Map of the United States - State Privacy Laws

State Privacy Laws in the Wake of the CCPA: A Tough Act to Follow

Privacy Law , , , , , ,

Image Credit: Free-Photos from Pixabay.

Hard on the heels of the California Consumer Privacy Act of 2018 (CCPA) and updated state privacy laws in Nevada and Maine which took effect in 2019, state data privacy legislation is still on the rise.

In November of 2020, California citizens approved the California Privacy Rights and Enforcement Act (CPRA), further amending the CCPA. The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.

Most recently, the Virginia Governor signed the Consumer Data Protection Act into law, thereby making Virginia yet another U.S. state with a comprehensive state privacy law. 

As momentum builds for state privacy laws, 2021 could be the year that privacy laws gain footing across the country, helping Americans exercise control over their digital lives.

Washington’s Privacy Act 2021, SB 5062
**Update: The WPA did not pass the House by the April 11 deadline. On April 12, however, Senator Carlyle tweeted that the “bill remains alive through the end of the session.” The legislature will close on April 25.

*** Update 4/26: The WPA did not pass for the third year in a row, due to the late introduction of a limited private right of action (for injunctive relief). Jump to the bottom of the page for links to other pending state legislation.

The most notable – due to its furthest progression in state legislation – is the current draft of the Washington Privacy Act 2021 (“WPA”). This draft bill is the third version of the act introduced by Washington state Sen. Reuven Carlyle (D-Seattle) in as many years.

Scope

The WPA would apply to legal entities that:

Continue Reading State Privacy Laws in the Wake of the CCPA: A Tough Act to Follow
Privacy nutrition label

Opt-Out Icons and Apple Privacy Labels: The Visual Privacy Policy

Privacy Law , , , , , , ,

Image Credit: FDA Nutrition Label, modified by Metaverse Law

The growing frequency and severity of privacy incidents within the past decade—the Facebook-Cambridge Analytica data scandal and Equifax data breach, to name just a few—has made consumer privacy a topic of public attention and concern.

In response to consumers’ increased wariness regarding their private data, some companies are trying to use privacy labels and icons to signal a commitment to privacy protection. The ultimate goal is to make privacy more accessible, transparent, and understandable.

This article reviews the history and current trends around privacy icons and labels.

Privacy Visuals Part I: Icons

In 2010, the Digital Advertising Alliance (DAA) rolled out its “YourAdChoices” icon – a clickable blue triangular icon found on ads. This was one of the first privacy icons available. The DAA developed this icon in response to speculated federal regulation in the advertising industry.

Digital Advertising Alliance (DAA) YourAdChoices icon, appears as blue outlined triangle with inset letter 'i'
YourAdChoices icon. Image taken from https://digitaladvertisingalliance.org/.

To address Congressional inquiries into consumer privacy (and any possible resulting legislative efforts), the DAA formed a self-regulatory program with a set of privacy principles for participating companies and developed the YourAdChoices icon. Participating companies can voluntarily elect to place this symbol on their advertisements. By its nature, the DAA self-regulatory program and use of the YourAdChoices icon is not enforced by law. However, the DAA enforces the program by offering a consumer complaint process, public investigation procedure, and if necessary, escalation to a government agency, which happened in the case of SunTrust Bank in 2014.

Typically, the YourAdChoices icon is placed on cross-context behavioral ads—that is, ads targeted to consumers based on a profile of that consumer’s characteristics, preferences, and internet activity. If a browsing consumer views an ad that was targeted to them, they can click the YourAdChoices icon next to the ad to control whether ads should be personalized to them while browsing and to learn why that certain ad was displayed to them.

When the California Consumer Privacy Act (CCPA) came into effect in 2020, it created new privacy requirements for over 500,000 business nationwide . One of the requirements is to prominently display a “Do Not Sell My Personal Information” link on a business’ homepage, if a business is subject to CCPA, and “sells” or discloses a consumer’s personal information for valuable consideration. If a consumer submits a request through the link, the business must allow consumers to opt-out of the sale of that consumer’s personal information.

In response to this new requirement, the DAA designed a green version of the YourAdChoices icon for CCPA use. This is called the Privacy Rights Icon.

Digital Advertising Alliance (DAA) Privacy Rights icon, appears as green outlined triangle with inset letter 'i'
Privacy Rights icon. Image taken from https://digitaladvertisingalliance.org/.

When implemented correctly by participating companies, the green Privacy Rights icon brings consumers to www.privacyrights.info, a website set up by the DAA to help centralize and facilitate “Do Not Sell” requests across all participating companies.

