The digital era has brought new levels of attention to the privacy debate. From big data breaches at Fortune 500 companies to small-scale fraud, it’s clear public perception is rapidly changing.
Just how much has this perception changed? In 2021, a survey by Morning Consult revealed that 83% of Americans supported the idea that the U.S. House of Representatives should create a national standard for data privacy. Additionally, 75% of voters believe this is a state-level issue.
Regardless, one takeaway was clear: the general public understands how important privacy laws are, which has led governments at all levels to start exploring how they can implement them.
So, what are the new privacy laws? What should your business know to prepare for them? And how do they fit in with the information security landscape of today?
In this article, we’ll cover the basics of US state data privacy laws, who the top states with strong privacy laws are, and what to expect in 2022.
Data Privacy in the United States: A Quick Overview
The United States has its own set of data privacy standards that businesses must follow, understand, and comply with. It’s quite a bit different from the European Union’s federal-level General Data Protection Regulation, as most of these regulations come from the states individually.
Data privacy standards are changing across the country. Now more than ever, individual states are rapidly exploring how to regulate data privacy to better protect consumers.
Because the market is shaped by these laws, it’s important for organizations to keep track of what’s happening.
Understanding Current Federal Privacy Regulations
Before we get into what the states are doing, we should cover some of the federal-level US data privacy laws first.
- The US Privacy Act of 1974: Put restrictions on the data that government agencies collected. At the time, computer databases were becoming a new technology, and lawmakers wanted to cover any potential abuses of the new resource. Citizens had the ability to see their own data held by the government, and the agencies themselves had limits on how much information they could collect and could only access data on a “need to know” basis.
- Health Insurance Portability and Accountability Act (HIPAA): Well known in the medical community as the data security standard for health insurance information. Passed in 1996, it is broken down into two main components: the Security Rule for data protection and the Privacy Rule for data confidentiality. The “data” in this case refers to protected health information (PHI). HIPAA is notoriously complex in specifying who has permission to access PHI, so you can think of it as role-based access control.
- Gramm-Leach-Bliley Act (GLBA): Applies to the banking and financial sector to secure nonpublic personal information. However, it has received quite a bit of criticism for its poor coverage and presence of loopholes. Time will tell how GLBA will update itself to match modern-day standards.
- Children’s Online Privacy Protection Act (COPPA): As its name suggests, prevents businesses from collecting the personal information of children under the age of 13 without parental consent. COPPA has had a few data privacy updates over the years to expand its protections to email addresses, screen names, photographs, and even GPS coordinates.
While these data privacy laws apply to all the states through the federal government, the states individually do most of the heavy lifting when it comes to privacy and information security in the digital age.
#1 – California
We have to start with one of the forerunners and most comprehensive examples of online privacy regulation, the California Consumer Privacy Act (CCPA) signed in 2018. The rules include:
- A data subject access request (DSAR) where customers can see exactly what pieces of information a business has regarding the client.
- A ban on a business’s ability to sell personal information without providing an online notice.
- A requirement that customers have an opportunity to opt-out of the collection.
- Data must be deleted upon request in most cases.
- Lawsuits by customers against companies that leak data through breaches are now more feasible.
CCPA applies to any business that meets the following criteria:
- Generating $25 million in annual gross revenue
- Handling records for at least 50,000 California residents
- Generating over 50% of annual revenue from consumer data sales
Keep in mind, the threshold and requirements are subject to change as data privacy laws evolve.
CCPA also has a rather broad definition of “personal information,” which includes browsing history, emails, GPS coordinates, biometric data, and basically anything that can be linked to you either directly or indirectly.
The concept of “probabilistic identifiers” means that any combination of data that has an over 50% chance of being connected with you is protected under the law, though enforcement around these identifiers will be subject to attorney discretion.
In 2023, CCPA will be enhanced by another set of regulations known as the California Privacy Rights Act (CPRA), which will:
- Add extra limitations on especially sensitive information like social security numbers and driver’s license numbers.
- Provide consumers with opt-out rights in relation to “sensitive personal information.”
- Give consumers the right to make corrections to their own information.
- Close legal loopholes that allowed businesses to use consumer data for targeted advertising without proper opt-out opportunities.
Because of its comprehensiveness and lack of a federal equivalent, California’s data privacy guidelines are often used as a guiding framework by other states also looking to implement their own privacy protection laws.
#2 – New York
Arguably matching California’s solution in terms of strictness, the New York Privacy Act already covers most of the bases, including a broad definition of personal information, the right to request deletion of personal data, the ability to make corrections to your own data, and the right to know what information a business holds about you.
This last point comes with the caveat that the business only has to divulge a broad category of what it shares with third parties, so getting more specific information might take more effort. At the same time, you are allowed a private right of action for any violation of this law.
Another unique aspect of New York’s approach is the data fiduciary: because the consumer still owns the data, the business is legally responsible for the data that it retains.
