12 new state privacy and security laws explained: Is your business ready?

States from Maine to California have recently enacted privacy, data security, cybersecurity, and data breach notification laws. We break down what each of these laws entails.

While at the federal level security and privacy legislation are lost in a morass of partisan politics and corporate lobbying delays, states have been moving ahead to push through an impressive number of important bills that help fill in the gaps. A search of the Legiscan database reveals that hundreds of bills that address privacy, cybersecurity and data breaches are pending across the 50 states, territories and the District of Columbia.

The most comprehensive piece of state-level legislation across these often-intertwined categories that has been enacted over the past two years is the sweeping California Consumer Privacy Act (CCPA), enacted and signed into law on June 28, 2018. Inspired by the EU’s groundbreaking General Privacy Data Protection Regulation (GDPR), the legislation aims to give the state’s consumers greater control over how businesses collect and use their personal data. In November 2020, California voters approved the California Privacy Rights Act (CPRA), which creates a new consumer privacy agency and aligns privacy regulations more closely with the GDPR.

The CCPA is slated to take effect on January 1, 2020, giving those who believe the bill was too broad or too narrow time enough to limit or expand its scope. So far two bills have been introduced in the California Assembly to expand the scope of CCPA, while nine draft bills seek to limit its impact.

In the sections below, we summarize the current provisions of the CCPA, along with other major pieces of state legislation that have been recently enacted and signed into law. Each of these recently adopted measures in its own way significantly impacts privacy, data security, cybersecurity or data breach notification requirements in the respective states.

Privacy laws

• California Consumer Privacy Act (CCPA)
• California Privacy Rights Act (CPRA)
• Nevada Senate Bill 220 Online Privacy Law
• Maine Act to Protect the Privacy of Online Consumer Information

California Consumer Privacy Act (CCPA)

The CCPA incorporated many of the GDPR-inspired provisions in what had previously been a ballot measure in the state called the Consumer Right to Privacy Act of 2018. The legislation’s provisions “grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.”

The law applies to applies to businesses that collect information from California residents and meet at least one of the following thresholds: (1) have over $25 million in annual gross revenue; (2) buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their revenue from the sale of consumers’ personal information.

Among some of the more noteworthy of the many expansive provisions in the law are sections that:

• Require a business to make disclosures about the personal information it collects and the purposes for which it is used.
• Grant a consumer the right to request deletion of personal information and require the business to delete that information upon receipt of a verified request.
• Grant a consumer a right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects and categories of information and the identity of third parties to which the information was sold or disclosed. Businesses will be required to provide this information in response to verifiable consumer requests.
• Authorize a consumer to opt out of the sale of personal information by a business and prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
• Require businesses that disclose personal data to deliver that data free of charge to verifiable consumers upon request.
• Grant consumers the right to control selling their information to third parties via a “Do Not Sell My Personal Information” link in their privacy policies.
• Give individuals the ability to direct businesses to delete their information.
• Prohibit businesses from selling information about consumers between the ages of 13 and 16 without their explicit consent and require them to obtain parental consent before selling information about a consumer under the age of 13.
• Expand the definition of personal information to include such things as IP addresses, device IDs, cookie IDS, and psychographic profiles based on customers’ preferences, characteristics, behavior, interests and many other variables.

California Privacy Rights Act (CPRA)

California voters approved this ballot measure in November, making it law effective on January 1, 2023, though with a six-month grace period on enforcement. The CPRA mandates the creation of a consumer privacy agency, which takes responsibility for privacy law violations away from the state's attorney general.

The most significant changes from the CCPA are:

• Companies serving fewer than 100,000 California residents or households are not subject to the privacy regulations. The CCPA's threshold is 50,000 and includes devices.
• Companies must delete personal information once it is no longer necessary. How regulators will define "necessary" is open to interpretation.
• Consumers may force a company to correct inaccuate personal data. 
• Companies must ensure that any third parties with whom they share personal data comply with the CPRA. 
• Consumers may opt out of companies sharing their data. Under the CCPA, consumers can only opt out of their data being sold.
• Breach liability now includes exposure of email addresses combined with security questions.
• If a breach includes personal data of minors, fines may be tripled.
• Companies might still be subject to private rights of action and statutory damages after a breach even if they fix what caused the breach.
• Consumers no longer need to show harm to be able to sue for a breach.

