Information Governance Blog

information Governance

First GDPR, now CCPA…What’s next for Data Privacy in the US?

Let’s be honest, GDPR has changed the way that we look at data privacy. When the EU-based compliance regulations came into effect back in 2018, businesses scrambled to get their systems and processes compliant. This included finding a way to enable “‘a customer’s right to be forgotten” meaning they could ask to be deleted from all your databases.

For global companies that hold EU citizens’ data, this was a wake-up call. But this was just the beginning. Since then, a cursory glance over the Legiscan database shows that there are hundreds of pending bills that cover customer data, privacy and cybersecurity regulations across the USA. In addition, with the knocking down of Privacy Shield for US businesses in regard to EU customer data,  GDPR compliance is mandatory for all.

Let’s look at some data privacy regulations that are already in effect, some soon to take effect, and other privacy and data protection laws which are pending:

California: The CCPA

The CCPA is the California Consumer Protection Act, and was the first state data privacy law to be drafted back in 2018, and went live in January 2020, although businesses were given a six month grace period to get themselves ready. The government began enforcing the regulations in July 2020.

The CCPA defines what personal information is, “it could include your name, social security number, email address, records of products purchased, internet browsing history, geo-location data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.”

Businesses are responsible for allowing customers to opt-out of data sharing, as well as providing their own version of the ‘right to be forgotten’ including to whom their personal data has been disclosed. Any violation of customer privacy could result in anywhere from a $2,500 fine for unintentional violations, all the way up to $7,500 for intentional violations.

New York: The NYPA

Similar to California, New York has been trying to push its own legislation, the NYPA, New York Privacy Act. It builds on the precedents set in California to protect consumers. It would allow consumers to know what personal information had been collected and with whom the collectors have shared the information.

However, whereas California has thresholds to meet, the NYPA does not. This means that, unlike with the CCPA, companies would not be protected by having an annual gross income of less than $25 million, or less than 50,000 customers. New Yorkers could also sue companies directly for privacy breaches, rather than through the government.

Interestingly, the New York legislation uses the term “data fiduciaries”, language coined in 2014 by Jack Balkin from Yale University. In practice, this means that companies should be able to hold data, but not use it, the same as a financial entity might handle a customer’s money.

Nevada: The Nevada Senate Bill 229

Nevada signed its own version of a data privacy bill into law in 2019, with strict penalties that could cost up to $5,000 per infraction. The law requires all businesses with a website and Nevada traffic (read: all of them) to offer consumers an opt-out button when it comes to their personal data. The laws only refer to online activities, unlike CCPA, but consumers can demand a response within 60 days, a shorter time frame than the CCPA’s 45+90.

Illinois: Data Transparency and Privacy Act

Set to become active in 2021, Illinois has kept fairly close to the example set by the CCPA. They are planning to provide consumers with a few key rights over their data and personal information. These include:

The Right to Know: Consumers can ask for copies of personal information, and to which third-party affiliates and services their data has been disclosed.

The Right to Opt-out: Similar to Nevada, consumers need to be able to opt-out of data disclosure or third-party processing.

The Right to Correction/Deletion: If any information is inaccurate, consumers can request a correction. In addition, they can ask for their personal information to be deleted.

The Snowball Effect: Many Other States Follow Suit

For some states, it’s not a matter of creating whole new data privacy laws, but merely amending others, allowing new regulations to be enforceable extremely quickly. In Washington for example, businesses now have just 30 days to disclose a data breach to customers, including information such as the timeframe of exposure, and the steps taken to control the breach. Personal information has also been expanded to include combinations of data such as first name or even initial alongside biometric data or electronic record keys.

In Texas, the law has now changed to speed up the amount of time a business can take for breach notification down to 60 days, while in Oregon, this period is just 10 days, and personal information has been extended to include online credentials, a clear gap that needed to be filled.

Maryland, New Jersey, Maine and Massachusetts are also all on the list of States that are working on updating their data privacy laws in line with the CCPA’s example. 

How long do they have in which to disclose information after a breach? What exact information is covered? How can businesses manage multiple data privacy laws over the huge amount of data and myriad of files?

That’s exactly where MinerEye comes in, offering automated simplicity to diffuse a complex web of confusion, both from the perspective of the regulations and from the aspect of unstructured data. MinerEye’s solution for data privacy compliance provides insight, granular visibility and control over your unstructured data, meaning all those attached files uploaded to your site or in email. Without technology such as MinerEye, your option to access the data within those files is primarily via manual searches.

Get ahead of your compliance obligations with an automated unstructured data identification and compliance solution that monitors what files are compliant per regulatory article. It will flag which ones are at risk for non-compliance and make your life a lot easier.

Have a look at our demo and see how easy it can be.