2018 was a landmark year in state consumer privacy legislation – the most important in recent memory. The year began with states updating – or in two cases passing their first – data breach notification statutes. But the June passage of California's omnibus privacy law, the California Consumer Privacy Act (CCPA), was a first at the state or federal level. Passage of this law raises the prospect of other omnibus privacy laws passing in other states and has driven consensus in the business community on the need to enact some sort of comprehensive federal privacy law.
Elsewhere, first-in-the-nation privacy laws included Ohio establishing a cybersecurity safe harbor, Vermont imposing state registration and data security requirements on data brokers, and California passing the first Internet of Things data security law. This action-packed year portends even more activity as legislators return for the 2019 session.
Omnibus consumer privacy
California Consumer Privacy Act
June saw the passage of California AB 375, a landmark law that fundamentally altered the US privacy landscape. The CCPA is the first cross-sector law in the US to grant consumers a range of rights over an extremely broad range of personal and even household data, to create class action exposure to statutory damages for data breaches, and to restrict uses of personal data that discriminate against individuals.
However, the CCPA is very confusingly drafted. It was hastily converted from a lengthy ballot initiative, focused on curbing the sale of a broad range of personal data, to a bill that tacked on most of the European GDPR data subject rights. Largely as a result, the CCPA contains an overbroad definition of "Personal Information" that encompasses both employee and household data; a definition of "de-identified data" that appears largely confined to aggregate data; an overbroad definition of "Sale" that raises possible First Amendment issues; unclear exemptions for GLBA-regulated data; a relatively short timeline for businesses to make the operational changes needed to comply; and provisions that would create significant unintended consequences for privacy. For example, the law lacks a clear fraud prevention exemption, meaning that a hacker or fraudster could invoke the same right to delete records about themselves as any other consumer, and it appears to grant all members of a household the ability to obtain location data and financial account information about other members of that household.
Significantly, the CCPA introduces a private right of action for statutory damages following a data breach. Moreover, the law appears to require businesses to be able to retrieve this wide range of "personal information" from across the enterprise in response to a data access or data portability request. Consolidating data in this way makes it potentially more exposed to hackers and to pretext callers (people who impersonate a consumer in order to receive the output of an access request), and thus to data breaches, which in turn could trigger class actions.
AB 375 was introduced and passed in one week, and a number of legislators sent a letter to legislative leadership shortly after its enactment emphasizing the need for further amendments. While a subsequent bill, SB 1121, was passed in late August, it did not go nearly far enough in clarifying the CCPA's confusing drafting or other shortcomings. SB 1121 changed the date on which the Attorney General may begin enforcing the privacy provisions from January 1, 2020 to the earlier of July 1, 2020 or six months following the issuance of the Attorney General's rulemaking, clarified some of the exemptions relating to medical and financial data, and clarified that the private right of action for statutory damages applies only to the law's data breach provisions.
The CCPA is thus a very important but unfinished product. It will likely be amended further by the legislature in 2019, and Attorney General Becerra is required to issue rules interpreting the law, which his staff has stated will occur before the end of 2019. However, because the CCPA's requirements, like the GDPR's, are complex and require significant preparation for operational changes, businesses should begin preparing to comply with the central rights in the bill while staying abreast of amendments and rules as they progress.
Looking ahead to 2019: additional states
We are already seeing the preparation of omnibus privacy bills in several states. While many of these will ultimately not be enacted, businesses should prepare for one or more additional states to pass omnibus privacy legislation in 2019. In particular, entities should watch the proceedings in Washington state closely, where the legislature will be considering bills structured more in line with GDPR than CCPA. This may provide an alternative, clearer model to the CCPA and may offer a counterweight to replication of the CCPA's problems in other states.
Regardless, until the federal government passes omnibus preemptive legislation in this area, there will very likely be a patchwork of laws with which to comply.
Data breach notification
2018 saw a number of states either pass their first data breach notification statutes or modify them in noteworthy ways. Large data breaches are again firmly in the media consciousness; as a result, many states are seeking to update statutes that were passed years ago, including by expanding the range of data elements that trigger notification, setting deadlines for notice or expanding the definition of what constitutes a breach.
South Dakota (SB 62) and Alabama (SB 318) passed their first data breach notification statutes, becoming the final two states to do so. Now all 50 states, as well as Washington, DC, Puerto Rico and several other territories, require notification to affected residents of a breach of specified personal data. Both Alabama's and South Dakota's statutes include a harm trigger, treat "health information" as a data element of personal information (Alabama defines this element more precisely) and provide different notice requirements for breaches of online credentials. Alabama sets a 45-day notice deadline to residents and the state Attorney General's Office, while South Dakota sets a 60-day notice deadline to the resident. However, Alabama has much more detailed content requirements for notices to the state Attorney General's office and to state residents, and includes a 10-day time limit for service providers who maintain personal information that is breached to notify the owner of that information.
