After GDPR: U.S. States Begin Rolling Out Data Privacy Laws

At this time last year, we were talking about the EU’s General Data Protection Regulation (GDPR), the big revamp of data privacy regulations that went into effect in May 2019. It was big news and a potentially big roadblock for the companies affected — non-compliant companies faced penalties in the millions (Euros or dollars).

Though focused on EU companies and organizations, U.S. businesses that receive and process data from customers who are EU individuals must also comply or face the same penalties. The big takeaway from GDPR is that data remains with the individual, not the company collecting it — a vastly different perspective than existing laws, including those in the U.S. It was good training ground for what’s next, since now several U.S. states have their own version of data privacy regulations pending or enacted. Here’s a quick and dirty rundown of what some of those entail:

California: Effective January 2020

It was, perhaps, not surprising that California was the first U.S. state to pass regulations similar to GDPR. The California Consumer Privacy Act (CCPA), which passed on June 28, 2018, is slated to go into effect January 1, 2020. It is designed to give Californians virtually the same type of control over their personal data as the GDPR, including the right to know what personal information businesses collect, request that the data be deleted, know who the data has been shared with, and require businesses to stop sharing their information.

Who has to comply? Any company that provides services to California residents with at least $25 million in annual revenue, as well as companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data, regardless of where they are based.

Looking for resources on CCPA as the deadline approaches? Californians for Consumer Privacy, as the name suggests, is designed to inform consumers of their rights but offers resources useful to both sides. PwC has a readiness roadmap,  and data firm Jebbit has a dedicated resource center.

Nevada: Effective October 2019

Although California was the first state to pass stricter data privacy legislation, it is actually not the first to enact it. That honor goes to Nevada. Senate Bill 220, introduced in February and enacted Oct. 1, is slightly less comprehensive than the CCPA. While the CCPA applies to both online and brick-and-mortar businesses, SB 220 applies to operators of online businesses only.

Notably, the Nevada law excludes those financial institutions subject to Gramm-Leach Bliley and entities subject to HIPAA, as well as those who manufacture, service or repair motor vehicles. It requires website operators to provide a way for consumers to submit their opt-out requests; operators must respond to the verified requests no later than 90 days.

Maine: Effective July 2020

Maine’s “Act to Protect the Privacy of Online Consumer Information” was signed into law in June of this year. Its scope is much narrower than California’s, as it only applies to broadband providers in Maine providing services to physical residents of the state. It is more stringent though, in that rather than allowing customers an opt-out right, it requires businesses to have them opt in. It is scheduled to take effect in July 2020.

Pennsylvania: TBD

Pennsylvania House Bill 1049 is a bit closer to California’s regulations — nearly identical, in fact. It would allow customers to opt out of having their information sold, and even allow them to have the information deleted. However, it would apply to businesses with $10 million and up in revenue; a much lower threshold than California’s $25 million. It is currently in committee but would be enacted immediately upon passing.

More states are examining their current laws or drafting new ones, so it’s almost certain we’ll see more before 2020 is over. Regardless, it’s likely that no matter where you’re located you are affected by some or all of these laws, so stay up to date and make sure you’re covered.