Much has been written about California’s comprehensive privacy legislation, the California Consumer Privacy Act. California’s new law is a comprehensive privacy framework that doesn’t exist at the federal level. The CCPA was notable for many features, not least for the breadth of “personal information” it protects and its broad applicability to a vast swath of businesses.
But in all the fuss about CCPA, it’s easy to lose track of the other state laws coming into play for businesses, both businesses that deal directly with data about individuals and the businesses that provide services to those businesses.
Some of these laws — such as Nevada’s and New York’s — have just as much of an impact on certain companies’ privacy and security practices as CCPA. This is all the more true as more businesses have been scrambling to move operations online during the COVID-19 pandemic. For example, by the end of March, Microsoft had seen an increase of 12 million users on its Office 365 Teams collaboration platform and attributed the increased demand to the number of businesses shifting to work-from-home arrangements.
Several new laws deal not only with how states regulate the security of our data (i.e., the breach notification laws that will likely require federal intervention) but also with privacy in the more traditional sense (i.e., restrictions on how companies collect and use data about individuals and inform individuals about those uses). Although Colorado doesn’t have any new legislation on information privacy or security — Colorado last revamped its data breach statute in 2018 — several states have recently passed statutes that will impact Colorado companies’ operations.
Nevada’s new law, Senate Bill 220 (signed in May 2019; took effect Oct. 1), is the biggest deal in this group of new laws. It applies to any business that owns or operates an internet website or online service for commercial purposes and breathes a hint of commerce in the landlocked economy of the state (the statute says “consummates some transaction”). In other words, basically anything.
The law also applies to covered information, which is distinct from the state’s definition of “personal information” subject to breach disclosure requirements; “covered information” could include even an email address alone. A nonprofit operating a website seeking donors in Nevada for charitable purposes would not need to make disclosures about the information it is collecting. On the opposite end of the spectrum, a software business that offers a white paper in exchange for the individual’s email address and contact information (i.e., a transaction) potentially would.
The key distinction for Nevada is that it only regulates information collected online. In contrast, the CCPA and the state security and breach notice statutes are “method-agnostic” when it comes to how a business obtains the relevant information. But with more and more data moving online, it becomes increasingly hard to distinguish between what’s online and offline data. I may have been working from home for too long to recall, but when’s the last time anyone interacted with any business in a manner that didn’t involve the internet?
Maine’s new law, “An Act to Protect the Privacy of Online Customer Information,” was signed in June 2019 and comes into effect July 1. It applies to providers of broadband internet access service. By “access service,” the legislators mean to capture companies like AT&T, Verizon and Xfinity. (Apparently, the lobby from dial-up service providers was persuasive, as the law explicitly excludes those providers.)
Under Maine’s law the only valid basis for a BSP to sell or share customer data is to get consent. Thus, Maine’s law would require lots of companies — if they’re selling consumer data — to return to their customers and ask for express affirmative consent, and the providers cannot upcharge customers who decline to provide consent. Customers can also revoke consent at any time. The law also defines customer information to mean both information that can identify a customer personally and usage data created from a customer’s use of the broadband service. The statute also will also regulate not just data of current and future customers, but data of former customers as well. Like California, Maine’s law will require significant operational changes for a number of companies to comply.
In Texas, legislators established a new “Texas Privacy Protection Advisory Council,” which will study data privacy laws in different jurisdictions. Texas is important because it likely shows a trend taking place across many other states that have abandoned their specific mandates to set up legislative “study councils.” Such states include Connecticut, Hawaii, Louisiana, Massachusetts and North Dakota. Even before the COVID-19 pandemic, a few states were tabling their legislative privacy conversation, likely waiting to see if the U.S. Congress would take up the issue. It remains to be seen if any attention will come back to these issues this year.
Several states put some new security laws on the books recently as well. Here are some highlights:
Maine’s broadband privacy law (effective July 1) also created some changes to security statutes. Echoing the language of many state statutory requirements to implement safeguards to protect, the BSPs must “take reasonable measures to protect customer personal information from unauthorized use, disclosure or access.”
Keeping also with the approach other states have taken, the ISP measures can account for “the nature and scope” of the provider’s business as well as its size, “the sensitivity of the data” collected, and the technical feasibility of the security measures, as long as it’s “lawful.”