While the two DAA icons above are forms of industry self-regulation, the California Office of the Attorney General (OAG) has also designed a “Do Not Sell” button to accompany the Do Not Sell link.

Continue Reading Opt-Out Icons and Apple Privacy Labels: The Visual Privacy Policy
Individuals behind a password screen.

The Importance of Data Privacy For Protecting Business and Client Information

Privacy Law

If you own a business that demands you to understand what data privacy is and how it affects you, then now is the time for you to get informed. It has much to do with maintaining an acceptable level of trust between organizations and clients. Data privacy compliance has a framework involving a set of guidelines that require business institutions to integrate into their security system as per several state and federal laws on varying levels.

What Is Data Privacy? 

Data privacy is a general concept that governs the handling, storage, access, and preservation of sensitive information or data. It is also referred to as information security or information control. 

In technical terms, it is a system designed to govern the handling, processing, distribution, safety management, and ownership of valuable digital information. This information may include personal details, such as credit card numbers, financial transaction details, and other facts accessible through digital systems that privately belong to individuals or organizations.

Data safety protocols and processes are imposed by the privacy protection laws in different countries. These laws ensure the legality of the use of sensitive personal information and provide guidelines for proper handling, storage, and transmission of such information. This ensures that the benefits derived from the various programs implemented by the organizations are legit and are not being abused to serve selfish ends. The process of implementation varies from each country or region and thus, different laws are governing data privacy issues in different parts of the world. 

Data Security

Protecting Business and Client Information

Data security is the practice of protecting data and maintaining the privacy of information, which obligates an organization to secure data at its source or to ensure the privacy of data in transit and throughout its lifecycle. This practice protects confidential information whether it is transmitted over the internet or through private networks. It also governs how organizations can safeguard corporate assets against corruption and unauthorized access. These have become more important with the growth of sophisticated data encryption technologies, which have made the transmission of sensitive corporate information more secure.

There are certain conditions recognized by countries across the world and are enforced by each government. They include the responsibilities of service providers to take reasonable measures to ensure the confidentiality of communications and related data, protection against data leaks and interference, and protection against the abuse of personal information. Aside from these, several laws address the rights of businesses to protect their clients’ private information. These include the right to secure network systems, secure the confidentiality of information, and providing clients with the right to access and see the documents that have been sent to them.

Data Compliance

Data compliance ensures the correct practice of data privacy along with legal and governmental regulations. If organizations are not complying with the regulations stated by the federal or state government, then they are going to find themselves out of compliance, and the clients, customers, and employees might also be bound to some legal stipulations. 

Companies that fail to comply with the legal conditions of data privacy may be sanctioned, which may include fines or other penalties. There are many legal defenses available to business owners who are accused of not being able to guarantee the confidentiality of their data. For example, a business owner may use a server that is situated abroad to facilitate trade for his company. Similarly, a person who has concerns about how a product or service obtained by purchasing online could use data protection tools and safeguard his privacy.

Businesses need to stay abreast of any changes to data protection laws and the only way for a business to satisfy data compliance is to adhere to the latest privacy law of a particular state. 

Why Is Data Privacy Important?

For starters, data privacy equips an organization to responsibly handle and protect the information of an entity or individual. Therefore, it implies the accountability of the responsible party, whether the organization, government, or a private entity, to protect any information that may be related to all transactions from unauthorized use, mishandling, and/or disclosure. 

How Does One Understand and Appreciate The Need For Privacy? 

A company’s data privacy can be interpreted as the confidence towards the organization in communicating sensitive data or information to its customers and partners. As such, companies that want to be considered most trustworthy will have to be reliable enough and have the integrity to follow data privacy protocols. This way, consumers can be reassured that their data is taken care of while they are using the company’s services. Secondly, data privacy also has to do with keeping suppliers and other business operations well within the law by ensuring compliance with regulatory requirements.

Data Privacy For Businesses and Organizations

Importance of Data Privacy

A business or organization must establish certain rules governing the use of private data for marketing, product research, customer contact, and evaluation, etc. For instance, when these valuable data are stored in company computer systems, the company and its employees are bound to respect the privacy set by data protection laws and make it impossible for anyone to commit unethical and illegal breaches. 

Whether you are a business or a consumer, how do you ensure your data is protected? 

You can guarantee security for your data through a security program installed into the organization’s computer and network system. There are many companies providing data security services to keep private information private and safe and ensure that the protocols follow state or federal laws. An organization’s IT department should be able to maintain the data privacy protocols regularly. This will keep the system running as smoothly as possible without the constant imminent threat of a data breach. 

