Privacy has been a hot topic for state legislatures in the first month of the year. Legislators in nine states have introduced draft bills that would impose broad obligations on businesses to provide consumers with transparency and control of personal data. If passed, these laws will impact nearly any type of entity that operates in the state, even if the business has no physical presence in the state. Though the California Consumer Privacy Act (CCPA)—which was passed in the course of a week with little legislative debate—has been criticized for containing provisions that are inoperable, legislators in other states have embraced both the structure and specific language of that law.
Of the nine states, six follow the full model established in the CCPA, and two approach only certain issues addressed by the CCPA. The ninth state is Washington, which is debating a privacy bill modeled after the GDPR (our analysis of the Washington Privacy Act is available here). A tenth state, New Jersey has a draft privacy bill that was introduced last July but has not moved out of committee.
Draft State Laws, In a Nutshell
Hawaii (SB 418): The Hawaii bill has a potentially broader reach than the CCPA because it does not define a business, thus extending applicability to all businesses operating in Hawaii. The bill, oddly, does not specify any penalties for violation and does not include a private right of action.
Maryland (SB0613): Though the consumer rights offered in Maryland’s draft bill are the same as those in the CCPA, there are some notable differences in execution. The deletion right is expansive, allowing consumers to demand deletion of any personal data a covered entity maintains, whereas other states merely allow consumers to demand deletion of data only they have provided; there are also no broad exceptions for a business’s internal use reasonably expected by consumers. The draft Maryland bill does not address data belonging to minors and does not create a private right of action.
Massachusetts (SD 341): Massachusetts’s draft law copies the CCPA, but unlike several other states, rewrites several provisions that were duplicative or vague by using clearer language. The substantive requirements are largely the same; however, Massachusetts has fewer exceptions regarding when a covered entity can refuse to delete data, and prohibits any discrimination or financial incentives where consumers have exercised their rights under the law, including the right to opt-out. Massachusetts would also allow private lawsuits to be brought for any violation of the law.
Mississippi (HB 2153): Mississippi’s draft bill hews so closely to the CCPA that it copies the duplicative statements of access rights and similarly fragments the notice requirements. The enumerated categories of data that constitute personal information are slightly different (for example, probabilistic identifiers are missing). And, the private right of action is not limited to data covered by the breach notification law (which is a separate category of more sensitive data)—any unauthorized access of any personal information could give rise to a lawsuit. Mississippi’s bill died in Committee on February 5, 2019, but we have included it for comparison purposes.
New Mexico (SB 176): Sen. Michael Padilla, D-Albuquerque, the bill’s sponsor, is quoted as saying that in drafting the New Mexico’s Consumer Information Privacy Act, “I tried to throw as much spaghetti on the wall” as possible. Padilla’s spaghetti looks a lot like the CCPA, though more clearly structured. The bill also contemplates a significant rulemaking by the NM Attorney General starting in July 1, 2019, with regulations to be promulgated within a year and updated annually.
New York (S00224): New York’s bill is more like California’s Shine the Light Law, which requires transparency regarding the disclosure of personal data to third parties for marketing purposes, although its obligations are much more onerous. The New York Consumer Privacy Act of 2019 would require covered entities to provide a customer with notice of the categories of information shared with third parties and the names and contact information of all third parties with whom data is shared “prior to or immediately following a disclosure.” Service providers (contracted to perform functions for the business, such as data storage and hosting)) are exempted from the definition of third parties. Consumers would also have the right to access specific pieces of information held by the covered entity.
North Dakota (HB 1485): North Dakota’s minimalist bill contains only one substantive requirement: covered entities are prohibited from disclosing an individual’s personal information to anyone other than the individual without the “express written consent” of the individual. To obtain consent, the entity must send a brief, one to two page summary of its privacy practices to the individual by “mail or electronic mail” and receive an affirmative response. While the other states’ draft bills account for a category of third parties who receive data in the context of providing a service to the primary covered entity, the North Dakota law would not allow for sharing with service providers without this consent.
