With the California Consumer Privacy Act now in effect as of January 1, 2020 and hogging most of the headlines, it’s important to know and be aware of the other states also passing privacy laws. These states have not had the same amount of media exposure as the CCPA, but nonetheless this list will look at states from coast to coast and show all of America is concerned about their data privacy and not just California.
Maine: Maine’s Act to Protect the Privacy of Online Customer Information will come into effect July 1, 2020. The statute applies only to broadband internet service providers (ISPs), defined as any “mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints.” Companies with war chests of consumer data such as Verizon or Comcast are the ones specifically targeted by this legislation. Companies such as Facebook and Google though are excluded because they do not actually provide internet service. You can use the internet without browsing Facebook or searching something on Google, but there is no access to the internet if you don’t have a provider like Verizon. The CCPA differs from Maine’s law because it requires consumers to request that their provider not sell their data.
Nevada: Nevada has already adopted Senate Bill 220, a new piece of data privacy legislation. It was among the very first in the country as it came into effect on 1 October 2019, three months before California implemented their CCPA. Many experts and data privacy skeptics believe Nevada’s laws to be much more burdensome and complicated than California’s. Of course in some aspects Nevada’s Senate Bill 220 may be more lenient compared to the CCPA, but the per violation fine amount is more than double California’s being $5,000 per fine in Nevada. Compliance in Nevada could save or cost companies dealing with data a lot of money.
Vermont: Vermont was among the first states in America to pass any sort of privacy law. On January 1, 2019 they passed a law which allows them to regulate “data brokers”. A “data broker” in their words is, “a business or unit/s of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” So if this company has a direct relationship with the consumer, for example selling directly to people online like clothes or anything, they’re not bound to the restraints of “data brokers”. Vermont’s law is not the most encompassing, but if your company is considered a “data broker” the regulations and restraints are very tough.
Colorado: Colorado was the very first State to pass a new law on digital privacy. HB 18-1128 allows organizations to establish regulations on the protection of Personally Identifiable Information (PII). Companies who store PII are held accountable for the destruction of physical and electronic materials that contain PII, and are responsible for investigating and notifying of any sort of data breach.
New York: New York signed the SHIELD Act into law on July 25, 2019, but the bulk of its regulations came into effect on October 23, 2019. New York’s SHIELD Act varies from the other states because New York’s concern with this legislation is not about opt-out rights or even day to day online activity, but instead it focuses on dealing with data breaches. The SHIELD Act extends the scope of the subject information to include biometric information and the range of possible breach or hacking scenarios. The SHIELD Act updates the protocols companies are required to follow in the case of a data breach.
All of these states have passed data privacy related laws and regulations, and there will be plenty of others in the upcoming months and years. This list is by no means a definitive list of all privacy regulations in America, but the purpose is to show that not only the west coast cares about data privacy. If you live or your business is located in any of these states it is important to not only keep your eye on the CCPA, but of your own states’ previous and future data privacy legislation.