By: Sedgwick Jeanite
The European Union’s General Data Protection Regulation (GDPR) governs the processing of “personal data.” Having an arguable extra-jurisdictional reach, it is perhaps the most significant change in the EU’s data protection regime in the last 20 years, and its effect has been widespread. Since May 2018, several U.S. states have proposed or enacted their own data protection laws, some of which have consumer rights and requirements that mirror rights and requirements found in GDPR. The most notable legislation is the California Consumer Privacy Act of 2018 (CCPA). Much already has been written on the legislation. Since then, several other states have proposed similar laws. Most of these bills have been introduced within the last few months; they are as follows:
Hawaii. Senate Bill 418 would require businesses to disclose the categories and specific pieces of identifying information collected about a consumer, to disclose the identity of third parties to which the business has sold or transferred identifying information, to publicly disclose the categories of identifying information that they collect from consumers and the purposes for collection, and to delete identifying information collected from a consumer upon verifiable request from the consumer. The bill does not include a private right of action.
Maryland. Senate Bill 613 proposes rights for Maryland residents similar to those created for California residents in the CCPA. The Maryland bill would require certain businesses that collect a consumer’s personal information to provide notice to the consumer at or before the point of collection, and it would permit a consumer to submit requests for information about the data the business collects about him or her, including requests for deletion of such data. The bill would require a business to ensure that the individuals responsible for handling certain consumer inquiries are informed regarding how to direct consumers to exercise their rights, and would require a business to comply with a consumer’s request for deletion of their personal information in a certain manner. The Maryland bill does not create a private right of action.
Massachusetts. Bill SD 341 copies much of the CCPA, but also rewrites several provisions the bill’s drafters deemed duplicative or vague. It also has fewer exceptions regarding when a covered entity can refuse to delete data and prohibits any discrimination or financial incentives where consumers have exercised their rights under the law, including the right to opt out. The Massachusetts bill would create a private right of action for consumers who suffered a violation of the legislation.
New Jersey. Senate Bill S2834 would require operators of commercial internet websites and online services to notify customers of the collection and disclosure of their personally identifiable information. S2834 provides a broad list of categories of data elements that constitute personally identifiable information, including demographic, biometric, geographic, medical and financial data. The bill also includes as personally identifiable information data that relates to a person’s political or religious affiliations or activities. These categories of information pertain both to customers and their children. The proposed regulation does not create a private cause of action.
New York. Senate Bill No. S00224 would require transparency regarding the disclosure of personal data to third parties for marketing purposes. It would require covered entities to provide a customer with notice of the categories of information shared with third parties and the names and contact information of all third parties with whom data is shared “prior to or immediately following a disclosure.” Service providers (contracted to perform functions for the business, such as data storage and hosting) are exempted from the definition of third parties. In addition, consumers would have the right to access specific pieces of information held by the covered entity. The bill would create a private right of action. The bill also contemplates enforcement by the state attorney general, a district attorney, a city attorney or city prosecutor.
Washington. Senate Bill 5376, the Washington Privacy Act (WPA), would apply to businesses that: (1) control or process data of 100,000 or more Washington State consumers; or (2) derive fifty percent or more in gross revenue from the sale of personal information of residents of any state, and process or control personal information of 25,000 or more Washington State consumers. The Washington attorney general could bring a civil action against a controller or processor that violates the WPA, but there is no private right of action in the proposed legislation.
In addition to these U.S. states, Mississippi, New Mexico, North Dakota and Rhode Island have each proposed legislation to expand data breach notification rules and mirror some of the protections provided by the CCPA and GDPR.