New York and Massachusetts may soon follow in California’s footsteps

The California Consumer Privacy Act (CCPA) is just one of a “coming tsunami” of state-level US privacy laws that will substantially impact how organizations collect and use personal data in 2020 and beyond.

This is according to David Oberly, associate at US law firm Blank Rome, who noted that, although the CCPA was “by far the most significant development” to have taken place in the US over recent years, several other states are gearing up for changes of their own.

What is CCPA?

The California Consumer Privacy Act (CCPA) is legislation that provides consumers with new rights relating to the access to, deletion of, and sharing of their personal information that is collected by businesses.

The CCPA came into force on January 1, 2020, and includes the following requirements:

  • Businesses must disclose data collection and sharing practices to consumers
  • Consumers have a right to request that their data be deleted
  • Consumers have a right to opt out of the sale or sharing of their personal information
  • Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent

“Knowledge is power, and in the internet age, knowledge is derived from data,” said California Attorney General Xavier Becerra.

“Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data. That includes keeping it private.”

The California Consumer Privacy Act came into force on January 1, 2020The CCPA came into force on January 1, 2020

Other states follow California’s lead

Likened by some to the EU’s General Data Protection Regulation (GDPR), the CCPA has attracted no small amount of attention from privacy advocates and organizations with a Californian customer base.

However, looking ahead to 2020 and beyond, Oberly said it’s not only the Golden State that’s ushering in changes to its privacy legislation.

“The CCPA is the first of a coming tsunami of state-level privacy laws which, together, will radically shift how businesses collect, use, and protect personal data,” Oberly told The Daily Swig.

“In 2019, several other states wasted no time jumping on the CCPA bandwagon, following in California’s footsteps by enacting similar privacy laws of their own. First, Nevada enacted Senate Bill 220 (SB-220), which amends the state’s existing online privacy law, and went into effect on October 1, 2019.”

READ MORE GDPR vs. CCPA: Which goes further to protect personal data?

“SB-220 grants consumers the right to opt out of the sale of their personal data, and requires covered entities to offer an online email address, toll-free telephone number, or website function to facilitate that right. In addition, covered entities are also required to satisfy consumer opt-out requests within the 60-day time period mandated by the law.

“In addition, New York enacted its Stop Hacks and Improve Electronic Data Security Handling (SHIELD) Act, which provides key changes to the state’s data security and data breach notification laws,” said Oberly.

“Most importantly, the SHIELD Act sets forth a new mandate that requires businesses to implement and maintain strong defensive data security safeguards to protect sensitive personal information from improper disclosure, access, or acquisition.

“At the same time, the law also substantially expands the scope and reach of the state’s breach notification law as well.”

New privacy legislation for 2020?

Robert Cattanach, partner at the international law firm Dorsey & Whitney, said the CCPA will impact companies of all sizes around the globe.

“While the impact of CCPA on most companies is likely to be less burdensome than was the case for [GDPR], some of the ‘lighter touch’ aspects of the CCPA may actually create hidden, but significant, challenges for many companies, regardless of their size,” Cattanach says.

“CCPA creates private enforcement rights for data breaches, which GDPR does not include. This is likely to create massive liabilities for US companies – but only for those unfortunate enough to suffer a data breach.”

Importantly, however, Oberly noted that the CCPA may soon be joined by a proliferation of similar new privacy laws, as additional state legislatures seek to implement their own privacy statutes.

Many of these, he said, would be modeled off the “burdensome” CCPA.

“With respect to states to watch in 2020, Massachusetts and New York are the two main focus points for potential CCPA-like laws for 2020,” Oberly said.

“Massachusetts currently has pending in its legislature a CCPA-like bill, ‘An Act Relative to Consumer Data Privacy’, which would create a comprehensive consumer privacy regime in the Bay State.

“Similarly, New York also has pending its New York Privacy Act (NYPA), which would far surpass the CCPA both in terms of the rights granted to consumers with respect to their data, as well as with respect to the corresponding obligations placed on covered entities. At this time, both consumer privacy bills remain pending in their respective state legislatures.”

Rapidly changing legal landscape

In his summary of the US privacy legislation landscape over the past 12 months, Oberly said: “2019 brought with it the enactment of numerous laws focused on greater regulation over personal data, including comprehensive consumer privacy laws, data broker laws, and IoT security laws, just to name a few.”

“While it remains to be seen how 2020 will pan out in terms of the specific new laws that will come online over the course of the next year, one thing can be certain – that 2020 will bring with it a host of new privacy compliance obligations, hurdles, and challenges that companies will need to be ready to address in a swift and effective fashion.

“In addition to complying with the laws that are currently on the books, companies also need to ensure that they are able to quickly adapt to the to the rapidly changing legal landscape of consumer privacy law in 2020, which is sure to see many significant changes over the course of the year.”

RELATED California expands data breach notification law to include passport and biometric data