The Future of Data Privacy in the United States
Analyzing the state of privacy regulation, including the CCPA, Nevada’s privacy law, and bills introduced in New York and Washington State
As demonstrated by the €183 million fine facing British Airlines, data privacy issues and corresponding regulations are some of the greatest challenges that companies face today. While companies affected by the GDPR have felt the initial wave of fines, requirements, and standards, privacy is now an international issue.- Advertisement –
The US has already started on a path toward revolutionary privacy regulation. With laws passed in California and Nevada and bills planned in many other states, companies should expect to be impacted within the coming months.
This article breaks down the crucial parts of each state’s privacy regulation law/bill — including who they cover, when they take effect, penalties, how to achieve compliance as well as why states took the reins before the federal government to protect consumer’s personal data.
The CCPA
As one of the first privacy laws passed after the GDPR, the CCPA is acting as the blueprint for other bills in the US. Effective January 1, 2020, the CCPA applies to a business that collects/processes California residents’ personal data or does business in California.
These businesses are subject to the CCPA if they either:
- Exceed a gross revenue of $25 million
- Buy, receive, sell, or share (combined total) personal information of 50,000 or more consumers households, or devices
- Gain 50% or more of annual revenue from selling consumer’s personal information
The CCPA grants rights to consumers similar to the GDPR, including the disclosure of personal information and requests for personal data. Businesses are required to respond to verifiable consumer requests with information, such as categories and data of personal information, third parties, and categories of third parties with which data is shared, and more.
This section, known as data subject requests (DSR) grants users access to and deletion options for their personal information. Also, the CCPA requires that businesses display a “Do not sell my personal information” link on their homepage.
The CCPA will be enforced by the Attorney General and includes fines up to $7,500 for each individual violation.
Nevada’s Privacy Law
Nevada’s privacy law was signed in on May 29, 2019, but is effective on October 1, 2019, three months before the better-known CCPA. The laws are very similar but have a major difference in how “sale” is defined. Nevada’s law is narrower, not covering all service providers and being more lenient on financial institutions.
According to InfoLawGroup, the CCPA and Nevada law are similar in that both require “businesses to come up with a process to verify the legitimacy of a consumer opt-out request and require businesses to respond to the request within 60 days.”
Similar to California, Nevada’s enforcement lies with the Attorney General and includes fines of up to $5,000 per violation.