On November 26, 2019, U.S. Senators launched a new effort to pass comprehensive federal privacy legislation. The new bill, the Consumer Online Privacy Rights Act (COPRA), would, among other things, require companies to collect as little information as possible about consumers, obtain explicit consent when sharing consumer data with third parties, and implement processes for correcting and deleting inaccurate information about consumers.
However, while legislators have long agreed that the U.S. needs a comprehensive federal privacy statute, historically they have not been able to agree on what to include in that statute. While the introduction of COPRA is an ambitious and noteworthy step towards that goal, it’s not clear that this new bill will have what it takes to succeed where earlier bills have failed. Notably, the current bill would not preempt state privacy laws, though lack of preemption has been a stumbling block that has hobbled prior bills.
In the meantime, states are pushing ahead with their own rules. The California Consumer Privacy Act (CCPA), a sweeping law inspired by comprehensive data protection legislation enacted in Europe, is slated to take effect on January 1, 2020. In Nevada, Senate Bill 220 (SB-220) went into effect on October 1, 2019, giving Nevadans the right to opt out of the sale of certain personally identifiable information. The Maine Act to Protect the Privacy of Online Consumer Information, a more limited law focused on the privacy practices of internet broadband providers, is not far behind, going into effect on July 1, 2020.
With several other states poised to follow suit, what should business owners and company decision-makers be doing to prepare?
1) Educate yourself about each new law.
Determine what is covered, what is required, and how you are affected. While there are many similarities between all of these laws, there are also meaningful differences. For instance, while both Californians and Nevadans will have the right to opt out of the sale of their personal information, the time businesses have to respond to a consumer’s request to opt out differs. In Nevada, businesses have 60 days; in California, only 45 days. Moreover, don’t presume that by complying with the “toughest” law, you will undoubtedly be in compliance with the others. Take the time to learn and understand how each law applies to your business.
2) Inventory and Map Your Data.
Under the forthcoming laws, covered businesses are generally required to disclose what categories of personal data they collect, from whom they collect the data, and how the data is used and shared. In certain circumstances, they must also be prepared to quickly identify what data they hold on an individual consumer and amend or delete that data at a consumer’s request. To do this, businesses must have a solid understanding of the array of information they hold and the ways in which they process that information. Inventorying and mapping your data holdings will allow you to draft compliant privacy notices, quickly respond to consumer requests for data access or deletion, and quickly respond in the event of a data breach.
3) Develop a Compliance Plan.
There are four main readiness tasks that most businesses will need to undertake to ensure they are in compliance with the CCPA, SB-220, and most pending state privacy bills: (a) updating privacy notices to ensure they accurately describe the ways in which your business collects and processes consumer data and inform consumers about their rights with respect to that data; (b) revising third-party contracts to ensure they adequately safeguard information that will be shared and anticipate the possibility of consumer data access or deletion requests; (c) developing a process to efficiently handle consumer data requests; and (d) implementing new training and policies to govern employee handling of consumer data. With a well-developed compliance plan that addresses these four main readiness tasks, you will be prepared to adapt when, as is now likely, further state and even federal privacy laws are enacted in the coming months and years.
Perhaps the single most important thing business owners and company decision-makers can do, though, is start early. States generally provide a grace period before the law goes into effect or before they begin enforcing it in order to give businesses time to get up to speed on the new law, assess what changes they need to make, and implement those changes. Resist the urge to use this grace period to put off tackling compliance.
How CGL can help:
• Determine whether and how state privacy laws apply to your business.
• Conduct gap assessments of your current practices against those laws.
• Prepare compliance plans.
• Review and revise privacy notices.
• Review and revise contracts with third parties to ensure compliance.