Heart of Advice

Insights and best practices for successful financial planning engagement

United States Privacy Laws: A Legal Evolution

Sarah Miller September 3, 2021

Your name. Your date of birth. Your IP addresses. The video your neighbor took of you winning the hot dog eating contest last Labor Day.

Just kidding about that last one. Kind of.

As technology evolves, more data becomes available, and more potential harm results from data breaches that expose personal information. Privacy legislation is the response to that harm, and it has evolved dramatically over the last few years. Here is a snapshot of that progression.

Global Shift Toward Privacy

In 1999, the United States federal government implemented the Gramm-Leach-Bliley Act (GLBA) with the intention of modernizing the financial industry in everything from security policies to privacy. The GLBA’s primary privacy outcome was that certain financial institutions became required to tell their customers about their information-sharing practices and provide an “opt-out” of sharing customer information with third parties.

Regulations didn’t become privacy-specific until three years ago when the EU General Data Protection Regulation (GDPR) took effect to protect individuals inside the EU. The GDPR is known as the most important change in data privacy regulations in 20 years because it impacted businesses across the world by basing its applicability on the relationship between the business and EU consumers. But, because the law is centered around EU consumers, it does not apply to many U.S. companies that don’t do business in or market to the EU.

Despite the GDPR’s inapplicability to some U.S. companies, many correctly saw the consumer rights and operational business requirements contained within the GDPR as indicators of United States privacy trends to come.

California Knows How to Privacy

On January 1, 2020, the California Consumer Privacy Act (“CCPA”) became the first impactful U.S. privacy regulation to resemble the GDPR most closely by giving much broader privacy rights to California consumers (including prospects and employees). If a consumer lives in California and asks a business to reveal, potentially delete, provide an extract of, and/or stop selling that individual’s data, the business must comply if the request isn’t covered by an exemption.

According to the law, California individuals can also sue a business if they are harmed by a company’s security or data breach and can prove that the business failed to maintain reasonable security practices and procedures. In California and in many other states, consumers already had the right to bring suit under data breach law. However, the CCPA’s private right of action provision makes it easier by providing for statutory damages and eliminating the need to prove actual damages in court.

CPRA

While U.S.-based businesses scrambled to prepare for the CCPA, California wasn’t done yet. The state took privacy to the next level through the California Privacy Rights Act of 2020 (“CPRA”), a ballot initiative that becomes operative Jan. 1, 2023, with a yearlong “look back” requiring businesses to include data starting Jan. 1, 2022. It expands the scope of the CCPA by giving consumers additional rights (rectification, restriction against automated decision making), and adds additional business obligations such as requiring risk assessments and prohibiting discrimination. More notably, the CPRA funds a California agency that will make privacy rules, enforce them, and provide residents with related education and guidance (as opposed to the current regime where the state Attorney General is charged with interpreting and enforcing the law).

Virginia Is for Lawyers and Rocky Mountain PII

The same day that businesses must comply with the CPRA, Virginia’s Consumer Data Protection Act (“VCDPA”) becomes effective, followed by the Colorado Privacy Act (“CPA”) in July of 2023. Both the Virginia and Colorado laws create consumer rights similar to California’s, although Virginia doesn’t go quite as far, aligning more closely with the CCPA than the CPRA (of course, with distinctions). In addition, federal law exemptions for GLBA and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that are set to expire in California continue in perpetuity in Virginia, making the law not applicable to certain businesses. In Colorado, the GLBA exemption also continues in perpetuity, but the HIPAA exemption is absent, and the scope of impacted businesses is broader.

Subtleties aside, if a financial institution is prepared for the CCPA and CPRA, it is largely ready for (or exempt from) Virginia and Colorado regulations aside from any state-specific disclosure requirements and other technicalities.

Preparing for New Privacy Laws

While the practical implications of managing state laws are manageable so far, the task is becoming onerous. There are five additional state privacy bills containing equally nuanced language and implications. Luckily, the driver of federal legislation is often conflicting state legislation. Privacy laws are no different. Federal proposals were rolled out by both Republicans and Democrats in 2019 but were stalled until recently when Republicans submitted a largely reintroduced bill this summer. If and when a federal law is passed, it will likely supersede less restrictive state legislation. But the proposals from both parties so far have not been as comprehensive as states like California with more restrictive legislation.

In the meantime, businesses must be prepared to comply with each state’s law unless they are covered by an exemption. Companies should seek counsel on specific use cases and applicability and be forward-thinking in their privacy approach.

Follow the foundational tenets that the state privacy laws intend and implement them into internal policies and procedures. That way, as more state laws evolve, you will already be prepared to comply. Then take a deep breath and keep taking things one state at a time.

DISCLAIMER: The eMoney Advisor Blog is meant as an educational and informative resource for financial professionals and individuals alike. It is not meant to be, and should not be taken as financial, legal, tax or other professional advice. Those seeking professional advice may do so by consulting with a professional advisor. eMoney Advisor will not be liable for any actions you may take based on the content of this blog.

About the Author

As Associate General Counsel, Data Governance and Protection, Sarah oversees the data and privacy legal organization including legal data strategy, data agreements, data governance, and everything privacy related.
