Home Privacy California Isn’t The Only State Getting Busy With New Privacy Laws

California Isn’t The Only State Getting Busy With New Privacy Laws

SHARE:

The California Consumer Privacy Act (CCPA) grabs most of the attention, but other state privacy laws are cropping up across the nation.

More than a dozen states either have new data protection regulations on the books or in committee, from Nevada, Maine, Pennsylvania and Connecticut to Massachusetts, New Jersey, Illinois and Maryland, said Gary Kibel, a partner at Davis & Gilbert, LLP.

“And there’s a likelihood that we’ll see more coming,” he said. “States are looking at what’s happening in California and thinking, ‘Huh, we could do something like that, too.’”

Although the California law is by far the most robust and wide ranging, marketers and ad tech companies shouldn’t assume that if they’re ready to comply with the CCPA they’ll automatically be safe across the board.

“Some people are doing that, and it’s to their detriment,” Kibel said. “People need to take a closer look at each one of these other laws to see if there’s something unique that applies to their business.”

Here’s a quick and dirty guide to the privacy laws coming to a state near you.

California (goes into effect on Jan. 1, 2020)

The CCPA is an opt-out law, other than for the personal information of children under 16, which requires an opt-in.

The law has a broad definition of what constitutes personal data – it includes IP address, browsing history and geolocation – and applies to any business with $25 million or more in revenue that derives over half of that revenue from buying, selling, receiving for sharing the personal information of 50,000 or more consumers. Consumers are defined as residents of California as per the state tax code.

Starting on Jan. 1, 2020, businesses that are subject to the law will have to start providing a prominent “Do Not Sell My Data” button on their homepage. Consumers also have a right of access and deletion. Companies will have 45 days to comply with these requests.

Mess up and a business could be on the hook for up to $2,500 for each unintentional violation and $7,500 for each intentional abuse.

“The California law puts a big focus on ad tech and the broader reach of companies that might use ad tech, like retailers,” said Dominique Shelton Leipzig, a partner at Perkins Coie. “In a sense, it’s like the whole ad tech ecosystem is on display here.”

Several amendments to the law are still outstanding and lobbyists continue to push for late-in-the-day changes before the effective date hits.

Nevada (Goes into effect on Oct. 1, 2019, three months before CCPA)

Nevada’s law gives consumers the right to prevent online service providers and website owners from selling specific types of personal information about them to third parties, including their name, address, email, phone number and pseudonymous data, which is data that’s been anonymized but can be reidentified without a huge amount of effort.

The scope of the Nevada law is more limited than CCPA. California, for example, applies to any online and offline business that touches a California resident’s data, while Nevada only applies to online businesses that purposely direct their activities at Nevada residents.

But the penalties are no joke. The Nevada attorney can levy up to $5,000 per violation.

Maine (Goes into effect on July 1, 2020)

Maine’s law is narrow, but it’s a big deal for internet service providers. Any ISP located in Maine that provides broadband service to a customer physically located in the state has to get clear opt-in before using, disclosing, selling or giving access to a customer’s personal information, and a consumer has the right to take away consent at any time.

The law echoes the now defunct ISP privacy rules passed by the Federal Communications Commission that were later repealed in 2017 by President Trump.

Pennsylvania (Introduced in April, referred to the Pennsylvania state House, will take effect immediately if passed)

Almost identical to the CCPA, the Pennsylvania law requires full disclosure of what data a business collects and gives consumers the right to request deletion and opt out of the collection and sale of personal information. The main difference is that Pennsylvania also applies to businesses with $10 million in revenue, far less than the $25 million threshold under CCPA.

What about the rest?

Other states are in various different stages with their own privacy and data security laws.

Some states, like Oregon and New Jersey, are updating their existing information protection laws to clarify the difference between controllers and processors, for example, or to shore up their breach notification requirements.

Other states, such as Maryland, have drafted online consumer protection acts that are still in limbo waiting for the legislature to come back into session.

What to do?

There are a lot of moving parts to keep track of, which is why it’s vital for companies to create a “topline compliance program,” which should help them comply with whatever comes down the pike without major disruption, said Shelton Leipzig.

“It’s better than lurching from privacy law to privacy law every time a new one comes out,” she said.

Step one, designate someone in the company whose job it is to be in charge of privacy and data management. Second, conduct an internal audit to inventory every piece of personal data that the business touches, from IP addresses to device IDs.

“Spoiler alert, it’s all considered to be personal information under these laws,” Shelton Leipzig said.

Next, do a data privacy risk assessment followed by an impact assessment of any high-risk data processing, like location data, health data or children’s data. Phase five involves developing a mitigation plan complete with external policies and procedures, privacy notices, disclosures, cookie policies and internal data governance documents.

Last, companies should keep an auditable record of everything that they do – and then keep going through the steps at least annually and after any major product launch, Shelton Leipzig said

“Once you have a program like that in place, when a new state passes a law you can more easily make tweaks,” she said. “It’s the only way to tackle it, otherwise you’re just putting Band-Aids on and constantly waiting for the other shoe to drop.”

Must Read

Why Media Mergers And Spin-Offs Don’t Always Keep Their Promises

With media megamergers, acquisitions and spin-offs left and right, the media landscape is changing at a pace that is difficult to keep up with.

TransUnion is partnering with Blockgraph so that advertisers can use its identity data to target, reach and measure TV households across channels.

How This Disaster Relief Nonprofit Tapped First-Party Data To Reach Donors Year-Round

Staying top of mind for potential donors is an ongoing challenge for Direct Relief. Nexxen’s audience curation helped it spread and sustain awareness.

Why Major UK Publishers Are Finally Joining Forces To Curate Ad Inventory

Atria’s collective approach is a response to growing monetization challenges and the need to protect the value of human journalism in the AI era.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters
Toronto Canada pride parade includes a crowd waving pride flags

Ad Performance And Politics Steered Brand Dollars Away From LGBTQ+ Communities – But The Pendulum Will Swing Back

The current administration has discouraged many marketers and organizations from showing support for the LGBTQ+ community, including during Pride month.

How AI Can Enhance Content Without Generating It

As much as consumers complain about AI-generated content, advertising experts say AI still has an important place in video creation and production, including for ads. But using AI in content without turning off consumers is a tricky dance.

How Tovala Banks On Subscriptions And Incrementality – But Not Ads – To Profit From Its Oven

Smart TVs, refrigerators and other home appliances may pester you with marketing, but at least the hardware is cheap. Another startup taking a different approach to the same theory is Tovala, which was founded in 2015 and combines a standalone countertop oven with a weekly meal kit subscription.