The European Union exemplifies the “gold standard of data privacy laws” with the expansive GDPR passed in April 2016. While the United States has not passed such a comprehensive bill, there are federal privacy laws, new state laws, and a number of initiatives geared toward bolstering consumer protections.
The California Consumer Privacy Act (CCPA) went into effect on Jan 1, 2020, and many other states are ramping up their data privacy laws and task force initiatives. The momentum to protect consumers has never been greater. Therefore, it is worth looking at the next generation of consumer privacy bills to consider what they might mean for law firms and their clients.
A Brief History of U.S. Data Privacy Laws
Along with advances in computer technology came a series of U.S. laws intended to prevent the misuse of personal data.
U.S. data privacy laws enacted by the federal government include:
- The U.S. Privacy Act of 1974 – The act grants U.S. citizens the right to access, correct, and receive a copy of all data held by the federal government. It encourages agencies to collect only data that is “relevant and necessary” and to share it with personnel on a need-to-know basis. It also restricts sharing the data with other federal and non-federal agencies.
- HIPAA (1996) – The Health Insurance Portability and Accountability Act is a sophisticated collection of data privacy and security rules that lay down specific confidentiality requirements affecting medical care providers. Health organizations must have safeguards in place to limit “unnecessary or inappropriate access” to personal health information.
- Financial Modernization Act of 1999 – Also known as the Gramm-Leach-Bliley Act or GLBA, this overarching banking and finance law includes protections for nonpublic personal information. Banks must periodically mail out privacy statements explaining what data is being collected, who it is shared with, and how to opt out of data sharing with non-affiliated third parties. One very noteworthy loophole is that consumers have no legal privacy controls to restrict the sharing of nonpublic personal information within “corporate families.”
- COPPA (2000) – The Children’s Online Privacy Protection Act prohibits online companies from asking for personal identifying information from children 12 and under without verifiable parental consent. More recent updates in 2012 expanded protections to screen names, email addresses, photographs, video chat names, audio files, and geolocation coordinates. Web operators must take “reasonable steps” to release children’s data only to “service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such a manner.”
How is Privacy on the Internet Handled?
The Internet itself is a primarily deregulated space. Companies that operate on the web tend to create and abide by their own privacy standards. The Federal Trade Commission (FTC) has limited authority to police the misrepresentations internet companies make about collected consumer data. Meanwhile, some states have passed new privacy laws. As an example of such state protections, the CCPA in California is an attempt to modernize how businesses and organizations handle customer data, including data collected and stored digitally. Lawyers are relying on these new state privacy laws to bring data privacy class action lawsuits on behalf of consumers.
New U.S. State Data Privacy Laws
Data privacy laws across the United States share many rights and obligations.
The following consumer rights are common to most data privacy legislation:
- To access one’s own personal information that has been collected or shared.
- To request that incorrect or outdated personal information be corrected.
- To request the deletion of personal information under certain conditions.
- To restrict a business’s ability to process personal information.
- To request personal information in a common file format.
- To opt out of the sale of their personal information to third parties.
- To prevent businesses from automating decisions based on consumer data.
- To seek civil damages when data privacy statutes are violated.
Businesses are obligated to:
- Provide notice of data practices and privacy programs.
- Notify consumers and authorities of a security breach.
- Conduct formal risk assessments on security procedures.
- Treat consumers fairly, regardless of opting in or opting out.
- Collect and process only essential personal information.
- Exercise a duty of consumer care, loyalty, and confidentiality.
Specific Data Privacy Laws by State
Some data privacy laws and proposed laws by state:
- California Consumer Privacy Act (CCPA) – Signed into law in 2018 and in effect since 2020, the CCPA represents the most comprehensive data privacy legislation in the U.S., comparable perhaps only to Europe’s GDPR. California consumers have a right to access their own data collected by businesses. Businesses cannot sell personal information without providing notice and an opportunity to opt out. Consumers have a “right to delete” their personal information upon request and a right to sue for data breaches. Violations of the CCPA are enforced by the California Attorney General’s Office, which can seek civil penalties of $2,500 for each violation, or $7,500 for each intentional violation, after notice and a 30-day opportunity to cure have been provided. Personal information is explicitly spelled out as email, employment information, browsing history, biometrics, geolocation data, and any “probabilistic information” that gives a greater than 50% chance of identifying someone. Companies are called upon to “implement and maintain reasonable security procedures.” California’s state government considered the security frameworks established by the Center for Internet Security and the National Institute of Standards and Technology, which provide broader context for California’s new rules. View our CCPA Compliance checklist for businesses.
- Maine Privacy Law (LD 946) – This law, passed in June 2019, requires broadband internet service providers to get express consent from a customer before sharing their data with a third party. This law is seen as one of the strictest in the nation, as it requires consumers to opt in to the agreement rather than opt out. However, the law only regulates internet service providers serving customers physically located and billed in Maine.
- Massachusetts Data Privacy Law (in Senate) (S-120) – This law shares language with the CCPA by requiring consumer access to personal information, the right to delete, explicit notification of privacy rights, and the opportunity to opt out of third-party data sales. Personal information is broadly defined, using probabilistic identifiers. Unlike the CCPA, consumers “need not suffer a loss of money or property” as a result of a data privacy breach in order to bring an action. Plaintiffs can recover up to $750 per consumer.
- Nevada Internet Privacy (SB 220) – This law expands upon existing law, which requires operators of a website or online service that collect personally identifiable information about Nevada consumers to post a notice describing how that information is stored and protected. SB 220 further defines an operator and requires operators to provide a designated request address through which consumers can direct the operator not to sell their information to third parties.
- New York Privacy Act (in Senate Committee) (S-5642) – Like the CCPA, the list of identifying information is broad, and consumers retain the right to request and delete personal data held by companies. Organizations must disclose broad categories of information shared with third parties. Like Massachusetts, New York allows a private right of action for any violation of the law made by businesses of any size. Like the GDPR, consumers own their data and can correct inaccurate information.
- North Dakota (HB 1485) – Websites are wholly restricted from sharing information with third parties without consent. However, consumers do not have the right to remove or delete data once consent has been given.
Looking for a Partner?
Kroll Settlement Administration handles consumer, data breach, and mass tort matters across the country. We are fully versed in all United States data privacy laws that may affect your clients and your notification protocols. Contact us to discuss your class action administration needs.