A quick glance at the current state of US privacy laws

March 22, 2021

Confused about the state of play when it comes to the varying United States’ privacy laws? Here is an at-a-glance reminder of where we are in several states ahead of PrivSec Global’s panel, US Privacy: The Year for Change?

California Consumer Privacy Act / California Privacy Rights Act

In 2020, the California Consumer Privacy Act (CCPA) became the first United States (US) comprehensive data privacy law to come into effect. Modelled largely against the General Data Protection Regulation (GDPR), the law seeks to provide Californian consumers and employees with a right to know what personal data is being collected about them, whether their personal data is sold or disclosed and to whom and restrict the sale of their personal data.

Following Californians voting in favour of Proposition 24, the California Privacy Rights Act (CPRA) is set to be a remodelled version of the CCPA which seeks to close loopholes in the original law. Passed in December 2020, the CPRA is expected to become law in 2023 but businesses will need to show that they are compliant with both laws by next year.

The new Act notably establishes the California Privacy Protection Agency, a independent authority that will be empowered to hold hearings, hand out fines for privacy breaches and hold businesses to account for their compliance. Last week the five inaugural board members were named.

The act also allows consumers to prevent businesses from sharing personal data, amend their personal data, and limit the use of “sensitive personal information” such as precise geolocation, race, ethnicity and health information. Companies would need to apply data minimisation and consumers are able to find out the length their data will be retained.

Additionally, under the CCPA, businesses may be fined up to $2,500 for each violation of the Act and up to $7,500 for each intentional violation. The CPRA increases the penalty for unintentional violations involving the personal information of persons under the age of 16 from $2,500 to $7,500 per violation.

Virginia’s Consumer Data Protection Act

Governor of Virginia, Ralph Northam, signed the state’s Consumer Data Protection Act into law in March 2021, making it the second US state to enact a comprehensive data privacy law.

The Act provides more control and transparency to consumers over what data is held about them and how their data will be used. Using an automated system, customers can request to see the personal data that companies hold on them, amend it, or request that it is deleted from their databases.

Consumers can also choose to not have their personal data shared for marketing purposes and can request information on which third parties have access to their data and how they are using it. Customers are also given the power to refuse the sale of their data to third parties, which may restrict their access to goods and services from a company.

Companies have 45 days to respond to a request, but this can be extended within reason. The Act carries a penalty of up to $7,500 per affected individual but can be avoided if the problem is resolved within 30 days of the state notifying them.

The law will come into effect on 1 January 2023.

New York Privacy Act

The New York Privacy Act failed to pass legislative sessions in 2019 along with many other proposed bills, but NY Governor Andrew Cuomo’s recently published 2022 budget included a proposal for a comprehensive data privacy bill. The New York assembly has also recently reintroduced the Act.

Two bills known as S567 and A680, which, if passed, would enact the NY Privacy Act. The first would grant consumers the right to request a business to disclose the categories and specific pieces of personal information that it collects about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

The second enacts the NY Privacy Act and would require businesses to disclose their methods of de-identifying personal information, place special safeguards around data sharing and to allow consumers to obtain the names of all entities that their data has been shared with.

Washington Privacy Act (WPA)

This year, a third version of the WPA will be put before the state’s Senate Ways and Means Committee. The updated proposal includes a larger scope and added provisions. It is unknown if these latest amendments will be enough to reach consensus in the House of Representatives. However, some changes such as broader scope and the lowering of the revenue threshold for covered entities from 50% to 25% have been made in accordance with the House’s requests.

The WPA would give consumers the right to request and know what data businesses have collected about them, the right to delete data and the right to refuse the sharing of sensitive data to third parties. However, the WPA is proving difficult to bring to consensus as it is argued that the burden lies too much with the consumer to opt out.

Advocates for the law are calling for it to follow a similar route to the CCPA with provisions for global opt-outs.

Federal Privacy Bill

For close to a decade the US has discussed the formation of a federal privacy law and to date it hasn’t happened. However, with mounting pressure from nation states enacting their own privacy law, we may well see a fresh drive for a comprehensive law in the coming months and years.

Democratic representative Suzan DelBene attempted to kick-start the process earlier this month by reintroducing the Information Transparency and Personal Data Control Act to create a national standard for digital privacy rights.

The bill proposes stricter guidelines for sensitive data such as social security numbers and health data than for less sensitive information like names and emails.

As envisaged under the bill, consumers must explicitly opt in to allow a company to sell or share their sensitive personal information, but they can opt out of sharing of their non-sensitive personal information.

DelBene foresees her bill serving as a baseline which can be built upon with more targeted bills covering artificial intelligence, facial recognition technology and other matters. DelBene’s bill would pre-empt California’s and other states’ laws in order to create a uniform standard across the country.

The updated version also bolsters resources for the Federal Trade Commission (FTC), which would be tasked with enforcing the law. It would be allowed to hire 500 new full-time employees focused on privacy and security, rather than 50, and funding is increased ten-fold to $350m (€291m).

Although it is unlikely to be adopted in its current form, it should kickstart a conversation about the direction of privacy policy.

DelBene argues:“I understand why states are moving forward in the absence of the federal government moving, but I think it is much better to have a federal law versus a patchwork of laws,” she was quoted as saying by broadcaster CNBC.

She told Recode, “We’re focused on opt-in so that privacy is the default.”

Watch ”US Privacy: The Year for Change?” at 5pm on 23 March at PrivSec Global