A Comprehensive Guide To The Existing Data Laws

Since the General Data Protection Regulation (GDPR) went into effect in the EU in May 2018, EU companies that have invested in data protection have, on average, recovered 2.7 times their initial investment. Yes, companies that know how to comply are getting rich.

This means only one thing, the data protection industry is on the rise, and here is your chance to become successful, competitive, and sustainable.

But you can not open up a new market if you do not have the knowledge. And as is always the case with power, regulators have made things as complicated and scary as possible.

We were all horrified when Amazon was fined 746 million euros ($831 million!) for violations of the GDPR.

Amazon Paid $831 Million Fine For GDPR Non-Compliance!

Do not worry, they could afford it once, and they will not repeat the same gamble. A gamble is when you do something even though you are not sure what you are doing and cannot predict the long-term outcome.

Companies with 7+ numbers never act from a position of uncertainty because they know that things are only presented to appear complicated, when in reality they are manageable, to their own advantage.

For this reason, Mark Zuckerberg, CEO of Facebook Inc, has announced that Metaverse will have high privacy standards, parental controls, and data use disclosure that Facebook alone never had.

Knowledge! Information! Education! And only then action.

Translated into the language of data protection, this means serving and protecting.

As one of the pioneers in the data privacy and cyber protection industry, I can confirm that with every political attempt to reap (oops I was going to say regulate) the market, the challenges do get bigger and tougher.

But if you work with the right team, you can take back control and increase revenue at the same time.

Let me show you what I mean by analyzing the mess with current state data privacy laws, and you will understand why it is literally impossible to overpay your data security team. These professionals should be at the top of your list if you want to stay in the game. You will thank me later.

Data Privacy Laws In The U.S.

In anticipation of the first federal data privacy law, it is wise to look back at what we are leaving behind and try to understand how we can make the transition like winners.

Historically, there has been a jungle of disparate federal and state laws in the United States.

In only three states – California, Virginia, and Colorado – do you find comprehensive data privacy laws, while otherwise, you face a federal hodgepodge of consumer privacy laws with acronyms like HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA that affect only certain types of data, such as credit data or health information, in certain, often outdated, circumstances.

Federal Data Laws

The Health Insurance Portability and Accountability Act (HIPAA) does not cover all health data, only communications between you and “covered entities,” which include doctors, hospitals, pharmacies, insurers, and other similar entities. Your Fitbit data is not protected, nor does the law limit who can ask about your COVID -19 immunization status.

The Fair Credit Reporting Act (FCRA) regulates your credit report data by limiting who can view your credit report, what the credit bureaus can collect, and how the information is obtained.

The Family Educational Rights and Privacy Act (FERPA) gives parents, eligible students, and other schools the right to inspect education records maintained by a school.

The Gramm-Leach-Bliley Act (GLBA) requires consumer financial products, such as credit or investment advisory services, to explain how they share data and that the customer has the right to opt out. It does not restrict how companies use the data they collect, as long as they disclose that use beforehand.

The Electronic Communications Privacy Act (ECPA), passed in 1986, restricts government eavesdropping on telephone conversations and other electronic signals and sets broad rules for employer monitoring of employee communications.

The Children’s Online Privacy Protection Rule (COPPA) sets some limits on companies’ data collection from children under 13.

The Video Privacy Protection Act (VPPA) prevents the sharing of VHS rental data but is not enforced against streaming providers.

The Federal Trade Commission Act (FTC Act) takes action against an app or website that violates its own privacy policies and investigates marketing language violations related to privacy.

State Data Laws

The California Consumer Privacy Act (CCPA) became effective January 1, 2020, and applies to for-profit entities that collect personal information from California residents and meet any of the following criteria:

They must have gross annual revenue of at least $25 million,

Buy, sell, or receive personal information about at least 50,000 California consumers, households, or devices for commercial purposes; or,

Generate more than 50% of their annual revenue from the sale of personal information.

In addition, the CCPA gives California residents the right to know, the right to delete, the right to opt out of the sale, and the like.

The California Privacy Rights Act (CPRA) is the 2nd version of the CCPA and will take effect on January 1, 2023, adding the following:

Application of thresholds for organizations that collect personal information from California residents,

New consumer rights such as the right to rectification or the right to restrict the use and disclosure of sensitive information,

Definition of a “contractor”,

Definitions of data sale and disclosure,

Automatic $7,500 fine for violations related to personal data of minors,

Annual cybersecurity review for companies whose processing poses a significant risk to consumer privacy or security,

Establishment of a California Privacy Protection Agency (CPPA) to enforce compliance with the CPRA,

Companies whose processing poses a significant risk to consumer privacy or security must periodically submit a risk assessment to the CPPA.

The CPRA contains a 12-month retroactivity clause, which means that beginning January 1, 2022, companies must ensure that their data collection practices are compliant with the CPRA. Note that enforcement of the CPRA has gone into effect and enforcement actions will increase as the California Privacy Protection Agency (CPPA) structures its team and operations.

