When consumers experience a “breach” of certain categories of information, state laws have required organizations to notify those affected and, in some instances, to also notify state agencies, consumer reporting agencies, and the media. A growing number of states—including California, Colorado, Connecticut, Maryland, Massachusetts, Texas, and, most recently, New York—have gone a step further, requiring organizations to develop and implement “reasonable safeguards” to secure the personal information they collect and use.
With the passage of the California Consumer Privacy Act (CCPA), California is taking US privacy and data security law to the next level. The CCPA, which takes effect on January 1, 2020, requires organizations not only to secure data and provide notification in the event of a breach, but also to develop programs to manage the comprehensive set of rights that the CCPA provides to consumers (and potentially employees). The CCPA imposes a one-year lookback period from the time a consumer requests access to their personal information and mandates that a business provide responsive materials “in a readily usable format that allows consumers to transmit [the] information from one entity to another without hindrance.”
In practice, the “lookback period” found in CCPA Sections 1798.130(a)(5)(B) and 130(a)(5)(C) requires that for the preceding 12 months, the company must disclose (i) the categories of personal information it has collected about consumers, (ii) a list of the categories of personal information sold about consumers, and (iii) a list of the categories it has disclosed about consumers for a business purpose. This is the core of what most people consider the lookback period requirement. To protect consumers who exercise their rights under the CCPA, the law generally prohibits businesses from charging different prices or rates to consumers, providing different services to them, or denying them goods or services because they exercised their CCPA rights.
In the wake of the CCPA, other states such as Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, and Rhode Island have proposed similar legislation. At the federal level, the Privacy Act of 1974 (5 U.S.C. § 552a) protects personal information held by the federal government by preventing unauthorized disclosures of such information, and the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) protects personal financial information collected by consumer reporting agencies. Given the sweeping privacy reform in the states, changes at the federal level are anticipated.
As data protection and privacy law reform are set to be among the most important legal developments in 2020, business law attorneys will have a significant opportunity to counsel clients about the proper implementation of laws like the CCPA. One way to ensure compliance is to have clients review their current methods of data collection to see if their privacy policies need to be updated. Attorneys should ask their clients questions like:
- What kind of consumer information do you collect?
- How can a visitor request changes to personal information obtained by you?
- Does your target market extend beyond the United States of America?
Whether you live in California or another state that is contemplating changes to its privacy laws, be proactive and get the conversation started with your clients today. Download our free privacy checklist and worksheet that you can share with current or prospective clients.