In 2018, the California legislature made headlines with its game-changing data protection law: the California Consumer Privacy Act of 2018. Other state legislators across the country appear to be hot on its heels as a flurry of CCPA-like bills have been introduced across the United States. While it is too early to predict which of these bills, if any, will be enacted, this increased focus on privacy in the state legislatures is clearly a sign that the privacy landscape—and consequent compliance challenges for companies—is going to get more complicated.
Overview of the California Consumer Privacy Act
The California Consumer Privacy Act of 2018 (the “CCPA”), as amended by California Senate Bill SB 1121, regulates the collection, use, sale and disclosure of California residents’ personal information by qualifying businesses. This newly enacted legislation, set to become effective on January 1, 2020, introduces significant legal risks and considerations for companies across the United States due to its expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, substantial statutory fines and its creation of a private right of action for consumers in relation to certain data breaches. You can read more about the CCPA and its amendment here (discussing the law itself) and here (discussing the amendment), as well as its impact on breach litigation here. The CCPA is far from finalized. Last month, California Attorney General Becerra and State Senator Jackson introduced SB 561 proposing further amendments which, among other things, expand the consumers’ right to bring a private action for violations of the statute. Additionally, the Office of the Attorney General is expected to release a draft of implementing rules in the fall of 2019 and is in the process of holding public forums and receiving comments.
Summary of Introduced CCPA-Like Bills
The 2019 state legislative sessions saw several privacy and data security bills (some like the CCPA) being introduced in no fewer than ten states across the United States. Those most like the CCPA in breadth and potential impact are summarized briefly below. Please see the attached chart here for a summary of the key provisions of these state initiatives in comparison to the CCPA.
1) Hawaii SB 418 (Status: In Senate)
Hawaii’s proposed law would provide similar rights to Hawaii consumers and impose similar, though more limited, disclosure obligations on businesses as those found in the CCPA. However, the proposed law could potentially have even broader impact than the CCPA because it likely applies to any business entity, regardless of size, that collects identifying information about an individual who interacts with a business within the state of Hawaii. The proposed law does not include a private right of action for consumers and does not enumerate the penalties that may be imposed by the Hawaii Office of Consumer Protection.
2) Maryland SB 613 (Status: In Senate)
Maryland’s proposed law would provide similar rights to Maryland consumers and impose similar, though more limited, disclosure obligations on businesses as those found in the CCPA. However, the right to opt out may be more expansive under the proposed law because it applies to any disclosure of personal information to third parties, rather than just data sales. In addition, the proposed law contains a complete prohibition on the “knowing” disclosure of children’s personal information (under the age of 18) without exception. The proposed law does not include a private right of action for consumers.
3) Massachusetts SD 341 (In Senate)
Massachusetts’s proposed law would provide similar rights to Massachusetts consumers and impose similar, though more limited, disclosure obligations on businesses as those found in the CCPA. However, the right to opt out may be more expansive under the proposed law because it applies to any disclosure of personal information to third parties, rather than just data sales. In addition, the proposed law contains a complete prohibition on the knowing disclosure of children’s personal information (under the age of 18) without exception. The proposed law provides a private right of action for consumers who have suffered any violation of the proposed law. Except for the private right of action, Massachusetts’s proposed law is very similar to Maryland’s proposed law.
4) Mississippi HS 1253 (Dead)
Mississippi’s proposed law nearly mirrors the consumer rights and personal information obligations found in the CCPA. However, the proposed law failed to pass committee review and is no longer being considered by the state legislature.
5) Nevada SB 220 (In Senate)
Nevada’s proposed law amends the state’s existing requirement for any person who owns or operates an Internet website or online service for a commercial purpose with a sufficient nexus to Nevada to provide notice to consumers regarding covered information collected by the operator. The amendment borrows the CCPA’s right to opt out by permitting a consumer to submit a notice to an operator directing the operator not to sell his or her covered information. However, it does not expand the notice obligation to include all the components required under the CCPA, such as notice relating to the sale of information, and does not provide the other consumer rights granted under the CCPA, such as the right to deletion. The proposed law provides a private right of action for any person injured by a violation of the new right to opt out or the existing obligations to provide notice.
6) North Dakota HB 1485 (Replaced by a Legislative Management Study)
North Dakota’s proposed law represents the furthest departure from the CCPA. Unlike the CCPA, it does not contain general notice obligations other than in response to a consumer request. However, it generally prohibits the disclosure of personal information to a third party without the express written consent of the consumer. Moreover, it provides for large fines in the event a covered entity violates a cease and desist order issued by the attorney general (up to $100,000 per violation or $250,000 per intentional violation of the cease and desist order). The proposed law also includes a private right of action for consumers whose personal information is purchased, received, sold or shared in violation of the bill. However, the proposed law has been replaced in its entirety with a bill authorizing a legislative management study of consumer personal data disclosures (see here for the revised bill).
