While at the federal level security and privacy legislation is lost in a morass of partisan politics and corporate lobbying delays, states have been moving ahead to push through an impressive number of important bills that help fill in the gaps. A search of the Legiscan database reveals that hundreds of bills that address privacy, cybersecurity and data breaches are pending across the 50 states, territories and the District of Columbia.
The most comprehensive piece of state-level legislation across these often-intertwined categories that has been enacted over the past two years is the sweeping California Consumer Privacy Act (CCPA), enacted and signed into law on June 28, 2018. Inspired by the EU’s groundbreaking General Data Protection Regulation (GDPR), the legislation aims to give the state’s consumers greater control over how businesses collect and use their personal data. In November 2020, California voters approved the California Privacy Rights Act (CPRA), which creates a new consumer privacy agency and aligns privacy regulations more closely with the GDPR.
The CCPA is slated to take effect on January 1, 2020, giving those who believe the bill was too broad or too narrow time enough to limit or expand its scope. So far two bills have been introduced in the California Assembly to expand the scope of CCPA, while nine draft bills seek to limit its impact.
In the sections below, we summarize the current provisions of the CCPA, along with other major pieces of state legislation that have been recently enacted and signed into law. Each of these recently adopted measures in its own way significantly impacts privacy, data security, cybersecurity or data breach notification requirements in the respective states.
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Nevada Senate Bill 220 Online Privacy Law
- Maine Act to Protect the Privacy of Online Consumer Information
California Consumer Privacy Act (CCPA)
The CCPA incorporated many of the GDPR-inspired provisions in what had previously been a ballot measure in the state called the Consumer Right to Privacy Act of 2018. The legislation’s provisions “grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.”
The law applies to businesses that collect information from California residents and meet at least one of the following thresholds: (1) have over $25 million in annual gross revenue; (2) buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their revenue from the sale of consumers’ personal information.
Among some of the more noteworthy of the many expansive provisions in the law are sections that:
- Require a business to make disclosures about the personal information it collects and the purposes for which it is used.
- Grant a consumer the right to request deletion of personal information and require the business to delete that information upon receipt of a verified request.
- Grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects, the categories of information that were sold or disclosed, and the identity of the third parties to which the information was sold or disclosed. Businesses will be required to provide this information in response to verifiable consumer requests.
- Authorize a consumer to opt out of the sale of personal information by a business and prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
- Require businesses that disclose personal data to deliver that data free of charge to verifiable consumers upon request.
- Grant consumers the right to control selling their information to third parties via a “Do Not Sell My Personal Information” link in their privacy policies.
- Give individuals the ability to direct businesses to delete their information.
- Prohibit businesses from selling information about consumers between the ages of 13 and 16 without their explicit consent and require them to obtain parental consent before selling information about a consumer under the age of 13.
- Expand the definition of personal information to include such things as IP addresses, device IDs, cookie IDs, and psychographic profiles based on customers’ preferences, characteristics, behavior, interests and many other variables.
California Privacy Rights Act (CPRA)
California voters approved this ballot measure in November, making it law effective on January 1, 2023, though with a six-month grace period on enforcement. The CPRA mandates the creation of a consumer privacy agency, which takes responsibility for privacy law violations away from the state’s attorney general.
The most significant changes from the CCPA are:
- Companies serving fewer than 100,000 California residents or households are not subject to the privacy regulations. The CCPA’s threshold is 50,000 and includes devices.
- Companies must delete personal information once it is no longer necessary. How regulators will define “necessary” is open to interpretation.
- Consumers may force a company to correct inaccurate personal data.
- Companies must ensure that any third parties with whom they share personal data comply with the CPRA.
- Consumers may opt out of companies sharing their data. Under the CCPA, consumers can only opt out of their data being sold.
- Breach liability now includes exposure of email addresses combined with security questions.
- If a breach includes personal data of minors, fines may be tripled.
- Companies might still be subject to private rights of action and statutory damages after a breach even if they fix what caused the breach.
- Consumers no longer need to show harm to be able to sue for a breach.
Nevada Senate Bill 220 Online Privacy Law
While California’s CCPA grabbed all the headlines, Nevada quietly passed its own tougher online privacy law, Senate Bill 220, which was signed into law by the governor on May 30, 2019. The bill amended Nevada’s existing privacy law by requiring businesses to offer consumers an opt-out regarding the sale of their personal information, with some exceptions. The bill goes into effect on October 1, 2019, prior to the effective date of the CCPA, making Nevada’s legislation the first in the U.S. to grant consumers a right to opt out of the sale of their personal data.
Unlike CCPA and GDPR, Nevada’s bill does not add any new notice requirements for website operators but does require them to post certain items of information in their privacy policies, including the categories of information collected, the categories of third parties with which the data is shared, a description of the process consumers may use to review and request changes to their covered information, a disclosure that third parties may track consumers’ online activities and the effective date of these notices.
Organizations that violate these terms may be subject to a penalty up to $5,000 per violation as well as a temporary or permanent injunction. Under the law, the attorney general’s office will have the power to bring actions for violations but must allow offenders a 30-day period to fix violations other than those that deal with opt-out rights.
Maine Act to Protect the Privacy of Online Consumer Information
On June 7, 2019, Maine Governor Janet Mills signed a bill to protect the privacy of online consumer information. The bill goes into effect on July 1, 2020. The legislation specifically bars broadband internet access providers from “using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access,” with some exceptions.
The bill also prohibits broadband providers from refusing to serve a customer or charging them more if they don’t consent to the use, disclosure, sale or access of their personal data.
