chevron-down Created with Sketch Beta.
    May 30, 2019 Practice Points

    Navigating Privacy Laws as the Landscape Shifts

    A roundup of recent state proposals and tips on how businesses can comply with new laws.

    By Stephen Breidenbach

    With the California Consumer Privacy Act of 2018 (CCPA) approaching its operative date, other states have begun introducing bills that govern the use of consumer information.  As these bills are approved or near enactment, it may be time to counsel business clients to review their internal practices to ensure they have the necessary infrastructure to readily address new requirements. 

    While each proposed law is slightly different, there are some similarities. One of the biggest similarities is the definition of personal information. Under some of these new laws, the definition of personal information follows the broader meaning found in the European Union's General Data Protection Regulation (GDPR), namely: "information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household." Therefore, any information that could be associated with an individual (e.g., email addresses) will need to be handled in accordance with these similar definitions.

    Additionally, many of these laws provide consumers with similar protections. If passed, some of these laws will require businesses to disclose more information on how they handle customer data, including but not limited to (1) to whose customer information is provided, (2) where the business gets its information, and (3) how the business uses each type of information. Further, some of these laws, if passed, will require businesses to maintain data in such a way that they can readily delete the information upon a consumer's request and provide consumers with a readily useable copy of their information.

    Notably, while there are similarities, each of these proposed laws has unique elements and, if passed, will need to be reviewed for purposes of conducting business in those states. Some differences to note are as follows:

    • Hawaii's SB 418. This law would give Hawaiian citizens several of the privacy rights provided by the CCPA, but unlike the CCPA, which applies to business that meet certain thresholds (such as having annual gross revenues more than $25 million, among other things), SB 418 would apply to all businesses collecting information from Hawaiians.
    • Texas's Texas Privacy Protection Act (HB 4390). HB 4390 provides that when a business collects information directly from a consumer, it may not perform any operation, including the collection, on that consumer's information unless the consumer has explicitly consented to that operation.
    • Washington's Washington Privacy Act (SB 5376). SB 5376 requires any natural or legal person who determines what operations to perform on personal data (controller) to conduct written risk assessments whenever the controller's processing of personal data would create material risks to the individual, and at least annually. These risk assessments must consider a number of factors, including the type of information being processed; the type of processing; and the benefits to the controller, consumer, and others derived from the processing. These factors must then be balanced against the risk to the consumer.

    The process of complying with various laws can seem difficult, but it is not insurmountable with preparation. Companies looking to comply can begin by inventorying their data and creating a data map. When inventorying data, businesses should account for several details, including

    • what data the company collects,
    • where the company stores the data,
    • why the company collects the data, and
    • how the collection occurs.

    The data map should be a graphical representation of these facts and show such additional details as how data is transferred between devices and with whom the data is shared. Such documents will be in an invaluable tool as privacy laws continue to evolve and a business's data practices develop.

    List of Related State Bills

    • Hawaii's SB 418
    • Maryland's Online Consumer Protection Act (SB0613)
    • Massachusetts's SD 341
    • Mississippi 's The Mississippi Consumer Privacy Act of 2019 (HB 2153)
    • New Mexico's SB 176
    • New York's S00224
    • New Jersey's S2834
    • North Dakota's HB 1485
    • Rhode Island's S0234
    • Texas's Texas Privacy Protection Act (HB 4390)
    • Washington's Washington Privacy Act (SB 5376).

    List of Proposed Federal Bills

    Stephen Breidenbach is an associate with Moritt Hock & Hamroff LLP in Garden City, New York.

    Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).