Data Privacy – The Saga Continues
The same way Lucasfilm continues to release Star Wars movie after Star Wars movie with no end in sight, the United States continues to draft and propose laws surrounding data privacy. The trend seems to have taken off with last year’s General Data Protection Regulation (GDPR) announcement, and will witness continued data policy changes and implementations. GDPR established modern standards for data protection in 2018 for Europe and the United States, due to specifications on EU citizens purchasing U.S.-based products and services. 2019 has already seen 151 privacy bill proposals in the U.S. alone, with 2020 projected to see similar upheaval.
The National Conference of State Legislatures (NCSL) published an in-depth review of all the new data privacy legislation across the United States, including bills that were passed, vetoed, and failed. Roger West has been keeping an eye on data privacy and is here to give you the skinny on these bloated laws. If you own or participate in any United States-related business, it’s imperative to familiarize yourself with these laws to maintain operational compliance. Likewise, if you spend any time on the Internet as a user or consumer, these laws will help safeguard your personal information. Here’s the breakdown of the newly enacted laws by state:
- A task force will examine what information businesses in Connecticut should be required to disclose to consumers concerning consumers’ personal information. This is information that is retained or sold by such businesses and includes retargeting efforts by businesses. This is similar to California’s Consumer Privacy Act for 2020 data privacy regulations but is a little bit looser in its enforcement.
- The term “genetic testing” must include direct-to-consumer commercial genetic testing, and any company providing such services is prohibited from sharing any genetic test information or personally identifiable information (PII) about a consumer who has health or life insurance without the consumer’s written consent. This will protect all those ancestry.com or 23andMe tests from being used by the forces of darkness, and will prevent the public from seeing your bloodline or genetic testing results.
- Prohibits broadband Internet providers from using, disclosing, selling, or granting access to a customer’s personal information without explicit consent from said customer. It sets out exceptions under which a provider may use, disclose, sell, or permit access to a customer’s personal information, and prohibits a provider from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount. This law includes information that is derived from a customer’s internet usage, application usage, web browsing history, etc. This means that internet providers, big or small, will all have to take reasonable measures to protect their customers’ personal information to be compliant.
- There will be a legislative management study of consumer personal disclosures, protections, remedies, and enforcement procedures. The study must include a comprehensive review of the privacy laws of other states and applicable federal laws. Findings will be reported along with recommendations to the state’s 67th legislative assembly.
- A revision of provisions relating to Internet privacy (NV SB 220, Chap. 211) gives consumers the right to opt out of the sale of their PII. This law went into effect on October 1st, 2019, and businesses now must provide an email, toll-free number, or website address that allows consumers to opt out. This will affect companies that are dependent on data as a revenue source.
- The newly formed Texas Privacy Protection Advisory Council will revise provisions relating to security breaches. This law makes it mandatory for the Texas attorney general to disclose residents affected by the breach, measures taken, and if law enforcement is involved.
The following two states deserve recognition for their consumer data privacy efforts, despite not enacting any new policies. In some instances, territories will forgo enacting or proposing entirely new laws in favor of adopting, strengthening, or abiding by existing laws.
- Louisiana didn’t enact any new laws, but it did adopt one. The Louisiana Public Service Commission is now expected to establish a task force focused on studying the effects of the sale of consumer information by an Internet access service provider, social media company (Facebook, Twitter, etc.), or search engine (Google, Bing, Yahoo!, etc.). This law will have future implications that Louisiana-based businesses and consumers need to begin preparing for.
- The second state to adopt a new policy is Hawaii, which adopted an act that proposes the assembly of a task force to examine and recommend laws and regulations while updating the state’s privacy policies. Buckle up, Hawaii, your data privacy future awaits.
Now that you’ve made your way through this list, grab a cup of coffee. You’ve earned it, and you’re going to need it to survive the coming changes. State and federal laws are making lead generation via data collection incredibly difficult, but Roger West can help you generate leads without sacrificing compliance.