After the frenzy of activity leading up to May 25, 2018, the date the General Data Protection Regulation took effect across Europe, businesses could be forgiven for thinking this year has been quiet on the privacy front.
But legislators across the US and other countries have been busy drafting and debating laws that are likely to take effect over the coming months and year. This week, I address legislative activity across the US that seeks to expand individuals’ privacy.
Pending US Privacy Laws
With the September 2018 passage of the California Consumer Privacy Act, or CCPA, California became the first state to pass privacy legislation that goes beyond the breach notification laws that now exist in all states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands.
Effective Jan. 1, 2020, California’s law will provide a testing ground for other states that may wish to develop similar legislation. Since its passage, 11 state legislatures have introduced draft bills that would impose broad obligations on businesses to be transparent as to the use and control of personal data.
And Washington state, Illinois, Texas and Mississippi all proposed legislation to expand privacy laws in line with the California Consumer Privacy Act. While those efforts did not survive the legislative process, this is not the end of the matter. Texas has established a Privacy Protection Advisory Council charged with evaluating national and international privacy laws and making recommendations to the Texas legislature by September 2020 regarding the appropriate level of privacy protection needed in Texas.
As for the California Consumer Privacy Act, there have already been questions over its interpretation, not least as to whether it applies to data collected from individuals in an employment context. It is important that the law is clarified because penalties include fines of up to $2,500 for each unintentional violation and $7,500 for each intentional violation. Additionally, the California Consumer Privacy Act establishes a private right of action for consumers who suffer data breaches, with statutory damages ranging from $100 to $750 per consumer per incident, or actual damages, if greater.
In my next article, I’ll address the increasingly likely “no deal” Brexit and the effect it will have on data transfers between the UK and other jurisdictions after Oct. 31.