NIST Privacy Framework : Our Essential Data Protection Guide

What you need to do now to prepare for new state data privacy legislation

Across the globe, states, countries, and regions are instituting privacy laws to safeguard consumers and hold businesses to strict standards when collecting, storing and using customer data. In the United States, many state data privacy bills are in the legislative process. These state-level bills include a few common privacy provisions that affect consumer rights and business regulation. Here’s what you need to know to be prepared.

Common data privacy legislation provisions

Certain rights and responsibilities form the backbone of data privacy bills. Consumers have specific rights outlined in each state bill, and businesses or data controllers have their own set of responsibilities.

Consumer rights

For consumers, the following rights are the most likely to be included in state data privacy legislation. All currently active bills contain several or all of these provisions.

  • Right of access to personal information. Consumers should have the right to access personal information collected or know the categories of information collected by a business or data controller.
  • Right of access to shared information. Consumers should have the right to access personal information shared by a business or data controller with third parties.
  • Right to rectification. Consumers should have the right to request that any incorrect or outdated personal information be corrected or rectified.
  • Right to deletion. Consumers should have the right to request deletion of their personal information. In some cases, conditions may apply.
  • Right to restriction of processing. Consumers should have the right to restrict a business’s ability to process their personal information.
  • Right to data portability. Consumers should have the right to request that their personal information be disclosed in a common file format for ease of access.
  • Right to opt-out. Consumers should have the right to opt out of the sale of their personal information to third parties by a business or data controller.
  • Right of action. Consumers should have the private right to seek civil damages if a business violates a statute.

Business Responsibilities

For businesses, one or more of the following responsibilities or restrictions currently appear in active bills:

  • Solely automated decision-making prohibition. Businesses cannot make decisions about a consumer based solely on an automated process. To some extent, human input is necessary.
  • Age-related opt-in mandate. Businesses must provide consumers under a certain age with strict opt-in default for the sale of their personal information.
  • Transparency requirement. Businesses must provide consumers with notices about certain privacy programs, privacy operations, and/or data practices.
  • Obligatory breach notifications. Businesses must provide consumers and/or enforcement authorities with notification in the event of a privacy or security breach.
  • Mandated risk assessments. Businesses must conduct formal risk assessments of security and/or privacy procedures or projects.
  • Discrimination prohibition. Businesses cannot treat consumers who exercise their rights differently from consumers who do not exercise their rights.
  • Purpose limitation. Like the European Union (EU) General Data Protection Regulation (GDPR) restrictions, this structure prohibits businesses from collecting personal information, except for a specific purpose.
  • Processing limitation. Another EU GDPR-type restriction, this structure prohibits businesses from processing personal information, except for a specific purpose.

Signed state data privacy bills you need to know about

Many U.S. states are ramping up their data privacy legislation. While some states have bills that are currently pending in the legislative process, California and Virginia have passed data privacy laws. Not all of these laws are in effect yet, so businesses need to prepare their internal processes and operations now in order to be ready when these laws take effect.

California

When the California Consumer Privacy Act (CCPA) was introduced, it set a new baseline for handling data privacy. Consumers became more aware of how their personal data was being managed and used by organizations, and in response, have requested greater transparency and control.

When the CCPA was in the legislative process, data privacy became a trending topic. Many of the new state-level data privacy laws being introduced mirror the requirements and verbiage of the CCPA. The CCPA covers rights of access, deletion, portability, and opt-out. It also protects the private right of action (for security violations only) and mandates opt-in (parental consent is required for users under the age of 16), transparency, and purpose/processing limitation. It was signed in 2018 and went into effect on January 1, 2020.

Not long after the CCPA was passed, the California Privacy Rights Act (CPRA) was introduced. This new bill, which was signed in 2020, covers rights of access, rectification, deletion, restriction, portability, and opt-out; prohibits discrimination and automated decision-making; protects the private right of action (for security violations only); and mandates opt-in (for users under 16), transparency, risk assessments, and purpose/processing limitation. Organizations must prepare for these stricter guidelines, as the CPRA will go into effect on January 1, 2023.

