States Increase Data Privacy Regulation and New Federal Legislation May Pass in 2021

States Increase Data Privacy Regulation and New Federal Legislation May Pass in 2021

In the absence of federal privacy regulations, states continue to push forward with their own efforts, introducing bills to address consumer privacy, data breach notification, and cybersecurity...

In the absence of federal privacy regulations, states continue to push forward with their own efforts, introducing bills to address consumer privacy, data breach notification, and cybersecurity. For example, in the Biometric Information Privacy area, states have cloned the legislation enacted by Illinois (Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et. seq. ‘BIPA’). These state-level regulations pose significant challenges for businesses and make it imperative to monitor developments and be ready to respond to this rapidly evolving area of law. A recent N.Y. Times editorial[1] was critical of Virginia’s recently enacted Consumer Data Protection Act, (as well as other state laws that lack sufficient opt-in defaults) as being a “business-friendly package”, placing the onus on consumers to opt out of most data collection, with an exception for the most sensitive personal details. The Times concluded that federal legislation is urgently needed to remedy the lack of consumer-focused legislative protections, especially when faced with “Big Tech’s” power disparity. 

Survey of Current and Proposed State Privacy Legislation

• California continues to lead the country with regard to data privacy oversight. Signed into law in 2018 and made effective January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) grants consumers the right to request that a business disclose how it uses their personal information, including the categories of personal information (PI) it has collected about that consumer;  sources from which the personal information is collected; the business or commercial purpose for collecting or selling personal information; the third parties with whom the business shares personal information; and the specific pieces of personal information it has collected about that consumer. The CCPA also includes a number of other data protections for consumers, including the right to request deletion of personal information and the right to opt out of the sale of personal information by a business.[2]

The CCPA applies to for-profit business entities that conduct business in California, collect consumers’ personal information, alone or jointly with others determine the purposes or means of processing of that data, and meet one or more of the following criteria: (1) have annual gross revenues greater than $25 million; (2) buy, receive, sell, or share personal information of 50,000 or more consumers annually; or (3) derive 50 percent or more of its annual revenues from selling consumers’ personal information.

Violations of the CCPA can result in penalties of up to $7,500 for intentional violations, but penalties only apply if businesses fail to address the violation within 30 days of being notified of the violation. The CCPA also includes a private right of action. When a breach of personal information occurs due to a business’ failure to implement and maintain reasonable safeguards to protect that information, the law entitles aggrieved consumers to pursue statutory damages of no less than $100 and no more than $750 per consumer per incident, or actual damages, whichever is greater.[3]

On November 3, 2020, California voted to pass Proposition 24 ballot initiative, significantly amending the CCPA. The California Privacy Rights and Enforcement Act of 2020 (CPRA), which became law with the passage of Proposition 24, establishes the California Privacy Protection Agency (CPPA) to oversee and enforce the state’s consumer privacy laws. To give businesses time to comply, the majority of the changes mandated under the CPRA are not slated to take effect until January 1, 2023. In the meantime, businesses must still comply with the existing CCPA and its implementing regulations. CPRA also amends the criteria for determining whether businesses are covered under the data privacy law. As amended, the requirements will apply to a business that (1) has greater than $25 million in annual revenue; (2) buys, sells or shares PI of 100,000+ consumers or households; or (3) derives at least 50% of annual revenue from selling or sharing consumer personal information. The CPRA increases the annual threshold to 100,000 or more consumers or households, which will exempt some small businesses.

The CPRA makes a number of significant amendments to the CCPA. It establishes a new penalty of up to $7,500 for violations involving the consumer privacy rights of minors and eliminates the ability of businesses to avoid penalties by addressing violations within 30 days.

• Maine: The Act to Protect the Privacy of Online Consumer Information, effective on July 1, 2020, prohibits a provider of broadband Internet access service from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access. The law also prohibits a provider from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access of their personal information.

• Nevada: Senate Bill 220, “An Act relating to Internet privacy,”  effective October 1, 2019, applies to website “operators,” which are defined as persons who own or operate websites or online services for commercial purposes that (1) collect and maintain “Covered Information,” which includes common categories of personally identifiable information (PII), and (2) purposefully directs its activities toward Nevada, consummates a transaction with Nevada or a Nevada resident, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in activities that establish a sufficient nexus with the state of Nevada. Entities that fall under the above definition must allow consumers to opt out of the sale of personal information to third parties and provide a free mechanism (toll-free telephone number, online form, etc.) to do so. There is no private right of action, but entities that fail to comply with the law face a penalty of up to $5,000 per violation.

• New Jersey: Senate Bill 52, effective September 1, 2019, strengthened New Jersey’s data breach notification law by requiring entities that compile or maintain computerized records that include information permitting access to an online account to disclose to consumers any breach of security of the information. Under New Jersey’s prior law, businesses and public entities were required to disclose breaches involving personal information such as Social Security numbers, driver’s license numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. This amendment to New Jersey’s data breach notification law added user names, email addresses, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account, to the list of breaches requiring disclosure. Senate Bill 52 requires that disclosures must be made in the “most expedient time possible and without unreasonable delay,” consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. 

