California Isn’t The Only State Getting Busy With New Privacy Laws

The California Consumer Privacy Act (CCPA) grabs most of the attention, but other state privacy laws are cropping up across the nation.

More than a dozen states either have new data protection regulations on the books or in committee, from Nevada, Maine, Pennsylvania and Connecticut to Massachusetts, New Jersey, Illinois and Maryland, said Gary Kibel, a partner at Davis & Gilbert, LLP.

“And there’s a likelihood that we’ll see more coming,” he said. “States are looking at what’s happening in California and thinking, ‘Huh, we could do something like that, too.’”

Although the California law is by far the most robust and wide ranging, marketers and ad tech companies shouldn’t assume that if they’re ready to comply with the CCPA they’ll automatically be safe across the board.

“Some people are doing that, and it’s to their detriment,” Kibel said. “People need to take a closer look at each one of these other laws to see if there’s something unique that applies to their business.”

Here’s a quick and dirty guide to the privacy laws coming to a state near you.

California (goes into effect on Jan. 1, 2020)

The CCPA is an opt-out law, other than for the personal information of children under 16, which requires an opt-in.

The law has a broad definition of what constitutes personal data – it includes IP address, browsing history and geolocation – and applies to any business with $25 million or more in revenue that derives over half of that revenue from buying, selling, receiving for sharing the personal information of 50,000 or more consumers. Consumers are defined as residents of California as per the state tax code.

Starting on Jan. 1, 2020, businesses that are subject to the law will have to start providing a prominent “Do Not Sell My Data” button on their homepage. Consumers also have a right of access and deletion. Companies will have 45 days to comply with these requests.

Mess up and a business could be on the hook for up to $2,500 for each unintentional violation and $7,500 for each intentional abuse.

“The California law puts a big focus on ad tech and the broader reach of companies that might use ad tech, like retailers,” said Dominique Shelton Leipzig, a partner at Perkins Coie. “In a sense, it’s like the whole ad tech ecosystem is on display here.”

Several amendments to the law are still outstanding and lobbyists continue to push for late-in-the-day changes before the effective date hits.

Nevada (Goes into effect on Oct. 1, 2019, three months before CCPA)

Nevada’s law gives consumers the right to prevent online service providers and website owners from selling specific types of personal information about them to third parties, including their name, address, email, phone number and pseudonymous data, which is data that’s been anonymized but can be reidentified without a huge amount of effort.

The scope of the Nevada law is more limited than CCPA. California, for example, applies to any online and offline business that touches a California resident’s data, while Nevada only applies to online businesses that purposely direct their activities at Nevada residents.

But the penalties are no joke. The Nevada attorney can levy up to $5,000 per violation.

Maine (Goes into effect on July 1, 2020)

Maine’s law is narrow, but it’s a big deal for internet service providers. Any ISP located in Maine that provides broadband service to a customer physically located in the state has to get clear opt-in before using, disclosing, selling or giving access to a customer’s personal information, and a consumer has the right to take away consent at any time.

The law echoes the now defunct ISP privacy rules passed by the Federal Communications Commission that were later repealed in 2017 by President Trump.

Pennsylvania (Introduced in April, referred to the Pennsylvania state House, will take effect immediately if passed)

Almost identical to the CCPA, the Pennsylvania law requires full disclosure of what data a business collects and gives consumers the right to request deletion and opt out of the collection and sale of personal information. The main difference is that Pennsylvania also applies to businesses with $10 million in revenue, far less than the $25 million threshold under CCPA.

What about the rest?

Other states are at various stages with their own privacy and data security laws.

Some states, like Oregon and New Jersey, are updating their existing information protection laws to clarify the difference between controllers and processors, for example, or to shore up their breach notification requirements.

Other states, such as Maryland, have drafted online consumer protection acts that are still in limbo waiting for the legislature to come back into session.

What to do?

There are a lot of moving parts to keep track of, which is why it’s vital for companies to create a “topline compliance program,” which should help them comply with whatever comes down the pike without major disruption, said Shelton Leipzig.

“It’s better than lurching from privacy law to privacy law every time a new one comes out,” she said.

Step one, designate someone in the company whose job it is to be in charge of privacy and data management. Second, conduct an internal audit to inventory every piece of personal data that the business touches, from IP addresses to device IDs.

“Spoiler alert, it’s all considered to be personal information under these laws,” Shelton Leipzig said.

Next, do a data privacy risk assessment followed by an impact assessment of any high-risk data processing, like location data, health data or children’s data. Phase five involves developing a mitigation plan complete with external policies and procedures, privacy notices, disclosures, cookie policies and internal data governance documents.

Last, companies should keep an auditable record of everything that they do – and then keep going through the steps at least annually and after any major product launch, Shelton Leipzig said.

“Once you have a program like that in place, when a new state passes a law you can more easily make tweaks,” she said. “It’s the only way to tackle it, otherwise you’re just putting Band-Aids on and constantly waiting for the other shoe to drop.”
