The CCPA Domino Effect
The California Consumer Privacy Act (CCPA) went into effect in January 2020 and set forth standards that radically changed and improved the way consumer data is protected. With the constant threat of data breaches, the CCPA has initiated a domino effect, triggering other U.S. states to follow suit. Many states, including Virginia, Nevada, Florida, Washington, and Texas, are proposing their own privacy bills, with requirements similar to the CCPA, while others already have passed a CCPA doppelgänger:
Virginia: The Virginia Consumer Data Protection Act (VCDPA) applies to any company that does business in the state, handles data of more than 100,000 consumers, and gets 50% of its revenue from the sale of consumer data. While it appears to be a combination of EU’s General Data Protection Regulation and the CCPA, this act has a much broader exception for uses of personal data. Under VCDPA, consumers have a right to access, correction, deletion, and opt-out options, as well as sale of their personal data. However, it also has different definitions to a number of terms like “personal data” and “sale”, which could provide companies with some flexibility to use consumer data as they see fit.
Nevada: Though rooted in the CCPA, the Nevada data privacy law (known as the Senate Bill 220 or SB220) has a narrower scope in various terminologies. The primary difference is that SB220 only allows consumers the right to opt out from companies selling or using their personal data. SB220 applies to any internet website or online service provider that caters to the residents of Nevada. Unlike the CCPA, SB220 is not very stringent in defining what constitutes personal information and what companies can sell.
Nebraska: The Nebraska Consumer Data Privacy Act is very similar to the CCPA, with minor differences. Like the CCPA, Nebraska consumers have the right to access, correction, deletion, opt-out options, etc. In addition, it also requires companies to include a “Do not sell my personal information.” link on its homepage and provide some means of submitting a request to opt-out from selling consumer data. Again, like the VCDPA and SB220, terms like “sale” and “personal data” are a bit ambiguous in their definitions.
New York: The New York Privacy Act (NYPA) is considered as a “groundbreaking” law as it is substantially broader in scope as compared to its counterparts in California and Virginia. An important element of the NYPA is the consumer rights, which is more extensive than other bills and provides unparalleled rights to consumers. The NYPA expects businesses to take on the role of a loyal and caring fiduciary, ensuring their operations do not harm consumer interests.
Privacy bills proposed in Florida, Washington, Oklahoma, and Texas that were similar to the CCPA have all failed to pass. However, they have not been completely abandoned, and it is believed that revised bills may be reintroduced in the near future.
At this juncture, it is difficult to anticipate which states will pass their own privacy laws, but one thing is certain, as long as data breaches continue to be a constant threat, it will not be long until the next data privacy domino falls.
Citrin Cooperman can help businesses to navigate through the complexity of the various compliance laws. Contact us today to talk with our team of experienced professionals who understand the increasingly complex data privacy landscape like no one else: Kevin Ricci at kricci@citrincooperman.com or Michael Camacho at mcamacho@citrincooperman.com
Related Insights
All InsightsOur specialists are here to help.
Get in touch with a specialist in your industry today.