[co-author: Keisha M. McClellan]
Complying with changing state-level privacy laws will be a business priority in 2020. Because the United States does not have a uniform federal privacy law, a patchwork of state rules, applied based on where customers live, poses new challenges to companies in the new year.
Here are seven (7) data breach updates in 2020 you should know:
The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020 and applies to companies that do business in California and collect personal information from California residents. Considered to be one of the broadest state-level privacy laws in U.S. history, the CCPA creates four primary consumer rights: (1) the right to know what information a company holds about you; (2) the right to request that companies delete information about you; (3) the right to opt out of the sale of your information; and (4) the right to receive equal service and pricing from a business if you exercise your CCPA rights. However, the California Attorney General is prohibited from initiating an enforcement action until July 1, 2020.
Effective January 1, 2020, businesses in Illinois must notify the Illinois Attorney General of breaches involving more than 500 people. The notice must include a description of the nature of the breach of security or unauthorized acquisition, the date of the breach, the number of Illinois residents affected by the incident at the time of notification, and any steps the entity took or plans to take relating to the data security incident. Of note, the Attorney General may publish data collectors’ names, the types of personal information disclosed, and the date range of the breach.
As of January 1, 2020, the Oregon Consumer Information Protection Act expands the scope of data breach notification rules for vendors. Vendors will have to notify any contracted entity within ten (10) days of discovering a breach and notify the Attorney General if the breach involves more than 250 individuals or if the affected number of people is unknown. The law also expands the definition of personal information to include user names, or information necessary to authenticate a user, for the purpose of providing access to the consumer’s account.
Effective January 1, 2020, Texas’s amended data breach notification statute requires that notice of a breach be provided to all affected parties within sixty (60) days of determining that a breach has occurred. For incidents involving 250 Texas residents or more, notice must also be provided to the Texas Attorney General. Additionally, the bill establishes a new Texas Privacy Protection Advisory Council, which will study data privacy laws in different jurisdictions.
Beginning March 1, 2020, Washington’s definition of personal information is expanded, and the window of time within which a notification of a breach must be made is reduced from 45 days to 30 days.
As of March 21, 2020, the data security requirements of the New York Stop Hacks and Improve Electronic Data Security Act (“SHIELD”) take effect. The Act requires specific protections for New York residents’ private information. Any person or business that owns or licenses this private information must implement a data security program that includes reasonable administrative, technical, and physical safeguards, and the Act enumerates certain standards companies are required to implement. Previously, the Act applied only to companies doing business in New York.
Effective July 1, 2020, “An Act to Protect the Privacy of Online Customer Information” will become enforceable in Maine. This Act prohibits broadband internet access providers from using, disclosing, selling or permitting access to customers’ personal information unless the customer expressly consents. It also prohibits companies from charging customers more if they do not allow access to their personal information. Under the Act, the definition of personal information includes identifiers such as web browsing history and geolocation data.
This patchwork quilt of privacy laws can be difficult for businesses to navigate, and maintaining compliance across jurisdictions becomes harder still as states adopt new or revised data privacy laws or promulgate regulations implementing the existing ones.