By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.
Ready or not, the strictest data privacy law the United States has ever seen, the California Consumer Privacy Act (CCPA), is coming January 1, 2020. Other states are following California by enacting their own data privacy regulations, which may include rights for data subjects comparable to those under the EU’s General Data Protection Regulation (GDPR). And, if that weren’t enough, with Congress dragging CEOs into hearings and questioning them about how they hoard and exploit the personal information of millions of Americans, the momentum is finally shifting toward passing a federal law.
Accountability falls on whose shoulders? Organizations and their vendors!
The GDPR is the EU’s global privacy standard, forcing global companies to examine and alter their practices in order to comply with the Regulation and thereby avoid a potential fine of up to 4% of their global revenue.
After many publicly reported, shocking revelations of companies’ data breaches and other privacy abuses involving Americans’ personal information – a free-for-all to monitor Americans’ behavior, collecting their information across the internet and from the real world, usually without their knowledge, and manipulating their personal information behind the scenes (Facebook, Google, Equifax) – it is no wonder consumer advocacy groups are pushing individual states and Congress to propose and enact stricter legislative measures to strengthen Americans’ privacy rights.
A few states that have passed laws, in some form or another targeting the issue of consumer privacy rights, are:
State legislatures have proposed bills that would offer American consumers GDPR-like privacy rights, such as requiring companies to inform users about their data practices and to receive explicit permission before collecting any personal information; expanding the definition of personal information to include “any other identifiers capable of being or could be reasonably linked directly or indirectly with a particular consumer…”; data access requests; the right to opt out; the right to delete personal information; and a prohibition on businesses discriminating against consumers who exercise their rights. Some of these laws provide attorneys general with enforcement authority to seek civil penalties and allow consumers the right to bring a civil action.
Consumer’s Private Right of Action, AG’s Actions Against Violators, and There’s More…
A “private right of action” means the ability of consumers to sue companies for violations of the law.
New York’s SB224 applies to “any person, proprietorship, firm, partnership, association, cooperative, nonprofit organization or corporation organized or existing under the laws of this state or any other state, and doing business in this state…” The proposed bill allows for civil action to be brought by a consumer, the New York attorney general, a district attorney, city attorney or prosecutor to recover penalties for violations.
North Dakota’s HB1485 applies to entities that have annual gross revenues in excess of $25 million; derive at least 50% of their annual revenues from selling personal information; or annually buy, receive, sell or share the personal information of at least 50,000 consumers, households or devices. The attorney general has enforcement authority to seek civil penalties of between $100,000 and $250,000 for each violation of a cease and desist order and to bring an action in district court to recover penalties, attorney’s fees and costs. Consumers have the right to bring a civil action to recover damages, fees and costs.
New Mexico’s SB176, if passed, mandates employees must be “appropriately trained in compliance”.
Washington’s SB5376 applies to private entities conducting business in the state, or providing products and services to Washington residents, that control or process the data of 100,000 or more consumers, or that derive over 50% of their gross revenue from the sale of personal information and possess or control the personal information of 250,000 or more consumers. The proposed bill would require data owners (“Controllers”) to conduct and document an annual risk assessment of the processing of personal information, and a further assessment whenever there is a change in the processing that would impact the risk to individuals.
Federal Privacy Laws – Better Late Than … Never
You may have realized by now that there is a federal privacy legislation power struggle going on in Congress. Senators and House Representatives, along with consumer privacy groups, have introduced federal privacy bills that would either pre-empt state law and roll back the data privacy protections individuals would receive under enacted state legislation, or, in the case of proposed bills that do not contain pre-emption clauses, include provisions similar to the CCPA and the GDPR. The proposed bills could include but are not limited to:
Other federal privacy bills aim at alleviating the harmful effects of data collection of consumers by creating a Do Not Track system which would be administered by the FTC. In other words, commercial websites would be legally prohibited from harvesting unnecessary data from consumers who have Do Not Track turned on.
Yet another federal privacy bill would require tech companies to test their artificial intelligence systems for biases including racial discrimination and to fix those biases.
