DIY data protection: As Congress stalls, states take charge

Featured eBooks
Whole-of-State Cybersecurity
The State of Trust in Government
Cybersecurity in State and Local Government
By Andrea Little Limbago
 

Connecting state and local government leaders

By Andrea Little Limbago

|

Lacking any concrete signs of progress at the federal level, states will continue to be the driving force of data protection innovation, providing greater privacy and security protections that introduce ever greater complexity in an already dynamic compliance landscape.

With so much focus on federal data protection regulation, it would be easy to miss the tectonic shifts underway at state capitols. Last year alone, more than 90 different data protection, security and privacy proposals were introduced. The California Consumer Privacy Act (CCPA), which went into effect in January, has been the most far-reaching, but it is not alone. From Florida to Maine to Texas, states are taking the lead in innovating data protection regulation. By the end of 2019, more than half the states either proposed new privacy legislation or established a task force to do so. Absent any progress at the federal level, states will continue to push for greater data protection and regulation, augmenting security and privacy while also increasing complexity to an already dynamic landscape.

Choose your own privacy adventure

While there has been growing interest in data protection in the United States, there was a significant inflection point in 2018 as several forces combined to create the perfect privacy storm. First, the steady flow of data leaks continued as Marriott, British Airways, T-Mobile, MyHeritage, and countless other corporate breaches exposed sensitive personal data. Second, the European Union’s General Data Protection Regulation (GDPR) introduced sweeping data protection that impacted any company with European Union citizen data. Finally, and arguably the most impactful, the Cambridge Analytica data sharing scandal awoke public awareness about the vast implications of data monetization and sharing.

This confluence of events dramatically shifted public opinion in the United States and helped drive momentum and the rapid passage of the CCPA. Numerous other states are now similarly approaching data privacy through overarching omnibus legislation: integrating numerous data protection requirements under a single regulatory umbrella. New York’s proposal last summer built upon the CCPA momentum, but it differs in a few key areas. Instead of relying on the attorney general for enforcement, the New York proposal includes a private right of action and applies to any organization with New York resident data as opposed to the $25 million in annual revenue cutoff in the CCPA. The New York bill also includes data fiduciaries, which prohibit businesses from using data to the benefit of the business and the detriment of the individual.

Other states similarly integrate aspects of the CCPA, while customizing as well. Nevada’s law, for instance, does not have opt-in requirements, while opt out applies to a narrower scope of information. It also includes less time to respond to data requests and defines the sale of data differently. Nebraska’s recent proposal, in contrast, maintains more similarities to the CCPA with its focus on personal information and the right to know what is collected, how it is used, who accesses it, as well as the right to deletion and opt out. They both also include fines up to $7,500 for each violation. Finally, Florida’s proposed Consumer Data Privacy Act shares some common features with both the CCPA and Nevada’s privacy legislation, including a focus on the right to opt out of sales of personal data and a notice of what data is collected. Proposals in Maryland and Massachusetts are similar to the CCPA, but opt out includes any data disclosures, not just sales. Maryland chose enforcement by its  attorney general, while the Massachusetts law has a robust private right of action.

These are a few examples of an omnibus approach to data privacy, and additional proposals are likely to emerge over the next few years absent a federal privacy law. At the same time, several states are opting for point solutions to data privacy instead of taking the omnibus approach. That is, they are focused on narrowly addressing a specific data privacy issue. For instance, last year Vermont passed the country’s first law targeting data brokers -- those entities that gather data from a wide range of sources. The new law requires data brokers to register, uphold baseline security practices and notify if a breach occurs. It also prohibits the use of the data for criminal purposes.

Maine opted instead to focus on internet service providers. Coming into effect on July 1 of this year, the Maine law bars ISPs from, “using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access.”

Instead of focusing on data aggregators and collectors, a half-dozen states have focused on the actual kind of data itself. For instance, the Illinois biometric law is a decade old, but has been making headlines lately for its use in class action lawsuits against Facebook and Google. Texas, Washington, California, New York, and Alaska are among those states that have passed or expanded existing laws to cover biometric identifiers.

What’s next: Full speed ahead for states

Despite both political parties expressing support for a federal data protection regulation, including dueling proposals at the end of 2019, security and privacy proposals failed to gain any traction in Congress. With little hope for Congressional action on data protection, and with mounting public demand in favor of it, states will continue to be the major drivers of data protection regulation in the United States.

For each state capitol, there is a seemingly endless array of components that could comprise a data protection regulation. What data is covered? Which and what size of businesses are covered? Should reasonable security measures be required? Does it cover selling data or disclosing data to any third party? How will enforcement be handled? Will it include a data fiduciary? How will users opt in and opt out?

These are just some of the questions that state legislators will have to debate. Based on what has been proposed so far, these laws look to duplicate the trajectory of data breach notification laws. There are now 54 different data breach notification laws -- one for each state, and one in Washington, D.C., Guam, Puerto Rico, and the U.S. Virgin Islands -- each of which has its own nuance and time frame.

At the federal level: One law to rule them all?

As the variety in state-level regulations demonstrates, Congress faces many decisions when it comes to federal data privacy regulation(s): An omnibus approach or point solution regulations? Which data will be covered and will there be a private right of action? These are just a few of the considerations. As the U.S. deliberates on a federal law, Congress must ensure that the solution is not worse than the problem.

Of course, there will be many forces seeking to undermine any U.S. federal data protection regulation. As the details get debated, three overarching components should be reinforced throughout: harmonization, reasonable safeguards and a whole-of-society approach. First, ensuring a baseline consistency is essential to overcome today’s complex data ecosystem. This will require fending off special interests seeking to dilute many of the recent state-level policies. Next, introducing reasonable security safeguards has proved to incentivize more robust security practices and provide positive business returns. Finally, data protection can benefit from a herd immunity approach, applying to both the private and public sectors while also empowering individuals with greater selective control over their data. The onus should not be entirely on any specific entity, but requires a unique combination of incentives, penalties, transparency and controls to help elevate data protection across society.

For more than a decade, data theft and questionable data sharing practices have largely gone unregulated in the United States. This status quo is not sustainable. The CCPA is just the first of a state-level movement that aspires to implement modern data protection regulations appropriate for the digital revolution. Lacking any concrete signs of progress at the federal level, states will continue to be the driving force of data protection innovation, providing greater privacy and security protections while introducing ever greater complexity in an already dynamic compliance landscape.

NEXT STORY: Why integrity matters in 2020

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.