Nevada Senate Bill 220 Online Privacy Law

While California’s CCPA grabbed all the headlines, Nevada quietly passed its own tougher online privacy law, Senate Bill 220, which was signed into law by the governor on May 30, 2019. The bill amended Nevada’s existing privacy law by requiring businesses to offer consumers an opt-out regarding the sale of their personal information, with some exceptions. The bill goes into effect on October 1, 2019 prior to the effective date of CCPA, making Nevada’s legislation the first in the U.S. to grant consumers a right to opt out of the sale of their personal data.

Unlike CCPA and GDPR, Nevada’s bill does not add any new notice requirements for website operators but does require them to post certain items of information in their privacy policies, including the categories of information collected, the categories of third parties with which the data is shared, a description of the process consumers may use to review and request changes to their covered information, a disclosure that third parties may track consumers’ online activities and the effective date of these notices.

Organizations that violate these terms may be subject to a penalty up to $5,000 per violation as well as a temporary or permanent injunction.  Under the law, the attorney general’s office will have the power to bring actions for violations but must allow offenders a 30-day period to fix violations other than those that deal with opt-out rights.

Maine Act to Protect the Privacy of Online Consumer Information

On June 7, 2019, Maine Governor Janet Mills signed a bill to protect the privacy of online consumer information. The bill goes into effect on July 1, 2020. The legislation specifically bars broadband internet access providers from “using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access,” with some exceptions.

The bill also prohibits broadband providers from refusing to serve a customer or charging them more if they don’t consent to the use, disclosure, sale or access of their personal data.

The bill further requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access. Under the bill, personal information is defined as (a) “personally identifiable customer information” about the customer and (b) information derived from the customer’s use of broadband internet access services such as web browsing history, geolocation data, device identifiers and a number of other technical data points that can be used to identify individuals.

Cybersecurity, data security and data breach notification laws

• New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies ( 23 NYCRR 500)
• New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
• Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches
• New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)
• Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)
• Oregon Consumer Information Protection Act (OCIPA) SB 684
• Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council
• Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)

New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies ( 23 NYCRR 500)

Regulators at the New York Department of Financial Services (DFS) adopted new rules, 23 NYCRR 500,  on February 16, 2017 that place certain minimum cybersecurity requirements on all covered financial institutions. These rules require each company to assess its specific risk profile and design a program that addresses its risks in a robust manner.

The deadline for certain required regulatory activities under the new rules was March 2019. Under the requirements, any DFS-regulated entity that meets certain criteria (more than 10 employees, more than $5 million a year in revenue and year-end assets exceeding $10 million) that is doing business in New York is required to establish an internal cybersecurity program to protect information assets under their control.

Smaller entities have to meet other obligations, including limiting access to information, assessing their risk, implementing policies related to third-party data control, and their own data disposition. All regulated entities are obliged to report data breaches, regardless of size.

The rules further require covered entities to designate a Chief Information Security Officer, and maintain audit trails, among a host of other good cybersecurity practices spelled out in the regulation.

New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (Senate Bill S5575B), which expands the state’s current data breach law and imposes affirmative cybersecurity obligations on covered entities.

Among other things, the bill:

• Expands the scope of information subject to the current data breach notification law to include biometric information and email addresses and their corresponding passwords or security questions and answers.
• Broadens the definition of a data breach to include unauthorized access to private information.
• Applies the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State.
• Updates the notification procedures companies and state entities must follow when there has been a breach of private information.
• Creates data security requirements tailored to the size of a business.

The first four provisions go into effect on October 23, 2019 while the last one mandating security requirements goes into effect on March 21, 2020.

Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches

Signed into law by Governor Charlie Baker on January 10, 2019 and effective as of April 11, 2019, the new law: