Corporate TIPS: Efforts to Protect Personal Data Continue in 2020 Creating An Ever Complex Maze of Rules for Businesses
By Craig S. Horbus & Joseph K. Cole on January 08, 2020
By now, many in the legal and corporate worlds have heard of the EU’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), the latter of which took effect on January 1, 2020. These regulations are part of a growing body of laws, both internationally and in the U.S., regarding data privacy and security. Given the number of high-profile data breaches and the resulting heightened concern about how our personal data is used, shared, and stored, it is likely we will see additional regulations in 2020 and beyond.
Several states have either passed new laws or amended existing laws primarily to (1) expand the scope of private information covered; (2) modify who is covered by the law and the security requirements necessary to comply; and/or (3) modify the notification requirements in the event of a breach. As we begin 2020, below is a brief summary of some of the new or amended state laws.
Maine – An “Act to Protect the Privacy of Online Consumer Information” is set to go into effect on July 1, 2020 and prevents internet providers from using or selling consumers’ browsing data and certain other data without consent. It further bans providers from refusing to serve consumers who do not consent or from offering consumers a discount in exchange for their consent.
Nevada – Senate Bill 220 took effect on October 1, 2019 and amends an existing law by allowing Nevada residents to opt out of the sale of their personal data. The law differs from the CCPA in a few notable ways. First, it more narrowly defines “sale” as the exchange of protected information for monetary consideration, as opposed to “for monetary or other valuable consideration” under the CCPA. Second, the law applies only to operators of internet websites and online services, unlike the CCPA, which applies to both online and offline businesses.
New York – The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) takes full effect on March 21, 2020 and requires companies in possession of New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” The Act applies to any person or business that owns or licenses computerized data that includes private information of New York residents. The Act includes amendments to the existing breach notification law that took effect on October 23, 2019 and that, in part:
- Expands the scope of “private information” that triggers a notification obligation to include: (1) biometric information (fingerprints, retina or iris scans, voice prints, or other unique physical representation or digital representation of biometric data) and (2) user names and email addresses if coupled with passwords or other information that would allow access to online accounts.
- Expands the definition of “breach of the security of the system” to include not only unauthorized acquisition of private information, but also unauthorized access to such information.
- Modifies the notification requirements in the event of a breach.
Oregon – The renamed Oregon Consumer Information Protection Act took effect on January 1, 2020 and requires covered entities that discover a breach of security to notify the owners of the personal data as soon as possible but no later than 10 days after discovery. If the covered entity has to notify more than 250 consumers of a breach, the Attorney General must also be notified. The Act expands the definition of “personal information” to include a user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.
Washington – Set to take effect on March 1, 2020, Washington amended its data breach notification law to expand the definition of personal information to include, among other items, biometric data. The amendment also shortens the notification deadline from 45 days to 30 days and sets forth the minimum content required in notices to consumers, including telling consumers how long their data was exposed.
Navigating these new and amended laws can be daunting, and the civil fines and penalties for violations can be costly. At Brouse McDowell, our Cybersecurity and Data Privacy team can help your company navigate the rules and will partner with you to develop a plan to address your data privacy and security needs.