In New Jersey, two privacy bills were introduced in 2020 and remain in committee. Assembly Bill 2188 would require commercial Internet websites and online services to notify customers of collection and disclosure of personally identifiable information and allow customers to opt out. Assembly Bill 3255 would require certain businesses to notify customers of certain information concerning the collection and sale of personally identifiable information (PII) and allow customers to opt into the collection and sale of such information. The bill would also prohibit businesses from collecting a consumer’s PII unless the consumer affirmatively opts in to the collection; ban businesses from requiring that the consumer create an account in order to direct the business not to sell their PII; and grant consumers the right to request that a business that collects their PII is to, at or before the point of collection, inform them as to the categories of PII to be collected and the purposes for which it will be used.

• New York: In 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which amended the state’s existing data breach notification law to impose an affirmative duty on covered entities to implement reasonable data security measures to protect the “private information” of New York residents. The law, which fully took effect on March 21, 2020, provides that “any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” Small businesses, defined as those with less than 50 employees and under $3 million in gross revenue, or less than $5 million in assets, are deemed compliant if they “implement and maintain reasonable safeguards that are appropriate to the size and complexity of the small business to protect the security, confidentiality and integrity of the private information.” The SHIELD Act also broadened the scope of information covered under New York’s existing data breach notification law to include additional data, such as biometric information and email addresses, and expanded the definition of a data breach to include unauthorized access to private information.

The New York legislative ‘pipeline’ includes Governor Andrew Cuomo’s recently proposed comprehensive data privacy legislation, entitled the “New York Data Accountability and Transparency Act” (NYDAT), as part of his FY 2022 budget. In January, the New York Assembly reintroduced the New York Privacy Act (NYPA). Both bills would further regulate how businesses can collect, use, and share consumer personal information. Notably, the NYPA includes a private right of action, while the NYDAT would empower the attorney general to enforce the law. On the New York legislature’s first session day, Assembly Bill 27 (AB27), the Biometric Privacy Act (BPA) was proposed.  New York’s BPA would provide consumer safeguards to be used by private organizations that process biometric identifiers or biometric information (collectively “biometric data”).  Companies would need (a) a written retention policy and (b) guidelines for destruction of biometric data.  Individual written consent for collection of biometric data would also be required.[4]

• Oregon: The Oregon Consumer Information Protection Act (OCIPA), effective on January 1, 2020, enhanced the data breach notification requirements for covered entities that own, license, maintain, store, manage, collect, process, acquire or otherwise possess personal information. It also extended data breach notification obligations to vendors that provide services to covered entities. OCIPA also added an individual’s account username and password to the definition of “personal information” sufficient to trigger the state’s breach notification requirements.

Data Privacy Under Biden Administration – Federal Enforcement?

In an April 2020 report, the Congressional Research Service found that bills introduced in the 116^th Congress shared several common elements in that each regulates the use of personal information by: (1) recognizing individuals’ rights to control their personal information; (2) requiring a defined class of entities to take steps to respect those rights; and (3) creating procedures to enforce those requirements. The proposals differed, however, in three key respects: (1) which federal agency would have enforcement power; (2) whether to preempt state privacy laws; and (3) whether to provide a private right of action.

National Consumer Data Privacy Legislation Introduced

Rep. Suzan DelBene recently introduced the Information Transparency and Personal Data Control Act (ITPDCA), which would create a national data privacy standard. The federal legislation would preempt the existing patchwork of state privacy regulations.  This is not the first time that Congress has considered federal data privacy legislation. Several bills have been introduced by both Republicans and Democrats in recent years. None, however, have been able to garner the widespread bipartisan support needed to cross the finish line.

“Data privacy is a 21^st Century issue of civil rights, civil liberties, and human rights and the U.S. has no policy to protect our most sensitive personal information from abuse. With states understandably advancing their own legislation in the absence of federal policy, Congress needs to prioritize creating a strong national standard to protect all Americans. This bill will create those critical protections,” Rep. DelBene said in a press statement. “This is an international issue as much as it is a domestic concern. If we do not have a clear domestic policy, we will not be able to shape standards abroad, and risk letting others, like the European Union, drive global policy.”[5]

Supporters of a national data privacy law note that the lack of federal legislation puts both companies and consumers at a disadvantage. Corporations must comply with numerous, and often divergent, local laws rather than one federal standard, while consumers are often unsure how and if their rights are protected.

ITPDCA Summary

The Act is the first privacy bill introduced in the current session of Congress. The proposed law would govern how companies collect, use, and store “sensitive personal information,” broadly defined as: (i) financial account numbers; (ii) health information; (iii) genetic data; (iv) any information pertaining to children  under 13 years of age; (v) Social Security numbers; (vi) unique government-issued identifiers; (vii) authentication credentials for a financial account, such as a username and  password; (viii) precise geolocation information; (ix) content of a personal wire communication, oral communication, or electronic communication such as e-mail or  direct messaging with respect to any entity that is not the intended recipient of the  communication; (x) call detail records for calls conducted in a personal and not a business capacity; (xi) biometric information; (xii) sexual orientation, gender identity, or intersex status; (xiii) citizenship or immigration status; (xiv) mental or physical health diagnosis; (xv) religious beliefs; or (xvi) web browsing history, application  usage history, and the functional equivalent of either.

