The future of personal data privacy is here.
The modern consumer has grown more privacy-conscious and lawmakers around the world are introducing privacy laws to satisfy consumers’ increasing demand for protection of their personal information. According to Gartner, “more than 60 jurisdictions around the world have enacted or proposed postmodern privacy and data protection laws”, and by 2023, modern privacy regulations will protect 65% of individuals around the world.
The world of data privacy and security is constantly evolving, and as your growing business continues to collect and process personal information, you must stay on your toes and keep up with the latest privacy laws and regulations.
Check out these state privacy laws that are shaping the United States (U.S.) privacy landscape and changing the way growing businesses address data protection across the nation.
WHERE IT ALL BEGAN
Since the European Union’s (EU) General Data Protection Regulation (GDPR) went into effect, most countries (and some U.S. states) have enacted or are considering their own version of data privacy laws. As for the U.S., multiple states have passed and proposed privacy and data protection legislation to protect their residents’ rights and keep up with the evolution of data privacy and protection in the digital era.
Of the 50 U.S. states, California was the first to introduce and pass the California Consumer Privacy Act (CCPA) — a comprehensive state privacy law. This consumer-driven law took effect on January 1, 2020, with enforcement beginning on July 1, 2020. The CCPA introduces new rights for California residents and provides them with an enhanced set of online privacy protections that impact how businesses handle California consumer personal information. These rights include:
- The right to know and access information about the collection, sharing, and selling of personal information
- The right to opt out of the sale of personal information to third parties
- The right to request deletion of personal data
- The right not to be discriminated against by a business for exercising their consumer rights
- A direct private right of action for security breaches involving nonencrypted or nonredacted personal information
Since the CCPA, other U.S. states have introduced their own privacy laws, including Nevada, Washington, Maine, and Illinois.
Nevada’s privacy law, formally known as Senate Bill 220 (SB-220), is familiar to some but new to others. Similar to the CCPA, SB-220 requires online businesses and other website owners and operators that collect personal information from Nevada residents to provide them with the right to opt out of the sale of personal information. However, it also has its own unique requirements. For example, Nevada’s law doesn’t require consumers to opt in to the sale of their personal information after opting out and, in place of a “Do Not Sell” button, the law requires businesses to provide consumers with an email address, a toll-free phone number, or an internet website to submit verified opt-out requests.
Washington has introduced several bills to safeguard personal information, but the Washington Privacy Act (WPA) is probably one of the most comprehensive. This law would apply to businesses operating in Washington or targeting Washington residents with product and service offerings. Similar to Nevada’s privacy law, the WPA closely resembles the EU’s GDPR and includes elements of the CCPA as it provides Washington residents with the right to access, correct, or delete their personal data, in addition to the right to data portability and the right to opt out. Although the WPA failed to pass this year, businesses should continue to take notice of Washington’s future attempts to enact a privacy law.
New York’s Privacy Act (NYPA) is another privacy initiative that has been proposed, but not yet passed. However, it’s still one to watch as legislators plan to introduce a similar bill in the near future. The NYPA would have been another groundbreaking consumer privacy law. The NYPA would have introduced the concept of a data fiduciary, requiring businesses that handle personal information to exercise the duty of care, loyalty, and confidentiality. The proposed law would have granted New York residents more control over their personal information and ensured that businesses obtain consumers’ consent before sharing or selling their personal information. Again, there are notable similarities to the GDPR as the NYPA would have provided New York residents with the right to correct, delete, and restrict the processing of personal data, in addition to a restriction on profiling.
Finally, the Illinois Senate Bill 2330 for the Data Transparency and Privacy Act (‘the DTPA’) is the latest act to make its debut. Introduced on January 8, 2020, the DTPA requires businesses that process personal information or de-identified information of Illinois consumers to provide notice prior to processing. If passed, the bill will provide the following rights to consumers:
- The right to know
- The right to opt out of the sale, processing, or disclosure of personal information to third parties
- The right to request the correction of inaccurate personal information
- The right to delete personal information
- Private right of action for consumers affected by a data breach
Once again, the future of data privacy in the U.S. is here and growing businesses must prepare to comply with both global and jurisdictional data privacy requirements. In addition to the four states above, several other states are preparing to introduce and pass their own U.S. data privacy legislation. In addition, federal lawmakers have proposed multiple nationwide data privacy bills over the past few years. As you prepare your growing business for these developing privacy laws and regulations, it’s crucial that you prioritize data privacy and security to ensure that your organization and the personal information you handle stay protected.