Login | April 19, 2024
On the horizon: pending state privacy laws
RICHARD WEINER
Technology for Lawyers
Published: April 3, 2020
Well, CCPA is out of the way. California, home to many of the largest tech companies in the country, has a privacy law that sorta kind looks like GDPR.
And it is very clear that Congress won’t be passing national privacy laws any time soon.
So-- on to the next states to pass privacy laws.
Actually, CCPA is far from out of the way. It doesn’t actually take effect until June 1, although there is a look-back clause to January 1. But—the Cali AG is still passing around regulations to the various businesses to look at, so no regs yet. And Facebook recently declared that CCPA doesn’t apply to them. So lots of fun to come in California. We’ll keep ya posted.
But since imitation is the sincerest form of flattery, and everybody wants to be California, a few states have taken steps to institute their own privacy laws.
First, all 50 states have some kind of breach notification law, and those laws are technically data privacy laws.
But very few actually have anything like CCPA. A few are trying.
Massachusetts has a few limited data privacy laws and very strong breach laws. Like a few states, they have a law that requires companies to develop a highly detailed data security plan, but no guidance or real enforcement. They have a stronger data privacy law in committee in the legislature.
Nevada has a data privacy law, but it only applies to owners of websites.
Maine has a data privacy law that only applies to ISP’s. Illinois has a unique biometrics privacy law that just cost Facebook $550 million.
The following have some kind of data privacy laws pending in the state legislatures.
The New York Privacy Act, in committee, is a CCPA/GDPR mirror with even stronger protections and redresses than CCPA. For instance, it creates a fiduciary duty for data storage services.
Other states with pending data privacy legislation are Washington State (which includes facial recognition privacy); The Hawaii Consumer Privacy Protection Act also takes its cues from CCPA but is just getting started. Also new on the books is the Maryland Online Consumer Protection Act, CCPA-like and very expansive on definitions of personal data. And the North Dakota Privacy Bill only restricts websites from selling information.
We’ll keep you all posted as the privacy horizon inches closer and closer.