Virginia

Virginia’s Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021, making Virginia the second state to officially enact comprehensive data privacy legislation. The CDPA has similar components to the CCPA, including rights of access, rectification, deletion, portability, and opt-out. The bill also prohibits discrimination and automated decision-making and mandates opt-in for collecting and processing sensitive data. For users under the age of 13, parental consent is required. Like the CPRA, the CDPA becomes effective on January 1, 2023.

Pending state data privacy legislation

Many U.S. states have active data privacy bills that are in some stage of the legislative process, including Alabama, Alaska, Arizona, Colorado, Connecticut, Illinois, Massachusetts, and Maryland. Most of these bills cover rights of access, deletion, portability, and opt-out, prohibit discrimination, and mandate opt-in, risk assessments, transparency, and purpose/processing limitation.

There are a few states with pending bills that are more involved than others. While you should keep all states with proposed bills on your radar, here’s a recap of prominent legislation.

Minnesota

In 2021, Minnesota introduced two data privacy bills: HF 36 and HF 1492. HF 36 was introduced in January and can be seen as a modified and shortened version of the CCPA, covering rights of access, deletion, portability, opt-in and opt-out, and transparency.

In February, HF 1492, known as the Minnesota Consumer Data Privacy Act, was introduced. This bill covers rights of access, rectification, deletion, portability, and opt-out; prohibits discrimination and automated decision-making; and mandates opt-in (for all sensitive data), transparency, risk assessments, and purpose/processing limitation.

New Jersey

New Jersey has introduced two data privacy bills that are currently in committee. One of those bills is the New Jersey Disclosure and Accountability Transparency Act, which covers rights of access, rectification, deletion, restriction, and portability. It also prohibits automated decision-making and mandates opt-in consent.

AB 3255 requires certain organizations to notify customers about the collection and sale of personally identifiable information. This bill also gives customers the right to opt in to data collection and sale.

New York

New York has proposed several data privacy bills that are all currently in committee, including the New York Privacy Act, Digital Fairness Act, and HB 567. The New York Privacy Act requires organizations to place special safeguards around data sharing and allow consumers to obtain information about entities their information is shared with.

The Digital Fairness Act covers rights of access, deletion, portability, and opt-out. This bill also limits the amount of data that organizations can collect and requires consumers’ opt-in consent before organizations can collect, use, retain, share, or monetize their personal data.

SB 567 would give consumers the right to request from organizations which categories of personal data have been sold or disclosed to third parties.

Washington

Washington currently has the People’s Privacy Act (HB 1433) in committee and the Washington Privacy Act (SB 5062) in cross-committee. While both bills have general similarities, the People’s Privacy Act is stricter and arguably provides more power to consumers. Under the People’s Privacy Act, consumers can sue violators of the proposed legislation, while under the Washington Privacy Act, only the attorney general can sue violators. The penalty for a violation is also heftier under the People’s Privacy Act, with a fine of up to $25,000 per violation or 4 percent of the violator’s annual revenue. The Washington Privacy Act, on the other hand, has a maximum fine of $7,500 for each violation.

The Washington Privacy Act also includes some loopholes and exemptions. For example, the legislation does not cover government agencies or higher learning institutions, and it does not cover nonprofit corporations until 2026. With the Washington Privacy Act in cross-committee, it has made more progress than the more robust People’s Privacy Act.

Enterprises can become data privacy-forward with the right tools

Even if a bill hasn’t made it through the legislative steps yet, or there isn’t an active bill in your state, regulations will only continue to become tighter. It’s important to be aware of data privacy laws and to become compliant, especially if you operate on a large scale, nationally or globally.

The Spirion Sensitive Data Platform with compliance integration helps enterprises identify data that needs to be protected across the organization, categorize it, assess and manage risk, and generate the notices required for opt-in, opt-out, consent, and transparency. Keeping up with ever-changing compliance laws can be a lot to manage, and our compliance integrations help take the manual work and guesswork out of your processes. To learn more about how our platform works, watch a free demo here.