Data privacy laws are constantly changing, and the nation is currently experiencing an onslaught of proposed legislation, which aims to place new standards for the handling of consumer data. Although businesses across the world are continually becoming adjusted to the changes brought by the General Data Protection Regulation, the United States is welcoming its own laws. The General Data Protection Regulation is the European Union’s law on data protection and privacy, and the United States seeks to follow its lead and consequently revolutionize the way companies engage with user data.

Understanding newly proposed laws is important, but it is equally important to understand laws that have been recently implemented. Here, we will discuss some of the most recent internet privacy laws and what data security laws you can expect in 2021.

The EU’s General Data Protection Regulation Changed the Way Digital Data Can Be Interacted With

With the passing of the General Data Protection Regulation, the goal was to shift control from companies to consumers, as it pertains to the use of their personal data. Compliance with the regulation forced global adjustments in the management of sensitive data. These changes, occurring within the EU as well as around the world, include:

• All users should be able to be aware of how their personal data is not only collected but also used.
• Users have a right to understand the terms of how their data is collected.
• Users have a right to refuse consent and/or be able to withdraw their consent.
• Companies must be able to explain why they are seeking to collect the user’s personal data.
• Companies cannot force users to consent to the collection of personal data by refusing them service or limit services.

Although the U.S. federal government is drawing inspiration from the EU’s General Data Protection Regulation, each individual state is also drafting its own laws that include one or more of the aforementioned concepts. While many of the themes are similar, i.e. consumer (personal) vs. company rights; the legal structure varies i.e. opt-in under GDPR, vs. opt-out under CCPA.

California’s Consumer Privacy Act (CCPA)

The State of California enacted a new privacy law, AB 375, that although it did not affect security as much as the EU’s General Data Protection Regulation, it still affects all those who conduct online business with California consumers.

As of mid-2018, California passed a privacy act, which could have substantial repercussions on companies across the United States, more so than the EU’s privacy law. The state’s consumer privacy act has broadened the interpretation of what constitutes consumer private data. For the law, the challenge has become to locate and secure the user’s private data. It also broadens the notion of sale of the consumer’s data to include a broader range of exchanges and collaborations beyond a simple outright sale.

Under California’s Consumer Privacy Act, any consumer can request to see the information that a company or private organization has collected from them. Consumers also have a right to see a list of all parties the data has been shared with. Additionally, California law allows all consumers the opportunity to file a lawsuit if a company collecting their data has violated privacy guidelines, even when there hasn’t been a breach.

It is important to be aware of California’s Consumer Privacy Act, as all companies that serve California’s residents and earn revenue of at least $25 million are subject to compliance. Additionally, companies of all sizes that have data on a minimum of 50,000 consumers or earn at least half of their revenue from the sale of personal data are also subject to law compliance. These companies do not have to operate from California to be subject to regulations. These companies also do not have to be based within the United States.

The Consumer Data Privacy and Security Act of 2020

In March of this year, the Senate Commerce Subcommittee on Consumer Protection introduced the Consumer Data Privacy and Security Act of 2020. The act joins other proposed legislation seeking to establish a comprehensive federal data privacy framework. For the most part, this act is not as rigid as California’s Consumer Protection Act or EU’s data privacy law. The new federal legislation is seen as business-friendly, in particular to small and midsize businesses. While the legislation seeks to observe the rights of consumers, it reduces the burden on smaller businesses by absolving them from certain obligations.

The following are top highlights of the Consumer Data Privacy and Security Act of 2020:

• Unlike California’s legislation, the federal data privacy law does not penalize businesses for being successful. To avoid potentially hurting commerce, the legislation has allowed mid-sized businesses to circumvent compliance obligations the same way smaller businesses have.
• The federal privacy law expressly preempts local laws related to the security or privacy of sensitive personal data. In spite of this, the following local laws cannot be preempted to the degree that they do not conflict with federal protection laws: (a) breach of data notification; (b) standards of public safety or fraud; (c) criminal and civil procedure; (d) as defined by FERPA, laws that address the privacy of students; (e) employment laws; and (f) laws that protect a person against discrimination.
• Small businesses are exempt from observing a person’s right to access as well as the right to corrections and information accuracy.
• Consistent with already established privacy laws, the federal data privacy law requires applicable parties to make privacy policies available in clear and noticeable locations. These policies should also be written in a manner that is easy to understand for the average user. Furthermore, applicable parties must also make previous privacy policies publicly available.

In addition to CCPA California passed the California Consumer Privacy Act, Proposition 24 this past November that amends the CCPA and help provide a framework with funding and a 5 member CA Privacy Protection Agency for state and federal privacy enforcement, new definitions for sensitive data with limits on use and sharing of that data; and expanded breach liability.

Consult With a Knowledgeable Attorney About Making Your Company Compliant With Data Privacy Laws

Privacy laws in the United States are constantly changing, and when doing business in the country, it is necessary to ensure data privacy laws are being observed. To be compliant with new and existing data privacy laws, qualified legal counsel should be obtained.

Whether your company is based in the United States or not, you may need to be compliant with state and federal regulations as it pertains to data privacy. To avoid being penalized for breaching or violating data privacy laws, speak to a qualified internet security attorney right away.

Technology Attorney John P. O’Brien has many years of dedicated experience helping businesses remain compliant with ever-changing data privacy laws. Attorney O’Brien understands that now more than ever, companies are being held strictly responsible when handling user information. Even in the slightest mishap, company’s can suffer dire consequences. Consider retaining the legal services of Attorney John P. O’Brien – contact the firm today to schedule a complimentary consultation.