Bloomberg Law
June 19, 2018, 7:47 PM UTC

With Focus On GDPR, Don’t Lose Sight of Domestic Privacy Developments

Mike Smith

Companies gearing up for the European Union’s implementation of the General Data Protection Regulation — which introduces significant new obligations on any business processing the personal data of individuals in the EU — should not lose sight of significant obligations imposed by U.S. state legislatures, which are quite active in the privacy sphere.

The domestic privacy regime offers a patchwork of requirements affecting businesses in every sector. Companies can be caught unaware when state laws addressing the same topic mandate different requirements. For example, both Arizona and Virginia have privacy laws specifically applicable to the insurance industry, and both states require insurers to provide a notice of information practices to applicants and policyholders. For policy renewals, however, Arizona requires the insurer to provide the notice annually, whereas Virginia provides an exception in cases where personal information is collected only from the policyholder or from public records. Compliance — even just keeping up with new requirements — can be challenging.

When data breach notification laws come into effect in South Dakota on July 1, all 50 states and the District of Columbia will require disclosures of a breach. But the type, timing and target of notification varies from state to state. States even differ on how they treat violations. Texas, for example, imposes civil fines of up to $50,000 per violation. California permits class actions. Georgia imposes no penalty at all.

Recent high-profile breaches and scandals involving companies such as Equifax and Facebook have moved state legislatures to take action to protect consumers. Several states, including Kentucky (S.B. 33), Massachusetts (S. 2455), and Minnesota (S.F. 3881), have introduced legislation to prohibit consumer reporting agencies from charging consumers to place or remove a credit freeze if the need for a freeze was caused by the consumer reporting agency. Oregon also recently passed such legislation (2018 Or. Laws ch. 10). In addition to eliminating fees charged by credit reporting agencies, the Oregon law specifies that if a company offers to provide free credit monitoring services, it must not condition the offer on a consumer providing credit card information. And if the company offers to provide such services for a fee, that fact must be conspicuously disclosed.

Oregon’s law also updates its data breach notification provisions, requiring companies to give notice of a breach within 45 days of discovery. Prior to the amendment, notice was to be given “in the most expeditious manner possible, without unreasonable delay.” Arizona also recently amended its breach provisions by expanding the definition of personal information and imposing more detailed notification requirements in the event of a data breach (2018 Ariz. Sess. Laws Ch. 177).

Consumer protection concerns are not only on the minds of state legislators, however. There have long been calls for a federal data breach notification bill that would give organizations one set of rules to follow in the U.S. And recently, Reps. Blaine Luetkemeyer, R-Mo., and Carolyn Maloney, D-N.Y., circulated a discussion draft of a proposed federal law — the Data Acquisition and Technology Accountability and Security Act — that would preempt state breach notification laws. In response, 32 attorneys general sent a letter to House Committee leaders voicing their objections to the proposal. Among other things, they noted that the proposed law would preempt laws that require notices to consumers and state attorneys general, and would instead allow entities suffering breaches “to determine whether to notify consumers of a breach based on their own judgment …”

Another area in which states are taking the initiative is broadband privacy. Many states have responded to a shift in federal priorities with bills addressing the data handling practices of internet service providers. After the Trump Administration rolled back Obama-era regulations on broadband privacy, Nevada, for example, enacted a law requiring website operators and online service providers to provide notice of their information collection practices to consumers (2017 Nev. Laws ch. 570), and Connecticut has established a working group to examine the issues and make recommendations regarding broadband consumer data privacy (Conn. Pub. Acts 17-2, Sec. 555). Roughly 20 other states are considering similar measures.

Navigating this thicket of laws and regulations and gaining a working knowledge of each state’s statutes, regulatory authorities, and enforcement environment takes constant, informed scrutiny. Browsing multiple sources, often for inconsistent terms applied by varying enforcement bodies, is a real time sink.

Bloomberg Law has developed a new Domestic Privacy Profile series to eliminate those obstacles.

The Domestic Privacy Profiles provide in-depth coverage of state privacy laws, organized by type of regulation, type of data, and sector. They provide information that is both comprehensive and easy to apply. Further, each profile shares a uniform table of contents, enabling simple comparisons between jurisdictions. And practicing in-state experts curate each profile, applying a working knowledge of each state’s enforcement environment and practical experience applying the relevant legal provisions.

With the publication of the Domestic Privacy Profiles, privacy professionals now have at their disposal a one-stop shop with the information necessary to evaluate the legislative burdens in each state, the risks of expanding business, notice of emerging state-wide and national trends, and any overlaps between federal and state regulation.

– Mark Smith is deputy editorial director for privacy and data security for Bloomberg Law. He has extensive experience covering privacy & data security, cyberlaw, and intellectual property issues, is a member of the International Association of Privacy Professionals, and is a Certified Information Privacy Professional (CIPP/US and CIPP/C). He can be reached at mark.smith@bloomberglaw.com.

To contact the reporter on this story: Mike Smith in Washington at msmith1_ic@bna.com

To contact the editor responsible for this story: Mark Smith at mark.smith@bloomberglaw.com
