States to Watch for Data Privacy and Protection Laws

State Data Protection April 2, 2019 By: Matt Dumiak

Following on the heels of the European Union’s General Data Protection Regulation, several states have either passed or are considering new laws that give citizens greater access to and control over their personal data.

States like California, Hawaii, and Washington have passed or proposed new laws that provide their citizens with greater transparency and control over personal data. Much like the European Union’s General Data Protection Regulation that took effect in May 2018, these laws allow consumers to see what data is collected on them and what the data will be used.

To recognize what this new consumer awareness and movement toward data privacy and protection laws mean for companies and consumers alike, it helps to have a strong understanding of what GDPR entails.

GDPR is still considered by many to be the gold standard for data rights and is essentially a set of rules designed to give European citizens greater control over their personal data. It tries to decrease the confusion surrounding the regulatory environment for business, so both citizens and corporations can fully benefit from the digital economy.

These reforms are designed to reflect our technological age and provides legal obligations around personal data, privacy, and consent management. This means that any organization that has access to personal information about customers—such as their name, birth date, credit card information, or social security number—has an obligation to keep information safe and to be compliant with how they collect and store that data.

Since GDPR went into effect, many states have followed suit with similar regulations. Here’s what the current national landscape looks like for data privacy and protection laws.

California. The California Consumer Privacy Act (CCPA), which was passed in June 2018, goes beyond breach notification and may require organizations to make significant changes in their data-processing operations. That includes honoring opt-outs of selling data and notification requirements surrounding data-sharing practices.

The law provides California residents with the right to:

  • Know what information is being collected.
  • Know whether personal information has been sold or disclosed and where.
  • Refuse the sale of personal information.
  • Access personal data and information collected by organizations.

California is the first state to implement a privacy regulation that looks like GDPR. With the passage of CCPA, enforcement actions are set to begin in July 2020, and organizations will have until January to prepare.

States to watch. Hawaii and Washington recently proposed bills that are modeled on CCPA and GDPR. Hawaii has notice and transparency requirements that organizations must make to consumers. The proposed law also establishes a broad definition of personal data. However, no breach requirements are included.

Meanwhile, Washington has proposed a bill that contains several notice requirements and consumer rights that are targeted at organizations within the state, as well as organizations targeting state residents with goods and services.

As increased awareness, interest, and concern around consumer data continues to increase, there’s no doubt we will see more privacy laws, especially at the state level.

That’s why it’s vital that associations make the necessary adjustments to not only comply with these new regulations but also to protect their brand and reputation by honoring consumers’ requests to protect personal data.

And as more states adopt data protection laws, it can only be assumed that discussions around data privacy will increase at the federal level as well

Matt Dumiak

Matt Dumiak is director of privacy services and customer engagement compliance at CompliancePoint in Atlanta.