States Tightening Grip on Privacy With More European Regs Coming

Federal, State and European data privacy laws are coming together, creating a mixed bag of regulatory timelines.

Multiple timelines for data security reporting.

With every new data breach revelation making headlines come new concerns and, in many cases, new rules about privacy in the United States and in Europe that affect organizations in this country.

Digital Guardian, in its “Definitive Guide to U.S. State Data Breach Laws,” pointed out that entities conducting business in the U.S. must be familiar not only with federal regulations, but also with the individual state laws that apply to any agency or entity collecting, storing, or processing data of residents in that state.

The guide said, “According to the National Conference of State Legislatures, legislation has been enacted by all 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands that requires private entities or government agencies to notify individuals who have been impacted by security breaches that may compromise their personally identifiable information.”

The Digital Guardian report indicated these laws typically define what counts as PII in each state, which entities are required to comply, what specifically constitutes a breach, the timing and method of notice required to individuals, regulatory agencies, and consumer credit reporting agencies, and any exemptions that apply, such as exemptions for encrypted data.

Digital Guardian provided a state-by-state guide with a detailed synopsis of existing data breach laws, notification requirements, penalties for violations, and pending legislation. For example, most states require immediate notification (some allow electronic notification) without unreasonable delay, but nine states must receive notification within 45 days, one within 60 days, and one within 90 days.

Meanwhile, the California Consumer Privacy Act of 2018, now passed into law, reportedly will provide Californians with a level of protection for their personal information comparable to the EU’s GDPR, which now governs data protection and privacy for all individuals within the European Union.

CCPA does apply to credit unions, banks, savings and loans, credit card companies, insurance companies and other financial service companies, and allows consumers to put limits on what financial companies can do with their personal financial information.

According to the law firm BakerHostetler, businesses should start planning for CCPA’s implementation now: it goes into effect on January 1, 2020, but requires recordkeeping as of January 1, 2019.

In a comprehensive review of CCPA, BakerHostetler partner Alan Friel explained that compliance with the CCPA will be mandatory for any business with gross revenue of more than $25 million; that annually buys, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices; or that derives 50% or more of its annual revenue from the sale of consumers’ personal information. “In short, all Californians will have the right to demand that a covered business provide them with a transportable copy of their PI, delete their PI, not sell their PI, and provide them with both generic and consumer-specific information about PI collection and sharing.”

In Europe, a new wide-reaching ePrivacy Regulation, expected to be adopted towards the end of this year or the beginning of next, could affect companies in the U.S. more than GDPR does, according to law firm Morrison & Foerster.

ePrivacy targets, among other areas, the right to confidentiality and data privacy in all electronic communications, including email, texts, the internet, WhatsApp, Skype, online messaging, VoIP, the Internet of Things, apps, online advertising networks, and telecommunications. Metadata, as well as the content of communications, is guaranteed privacy. When it comes to PI in electronic communications, ePrivacy even overrides GDPR.

Morrison & Foerster privacy and data security group global co-chair Alex van der Wolk said: “Regulating electronic direct marketing, cookies, beacon technology and a host of other specific electronic uses of personal information, the ePrivacy overhaul is expected to have yet another big impact on companies.”

Julie O’Neill, a Morrison & Foerster partner and former Federal Trade Commission staff attorney, pointed out, “U.S. companies that thought they were done thinking about European privacy law may be in for a surprise. The upcoming ePrivacy Regulation is likely to affect companies’ online advertising campaigns and analytics solutions.”

Morrison & Foerster Brussels-based counsel Alja Poler De Zwart added: “The ePrivacy Regulation could be a more turbulent journey for the marketing and advertising industry than the GDPR, and should therefore not be underestimated.”