The California Consumer Privacy Act (CCPA) grabs most of the attention, but other state privacy laws are cropping up across the nation.
More than a dozen states either have new data protection laws on the books or have bills in committee, from Nevada, Maine, Pennsylvania and Connecticut to Massachusetts, New Jersey, Illinois and Maryland, said Gary Kibel, a partner at Davis & Gilbert, LLP.
“And there’s a likelihood that we’ll see more coming,” he said. “States are looking at what’s happening in California and thinking, ‘Huh, we could do something like that, too.’”
Although the California law is by far the most robust and wide ranging, marketers and ad tech companies shouldn’t assume that if they’re ready to comply with the CCPA they’ll automatically be safe across the board.
“Some people are doing that, and it’s to their detriment,” Kibel said. “People need to take a closer look at each one of these other laws to see if there’s something unique that applies to their business.”
Here’s a quick and dirty guide to the privacy laws coming to a state near you.
California (Goes into effect on Jan. 1, 2020)
The CCPA is an opt-out law, other than for the personal information of children under 16, which requires an opt-in.
The law has a broad definition of what constitutes personal information – it includes IP address, browsing history and geolocation – and applies to any for-profit business doing business in California that meets at least one of three thresholds: annual gross revenue above $25 million; annually buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices; or deriving 50% or more of its annual revenue from selling consumers’ personal information. Consumers are defined as residents of California as per the state tax code.
Starting on Jan. 1, 2020, businesses that are subject to the law will have to provide a prominent “Do Not Sell My Personal Information” link on their homepage. Consumers also have a right of access and deletion. Companies will have 45 days to respond to these requests.
Mess up and a business could be on the hook for up to $2,500 for each unintentional violation and $7,500 for each intentional abuse.
“The California law puts a big focus on ad tech and the broader reach of companies that might use ad tech, like retailers,” said Dominique Shelton Leipzig, a partner at Perkins Coie. “In a sense, it’s like the whole ad tech ecosystem is on display here.”
Several amendments to the law are still outstanding and lobbyists continue to push for late-in-the-day changes before the effective date hits.
Nevada (Goes into effect on Oct. 1, 2019, three months before CCPA)
Nevada’s law gives consumers the right to prevent online service providers and website owners from selling specific types of personal information about them to third parties, including their name, address, email, phone number and pseudonymous data, which is data that has had direct identifiers removed but can still be linked back to a person without a huge amount of effort.
The scope of the Nevada law is narrower than the CCPA’s. California, for example, applies to any online or offline business that touches a California resident’s data, while Nevada only applies to online businesses that purposely direct their activities at Nevada residents.
But the penalties are no joke. The Nevada attorney general can levy a civil penalty of up to $5,000 per violation.
Maine (Goes into effect on July 1, 2020)
Maine’s law is narrow, but it’s a big deal for internet service providers. Any ISP operating in Maine that provides broadband service to a customer physically located in the state has to get express opt-in consent before using, disclosing, selling or giving access to a customer’s personal information, and a customer has the right to revoke that consent at any time.
Pennsylvania (Introduced in April, referred to the Pennsylvania state House, will take effect immediately if passed)
Almost identical to the CCPA, the Pennsylvania bill requires full disclosure of what data a business collects and gives consumers the right to request deletion and to opt out of the collection and sale of personal information. The main difference is that Pennsylvania would also apply to businesses with $10 million or more in revenue, far less than the $25 million threshold under the CCPA.
What about the rest?
Other states are at various stages with their own privacy and data security laws.
Some states, like Oregon and New Jersey, are updating their existing information protection laws to clarify the difference between controllers and processors, for example, or to shore up their breach notification requirements.
Other states, such as Maryland, have drafted online consumer protection acts that are still in limbo waiting for the legislature to come back into session.
What to do?
There are a lot of moving parts to keep track of, which is why it’s vital for companies to create a “topline compliance program,” which should help them comply with whatever comes down the pike without major disruption, said Shelton Leipzig.
“It’s better than lurching from privacy law to privacy law every time a new one comes out,” she said.
Step one, designate someone in the company whose job it is to be in charge of privacy and data management. Second, conduct an internal audit to inventory every piece of personal data that the business touches, from IP addresses to device IDs.
“Spoiler alert, it’s all considered to be personal information under these laws,” Shelton Leipzig said.
Third, do a data privacy risk assessment, and fourth, an impact assessment of any high-risk data processing, such as location data, health data or children’s data. Fifth, develop a mitigation plan complete with external policies and procedures, privacy notices, disclosures, cookie policies and internal data governance documents.
Last, companies should keep an auditable record of everything that they do – and then repeat the steps at least annually and after any major product launch, Shelton Leipzig said.
“Once you have a program like that in place, when a new state passes a law you can more easily make tweaks,” she said. “It’s the only way to tackle it, otherwise you’re just putting Band-Aids on and constantly waiting for the other shoe to drop.”