Other elements of the Act include:

• Plain English: Companies must provide their privacy policies in “plain English.” 
• Opt-in: Companies must allow users to “opt-in” before companies can use a consumer’s most sensitive private information in ways they might not expect. 
• Disclosure: Companies must disclose if and with whom consumers’ personal information will be shared and the purpose of sharing the information. 
• Preemption: The legislation creates a unified national standard by preempting conflicting state laws.
• Audits: Companies would be required to submit privacy audits every 2 years from a neutral third party. 
• Enforcement:  The Federal Trade Commission (FTC) would be authorized to enact and enforce implementing regulations. A violation of the Act (or a regulation promulgated under it) would be treated as a violation of the FTC Act’s provisions regarding unfair or deceptive acts or practices. Additionally, state attorneys general may bring lawsuits on behalf of their residents alleging violations of the data privacy requirements and seeking injunctive relief.  Notably, the bill does not include a private right of action.[6]

According to Rep. DelBene, the data privacy legislation is intended to be simple and straightforward, as well as give the FTC the flexibility needed to adapt to new and changing technology. “I wrote this bill as being very foundational,” DelBene explained. “We do need to expand beyond this. … If we don’t have fundamental privacy policy, then how are we going to address all the issues that are built on top of that? So we really are starting out making sure that we’re building the infrastructure we need to make sure we’re protecting consumer rights in the digital world.”

Is There a Likelihood of Establishing a National Data Privacy Law that Supplements the Patch Work of State Laws?  Only Time Will Tell.

Narrow democratic majorities in both the House and Senate make it more likely that consumer privacy legislation can be passed. However, Rep. DelBene is likely to have some competition. Sen. Kirsten Gillibrand (D-NY) is planning the reintroduction of her Data Protection Act, and Sen. Sherrod Brown (D-OH) is planning to reintroduce his Data Accountability and Transparency Act. Ron Wyden (D-OR) has stated that he plans to introduce a new version of his 2019 Mind Your Own Business Act.

Key Takeaways for Businesses:

Because it preempts state laws and does not include a private right of action, the ITPDCA may garner the most widespread support. The U.S. Chamber of Commerce has already come out in support of the bill. “The Information Transparency & Personal Data Control Act is a much-needed step in the right direction toward protecting the privacy of all Americans equally,” the Chamber wrote in a letter to Rep. DelBene. “This bill would enhance certainty by offering consumers clear and meaningful rights and would enable the business community to continue innovating.  The bill would ensure that consumers are afforded meaningful transparency that enables them to direct how personal information is used, collected, and shared.”

The data privacy landscape is actively evolving, both at the state and federal levels with legislative sponsors utilizing the measures of early state enactments. We encourage businesses that operate across state lines to monitor the legal developments in all states where they operate. Given that the insurance market has not kept pace with the evolving cyber and data privacy risks and recent class action litigation, businesses should remain cognizant of developments in coverage matters. Failing to understand your obligations with regard to consumer rights, data sharing, BIPA, and cybersecurity can lead to costly liability.

Focused efforts should involve review and revisions to existing firm data collection and privacy rights in order to prevent noncompliance, penalties, and adverse reputational harm.  The potential consequences of both state and Federal legislation should not be ignored. 

Scarinci Hollenbeck’s cybersecurity and data privacy attorneys will continue to track the status of the Information Transparency & Personal Data Control Act, along with any other federal privacy legislation that is introduced. We encourage you to check back regularly for updates.

If you have questions, please contact us

If you have any questions or if you would like to discuss these issues further, please contact Paul A. Lieberman or Maryam M. Meseha, Co-Chairs: Cyber Security & Data Privacy Practice, at (201) 896-4100.

[1] Sunday, March 7, 2021.

[2] See following discussion of CPRA 2020.

[3] Illinois and New York BIPA statutory damages provisions allow up to $1,000 for each negligent violation and $5,000 for each reckless or intentional violation.  Accordingly, businesses should have up to date Data Privacy and BIPA policies and procedures.

[4] States are also beginning to regulate how entities collect, retain, disclose, and destroy biometric identifiers, such as a retina or iris scan, fingerprint, voiceprint, handprint, facial geometry, or other unique biological patterns or characteristics that identify a specific individual. Illinois, Texas, and Washington are the three states that currently have laws in place. Illinois’ Biometric Information Privacy Act (BIPA) is the only law that includes a private right action. 

[5] The European Union enacted the General Data Protection Regulation (GDPR) in 2016.

[6] Illinois BIPA is currently the only state law that includes a private right of action against “an offending party” with recovery features.  See, e.g. West Bend Mutual Insurance Co. v. Krishna Schaumberg Tan Inc.