New privacy bills, amended bills, bills not making it out of committee, bills in debate in State Houses and Senates. The privacy regulatory environment in the US is changing on an almost daily basis. This is creating anxiety amongst privacy professionals resulting in many companies taking a “wait and see” approach to this uncertain sea of pending State legislation. However, there are many commonalities amongst the various requirements and getting started now will alleviate a lot of unnecessary stress when amendments and bills do pass. In this blog post we will look at the status of the CCPA and other US State regulations as well as ways to get started to minimize your time to compliance.
The CCPA and US State Privacy Legislation: Current State
At the time of publishing there were 15 States with consumer privacy laws and bills on the table, with perhaps the most important being California (CCPA) and Nevada (Act Relating to Internet Privacy).
The CCPA is the first law in the US to be enacted with direct and encompassing consumer privacy rights. While it was adopted last year, the amendment process is ongoing with several amendments under discussion including:
- For insurance companies, a consumer’s right to request that a business delete or not sell their information under the CCPA will be eliminated if processing that information is necessary to complete an insurance-related transaction requested by the consumer.
- For incentive programs, the CCPA contains a non-discrimination principle, but will not apply to consumers who voluntarily participate in incentive programs such as loyalty programs or club membership.
- In the case of a legal defense, the CCPA will allow a business to process personal information if it relates to legal claims.
There are additional, significant changes making their way through the California Senate and House committees, with decisions expected before the end of the summer:
- The definition of a consumer would not include employees. Therefore, employee data would be excluded from the CCPA.
- The private right of action extension is still on the table, allowing consumers to launch civil action if a company violates any of the rights under the CCPA.
Nevada's Act Relating to Internet Privacy passed without opposition in both chambers of the legislature and comes into effect on October 1st, 2019. It is similar to the CCPA when it comes to the right to opt-out and the obligation to provide a "do not sell" link. Beyond that, definitions in Nevada are narrower than in the CCPA. Exemptions apply to:
- Financial institutions subject to the Gramm-Leach-Bliley Act
- Entities subject to the Health Insurance Portability and Accountability Act, and
- Vehicle manufacturers and vehicle service and repair entities that collect covered information from vehicles through connected or subscription services.
The office of the Attorney General will oversee enforcement; the law does not provide for a private right of action.
Louisiana and Vermont are also recent additions to the sea of US consumer privacy legislation under consideration. The Louisiana bill focuses on protecting consumers online when they use the internet and social media. While this may seem narrow, one of the bill's definitions appears to cover anybody operating a commercial website in the state of Louisiana, which would have significant implications for a large number of organizations.
Vermont has tabled a general data privacy and consumer protection bill which has passed in the Senate and, if adopted by the House, will apply from July 1, 2019. The bill contains a broadened definition of personally identifiable information, which will include biometric, genetic and health data as well as login credentials and passport numbers, and it places specific limitations on the use of student data.
Bills in Hawaii and New Mexico were withdrawn from consideration due to a lack of traction with their respective legislatures.
And perhaps the biggest news is that, despite the Washington State Senate being largely in favour of a consumer privacy act, the bill did not make it out of committee in the State House in the current session. Some members of the legislature have indicated they will bring the bill back in the next session.
How to get started in the face of regulatory uncertainty
The US is not unique in introducing consumer data privacy rights. Approximately 113 countries and regions have data subject rights requirements as part of their laws. Many rights are common around the world and figure in well over 100 laws. These include transparency rights, correction requests, the right of access, and right of deletion.
While many companies are nervous and want to wait to see what changes come through the various State governments, the reality is there are several elements that are not going to change. Further, those elements will also share common characteristics across State legislation as well as with global laws such as GDPR.
If the GDPR taught us anything, it is that preparing for compliance is critical, and there are several easy ways to get started in order to minimize the time it takes to achieve compliance and, most importantly, minimize risk to your business.
Although there will be nuances from State to State, the core consumer rights around access, correction and deletion will be the common denominator and the perfect place to get started.
Another lesson we learned from the GDPR is that companies spent too much time and budget on assessing their gaps before moving ahead with remediation tasks. Most organizations can determine if there are existing policies and procedures in place and whether they need to be enhanced, or if there are gaps. There are some simple questions to start with:
- Do you have a high-level policy stating your company’s commitment to fulfill an individual’s request regarding their data?
- Do you have existing procedures that you can leverage or enhance?
- Is this the time to consider automated tools in preparation for a dramatic increase in the volume of requests?
Leveraging GDPR Work
If your company is required to be GDPR-compliant, you likely already have key foundational elements that can be leveraged for CCPA compliance and for other state laws dealing with data subject requests. For example, under Article 30 of the GDPR you would have had to complete a record of processing activities (ROPA). This has become a powerful foundation for many CCPA requirements, including the ability to:
- Map your processing activities
- Identify owners of activities
- Identify data being transferred to third parties
- Identify third party vendors
- Identify relevant information required to respond to a consumer request
- Identify third parties that may need to be contacted to fulfill deletion requests and to produce CCPA-compliant privacy notices
Capturing this data under the GDPR (the purposes of processing, categories of individuals, categories of personal data) can also be repeated for compliance with the CCPA, even though a full inventory is not required by that law. You can easily extend the ROPA established under the GDPR to cover CCPA-specific elements such as whether the data is sold to third parties. Even if you have not completed this exercise for the GDPR, it is another great place to start when preparing for State legislation.
The advantage of this approach is the ability to communicate to the business in a language they will understand, simplifying the process of identifying the data, the purpose, and what data they need for the purpose of processing (for example, payroll and benefits).
Preparing for the CCPA and other State regulations does not (and should not) have to be a “wait and see” approach. There are a number of things you can do today to get ahead of the game, mitigate risk for your organization and ultimately minimize your time to compliance. Nymity has a number of tools and resources to help you stay on top of regulatory change, leverage your existing privacy policies and procedures for compliance, and get started.