The US privacy law landscape continues to shift and evolve as state and federal privacy legislative proposals continue to be debated and become enacted. While CCPA-like bills in Washington and Texas failed to pass, Nevada passed its online privacy amendment and proposals in New York and Washington, DC appear to be gaining momentum.

Nevada

On May 29, 2019, Nevada enacted an amendment to its online privacy law, requiring businesses to offer consumers a right to opt-out of the sale of their personal information. While it has some similarities to the California Consumer Privacy Act (CCPA), it contains notable differences. “Operators” of websites and online services that collect personal information from Nevada consumers should analyze the extent to which they are selling covered information within the scope of this new law and make a determination as to whether their online privacy notice needs to be updated. Businesses already preparing for CCPA should be able to incorporate the Nevada requirements, but note the Nevada law will be effective on October 1, 2019, whereas CCPA goes into effect on January 1, 2020.

Although the concept of providing consumers certain privacy rights is similar, the law has some significant differences from the CCPA, including the definition of “sale”. The Nevada law defines a “sale” to mean the “exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”   In contrast, the CCPA’s definition of “sale” is far broader and includes not only selling but also “renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

The new Nevada law has 5 exceptions to the term “sale”:

(1) disclosure to a person who processes the information on behalf of the operator;

(2) disclosure to a person with whom the consumer has a direct relationship for the purposes of providing a product or services requested by the consumer;

(3) disclosure “consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator”;

(4) disclosure to an affiliate of the operator; and

(5) disclosures in the context of merger, acquisition, bankruptcy or other transaction in which a person assumes control of all or part of the assets of the operator.

The new law requires that the operator respond to a consumer’s “verified request” not to sell the information within 60 days (CCPA is 45 days), with an extension of up to an additional 30 days.

Unlike CCPA, the law does not require the business to provide a conspicuous notice of the opt-out right, such as the “Do Not Sell My Personal Information” home page link required under CCPA. The law also does not limit the number of times a consumer can make the request in a year, while CCPA limits requests to two (2) within 12 months.

There is no private right of action under the new Nevada law. Instead, enforcement authority is granted to the Attorney General, which can institute a legal proceeding and have the court issue a temporary or permanent injunction, or impose a civil penalty not to exceed $5,000 for each violation. These provisions are not exclusive but are in addition to any other remedies provided by law.

Perhaps one of the most significant difference is that the new Nevada law wholly exempts financial institutions subject to GLBA from the scope of the law, while CCPA took a more narrow approach and only carved out the information that is collected pursuant to that law.   The new Nevada law also exempts motor vehicle manufacturers or repair services that retrieve information from the motor vehicle “in connection with a technology or service related to the motor vehicle” or provided by a consumer in connection with a subscription or registration for a technology or service related to the vehicle.

Unlike CCPA, the new law has no provisions relating to access or deletion or a private right of action relating to breaches.

New York

We are also continuing to monitor developments in New York, which has proposed a CCPA-like law (S5462). Although the bill has a similarly broad definition of “personal information” and gives consumers the right to request deletion of their data, the bill also introduces new obligations on companies as a “data fiduciary”. The law states, in relevant parts:

Personal data of consumers shall not be used, processed or transferred to a third party, unless the consumer provides express and documented consent. Every legal entity, or any affiliate of such entity, and every controller and data broker, which collects, sells or licenses personal information of consumers, shall exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.

The New York bill further specifies that the “fiduciary duty owed to a consumer under this section shall supersede any duty owed to owners or shareholders of a legal entity or affiliate thereof, controller or data broker, to whom this article applies.”

New York’s bill would expressly permit “any person who has been injured by reason of a violation of this article may bring an action in his or her own name to enjoin such unlawful act, or to recover his or her actual damages, or both such actions. The court may award reasonable attorney’s fees to a prevailing plaintiff.”

Washington and Texas

Earlier this year, both Washington (Washington Privacy Act, SB 5376) and Texas (Texas Privacy Protection Act, HB 4390) had introduced CCPA-like bills. Both bills failed to pass during their respective legislative sessions. Several other states still have legislation pending, which we are continuing to monitor.

First-Ever US Federal Privacy Law

The possibility of a US federal privacy law is still under consideration in Washington, DC, with the House Energy and Commerce Consumer Protection and Commerce Subcommittee Chairwoman Rep. Jan Schakowsky (D-IL) stating that she hopes to have a draft bill before Congress breaks for its August recess. She indicated that the bill could give the Federal Trade Commission more authority to police data privacy, as well as several features currently in CCPA: the right to amend, correct, and erase their data as well as not have their data used for discriminatory purposes. The topic of whether to include a private right of action is also under discussion.

CCPA Update

During the week of May 28, five Assembly bills that would narrow some aspect of CCPA moved forward. Below is a brief chart that summarizes the current status of the bills that are still active in the California legislature.

Bills to Expand CCPA

Bill No. 10-word summary Status
AB 288 Social media data – right to remove and prohibit sale 4/23 – Committee on Privacy and Consumer Protection hearing cancelled at author’s request
AB 1281 Use of facial recognition – signage required 5/8 – referred to Committees on Judiciary and Appropriations

Bills to Narrow CCPA

Bill No. 10-word summary Status
AB 25 Excludes “employees” from definition of “consumer” 5/29 – passed Assembly and ordered to Senate
AB 846 Expands incentives and differential treatment related to value of data 5/28 – passed Assembly and ordered to Senate; 5/29 – referred to Senate Committee on Rules
AB 873 Expands definition of “de-identified” data, narrows definition of “personal information” 5/29 – referred to Senate Committee on Judiciary
AB 874 Redefines “personal information” to exclude information from government records 5/22 – referred to Senate Committee on Judiciary
AB 981 Exempts from deletion personal information needed to complete insurance transactions 5/29 – referred to Senate Committee on Judiciary and Senate committee on Insurance
AB 1146 Exempts sharing between motor vehicle dealers & manufacturers 5/23 – passed Assembly and ordered to Senate
AB 1355 Narrows disclosure requirement to categories of third parties sold to 5/22 – referred to Senate Committee on Judiciary
AB 1416 Permits use of data to prevent fraud or illegal activity 5/29– passed Assembly and ordered to Senate
AB 1564 Decreases the minimum number of methods organizations must provide consumers to submit requests for information from two to one 5/22 – referred to Senate Committee on Judiciary

 

This update is a summary of the legislation and proposed amendments. If you have any questions or would like additional information regarding CCPA or other US legislative proposals, please contact a member of our Data Protection, Privacy and Cybersecurity team.

Our other CCPA articles

 

Article 1: Summary of CCPA’s major provisions

Article 2: CCPA covered entities

Article 3: CCPA definition of personal information

Article 4: CCPA disclosure requirements

Article 5: CCPA “Right to Deletion”

Article 6: California Attorney General’s Office begins CCPA rulemaking process with first public hearing while Congress debates new federal privacy law

Article 7: Comments at CCPA public forum in Los Angeles highlight tensions between businesses and consumer rights groups

Article 8: GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

Article 9: CCPA:  “Attorney General Amendment” Likely Dead