The Virginia Consumer Data Protection Act (CDPA) will take effect on January 1, 2023. Although it is heavily inspired by the CPRA, these are the following key differences:

Consumers must consent to the collection and use of their sensitive data for processing.

The CDPA requires privacy impact assessments for any processing that involves targeted advertising, data sales, profiling, sensitive data; or any data processing that presents a “risk of harm.”

The CDPA does not require that a “Do Not Sell My Personal Information” link be included on websites.

Enforcement of the CDPA is through the Virginia Attorney General’s Office.

The Colorado Privacy Act (CPA) passed unanimously and will take effect July 1, 2023.

Unlike the first two comprehensive data privacy regimes, the CPA does not specify a monetary value in its application criteria, leaving it up to each entity to monitor the Colorado residents and households it acquires. The CPA also requires eligible companies to implement a means by which consumers can object to the processing of their personal information for profiling purposes.

What About My State?

Serious, comprehensive consumer data privacy proposals are currently in committee in at least four other states, Massachusetts, New York, North Carolina, and Pennsylvania. In other states, various bills are in the early stages.

If you’d like to track the status of all these proposals, the International Association of Privacy Professionals has created a tracker that shows all privacy bills in the works and in progress in each state.

Missouri has regulated ebook privacy. The Illinois Biometric Information Privacy Act (BIPA) gives you the right to privacy regarding your biometric information, such as fingerprints or facial scans.

The hardest part is knowing your rights on data breach notification, as there are at least 54 different laws that vary by region.

In The Contrast, GDPR

The General Data Protection Regulation (GDPR) came into force on May 25, 2018, but there have been years of preparation. IAPP has created a fairly detailed timeline of the developments in data protection that led to the adoption of the GDPR.

The main goal of the GDPR is to strengthen individuals’ control and rights over their personal data and to simplify the regulatory environment for international companies.

The GDPR introduced consumer rights for all EU residents, mandated data protection and privacy impact assessments, and added opt-in consent, which should be “freely given, specific, informed, and unambiguous” through a “clear affirmative act.”

The regulation is based on 7 key principles:

Lawfulness, fairness, and transparency

Purpose limitation

Minimization of the amount of data

Accuracy

Limitation of storage

Integrity and confidentiality

Accountability.

Funnily enough, the GDPR applies not only to non-EU organizations that have locations or employees in the EU, but also to those that do not have locations or employees in the EU, including U.S. companies, nonprofits, and universities.

Article 3.2 of the GDPR states that the law applies to organizations outside the EU if they:

Provide goods or services to people in the EU, or

Monitor the online behavior of people in the EU.

In determining whether a U.S. company is offering goods and services to data subjects in the EU for purposes of the GDPR, EU regulators will look into whether the company is targeting EU customers by advertising in the EU, offering online menus in European languages, or quoting prices in euros.

In determining whether U.S. organizations are monitoring the online behavior of people in the EU, EU regulators will look at whether the organization is using web tools that allow it to track cookies or the IP addresses of Europeans who visit its website(s).

The penalties for violating the GDPR are huge. The most serious violations can result in fines of up to €20 million or 4% of a company’s annual global turnover from the previous fiscal year, whichever is greater.

The American Data Privacy and Protection Act

The ADPPA seeks to establish basic consumer data rights, impose certain obligations (known as “duties of loyalty”) on all organizations that process personal data, and create additional requirements for large data holders (defined as organizations with sensitive personal data of 100,000 or more individuals or non-sensitive data of 5 million or more individuals) and third-party service providers that process data.

The law would apply to all organizations, including nonprofits and telecommunications companies, and establish a new division within the Federal Trade Commission (FTC) charged with enforcing the law.

The ADPPA overrides state privacy laws, except for a long list of laws and topics that are exempt, including the Illinois Biometrics Information Privacy Act, part of the California Privacy Rights Act, and broad topics such as facial recognition, non-consensual pornography, data breach notification, and more.

The list of exceptions isn’t only long, but also negates the purpose of state primacy and excludes other states that have recently adopted privacy laws, such as Virginia, Utah, Colorado, and Connecticut.

In addition, ADPPA restricts the private right of action while providing strong enforcement measures that allow the FTC and state attorneys general to take action against any data owner who doesn’t comply.

An individual may bring a civil action for damages or injunctive relief against data holders four years after the law’s effective date. But to prevent duplicative enforcement of the law, individuals must first notify their attorney general and the FTC of their intent to sue.

If either of these agencies decides to file a lawsuit, individuals cannot file their own lawsuit.

There’s also a limited right to cure; if data holders successfully remedy a perceived problem within 45 days, they may seek dismissal of an injunction action.

I’ll go into more detail in the next article.

Now you can thank me.

And if you want to know more about how to protect your data and avoid fines and cyberattacks, TLIC Worldwide, Inc. is the place to be.

Steven Palange, Your Data Expert

Call Me at 401-214-5557 or steven_palange@tlic.com