Regulation: California Consumer Privacy Act (CCPA)
Date in effect: January 1, 2020
Coverage area:
- Among other things, CCPA confers the following rights upon California residents. These rights also confer corresponding obligations and rights upon businesses and third parties who receive the information.
- The consumer right to request that businesses disclose the categories and specific pieces of personal information the business has collected, along with the sources of that information, the business or commercial purpose for collecting the information, and the categories of third parties that the business shares personal information with.
- The consumer right to request that the business delete any personal information it has collected about the consumer
- The consumer right to request that businesses that sell the consumer’s information disclose the categories of personal information collected, the categories of personal information sold, the categories of third-party information the information was sold to, and if the business has not sold the consumer’s information.
- The consumer right to opt out. At any time, the consumer may direct a business that sells personal information about the consumer to third parties, not to sell the consumer’s personal information
- Third parties shall not sell personal information about a consumer that has been sold to the third party by a business, unless the consumer provides explicit notice and is provided the right to opt out.
- Businesses may not discriminate against a consumer who exercises any of the rights defined under this law.
- Businesses shall comply with consumer rights in a form that is readily accessible to consumers and satisfies the mandates of the law.
- For the purposes of this law, the state of California provided definitions for consumers, businesses, third parties, personal information, and many other items.
- Business obligations in this law should not prevent businesses from complying with other federal, state, and local laws and situations, as listed in the section 1798.145.
- Any consumer whose information is subject to “…an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices…may institute a civil action…”
- The state created a special fund called the Consumer Privacy Fund, to offset any costs incurred in the State courts or by the Attorney General in carrying out duties under this title.
- The CCPA is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agencies regarding the collection and sale of consumers’ personal information by a business.
- Any provisions of a contract or agreement that purports to waive or limit in any way a consumer’s rights under this title shall be deemed contrary to public policy and shall be void and unenforceable.
Regulation: Illinois Personal Information Protection (PIPA), amended by
Public Act 101-0343
Date in effect: January 1, 2017—Original
January 1, 2020—Amended
Coverage area:
- Notification of data breaches for any data collector that owns or licenses personal information concerning an Illinois resident.
- Requires data collectors to also notify the Office of the Attorney General of any breach affecting more than 500 Illinois residents, along with details of steps taken related to the incident.
- The Illinois Attorney General will be allowed to publish breach information.
Regulation: Maine–An Act to Protect the Privacy of Online Customer Information
Date in effect: July 1, 2020
Coverage area:
- Prohibits providers of broadband Internet access services from disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale, or access.
Regulation: Maryland Personal Information Protection Act (MPIPA), amended by Maryland HB 1154
Date in effect: January 1, 2018—Original
October 1, 2019—Amended
Coverage area:
- Attempts to ensure that Maryland consumers’ personal identifying information (PII) is reasonably protected. If their PII is compromised, the customer must be notified.
- The amendment also requires that reasonable security measures be taken to protect PII and retention times for incident record keeping.
- Information owners are prohibited from using information relating to a security breach for any purpose other than a) providing notification; protecting or securing personal information; or b) providing notification to national security organizations to alert or avert any expanded or new breaches.
- The amendment expands the law’s scope to include businesses that own, license, or maintain PII for Maryland residents.
Regulation: Massachusetts H.4806—An Act Relative to Consumer Protection from Security Breaches
Date in effect: April 11, 2019 Requires consumer consent for any third party to obtain consumer credit reports for most non-credit purposes.
Coverage area:
- Provides for customers to place no cost “security freezes” on credit reports, and prohibits credit agency from charging consumers to lift or remove a credit freeze.
- Enhances reporting requirements for security breaches, requires free credit monitoring in some circumstances, and provides continued access to credit reporting for state agencies and courts that are required by law to review consumer credit information.
Regulation: New Jersey S.52
Date in effect: September 1, 2019
Coverage area:
- Enhanced disclosure requirements for breach of security for an online account. Expands the definition of personal information to include an individual’s first name (or first initial)/last name linked with a) a username, email address, or other account holder information in combination with b) any password or security question and answer that would provide access to an online account.
- Any business or public entity doing business in New Jersey shall disclose any breach of security following discovery to any customer who is a resident of New Jersey whose personal information was disclosed or believed to be disclosed.
- If a breach occurs, using written or electronic notice, businesses are required to direct the individual to promptly change their log-in credentials associated with that business and any other accounts in which the individual uses the same username or email address, password, or security questions/answers.
- The business may not send electronic security breach notifications to an email address that has been involved in the security breach.
Regulation: New York SB.5575B/A.5635—Stop Hacks and Improve Electronic Data Security Act (SHIELD ACT)
Date in effect: March 21, 2020—240 days after it was signed into law on July 25, 2019
Coverage area:
- Broadens the scope of information covered for data security breaches to include biometric information and email addresses, along with their corresponding security questions and answers.
- Updates the notification requirements and procedures that businesses and state entities must follow when a security breach occurs.
- Extends notification requirements to any person or entity who collects private information of a New York resident, not just those who do business in the state.
- Expands the definition of a data breach to include unauthorized access to private information. Creates “reasonable” data security requirements tailored to the size of the business.
