Halfway through the second month of 2019, lawmakers in nine states have already introduced privacy bills that follow on the heels of last year’s California Consumer Privacy Act (CCPA). These bills, if passed, will affect businesses that operate within the given state, even if the business does not have a physical presence there. Much of the language in the nine bills adheres closely to the language found in the CCPA and the European Union’s General Data Protection Regulation (GDPR).
Six of the nine states incorporate all of the CCPA’s requirements, while two take a more limited approach. The state of Washington’s privacy legislation differs in that it more closely aligns with the GDPR. A closer look at the proposed language in the bills reveals similarities and differences that portend a compliance nightmare.
Some of the proposals would mandate that consumers be allowed to access information about them, opt out of disclosures to third parties and, in certain circumstances, demand deletion of their personal data.
The definition of personally identifiable information (PII) could expand to include not only data that could be used to identify an individual, but also data that could reasonably be linked to an individual. This is much broader than the definition currently espoused in the Fair Information Practice Principles. Of particular concern to the security industry is that the expanded definition of PII would cover employee and business contact data, much of which is stored in access control databases.
One critical difference in the new privacy laws concerns the private right of action. The CCPA provides for a private right of action only for the unauthorized disclosure of unencrypted sensitive data. In contrast, Massachusetts would allow it for any violation of its privacy law, while Mississippi, Rhode Island and New Mexico would allow it when any unauthorized disclosure of personal information occurs, regardless of the sensitivity of the data or potential harm to a consumer.
For SIA members, the bottom line is that compliance with a patchwork of state privacy laws will demand significant resources. Proactively addressing privacy, whether in product design or implementation and deployment, may ease the compliance burden. So, too, would comprehensive federal privacy legislation that would preempt state privacy laws.