#3 – Massachusetts
The Baked Bean State has the descriptively-named Data Privacy Law that adopts many of the same elements from the CCPA, such as:
- Consumer access to personal information
- Deletion of data upon request
- Opt-out options for third-party information access
- A broad definition of what constitutes “personal data”
- Probabilistic identifiers
Massachusetts also guarantees a right to bring class action lawsuits against companies that suffer data breaches, and customers can expect up to $750 each. In fact, the client does not have to suffer a monetary loss as a result of the breach to be part of the lawsuit.
#4 – Maryland
The Online Consumer Protection Act expands upon California’s rendition of data privacy regulations. While the requirement to disclose the type of information used isn’t as extensive as it is in California, consumers do have the “probabilistic identifier” right as described before.
What sets Maryland apart from other states, however, is the need to disclose the third-party usage of personal data. With many other states, such a notice is only necessary if the data is being sold for a price. Under Maryland law, any transfer of information free or paid must be disclosed. On top of that, information belonging to children must never be shared.
#5 – Nevada
While not attracting as much fanfare as CCPA, Nevada created and passed its own Senate Bill 220 for the same purpose, and did so first. The Silver State actually became the first to allow customers to opt out of having their personal information sold.
The bill details what companies must include in their privacy policies:
- Type of information collected
- Types of third parties that will receive the data
- How clients can request changes to their own information
- A notice that third-party businesses may track the online activities of users
The attorney general’s office administers penalties for noncompliance but also allows a 30-day period to fix certain violations first. Because these fines can add up to $5,000 per violation, it’s more vital than ever for Nevada-based businesses to focus on privacy law compliance.
This law applies to any business that interacts with PII of Nevada consumers, has Nevada customers, or “directs its activities towards Nevada.”
#6 – Maine
A unique aspect of Maine’s approach to the situation is that it targets broadband Internet providers specifically. In most cases, these vendors cannot share or sell customer personal information unless given express permission. They also cannot deny service if a client refuses to consent.
The bill makes it clear that the business itself is largely responsible for protecting the data, which can include web browsing history, geolocation coordinates, and device identifiers.
#7 – Hawaii
You’re probably seeing a pattern here already. Hawaii’s SB 418 shares many parts with California’s law, but there’s one exception that will likely get patched out in the near future. While other states usually only apply these regulations to companies doing business within the state borders, Hawaii’s laws technically apply to any company in the world.
It’s highly likely that this bill will interact with any form of data that relates to Hawaii, its residents, or activities occurring in relation to the state. Keep yourself posted on new developments in Hawaii if you’re serious about data privacy laws and compliance.
#8 – Virginia
Virginia citizens have the right to access, correct, and remove their own data from a business, as well as to opt out of collection entirely. One major distinction is that Virginia law also adds an exception for information used to fulfill contracts between the customer and the company.
Marketing departments should pay special attention to Virginia, as the regulations there often give them more opportunities for the use of consumer data compared to other states. But, once again, always keep a lookout for new changes.
#9 – North Dakota
While one of the lightest bills we’ve discussed so far, North Dakota makes a valiant first effort with HB 1485, which restricts the sharing of personal information to third parties without client consent.
Other features common to other states like removing personal data upon request are not available yet, but we should expect more developments to come out of North Dakota in the future as data privacy becomes a more popular topic.
#10 – New Jersey
The New Jersey Disclosure and Accountability Transparency Act (NJ DaTA) was brought to the attention of the Assembly Science, Innovation, and Technology Committee in early 2021. This framework deals with data processing, consumers’ rights, and even requirements around automated decision-making.
The use of personal information is essentially allowed when the “legitimate interests” of both parties are involved, and any data collected can be used only for its intended purpose. Consumers can also choose to object to personal data processing for direct marketing, profiling, and other uses.
Finally, the bill establishes a new Office of Data Protection and Responsible Uses in the Division of Consumer Affairs to oversee enforcement. Of course, the exact details are far more complicated, so consult the text for a more comprehensive understanding.
Is Your Business Prepared for Enhanced Privacy Laws?
What we can learn from all these state laws regarding online data privacy is that the United States has a diverse but also fragmented approach to personal information protection. While the federal government does have regulations in place for the healthcare and finance industries (as well as for children’s data), there is no equivalent to the EU’s GDPR yet.
However, California’s CCPA can be considered an alternative since it does have several protections in place that many other states are looking to copy in some form. It will be up to state legislatures to decide how they want to balance consumer privacy with business flexibility.
As for the business manager, keeping track of the ever-changing legal landscape for data privacy laws should be the top priority. New bills are being launched, debated, passed, and shot down in multiple states, so finding out how you can stay compliant and work with new regulations is your best response.
Are you looking to stay compliant with emerging state data privacy laws? The Centraleyes team of analysts tracks the latest state data privacy laws with 24/7/365 coverage. Book a demo today and see why companies rely on the Centraleyes platform to stay up to speed on rapidly changing state privacy laws.