Setting the Stage
In 2018, Europe’s General Data Protection Regulation (GDPR) set the precedent for data and privacy regulations across Europe and other geographies. Back home, the California Consumer Privacy Act (CCPA) took effect on January 1st, 2020. Other states and countries are sure to follow with similar data protection legislation.
Significantly, the GDPR extended the EU’s jurisdiction beyond its borders. Thus, any business that sells to EU customers is subject to the GDPR, regardless of location.
One of the broadest online privacy laws in the U.S., the CCPA regulates organizations nationwide that do business with California residents. In 2019, Nevada and Maine enacted consumer privacy protections similar to the CCPA.
In July 2019, New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. The law establishes more data security requirements for companies that collect data on New York residents.
Federal Data Protection Legislation
Forward to September 2020. As several states work their way through proposed data and privacy regulations, federal data protection legislation remains stalled.
Just days before the lockdowns began, Congress introduced the “Consumer Data Privacy and Security Act of 2020” (CDPSA). The CDPSA integrates themes from the CCPA and GDPR. In addition, corrects some of their shortcomings (e.g. the CDPSA excludes employee data from the definition of personal data).
More favorable to small and midsize businesses than the CCPA and GDPR, the CDPSA includes favorable “small business” thresholds and omits a private right of action. It also exempts “small businesses” from certain compliance obligations such as an individual’s rights to access or correct. It strikes a balance between the protections afforded consumers and the costs of compliance for small business.
2020 State Data Protection Legislation
Compared to 2019, state data protection bills increased in 2020 with additional legislation addressing the collection and use of biometric or facial recognition data. However, since the Covid-19 crisis disrupted legislative sessions, few bills have been enacted.
In 2020, at least 30 states and Puerto Rico introduced bills. The proposed state legislation covers everything from the privacy of consumer data, online privacy, and data broker regulation to biometric data, and other consumer privacy concerns.
States Enacting Data Protection Legislation
Michigan – Enacted a bill that modifies requirements for insurers providing privacy policies to customers. One measure is pending re the collection of PI from a driver’s license or ID card.
Virginia – Enacted one measure which allows merchant DRL identity verification. Two measures pending re consumer privacy, data access and disclosure of sale, and children’s protection.
Data Protection Legislation Pending
Twelve states launched data protection legislation still pending this year. Some of these measures may later become law.
California – Several measures pending re data brokers fees. Furthermore, exceptions and revisions to the CCPA, opt-in consent for minor’s personal information, genetic information privacy and consumer data sharing.
Hawaii – Five measures pending, including rules surrounding electronic proof of purchase, privacy, disclosure upon request, ticketing disclosures and notice of personal data sale.
Illinois – Several measures pending re notification of PI data collection, data broker registration, genetic information privacy, and intellectual property rights re use of PI. In addition, biometric information privacy, regulation of the use and sale of data, smart speaker data use and others.
Massachusetts – Seven measures pending re protection of personal identity, Internet advertising, online collection of PI from minors, data collection and use of PI by telecom and ISPs, net neutrality, and consumer protection.
New Hampshire – Several measures pending.
Nebraska – Pending the Nebraska Consumer Data Privacy Act.
New Jersey – Several measures pending re posting privacy policies, notification and opt-out, geolocation data, voice recognition, opt-in to collection and sale of PI, consumer reporting agencies protection of PI, and storing mag-stripe data.
Pennsylvania – One measure pending re consumer data privacy and collection of PI.
Rhode Island – Two measures pending.
South Carolina – One measure pending re biometric data privacy.
Vermont – Two measures pending.
Failed State Data Protection Legislation
Fifteen states considered one or more measures that ultimately failed to pass, including Connecticut, Florida, Idaho, Louisiana, Maryland (9), Maine, Minnesota, Missouri, Mississippi, South Dakota, Tennessee, Utah, Washington (8), Wisconsin, and West Virginia.
International Data Protection Legislation
Still a big year for international data protection legislation, 2020 welcomes new regulations that take effect in Brazil and Thailand. Moreover, India and South Korea aggressively seek their own stricter data protection laws.
Brazil’s Lei Geral de Proteção de Dados (LGPD), which closely models the EU’s GDPR, took effect last month. It applies to all businesses that collect the PI of Brazilian residents, whether inside the country or out.
Including some of the GDPR’s toughest requirements, Thailand’s Personal Data Protection Act (PDPA) incorporates greater protection for sensitive data categories and applies worldwide. Hence, violators face the risk of fines plus the threat of criminal prosecution with imprisonment up to one year.
Several data protection initiatives, including India’s Personal Data Protection Bill (PDPB) were slated for final approval in 2020.
Data Protection Experts
Organizations that seek to navigate the complicated landscape of data protection regulations turn to the information governance experts at Messaging Architects. With decades of IG and data compliance experience, they guide IG policy formulation and implementation in a close partnership with internal teams.