Companies gearing up for the European Union’s implementation of the General Data Protection Regulation — which introduces significant new obligations on any business processing the personal data of individuals in the EU — should not lose sight of significant obligations imposed by U.S. state legislatures, which are quite active in the privacy sphere.
The domestic privacy regime offers a patchwork of requirements affecting businesses in every sector. Companies can be caught unaware when state laws addressing the same topic mandate different requirements. For example, both Arizona and Virginia have privacy laws specifically applicable to the insurance industry, and both states require insurers to provide a notice of information practices to applicants and policyholders. For policy renewals, however, Arizona requires the insurer to provide the notice annually, whereas Virginia provides an exception in cases where personal information is collected only from the policyholder or from public records. Compliance — even just keeping up with new requirements — can be challenging.
When data breach notification laws come into effect in South Dakota July 1, all 50 states and the District of Columbia will require disclosures of a breach. But the type, timing and target of notification varies from state to state. States even differ on how they treat violations. Texas, for example, imposes civil fines of up to $50,000 per violation. California permits class actions. Georgia imposes no penalty at all.
For help navigating these varied breach notification laws, check out the IAPP-RADAR Incident Response Center in the IAPP Resource Center.
Recent high-profile breaches and scandals involving companies such as Equifax and Facebook have moved state legislatures to take action to protect consumers. Several states, including Kentucky (S.B. 33), Massachusetts (S. 2455), and Minnesota (S.F. 3881),have introduced legislation to prohibit consumer reporting agencies from charging consumers to place or remove a credit freeze if the need for a freeze was caused by the consumer reporting agency. Oregon also recently passed such legislation (2018 Or. Laws ch 10). In addition to eliminating fees charged by credit reporting agencies, the Oregon law specifies that if a company offers to provide free credit monitoring services, it must not condition the offer on a consumer providing credit card information. And if the company offers to provide such services for a fee, that fact must be conspicuously disclosed.
Oregon’s law also updates its data breach notification provisions, requiring companies to give notice of a breach within 45 days of discovery. Prior to the amendment, notice was to be given "in the most expeditious manner possible, without unreasonable delay." Arizona also recently amended its breach provisions by expanding the definition of personal information and imposing more detailed notification requirements in the event of a data breach (2018 Ariz. Sess. Laws Ch. 177).
Consumer protection concerns are not only on the minds of state legislators, however. There have long been calls for a federal data breach notification bill that would give organizations one set of rules to follow in the U.S. And recently, Reps. Blaine Luetkemeyer, R-MO, and Carolyn Maloney, D-N.Y., circulated a discussion draft of a proposed federal law — the Data Acquisition and Technology Accountability and Security Act — that would preempt state breach notification laws. In response, 32 attorneys general sent a letter to House Committee leaders voicing their objections to the proposal. Among other things, they noted that the proposed law would preempt laws that require notices to consumers and state attorney generals, and instead allows entities suffering breaches “to determine whether to notify consumers of a breach based on their own judgment …”
Another area in which states are taking the initiative is broadband privacy. Many states have responded to a shift in federal priorities with bills addressing the data handling practices of internet service providers. After the Trump Administration rolled back Obama era regulations on broadband privacy, Nevada, for example, enacted a law requiring website operators and online service providers to provide notice of their information collection practices to consumers (2017 Nev. Laws ch. 570), and Connecticut has established a working group to examine the issues and make recommendations regarding broadband consumer data privacy (Conn. Pub. Acts 17-2, Sec. 555). Roughly 20 other states are considering similar measures.
Photo credit: Erlinda Olvera