If your business is located in the United States or does business there, allow us to introduce you to the alphabet soup of regulators, statutes, and standards that have some impact on, or authority over, data privacy. Pay close attention and memorize the following. (There will be a quiz!)
ADA, ADEA, APA, BCR, BITAG, BSA, CALEA, CALOPPA, CAN-SPAM, CARU, CCPA, CFPB, CISA, CMIA, COBRA, COPPA, CPBR, CPEA, CPNI, CRA, DAA, DMA, DNC, DNT, DODD-FRANK, DPA, EBR, ECOA, ECPA, EEOC, EHR, EPIC, EPPA, ERISA, ESI, ESRB, FACTA, FATCA, FBI, FCC, FCRA, FDCPA, FERPA, FINCEN, FIPP, FIRREA, FISA, FISC, FLSA, FMLA, FOIA, FTC, GINA, GLBA, GPEN, HHS, HIPAA, HITECH, HITRUST, ICRAA, IRCA, IRS, MSCM, NHTSA, NIH, NIST, NLRA, NLRB, NSA, NSF, NSL, NTIA, PCI-DSS, PCLOB, PHI, PI, PII, PPRA, QPO, RFPA, SAR, SCA, SCC, SOX, TCPA, TSR, UDAP, USA FREEDOM ACT, USA PATRIOT ACT, and, VPPA.
We know what you’re thinking: Really?!
Yes, really. Every acronym on that list has some direct or indirect regulatory effect or authority over data privacy in the United States. Nearly all of them are federal laws, agencies, or industry standards (a few, such as the CCPA, CALOPPA, and CMIA, are California's). And that is mostly just the federal level. The fun really starts at the state level, where, in the absence of a preemptive federal privacy law, the local legislators have stepped in and created state-specific regulations. If you're doing business in multiple states, you can expect to spend hours of uninterrupted fun making sure that your business complies with each and every one of those as well.
So what do we do about this?
That is the exact same question that all companies have been asking. Tech giants in particular have been miffed, put out, and disappointed about having to deal with all these state regulations. For once, they have been "begging" for a federal law to preempt them and simplify everything. Washington keeps promising (or threatening) to create one, but don't hold your breath, especially for the "preemptive" part. In general, federal statutes set a floor and leave the states free to impose stricter requirements on top of it. So, yes, a federal US privacy law is coming, but it is unlikely to make anybody's life much easier. In cases where state regs are stronger, you will still need to deal with them.
United States Privacy Regulations
For now, you need to think of privacy regulation in the United States as having two distinct steps. First you have to ask, “Which federal regulations apply to my business?” and then, “Which state regulations do I also need to comply with?”
The only way to stop big data from becoming big brother is to introduce privacy laws that protect basic human rights online.
1. Federal Regulations.
When you confront federal regulations, what you’re confronting are industry-specific, or legal-area-specific rules. Using the table, identify the areas for federal regulation that may apply to your business.
Some of these regulations are intended to ensure that your company takes appropriate steps to protect PII, be it employee PII or consumer PII. Others clarify the extent of governmental power and reach when requesting PII from your company. Either way, you’re on the hook.
One area that affects basically all businesses is employee privacy, because every business in the United States that has employees is subject to these laws. Compliance is a company-wide responsibility, but the day-to-day nitty gritty rests primarily with your human resources department, so you will be working closely with HR. Beyond employee privacy, focus on the regulations that specifically apply to the kind of business you're in.
Once that exercise is complete, you’re ready for the next step: state regulations.
2. State Privacy Regulations.
As we discussed, in the absence of federal law, the states have stepped in with their own legislation, most prominently California with the California Consumer Privacy Act (CCPA), Maine with the Maine Act to Protect the Privacy of Online Consumer Information, and Nevada with the Nevada Senate Bill 220 Online Privacy Law.
These are in addition to a slew of cybersecurity-specific legislation and regulation such as the Maryland Personal Information Protection Act, the Massachusetts Bill H.4806, the infamous New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, and the Oregon Consumer Information Protection Act (OCIPA).
But wait. There’s more! Additional states are working on their own privacy legislation—some inspired by the California language but some not. We recommend checking out the International Association of Privacy Professionals (IAPP) to get the most up-to-date information on privacy legislation status across each state and around the world.
As of this writing, the following states have privacy laws that are either already in effect or will be going into effect in 2023: California, Colorado, Connecticut, Utah, and Virginia. Other states are currently working on their own regulations, including (but not limited to, since this changes often!): Michigan, Ohio, New Jersey, and Pennsylvania.
If you do business in any or all of these states, well, best get ready to figure out where your exposure is state-by-state, and what to do about it. We’re told the line starts in Sacramento, and it’s currently looping around downtown Boston!