Rhode Island (S0234): The Rhode Island Consumer Privacy Act of 2019 also takes its inspiration from the CCPA, including listing the access right three times. One notable difference, however, is that the bill does not contemplate a role for the state Attorney General, either in rulemaking or enforcement. Thus, provisions that have been criticized as unclear or inoperable in the CCPA, such as what constitutes a verifiable consumer request and the restriction on differentiation in services where consumers have exercised rights unless “reasonably related to the value provided to the consumer,” would not receive further elucidation.
What Trends are Emerging?
Washington is the outlier in modeling its bill after GDPR rather than CCPA (our analysis of the Washington Privacy Act is available here). Most other states are copying CCPA—in the case of Mississippi, almost verbatim. Only New York and North Dakota fail to follow the structure of CCPA, but incorporate much of the same wording. This widespread adoption of the CCPA language means that a number of concepts are now emerging as the potential norm in privacy policy:
-
The focus of the laws is on consumer rights, not organizational practices. The GDPR concepts of lawful basis for processing, data minimization, and privacy-by-design—which would provide more comprehensive privacy benefits across all consumers—have not caught on in the US, even in Washington which models its law after the GDPR.
-
Consumers have broad rights to demand access to specific pieces of information about themselves “upon verifiable request”; however, what constitutes a verifiable request is not defined. The draft laws also give consumers the right to demand deletion of data they have provided to businesses in certain circumstances, and to opt out of disclosures to third parties, other than service providers.
-
The definition of consumer information is greatly expanded. Though the wording varies slightly from state to state, personal information now is generally thought to include any information that identifies or reasonably could identify a person. This construction sweeps in biometric information, unique identifiers besides a name, Internet activity, audio recordings, and inferences about an individual’s likely preferences.
-
Employee and business contact data is considered personal data, even though the risks related to processing and disclosure of employee and business contact data are drastically different from consumer risks.
-
Even businesses that only collect information via the Internet must designate multiple methods for consumers to submit requests, including a toll-free number. A “Do Not Sell My Personal Information” hyperlink is required on company websites.
None of the copycat CCPA state laws tackles issues related to artificial intelligence, unlike the WPA which follows the GDPR in merging potential discrimination risks associated with automated processing with other privacy risks.
Key Points of Variation
Though a majority of the new laws copy the structure of the CCPA, there are some notable places where they diverge, further complicating prospective compliance efforts. The most critical area is enforcement. CCPA provides a private right of action only for the unauthorized disclosure of unencrypted, sensitive data. Massachusetts would extend the private right of action to any violation of its privacy law. Three of the state laws (Mississippi, New Mexico, and Rhode Island) extend a private right of action to any unauthorized disclosure of personal information, regardless of sensitivity of the data and potential risk to consumer.
Similarly, while all these new state laws protect consumer privacy, the degree of specificity and format requirements vary, which will likely increase criticisms that privacy policies are written in legalese and too difficult to understand. All these draft laws require disclosure of the specific rights available to consumers. Two states (Hawaii and New Mexico) require disclosures regarding data collected and shared to be matched against certain enumerated categories of the statute, which differ in each law. And Hawaii names the opt-out link “Do Not Sell My Identifying Information” as opposed to Personal Information. The result is that businesses may have to implement multiple layers of protection in privacy policies for consumers in different states, even when the underlying data practices are the same nationally.
Hawaii, Maryland, Massachusetts, and Mississippi
For a PDF version of this chart, click here.