The new statute in Illinois (Senate Bill 1624) became effective Jan. 1. It requires “data collectors,” i.e., businesses handling personal data, to provide notice of a breach to the state attorney general. That requirement alone isn’t remarkable; many states have this requirement, including Colorado. Illinois law adds some heft, however, in expressly permitting the AG to publicly disclose certain elements of the notice, including the data collector’s names, types of personal information disclosed and the date range of the breach, potentially adding to bad publicity. Oregon recently passed the Oregon Consumer Information Protection Act, which became effective on Jan. 1 (Senate Bill 684). It changes the law from protecting individuals against identity theft, specifically to one that is broadly aimed at safeguarding their “information,” and the title was changed accordingly.
The key change from Oregon is that it creates a clear distinction between “covered entity” and “vendor” of a covered entity. While the covered entity might own, license, or possess personal information in the course of business, a vendor is an individual or entity “with which a covered entity contracts” to handle that information while providing services to or on behalf of the covered entity.
The key here is that Oregon requires vendors to notify their clients and customers no more than 10 days following the discovery of the breach or a suspected breach. This is the shortest fuse in the state breach laws. For example, in the event of a breach of a law firm’s email records, the lawyers would have 10 days to notify their business clients. This requirement may be more of an aspirational suggestion in practice for some businesses. The statute also permits some time to take account of which clients’ data was actually compromised, often one of the most time-consuming aspects of any real-life breach situation. Nevertheless, for clients with businesses that aren’t complex or where there’s little question over the actual acquisition of the protected information, a 10-day time frame will be tough to meet absent a decent level of preparedness.
Further, while many states require attorney general notification only if the number of affected persons exceeds a certain number, Oregon took a different track. Businesses in Oregon are required to notify the attorney general if the breach crosses the 250-person threshold as well as if the affected number of people is unknown. This means companies can’t defend themselves through failure to notify just because counting seems hard. Oregon also fixed a scope issue in their definition of breach to clarify it’s not just information the entity “maintains,” but also information it possesses. We can expect some debate over this.
New York’s “SHIELD” Act (SHIELD is a pseudo-acronym for Stop Hacks and Improve Electronic Data Security) brought about several new provisions that are coming into effect in waves. Certain provisions are effective already, and a few others come into effect in a few months on July 1. Not unlike Nevada’s new privacy law, which regulates data collected through an online business process, New York’s law regulates the type of data itself (i.e., computerized data). Regardless, it is tough to see how any modern businesses could escape the broad reach of this definition.
New York’s law is a big deal largely because the definition of “private information” is a now broader than in many other states, and encompasses biometric information. The law also ropes in businesses that own, license, or even maintain New York residents’ private information, regardless of if the entity actually conducts business in New York state. And if the business experiences a data breach affecting the private information of New York residents, it must notify all affected persons. The SHIELD Act also requires businesses to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” To define these “safeguards,” the SHIELD Act provides guidelines that largely mirror preexisting standards such as the National Institute for Standards and Technology Cybersecurity Framework, a set of widely recognized voluntary best practices. Smaller businesses must also comply with the requirement, in that “reasonable safeguards,” for smaller businesses can be shaped by and made appropriate for the size and nature of the business and sensitivity of the data. To qualify for that flexibility, however, New York sets firm thresholds based on the number of employees (fewer than 50), amount of annual revenue over the trailing three years (less than $3M), or year-end assets in the bank (less than $5M).
In Texas, newly enacted requirements were modest but evidence a trend. First, changes to the breach law mean that now a notifying party must give notice of a breach to “all affected parties” within 60 days of determining when a breach has occurred. And, for incidents involving 250 Texas residents or more, notice must also be provided to the Texas attorney general. Notable, too, is that Nevada’s Senate Bill 220 also placed new data security requirements on government agencies that are collecting data, specifically requiring that those agencies comply with the current version of the Center for internet Security’s Controls or the corresponding NIST standards “to the extent practicable.” This requirement may be more aspirational than substantive, but by keying the statutory requirement to a preexisting standard, the legislature at least avoided creating a completely new set of standards that organizations must decipher and implement. As these new laws show, states are enhancing laws that regulate consumer information not just in the event of a breach but also where the sale or sharing of that data is concerned. The growing patchwork of cybersecurity and privacy laws will continue to pose challenges for businesses operating across state lines — highlighting the importance of knowing exactly which consumer data the business has and how it’s being used.
— Larkin Reynolds is a Denver-based attorney focusing on technology businesses and data privacy. She can be reached at [email protected] or 303-335-0135.