As several authorities have been updating their guidance on cookies (already published in the case of France, Germany, Ireland and the UK, and soon others such as Denmark), it is likely that the cookie provisions will give rise to further discussions.1 Organizations embarking on significant Internet-of-Things projects may wish to take into account secrecy of electronic communications, so as to avoid having to stop or redesign the project in a year or two. Any organization contemplating a new flagship website or application may also wish to reconsider widespread use of tags rather than cookies if the intent was to avoid applicability of the cookie rules, as the rules will at some point be the same.2
Most of the proposed federal privacy laws include cybersecurity standards and require some type of platform for breach notification and timeframe for the notification. Cyberattacks can be created by linking services. The spike in data breach incidents over the past few years suggests that we will likely see an increase in services offering personal profiles; thus, an increase in the number and kinds of attacks that use personal profiles.3
Data Access Requests – A Timely Topic
The proposed laws currently under consideration mandate that entities provide consumers the right to access and request details regarding the personal information that the entity collects, stores and shares. Unless the law specifies an exception, the entity must respond to the individual within a specified timeframe, such as 30 or 45 days, and at no charge to the individual.
The data access request provision is not a new legal concept but has become more visible due to the spotlight on privacy rights.
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), a federal law that protects the privacy of student education records, gives parents and “eligible students” the right to inspect and review the student’s education records, to correct inaccurate or misleading records, to a hearing upon the denial of a request to amend a record, and to place in the record a statement contesting the disputed information.
HIPAA’s Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity, including:
The CCPA, when it goes into effect on January 1, 2020, mandates that residents can access and transmit their personal information in a readily usable format which enables the transfer to third parties without issues and they can request deletion of their data or bring it with them to alternative service providers. A business must respond to a consumer’s data access request within 45 days.
Vendor Verification and Validation
Alabama Code § 8-38 requires that a third-party agent that has been contracted to maintain, store or process, or is permitted to access, sensitive personal information on behalf of a covered entity must implement and maintain reasonable security measures to protect the sensitive personal information against a breach of security, and must dispose of, or arrange for the disposal of, records containing sensitive personal information within its custody or control when the records are no longer to be retained pursuant to applicable law, regulations or business needs.
Under Oregon’s SB684, in the event of a breach of security or suspected breach involving a vendor under contract with a covered entity, the vendor is required to notify the covered entity of the breach as soon as practicable, but no later than ten (10) days after discovering the breach or suspected breach. Similarly, if the covered entity’s contracted vendor subcontracts with another vendor, the subcontracted vendor is required to notify its vendor about the breach within ten (10) days after discovering the breach or suspected breach. Vendors will also be required to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information including when disposing of the personal information.
Illinois (815 ILCS 530/40) states that a covered entity may contract with a third party to dispose of materials containing personal information. Any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to, acquisition of, or use of personal information during the collection, transportation and disposal of materials containing personal information. A third party who violates this Section is subject to a civil penalty of not more than $100 for each individual with respect to whom personal information is disposed of in violation of this Section. The Attorney General may impose a civil penalty, may file a civil action in the circuit court to recover any penalty imposed under this Section, and may bring an action in the circuit court to remedy a violation of this Section, seeking any appropriate relief.
New York’s recently passed SHIELD Act requires businesses that own or license computerized data that includes the private information of New York residents to implement and maintain specific administrative, technical and physical safeguards, which include vendor management through due diligence and contracts. Non-compliance with the new data protection and security requirements will be considered a deceptive act or practice, with civil penalties of up to $5,000 per violation. This portion of the bill will go into effect on March 21, 2020.
The growing consensus is that Congress must take action to address Americans’ data privacy, and any national law must provide clear and consistent protections that both consumers and businesses will understand.
1 DLA Piper, “Europe: E-Privacy Regulation – Changes Regarding Electronic Communications and Digital Marketing,” Aug. 2019, https://blogs.dlapiper.com/privacymatters/europe-e-privacy-regulation-changes-regarding-electronic-communications-and-digital-marketing/.
3 K. Huang, M. Siegel, K. Pearlson, S. Madnick, “Casting the Dark Web in a New Light,” MIT Sloan Management Review, July 15, 2019.
4 “Individuals’ Right under HIPAA to Access their Health Information,” 45 CFR § 164.524, General Right, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.