The General Data Protection Regulation (GDPR) seems to have set off a global rush for other countries to seek ways to protect their residents’ private data. The United States is no exception, with several states following suit behind the European Union.
Political leaders everywhere have monitored the effects of GDPR, especially since it features fines that reach 4% of global revenue for businesses around the world. So far, global data science programming and machine learning programs using EU data have taken a more profound hit than other businesses. The impact on this sector could affect factors involving the deployment of new technology in major markets outside and inside the EU.
What Are U.S. Political Leaders Doing to Develop Data Privacy Laws at the National Level?
In the summer of 2018, immediately following the May 2018 GDPR enforcement deadline, data security plans in the U.S. were already underway. Democratic Senator Mark Warner set to work developing a list of policy options for national legislation regarding data privacy and security, according to The Hill. The Senator recommended a “comprehensive GDPR-like data protection legislation.”
Here are a few key points made in the document proposing U.S. national privacy law.
- The U.S. may adopt requirements and rules that resemble those of the GDPR, which include:
  - Data portability
  - 72-hour data breach notification
  - The right to be forgotten
  - First-party consent and other data protections
- Additionally, business processes handling personal data must use pseudonymisation or full anonymization.
- Many other national leaders are seeking data regulation to protect U.S. consumers.
Regulatory Changes in Data Protection Are Likely to Come State-By-State in the U.S.
Several state legislatures across the U.S. have stepped up to lead the path to data privacy. State regulatory bodies are introducing ambitious, far-reaching proposals to protect consumer data privacy. There are plenty of examples of this state-by-state movement for data privacy.
California was one of the first state legislatures to pass a large-scale, comprehensive privacy measure, mirroring the GDPR. In June 2018, just one month after GDPR’s deadline enforcement date, the California Consumer Privacy Act (CCPA) of 2018 passed.
The CCPA was proposed only a week before it passed, and it went through unanimously. In a rare and encouraging turn, the desire to protect constituents’ data trumped standard partisan gridlock. Set to come into effect in 2020, the CCPA focuses on consumer rights regarding data at its point of collection.
While California has led the states’ charge to data privacy and security laws, it is not the only state taking action. Learn more about how two other states are tackling this important matter effectively and on their own terms.
In June 2018, Vermont passed its own Data Broker Law, making data brokers subject to registration and security requirements, as of January 1, 2019.
Within this law, there are three important points:
- A broad statutory definition of a “data broker.” A data broker is an individual or business that collects and sells or licenses the brokered personal data of a consumer, even if there is no direct business relationship.
- Reporting on data broker security breaches. The Vermont law lays out a specific definition of “data broker security breaches,” which is included in the annual registration. The definition here states that a data broker security breach is “an unauthorized acquisition, or a reasonable belief of an unauthorized acquisition of more than one element of brokered personal information maintained by a data broker.” Further, it covers data that has not been encrypted or otherwise made unreadable or unusable by an unauthorized party.
- An annual registration requirement for all data brokers in Vermont. Data brokers must register each year with the state of Vermont.
While many other states are developing data privacy laws, Colorado has adopted an unprecedentedly strict consumer privacy law with the Colorado Consumer Protection Act (CCPA) to protect residents’ personal data. Colorado’s lawmakers have taken notes from at least 31 other U.S. states that have adopted heightened security measures to shepherd consumer data.
The CCPA mandates that any private company or public agency that stores personal data of Colorado residents must have a data protection policy. Under the policy, each organization must also have an efficient breach notification system. Further, the business must also have the ability to destroy the data once it is no longer needed.
All businesses, regardless of size, must comply with the CCPA, as long as that business has customers in Colorado. The business can be located anywhere. It only matters that the business has customers residing in the state.
Although the CCPA is a huge move toward unrivaled data security in the U.S., the Colorado legislature has stayed busy working to tighten measures. Lawmakers in Colorado passed the Protections for Consumer Data Privacy (PCDP), known as House Bill 18-1128, which went into effect on September 1, 2018. This landmark piece of legislation has set forth tighter notification requirements. The CCPA has also set the new standard for developing and maintaining effective information security measures to protect personal data assets.
Is Your State Making Huge Strides in Data Privacy Legislation?
State and national lawmakers show no sign of slowing down efforts to write and enact new legislation to protect consumer data. Several other states, including New Jersey and Massachusetts, are definitely hot on the heels of states like California, Vermont, and Colorado.
Where is your state in the effort? Are you facing new legislation with which you must comply to protect your customers and your business’s brand? Our team at I.S. Partners can help you stay up to speed on where your state is, regarding data security and privacy laws. We can also help to ensure you are fully compliant.