The bill further requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access. Under the bill, personal information is defined as (a) “personally identifiable customer information” about the customer and (b) information derived from the customer’s use of broadband internet access services such as web browsing history, geolocation data, device identifiers and a number of other technical data points that can be used to identify individuals.
Cybersecurity, data security and data breach notification laws
- New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
- New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
- Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches
- New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)
- Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)
- Oregon Consumer Information Protection Act (OCIPA) SB 684
- Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council
- Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)
New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
Regulators at the New York Department of Financial Services (DFS) adopted new rules, 23 NYCRR 500, on February 16, 2017 that place certain minimum cybersecurity requirements on all covered financial institutions. These rules require each company to assess its specific risk profile and design a program that addresses its risks in a robust manner.
The deadline for certain required regulatory activities under the new rules was March 2019. Under the requirements, any DFS-regulated entity that meets certain criteria (more than 10 employees, more than $5 million a year in revenue and year-end assets exceeding $10 million) and that is doing business in New York is required to establish an internal cybersecurity program to protect the information assets under its control.
Smaller entities have to meet other obligations, including limiting access to information, assessing their risk, implementing policies related to third-party data control, and their own data disposition. All regulated entities are obliged to report data breaches, regardless of size.
The rules further require covered entities to designate a Chief Information Security Officer, and maintain audit trails, among a host of other good cybersecurity practices spelled out in the regulation.
New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (Senate Bill S5575B), which expands the state’s current data breach law and imposes affirmative cybersecurity obligations on covered entities.
Among other things, the bill:
- Expands the scope of information subject to the current data breach notification law to include biometric information and email addresses and their corresponding passwords or security questions and answers.
- Broadens the definition of a data breach to include unauthorized access to private information.
- Applies the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State.
- Updates the notification procedures companies and state entities must follow when there has been a breach of private information.
- Creates data security requirements tailored to the size of a business.
The first four provisions go into effect on October 23, 2019 while the last one mandating security requirements goes into effect on March 21, 2020.
Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches
Signed into law by Governor Charlie Baker on January 10, 2019 and effective as of April 11, 2019, the new law:
- Amends the content requirements for breach notifications to state residents by requiring disclosure of the parent company of the entity breached.
- Requires businesses to offer free credit monitoring services for at least 18 months to residents whose social security numbers have been affected by a breach and the breached entity must provide all necessary information for enrolling in credit monitoring services. The breached entity cannot condition the services on the resident’s waiver of his or her right to a private right of action.
- Requires a range of new content requirements for breach notifications, including the disclosure of the person responsible for the breach in breach notifications, the contact information of the entity that experienced the breach and the person who reported the breach, the type of personal information compromised, whether the breached entity maintains a written information security program, and a sample copy of the notice sent to state residents.
- Stipulates that breach notification may not be delayed on grounds that the total number of residents affected is not yet ascertained.
New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)
Approved by Governor Phil Murphy on May 10, 2019 and effective as of September 1, 2019, the bill treats credentials for any online account, including a personal account, as personal information subject to state breach notification laws.
Specifically, the bill treats any of the following as personal information:
- Social Security number;
- driver’s license number or state identification card number;
- account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
- username, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account;
- dissociated data that, if linked, would constitute personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data.
The law also clarifies that any relevant entity may not provide data breach notifications through email accounts that have been affected by a security breach and must find some other notification method.
Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)
Approved by Governor Larry Hogan on April 30, 2019 and effective as of October 1, 2019, the law extends the state’s existing data breach requirements to personal information maintained by a business in addition to personal information owned or licensed by a business. These businesses are also now required to conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach.
Those businesses that simply maintain personal data may not charge the owner or licensee a fee for providing the information needed to notify Maryland residents. The law also places certain limitations on information relative to the breach.
Oregon Consumer Information Protection Act (OCIPA) SB 684
Signed into law by Governor Kate Brown on May 24, 2019 and effective as of October 1, 2019, the legislation amends state law by expanding the definition of personal information under the statute to include online account credentials on their own. The bill also creates, with some exceptions, additional notification obligations for “vendors” that maintain or process personal information on behalf of other businesses, who will also be required to notify the Oregon Attorney General if the personal information of more than 250 residents (or an indeterminate number of residents) is involved. However, all vendors must notify the relevant business, and a sub-vendor must notify the relevant vendor, within 10 days of discovering or having reason to believe a security breach occurred.
Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council
Signed by Governor Greg Abbott on June 14, 2019 and effective as of January 1, 2020, the legislation amends state law to change the time period for breach notification from “as quickly as possible” to “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.” If the breach affects more than 250 residents of the state, a person who is required to disclose or provide notification of a breach of system security under this section shall notify the attorney general of that breach not later than the 60th day after the date on which the person determines that the breach occurred.
The notification must also contain a detailed description of the breach, the number of affected Texas residents, the measures taken by the breached entity in response to the incident and whether law enforcement has been engaged.
Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)
Approved by Governor Jay Inslee on May 7, 2019 and effective as of March 1, 2020, the law expands the scope of Washington’s existing data breach law by revising the statutory definition of personal information to include an individual’s first name or initial and last name in combination with other data elements such as full date of birth, student ID number, passport number, health insurance policy or identification number, private key that is unique to an individual and that is used to authenticate or sign an electronic record, medical information and biometric information.
Under the amended law, businesses now only have 30 days, rather than 45 days, to deliver the required notifications. Notifications must include a timeframe of exposure, if known, including the date of the breach and the date of the discovery of the breach, the types of personal information affected, a summary of steps taken to contain the breach, and a sample copy of the breach notification sent to Washington residents. A business must update the attorney general if all this information is unknown at the time of the breach.
Editor’s note: This article, originally published on August 8, 2020, has been updated to include information on the CPRA.