Consumer Privacy Laws
With data breaches on the rise, many new data protection regulations have been enacted. The European Union’s (EU) General Data Protection Regulation (GDPR) is the first and most well-known of these. This opened a floodgate of action in the US. Several new or bolstered laws have gone into effect in the United States to protect the privacy of its citizens.
GDPR went into effect on May 25, 2018. This framework replaced the previous regulation known as the Data Protection Directive. GDPR expanded and more specifically defined the requirements that an organization had to fulfill to be permitted to store, transmit, or process the personal information of EU citizens.
GDPR has several significant requirements including:
- Notification of subjects of how their personal data will be used
- Data subjects have access to their collected personal data
- An explicit “opt in” rather than an “opt out” consent requirement for data collection and processing
- User agreements must be clear and easily understood
- The right if users to demand that an organization destroy all collected personal data
- Data breaches must be reported within 72 hours of discovery
- Certain organizations must appoint a Data Protection Officer
GDPR also increased the maximum penalties that an organization could incur from non-compliance. This is now up to 4% of global turnover or €20 million, whichever is greater. Many organizations that were non-compliant with GDPR have already been penalized. This includes Google, which received a $57 million penalty for failure to describe how personal data was being used to serve targeted advertising.
Privacy Regulation in the US
The United States does not have a unified national privacy regulation. At the federal level, privacy protection is industry-dependent. Regulations like HIPAA and PCI-DSS protect certain types of personal data under certain circumstances.
However, some states have independently decided to follow the lead of the EU and pass consumer privacy-protecting regulations. In 2018, 12 of the 50 states passed consumer privacy regulations that provide at least some of the protections provided to EU citizens by the GDPR.
Alabama’s data breach notification law went into effect June 1, 2018. It prevents organizations from collecting personal data in electronic form without authorization. The consumer privacy regulation:
- Defines what is considered personal data
- Requires that an organization properly secure and dispose of collected data
- Includes a “risk of harm” provision
- Imposes penalties of up to $500,000 per breach in the event that an organization knowingly violates the regulation.
Arizona previously had a breach notification law but updated it in April of 2018 to increase the protection for consumers. The new consumer privacy law:
- Expands the definition of personal data
- Decreases the notification period for users to 45 days
- Specifies when regulatory authorities must be notified of a breach
- Includes a risk of harm provision
- Imposes penalties of up to $500,000 per breach if an organization knowingly violates the regulation
The California Consumer Privacy Act (CCPA) is probably the most famous of the new state-specific privacy regulations in the US. The CCPA was passed in 2018 and is schedules to go into effect January 1, 2020. However, lawmakers have already used it as a basis for adding new regulations and protections.
The CCPA allows consumers to:
- Know what data is being collected about them
- Know about and prevent the sale of their data to other companies
- Access their personal data held by organizations
- Have access to the same level of service if privacy rights are exercised
The CCPA defines personal data. It levies fines of up to $7,500 for each intentional violation and $2,500 for each unintentional violation. The offender may be forced to pay damages in the event of a breach of up to $750 per California resident or actual damages, whichever is greater.
Colorado’s breach notification law went into effect on September 1, 2018. It defines “covered entities” as persons who “maintain, own, or license” PII for business purposes.
Covered entities are required to properly secure and dispose of collected PII. They must notify affected parties and regulators of any data breach of more than 500 Colorado residents. If a covered entity outsources data storage or processing to a third-party vendor, it is required to oversee and ensure the protection of the data in the vendor’s possession.
Iowa’s privacy protection law (which went into effect July 1, 2018) is designed to protect school-age children. Organizations are prohibited from using students’ information for certain purposes and must appropriately protect the data in their possession.
Louisiana updated their data protection laws effective August 1, 2018. Under the new laws, additional types of data are protected, data breach notifications are required within 60 days, a “risk of harm” provision is included, and an organization is required to properly destroy information of which they plan to dispose.
Nebraska’s data protection laws require organizations to appropriately protect collected personal information. They must also have any third-party vendors do the same.
Oregon expanded its existing data protection law scope effective June 2,2018. The new law:
- Requires anyone possessing personal data to
- Report breaches to affected users within 45 days
- Send a copy of consumer data breach notification to the attorney general
- Protects additional types of personal information
- Prohibits free credit or identity theft monitoring services to require registering payment card information or a fee
The South Carolina Insurance Data Security Act became effective January 1, 2019. This law requires insurance companies to have incident response plans and cybersecurity programs, and to provide breach notifications within 72 days.
South Dakota’s new data protection law protects individuals against unauthorized disclosure of a wide variety of personal information. Individuals and Consumer Reporting Agencies (CRAs) must be notified of a breach within 60 days. This carries a penalty of up to $10,000 per day. The attorney general must be notified of any breach involving more than 250 affected South Dakota residents.
Vermont’s breach notification law is designed to regulate data brokers. These data brokers must:
- Register with the attorney general and pay a $100 fee
- Report annually to the attorney general on data protection policies and breaches
- Have a comprehensive information security policies and procedures
Virginia previously had a data protection law, but it has been revised to protect against tax fraud. Under the new law, tax preparers are required to report the suspicion that their client’s information was accessed by an unauthorized party.
Ensuring Compliance with Privacy Regulations
The consumer privacy regulation space has become fragmented. It may be difficult to determine which regulations your organization must comply with and how to do so. Many privacy regulations have identical or similar terms. Enacting a policy that is compliant with all of them can be difficult but a good step for security.
Fulfilling compliance can be a daunting task for companies to take on themselves. Organizations often do not have the time, resources, or skill set to ensure their compliance.