As the proliferation of connected devices, applications and other technology continues, the opportunities for the use and misuse of consumer data have also grown. With new and massive data breaches constantly entering the news cycle, lawmakers are responding to demands for privacy and data security.

The recent focus of privacy professionals in the United States has overwhelmingly been on the California Consumer Privacy Act (CCPA), particularly the release of the final regulations implementing the CCPA.

Amid the attention-grabbing CCPA headlines, businesses must not lose sight of other state laws that have recently passed, as well as legislation on the horizon. As reported by the National Conference of State Legislatures, more than half of U.S. states introduced consumer data privacy legislation and 43 states considered bills addressing cybersecurity in 2019.

Some of the new laws and proposed bills are summarized below and represent broader legislative trends that will likely continue into the new decade.

Nevada SB 220: Nevada was the first to follow California's lead when it passed SB 220. The Nevada law, which went into effect on October 1, 2019, provides Nevada residents with a right to opt-out of the monetary sale of certain data collected online to a person that makes an onward transfer or sale of the data.

New York SHIELD Act: New York passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which amended New York's data breach notification law and requires businesses that hold information about New Yorkers to develop a data security program to protect that information. The SHIELD Act's data security requirements took effect on March 21, 2020.

California Data Broker Registration Law: Upon passing AB 1202, California became the second state, after Vermont, to require data broker registration. Borrowing heavily from the terminology of the CCPA, the California law defines data brokers as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. Data brokers must register no later than January 31 each year.

Pending Legislation

New York Privacy Act (SB S5642): The New York Privacy Act (NYPA), which was reintroduced in January 2020, goes further than the CCPA in many ways. In particular, the NYPA requires express and documented consent before using or transferring personal data and creates fiduciary duties of care and loyalty to the consumer. The NYPA also requires entities collecting personal data to act in the consumer's best interest, and creates a private right of action.

California Privacy Rights Act of 2020: The California Privacy Rights Act (CPRA) is a new California ballot initiative (sometimes referred to as CCPA 2.0) that qualified for the November 2020 ballot in California. If California voters pass CPRA into law, it would significantly makeover the CCPA. Some of the notable changes would include a requirement to provide consumers with the right to opt-out of personal information sharing for "cross-context behavioral advertising" and to correct inaccurate personal information, obligations on service providers to assist businesses with compliance and to enter into contracts with their sub-processors, a new definition for "sensitive personal information" and an expanded "publicly available" information carve-out from personal information.

Key Takeaways:

  • Although legislative priorities have shifted due to the COVID-19 pandemic, the CCPA and other state laws that follow will continue to change privacy compliance across the United States, and also (potentially) drive the discussion around privacy at the federal level.
  • Companies that process personal information must adapt to the complex and ever-changing privacy regime that has now become the norm.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.