All joking aside, this is a serious problem for a business of any size. It's not only the Fortune 500 companies that need to be compliant with all these regulations. Hundreds of thousands of mid-market and small businesses interact with consumers, vendors, partners, and freelancers, and move business-to-business data across state lines, and all of them are affected. Worse, even if they could find certified privacy professionals, the vast majority couldn't afford them or keep them for long.
Which brings us back to you and your allies. You, one step at a time, will have to identify each state that you do business in, understand its privacy requirements, determine whether your company is affected, and, if so, add that law to your Company Privacy Profile and to your eventual privacy program constraints list.
Due to the vast size of The Golden State, California’s CCPA is the single most influential state-level regulation passed so far. So let’s take a closer look at the CCPA. It is likely that other regulations will echo California’s rules to some extent.
State of California, effective January 1, 2020.
The California Consumer Privacy Act ("CCPA") was introduced in the California legislature in June 2018 and was signed into law a few days later by Governor Jerry Brown. It was rushed through the legislature for an interesting reason. If the legislature had not passed it in that session, the bill would have reappeared as a ballot initiative in November of the same year. Had it passed in ballot initiative form (as expected), the legislature would not have been able to amend the law, because there is a very convoluted process that governs changes to enacted ballot initiatives. By passing the law as a law, the legislators kept the ability to fine-tune it. Indeed, numerous amendments have already been considered.
3. CCPA Intent and Major Provisions
The CCPA's statement of intent lists the following rights (the statute itself also adds a right to request deletion of personal information a business has collected):
- The right of Californians to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights.
4. PII Definition.
The CCPA uses the term "personal information" rather than PII, and defines it broadly as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." Note the inclusion of households, which sweeps in data that is not tied to one named individual.
The act goes on to elaborate on personal information by enumerating categories such as identifiers, biometrics, protected classifications, online activity, geolocation, educational data, and "Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
According to the CCPA, the law applies to:
- A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
  - Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
  - Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
  - Derives 50 percent or more of its annual revenues from selling consumers' personal information.
- Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. "Control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. "Common branding" means a shared name, servicemark, or trademark.
The act does not reach commercial conduct that takes place wholly outside California: if the consumer was outside the state when the information was collected, no part of the sale occurred in California, and no personal information was collected while the consumer was in California, the CCPA's obligations do not apply. Nonprofits are outside the definition of "business," and so are for-profit companies that fall below all three thresholds above, which is what excludes most small businesses and those that do not traffic a significant volume of personal information. Note that the thresholds and definitions quoted here are from the 2018 text of the statute; the California Privacy Rights Act (Proposition 24, approved in November 2020) amended them, with most changes operative January 1, 2023, so check the current text before relying on any one number.
The CCPA provides for enforcement by the California Attorney General, and also provides for a private right of action "in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer's non-encrypted or non-redacted personal information." That private right of action is limited to data breaches; consumers cannot sue over other violations of the act.
The CCPA provides for civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation, and in the private right of action for breaches, statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater). The original text gave businesses a 30-day cure period before the Attorney General could bring an enforcement action.
The complete text of the CCPA (California Civil Code Section 1798.100 and following) can be found here.
But wait, as usual, there's more! A whole host of amendments have been introduced to the CCPA in the current legislative session. Should they pass, those amendments could change how the regulations impact your business. It's worth keeping an eye on these developments, and fortunately our friends at ISACA are on top of it. Here is a recent compilation of news about the amendments.
California is the most-populated state and has the country’s highest GDP, followed by Texas and New York. Therefore, it is no surprise that legislation such as the CCPA affects business across the United States as well as the world. No business can afford to “fence off” their California operations. As a result, companies are likely to implement California’s standards across the board, essentially making this law a de facto national standard, pending any preemptive federal legislation.
Data Protection in the United States: Conclusions
Different states make their own decisions about regulations. However, there is general consensus beginning to develop when it comes to the definition of PII. You should expect California’s definition to propagate into an eventual federal privacy statute.
Unfortunately, that tends to be where the consensus ends. States take differing views on the appropriate reach of privacy regulation, on what is included and excluded, and on the penalties for violating the laws. When it comes to a federal statute, these policy differences are likely to remain contentious between the warring factions of lobbyists in DC.
That said, the likelihood of a federal law preempting the state laws is not very great. To be sure, the federal law will fill the vacuum in states that do not have any regulations at all. But the feds are likely to yield the right to the states to impose stricter conditions.
It is reasonable to assume that the California Consumer Privacy Act will serve as a template for federal legislation. What does this mean for you? Clearly, you'll need to ensure CCPA compliance. With that in place, you will be very well positioned to tackle any additional legislation coming your way in the months and years ahead.
Keep yourself informed with IAPP’s US Federal Privacy Legislation Tracker and US State Privacy Legislation Tracker. Those regularly updated pages will let you know the latest.