Regulation: New York A.2374/S.3582—Identity Theft Protection and Mitigation Services
Date in effect: September 23, 2019—60 days after it was signed into law on July 25, 2019 Coverage area:
- Establishes minimum requirements for long-term protections to consumers who are affected by a data breach from a credit reporting agency.
- Requires credit reporting agencies to provide five-year identity theft protection to affected users, along with identity theft mitigation services, when applicable.
- Requires credit agencies to inform consumers on credit freezes and provide consumers with the right to freeze their credit at no cost.
Regulation: Nevada SB 220—Revises provisions relating to Internet privacy (BDR 52-920)
Date in effect: October 1, 2019
Coverage area:
- Only applies to operators owning or operating an Internet Web site or online service for commercial purposes.
- Businesses must provide an on-line mechanism (or toll-free number) that allows customers to opt-out of the sale of their personal information.
- The amendment excludes the following entities from the scope of the law: 1) Financial institutions subject to the Gramm-Leach-Bliley act of 1999; 2) Entities covered under the Health Insurance Portability and Accountability Act (HIPAA); and 3) Some motor vehicle manufacturers and servicers.
Regulation: Oregon SB 684—the Oregon Consumer Information Protection Act (OCIPA)
Date in effect: January 1, 2020
Coverage area:
- Breach of security definition now covers “…an unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information that a person maintains or possesses” (previous versions only covered personal information a person maintains).
- The definition of personal information now includes “…(B) A user name or other means of identifying a consumer for the purpose of permitting access to the consumer’s account, together with any other method necessary to authenticate the user name or means of identification.” Usernames and authentication methods are now considered personal information in Oregon, and their disclosure can trigger breach notification obligations.
- New definitions for covered entities and vendors. The covered entity definition replaces cumbersome language from the previous definition, while a vendor refers to a person whom the covered entity contracts with to provide services to or on behalf of the covered entity.
- Vendors have expanded obligations to inform the covered entity as soon as is practicable or within 10 days after they discover the breach or believe the breach has occurred. Vendors must contact any vendor they are working with that also has a contract with the covered entity, if a breach of security occurs. Vendors also have an obligation to notify the Attorney General if a breach affects more than 250 consumers or an indeterminate number of consumers, unless the covered entity that suffered the breach has notified the Attorney General.
- Specifies several exceptions where breach notification is not required including a covered entity or vendor who complies with Title V of the Gramm-Leach-Bliley act of 1999; or complies with the Health Insurance Portability Act of 1999 (HIPAA) and the Health Information Technology and Clinical Health Act of 2009.
- Requires safeguards that protect the security, confidentiality, and integrity of personal information, including safeguards that continue to protect the information when the covered entity or vendor disposes of the personal information.
Regulation: Texas HB 4390—Amendments to the Texas Identity Theft Enforcement and Protection Act
Date in effect: January 1, 2020
Coverage area:
- Requires breach disclosures to be sent to individuals whose personal information was, or is reasonably believed to have been acquired by an unauthorized person. “Disclosures shall be made without unreasonable delay and in each case not later than the 60th day after the date on which the person determines the breach occurred”, whereas the prior language only specified disclosures should be made as quickly as possible.
- Notifications must be sent to the Attorney General if the breach affected more than 250 residents of the state. Specific requirements are included for these notifications.
- The amendments create the Texas Privacy Protection Authority Council, which is created to study privacy laws in the state, other states, and relevant foreign jurisdictions. The Council will be abolished and the section of the amendment authorizing the council will expire on December 31, 2020.
Regulation: Utah HB57—The Electronic Information or Data Privacy Act
Date in effect: May 14, 2019
Coverage area:
- Defines that electronic information or data “…means information or data including a sign, signal, writing, image, sound, or intelligence of a nature transmitted or stored in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photo-optical system … includes the location information, stored data, or transmitted data of an electronic device.”
- Electronic information or data does not include “… (i) a wire or oral communication; (ii) a communication made through a tone-only paging device; or (iii) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage of money.”
- Except for a criminal investigation or prosecution, law enforcement may not obtain Utahns’ electronic information and data, without a search warrant issued by a court upon probable cause.
- Requires notification when someone’s electronic data and information has been obtained through a warrant, within 14 days, with some exceptions for a delay of notification when there is reasonable cause for the delay (such as in cases of personal safety, when the targeted individual may flee, witness intimidation, or when notification would otherwise seriously jeopardize an investigation).
- Electronic information and data obtained without a search warrant will be excluded from consideration in legal cases.
Regulation: Washington HB 1071—Protecting Personal Information
Date in effect: March 1, 2010
Coverage area:
- Expands requirements for public breach notifications.
- Organizations must notify consumers if a digital attacker obtains a user’s name in conjunction with several other personal identification information, such as full birth dates, medical history, ID numbers (including health insurance ID, student ID, military ID, passport ID, etc.), user names, passwords, biometric data, and electronic signatures.
- Notification letters must specifically identify the data types exposed, along with the security incident date, the discovery date, breach duration, and estimated number of Washingtonians involved. The bill also shrinks the breach notification window from 45 days to 30 days.