Hawaii |
Maryland |
Massachusetts |
Mississippi |
|
| Effective Date | Upon approval | January 1, 2021 | January 1, 2023 | July 1, 2019 |
| Overall Approach | Modeled after CCPA, but eliminates duplicative obligations. | Modeled after CCPA, but some departures. | Modeled after CCPA, but eliminates duplicative obligations. Strict non-discrimination provision. | Near-duplicate of CCPA. |
| Scope of Application: | Business is not defined; law seems to apply to all companies. | Any for-profit legal entity that meets one of the following criteria: (1) has $25M+ revenue (2) Collects PI from more than 100,000 consumers (3) More than 1/2 of revenue is from third party disclosure of PI. Also covers businesses that share common branding and are controlled by a covered entity. | Any for-profit legal entity that collects PI from MA residents and meets one of the following criteria: (1) has $10M+ revenue (2) More than 50% of revenue is from third party disclosure of PI. Also covers businesses that share common branding and are controlled by a covered entity. | Any for-profit legal entity that meets one of the following criteria: (1) has $25M+ revenue (2) Collects PI from more than 50,000 consumers (3) More than 50% of revenue is from third party disclosure of PI. Also covers businesses that share common branding and are controlled by a covered entity. |
| Definition of Consumer: | Any individual who interacts with a business within the State. | An individual who resides in the state. | Natural person who is a resident of the Commonwealth; however law does not apply to employee data collected by business in its capacity as employer. | Natural person who is a Mississippi resident |
| Consumer Rights | Access; deletion in certain circumstances; opt-out. | Access; deletion in certain circumstances; opt-out. Access rights include names of third parties to whom data has been sold. | Access; deletion in certain circumstances; opt-out of third party disclosure | Access; deletion in certain circumstances; opt-out. |
| Notice Requirements | Must notify consumer at, or before collection, of the categories of information to be collected, and the business purpose of the collection; must disclose additional information upon request about categories of information sold to third parties and categories of third parties to whom it was sold. | Must notify consumer at, or before collection, of the categories of information to be collected, the business purpose of the collection, third parties and business purpose behind disclosure to third parties, and consumers’ rights. | Must notify consumer at, or before collection, of the categories of information to be collected, the business purpose of the collection, third parties and business purpose behind disclosure to third parties, and consumers’ rights. | Must notify consumer at, or before collection, of the categories of information to be collected and business purposes of the collection. Must also disclose in online privacy policy the categories of information collected aligned to enumerated categories of the PI definition, categories of information sold to third parties, and categories disclosed for a business purpose and explain consumer's rights. |
| Limitations on Differentiation of Services for the Provision of PI | Prohibited unless reasonably related to the value provided to the consumer by the consumer's data, but may offer financial incentives. | No discrimination for exercise of rights; no exceptions and no ability to offer financial incentives. | No discrimination for exercise of rights; no exceptions and no ability to offer financial incentives. | Prohibited unless reasonably related to the value provided to the consumer by the consumer's data, but may offer financial incentives. |
| Requirements Related to Data of Minors | Opt-in consent required for consumers less than 16 years old. | None | Business may not disclosure information to third party if consumer is under 18; no allowance for opt-in consent. | Opt-in consent for sale of PI for consumers between 13-16; opt-in consent from legal guardians for under 13. |
| Private Right of Action | None | None | Allows for civil lawsuit for any violation of the statute. Damages of up to $750 or actual damages, whatever is greater. | Allows for civil lawsuit if any personal information is subject to unauthorized access due to failure of business to implement reasonable security. Damages of $100-$750 per consumer. |
| Penalties (AG Enforcement) | Not specified. | $2500 per violation, $7500 if intentional. | $2500 per violation, $7500 if intentional. | $7500 per violation. |
| Interaction With Federal Privacy Laws: | No exemptions. | Data collected pursuant to a number of federal sectoral privacy laws is exempt. | Data collected pursuant to a number of federal sectoral privacy laws is exempt. | Data collected pursuant to a number of federal sectoral privacy laws is exempt. |
| Likelihood of Passing | High. Democrats control both chambers of legislature and governor's office. | Uncertain. Mass. has a divided government. | None. Bill died in Committee two weeks after being introduced. | High. Democrats control both chambers of legislature and governor's office. |
New Mexico, New York, North Dakota, and Rhode Island
For a PDF version of this chart, click here.