7) New Mexico SB 176 (In Senate)
New Mexico’s proposed law would provide similar rights to New Mexico consumers and impose similar, though more limited, disclosure obligations as those found in the CCPA. However, the proposed law does not narrowly define the terms “business,” “consumer” or “minor,” and could thus be broader in scope than the CCPA, potentially applying to any business entity that collects personal information of a New Mexico consumer. The proposed law does not identify the limit for penalties per violation that the attorney general may impose but does cap penalties for intentional violations at $10,000 per violation.
8) New York SB S224 (In Senate)
New York’s proposed law focuses on the transparency of the disclosure of personal information without granting the other significant consumer rights (including the right to deletion) found in the CCPA. A business is required to make available to the customer the categories of personal information disclosed to third parties and the names and contact information of all the third parties that received the customer’s personal information from the business. This proposed law is drafted more broadly than the CCPA because it applies to any person or entity that does business in New York. In addition, the proposed law permits a “customer” of a business, the New York attorney general, a district attorney, a city attorney, or a city prosecutor to bring a civil action to recover “penalties” for violations of the bill.
9) Rhode Island SB 234 (In Senate)
Rhode Island’s proposed law would provide similar rights to Rhode Island consumers and impose similar, though more limited, disclosure obligations as those found in the CCPA. Despite adopting the CCPA’s private right of action for certain breaches, the proposed law does not specify whether the RI attorney general has authority to enforce the proposed law and any fines that may be imposed.
10) Washington SB 5376 (Passed Senate, In House)
Washington’s proposed law incorporates several concepts from the European Union’s General Data Protection Regulation (“GDPR”) into the general framework of the CCPA (e.g., controller vs. processor obligations, risk assessment obligations). The proposed law applies to entities that conduct business in Washington or produce products or services that are intentionally targeted to Washington residents and that meet one of two thresholds like those contained in the CCPA. The proposed law requires a business to make available a privacy notice disclosing the categories of personal data collected, the purposes for which personal data are used, and information relating to the sharing and sale of personal data. The rights provided to consumers more nearly reflect the rights made available under the GDPR: the right to knowledge and access to personal data, the right to the correction of personal data, the right to the deletion of personal data, the right to restrict or object to the processing of personal data and the prohibition against certain decisions based solely on profiling from facial recognition.
The law grants the Washington attorney general the ability to use its enforcement authority under Washington’s consumer protection act for violations of the law, as well as to seek an injunction or a civil penalty of up to $2,500 per violation or $7,500 per intentional violation. However, it does not grant any private right of action for consumers. The proposed law passed the Senate on March 6, 2019. There are now less than two months left in the 2019 Regular Session, so it is likely that additional news about this proposed law will be announced in the coming weeks.
Although it is too early to predict whether these laws will be enacted, there are a few key takeaways from this flurry of legislative activity:
- The CCPA is unlikely to be the only state-specific general consumer privacy protection law that will be enacted in the United States. State legislatures are keenly interested in data protection and privacy regulation, which has bipartisan support in many state houses. A common denominator across the various state proposals is the provision of GDPR- and CCPA-style consumer rights of access, opt-out and deletion, though there are some differences in the breadth of application and impact of such rights. In addition, the applicability of these state proposals varies, including the available exemptions that may bring a business outside the scope of the proposed law. As just one example, while the CCPA provides a broad exemption for data covered by the Gramm-Leach-Bliley Act, only three of the eight proposed bills still under consideration have a similar exemption as currently drafted.
- The increased state-level privacy regulation activity has led to a renewed push for federal legislation. Businesses should keep an eye out for initiatives at the federal level aimed at preempting, harmonizing or standardizing certain aspects of state consumer privacy laws.
- Businesses that are currently subject to the GDPR and/or will be subject to the CCPA when it becomes effective in 2020 should consider whether their current or proposed privacy and data security compliance programs are flexible enough to adapt to new laws that are likely to join the privacy landscape in the near future.
- Businesses that are not subject to the GDPR and will likely not be subject to the CCPA should consider whether they have in place an appropriate privacy and data security governance structure to anticipate the impact that any new laws may have on their business operations and to chart a path to credible compliance in the event they become subject to such a law.
Are you ready for the CCPA? Take Orrick’s CCPA Readiness Assessment.
- Assess your company against CCPA provisions.
- Receive a complimentary report summarizing the likely key impacts.
- Use the report to develop your CCPA project plan.