Privacy was a hot topic throughout the U.S. in 2018. California lawmakers passed some groundbreaking legislation regarding consumer privacy and the Internet of Things (“IoT”). Several other states also began to address some important data privacy concerns. Additionally, lobbying for a federal privacy law increased. Below are some key privacy developments from 2018.
California Legislation
California is by far the leading state in consumer privacy. Most notably, the state passed the California Consumer Privacy Act (CCPA) this past June. This law addresses the longstanding issue of unprotected consumer data, which has become increasingly worse as the digital world expands. Without regulation, big tech companies have the power to collect and disseminate private consumer information for essentially any purpose. The new law aims to solve this issue by giving individual consumers more rights and power over their personal information. This includes the right to obtain information about what data is collected, reasons behind the data collection, and how organizations use and disseminate the data. Additional entitlements include data breach notification, access to view and delete data, and the option to opt out from sale and dissemination of personal data.
The CCPA will become effective in 2020. While the attorney general will have the power to enforce the law, consumers can file a civil lawsuit if their data is compromised during a breach due to an organization’s insufficient security. However, the act has already faced challenges for its unclear language and exemptions. There will likely be some amendments to the law in 2019. It will be interesting to see if any amendments limit consumer control, which would stray away from the intent of the law.
California also was the first state to pass a law that addressed IoT, which will be effective January 1, 2020. Among other things, this law requires that all manufacturers selling connected devices in California install reasonable security features on these devices that are “appropriate to the nature and function of the device; appropriate to the information it may collect, contain, or transmit; and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.” Only the state will be able to enforce this law.
Other Noteworthy State Legislation
After California passed their consumer privacy law, other states began discussing or drafting similar laws. In 2019, watch if any states pass their own consumer privacy law, whether these laws provide more protections to consumers or to tech companies, and if the language is clearer than the California law.
A digital data breach can greatly compromise private consumer information. Notably, in 2018 South Dakota and Alabama passed data breach notification statutes. They were the only two states that did not have some type of law in place mandating that organizations notify consumers after a breach compromises their personal data. Many other states amended their statutes on this topic. Key changes included clarifying when notification is warranted, what qualifies as a breach, covered entities, and what type of consumer data requires notification.
Another important data privacy development occurred in Ohio, which was the first state to pass a cyber security safe harbor law. After a breach occurs, an organization will have a defense against liability if it had a sufficient cyber security framework in place at the time of the breach. This provides an incentive for organizations doing business in Ohio to revamp their security programs and provide more consumer protections.
Federal Privacy Developments
While things were not as progressive on the federal side, there was some lobbying by big tech companies for a federal privacy law. This was surely influenced by California’s law and the fear that other states would follow suit. They want a federal law that preempts all state laws and grants more power to tech companies instead of consumers. Most importantly, these organizations want to retain discretion over how they use and disseminate consumer data. Using this data for advertising or sale makes up a significant percentage of their profits. Establishing a federal privacy law will likely be an uphill battle, as consumers and privacy advocates want a federal law that resembles California’s strict framework. While lobbying will undoubtedly continue in 2019, passage of a comprehensive federal privacy law may still be years away.
The push for a federal program regulating IoT had less traction in 2018. There is no federal law that directly applies to issues associated with the IoT. While federal lawmakers have introduced several bills on this topic, to date none have been passed into law.
Conclusion
The states undoubtedly took some big steps in data privacy legislation this year. In 2019, more states will likely follow suit and begin to address the many facets of this topic. Additionally, with the passage of the GDPR and other privacy laws throughout the world, it is clear that privacy is also becoming a very important global issue. As the states continue to tighten and reform their data privacy laws and other countries continue to explore privacy issues more closely, federal lawmakers will continue to feel pressured on all fronts to create a comprehensive data privacy law. While a federal law probably will not be on the books in 2019, it will likely be created in the near future.
