information for any commercial purpose. Consumers would be empowered to file suit for injunction and damages. Furthermore, violation of the right of privacy would constitute a misdemeanor.
It remains to be determined if either of these bills will make meaningful progress through the New York legislature.
Legal Disclaimer: This article contains general information. Do not view this article as legal advice. Talk with counsel familiar with your unique business needs before taking or refraining from any action.
By submitting this form, you are consenting to receive marketing emails from: Equinox Business Law Group PLLC, 11130 NE 33rd PL, Suite 120, Bellevue, WA, 98004, US, http://www.equinoxbusinesslaw.com.