New Mexico |
New York |
North Dakota |
Rhode Island |
|
| Effective Date | July 1, 2020 | Upon approval | Not specified | Upon approval |
| Overall Approach | Modeled after CCPA, but eliminates duplicative obligations. | Requires disclosure regarding sharing of data to third parties and creates an access right. | Prohibits disclosure of personal information without express written consent from data subject. | Modeled after CCPA but does contemplate AG rulemaking or AG enforcement. |
| Scope of Application: | Any corporation, joint venture, limited liability company, partnership, limited partnership, limited liability partnership, real estate investment trust or sole proprietor; or any entity that shares common branding and is controlled by such an organization. | Any entity doing business in NY. | Any legal entity that meets one of the following criteria: (1) has $25M+ revenue (2) collects PI from 50,000 consumers, households, or devices (3) More than 50% of revenue is from selling PI. | Any for-profit legal entity that meets one of the following criteria: (1) has $5M+ revenue (2) Collects PI from more than 50,000 consumers (3) More than 50% of revenue is from third party disclosure of PI. Also covers businesses that share common branding and are controlled by a covered entity. |
| Definition of Consumer: | Not defined. | Individual who is a resident of New York who provides PI to a business in course of commercial transaction, including "advertising or any other content." | Not defined. | Natural person who is a Rhode Island resident. |
| Consumer Rights | Access; deletion in certain circumstances; opt-out. | Access (specific information held by entity AND names and third parties who have received the information). | Access | Access; deletion in certain circumstances; opt-out. |
| Notice Requirements | Must notify consumer at, or before collection, of the categories of information to be collected, the business purpose of the collection, whether the information will be sold and that the consumer has a right to opt-out, and two designated methods for exercising rights. Must also disclose in online privacy policy the categories of information collected, categories of information sold to third parties, and categories disclosed for a business purpose. | Businesses must provide notice prior to or immediately following the disclosure of PI to a third party; online privacy policies must explain consumer's rights under law. | None | Businesses must provide notice prior to or immediately following the disclosure of PI to a third party; online privacy policies must explain consumers' rights under law. |
| Limitations on Differentiation of Services for the Provision of PI | Prohibited, but business may offer financial incentives or differentiate if directly related to the value derived from the consumer's data. | None | None | Prohibited unless reasonably related to the value provided to the consumer by the consumer's data, but may offer financial incentives. |
| Requirements Related to Data of Minors | Business may not disclose information to third party if consumer is a minor, unless the legal guardian has opted-in. | None | Legal guardians must provide consent where the individual is under 18 years old. | None |
| Private Right of Action | Allows for civil lawsuit if any personal information is subject to unauthorized access due to failure of business to implement reasonable security. Damages of $750 per consumer. | Allows for civil lawsuit for any violation of the statute. | Allows for civil lawsuit if information is purchased, received, sold, or shared without consent. Individual can recover "damages, costs and fees, including reasonable attorney's fees." | Allows for civil lawsuit if any personal information is subject to unauthorized access due to failure of business to implement reasonable security. Damages of $100-$750 per consumer. |
| Penalties (AG Enforcement) | $10,000 per violation. | Not specified. | Initial remedy is cease and desist order; violation of order has penalty of $100,000-$250,000. | Not specified. |
| Interaction With Federal Privacy Laws: | Exemption only if the provisions of the state law conflict with federal law. | No exemptions. | No exemptions. | No exemptions. |
| Likelihood of Passing | High. Democrats control both chambers of legislature and governor's office. | High. Democrats control both chambers of legislature and governor's office. | Uncertain. Republicans control legislative and executive branch, and bill was introduced by Republican sponsors. | High. Democrats control both chambers of legislature and governor's office. |