Summary

Data privacy compliance is highly necessary for organizations to avoid breaking the law or risking their businesses and their clients’ personal information. Users are advised to follow basic personal data protection like using passwords whenever they transfer personal information online and use safety protocols when using public networks. It is up to the user to implement data privacy into the system and follow professional data security advice.

Find out which privacy laws impact your business. Metaverse Law specializes in privacy, data protection, and cybersecurity law to assist startups and multinationals across the country in the high-tech, digital marketing, healthcare, and e-commerce industries with their privacy and data security obligations. Visit us here today to learn more!

Image of virginia state and shield. Virginia has a new data privacy law.

Virginia Governor Signs Comprehensive Data Privacy Law

California Privacy Law, CCPA, Privacy Law , , , ,

Image Credit: Kjrstie from Pixabay.

Following hot on the footsteps of the California Privacy Rights Act, Virginia Gov. Ralph Northam (D) signed the Consumer Data Protection Act on Tuesday, making Virginia the second state in the U.S. to pass a comprehensive data privacy law. Below, please see our comparison of the the California Consumer Privacy Act and the Virginia Consumer Data Protection Act.

CCPA-VCDPA ChartDownload
California Consumer Privacy Act
(CCPA)		California Privacy Rights Act
(CPRA)		Virginia Consumer Data Protection Act
(VCDPA)
Date of effectJanuary 1, 2020January 1, 2023January 1, 2023
Law applies toA “business” that meets at least one threshold below:
• Generates over $25M in annual gross revenue;
• Handles the records of at least 50,000 California consumers; or
• Generates over 50% in annual revenue from sales of consumer data		Same as CCPA, except the threshold for handling records of California consumers increases from 50,000 to 100,000.Applies to businesses that
• Handles the records of at least 100,000 Virginia consumers; or
• Handles the records of at least 25,000 Virginia consumers and derives over 50% in gross revenue from sales of consumer data

Definition of personal data		Any information that could be associated or linked with a particular consumer or household.Same as CCPA, except that there is a reasonableness element:
Any information that could be reasonably associated or linked with a particular consumer or household.		Limited to particular consumers.
“Any information that is linked or reasonably linkable to an identified or identifiable natural person”
Definition of sensitive personal dataDoes not define sensitive personal data.Defines sensitive personal data to include:
• Social security number
• Driver’s license
number
• Account log-in, debit,
or credit card number in combination with password or PIN
• Precise geolocation
• Racial/ethnic origins
• Religious or
philosophical beliefs
• Union membership
• Contents of e-mails or
texts to others
• Genetic/biometric
data
• Health information
• Sex life/sexual
orientation data		Defines sensitive personal data to include:
• Racial/ethnic origins
• Religious beliefs
• Mental or physical
health diagnosis
• Sexual orientation
• Citizenship/
immigration status
• Genetic/biometric
data
• Children’s data
• Precise geolocation
Consumer rights• Access
• Deletion
• Non-Discrimination
• Opt-out of:
o Sale of personal data		Same as CCPA, with the addition of rights to:
• Correct personal information
• Limit the use of
sensitive personal information		• Access
• Correction
• Deletion
• Port
• Opt-out of:
o Targeted advertising
o Sale of personal data
o Profiling in furtherance of decisions that produce legal effects
Data Privacy Impact AssessmentsNo requirement to conduct or document.No requirement to conduct or document.Controllers must conduct and document data protection assessments for the following activities:
• Targeted advertising
• Sale of personal data
• Profiling
• Sensitive data
• Catch-all: any data that presents a “heightened risk of harm to consumers.”
Data Protection AuthorityCalifornia Office of the Attorney General$10 million allocated per year to the California Privacy Protection Agency (CPPA).
Primary enforcement and rulemaking abilities shift from the California Attorney General to the CPPA.		Virginia Office of the Attorney General
Cure Provision30 days to cure upon written notice of a violation by the California Attorney General’s office.Ability to cure removed from CPRA.30 days to cure upon written notice of a violation by Virginia Attorney General’s office.
EnforcementAdministrative fines ranging from $2,500 per violation to $7,500 for intentional violations.Administrative fines of $7,500 now includes intentional violations and children’s data violations.Administrative fines of $7,500 per violation.
Private Right of ActionConsumers have a private right of action for the unauthorized disclosure of nonencrypted and nonredacted personal information.Same as CCPA.Consumers do NOT have a private right of action.
1 2 3 4 7