Notable updates to other state breach statutes included the following:
- Oregon (SB 1551) modified its statute in a number of ways that increase the difficulty of compliance, but particularly with the addition of the term "possesses," which requires an entity that merely "possesses" personal information and suffers a breach to notify the resident and the state Attorney General. The legislature also added an ambiguous catch-all in the definition of personal information to reach "any other information or combination of information that a person reasonably knows or should know would permit access to the consumer's financial account." The entity required to give notice must do so "no later than 45 days from discovering or receiving notification of the breach of security."
- Colorado (HB 1128) expanded its breach notice law significantly and added data security requirements for both breach notice covered entities and vendors. The breach notice obligations expanded by adding biometric data, health information and online credentials information to the list of breach notice personal information, as well as imposing a 30-day notice requirement from the date of determination to the state Attorney General and to affected residents, "consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system." It requires that all covered entities in the state that "maintain[s] paper or electronic documents during the course of business that contain personal identifying information" create a written policy for the destruction of the personal identifying information when that information is no longer needed. It further requires the covered entity to render the information unusable through shredding, erasing or other type of modification.
- Arizona (HB 2154) completed a significant overhaul of its statute, becoming the first state in the nation to add digital signature keys (private keys used to authenticate or sign electronic records) as an element of breach notice personal information. It also added biometric data, health insurance information and information regarding an individual's medical or mental health treatment as data elements. Persons required to notify state residents now must do so within 45 days of the determination of the breach.
- Louisiana (SB 361) amended its law to add biometric data as a breach data element, insert a harm trigger, add a notification deadline of 60 days from the discovery of the breach and allow for an automatic extension of this deadline upon notice to the state Attorney General.
- As of this publication, the Massachusetts legislature (HB 4806) has sent to the governor legislation that requires rolling breach notice to both residents and the state. The governor has 10 days from the date of transmittal – December 31, 2018 – to sign the legislation for it to become law. He is expected to sign this legislation.
Safe harbor legislation
In June, Ohio (SB 220) became the first state in the nation to pass a cybersecurity safe harbor bill. This legislation allows a company that has suffered a data breach of personal information to present an affirmative defense if it has "create[d], maintain[ed], and compl[ied] with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework…"
Included in the definition of "industry recognized cybersecurity framework" are:
- PCI-DSS standards
- NIST Framework
- NIST Special Publications 800-171, 800-53 and 800-53A
- FedRAMP security assessment framework
The law also conditions the defense on keeping up with the chosen framework: when a listed framework is revised, the program must conform to the revised version within one year of the revision's publication.
This concept is significant because with the advent of data breach statutory damage class actions, it will become even more important to have standards-based incentives for businesses to invest in cybersecurity ex ante, instead of simply preparing to defend enforcement actions. It is our hope that other states serious about improving cybersecurity for their state residents' data will consider adopting similar legislation in 2019.
Internet of Things security
Effective January 1, 2020, California (SB 327) will require manufacturers of most Internet of Things (IoT) and Bluetooth-connected devices to implement one or more "reasonable security features." The law requires that the security feature(s) be (1) "Appropriate to the nature and function of the device, and . . . the information the device may collect, contain, or transmit"; and (2) "Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure." These obligations apply to manufacturers and OEMs, meaning any entity that either a) manufactures or b) contracts to manufacture any device or physical object capable of connecting to the Internet and that is assigned an IP address or a Bluetooth address.
These obligations do not apply, however, to downstream purchasers of connected devices, unless they contracted for the manufacturing of the device. The delayed effective date was intended to accommodate manufacturers of devices in later stages of production as of the date of enactment.
See our alert for a more in-depth description of this law.
The law is likely to drive additional consideration of IoT security legislation in other states. Although not enforceable by the plaintiffs' bar, it may be enforced by the California State Attorney General's office, as well as county, city and district attorney's offices, some of which have records of adopting aggressively broad interpretations of state laws. The law covers most devices sold or offered for sale in California that "connect to the Internet directly or indirectly" and that are "assigned an [IP] address or Bluetooth address," except for devices whose functionality is subject to federal security requirements or enforceable guidance.
Data broker regulation
In 2018, Vermont became the first state to pass a law (H.764) requiring data brokers to register with the secretary of state and to adhere to certain minimum data security standards. Failing to register entails a fine of $50 for each day the company fails to register, with an annual maximum of $10,000; these penalties mirror those a foreign corporation must pay for failing to register to do business in the state.
The statute defines "data broker" as a company that collects computerized, personal information of Vermont residents with whom the company has no direct relationship, and then goes on to either sell or license the information. For instance, a retailer that sells information about its customers is not a data broker, nor is a corporation that sells information about its investors. The second key feature is that a data broker does more than simply collect the information for its own analysis. This means, for example, that an insurance company that purchases consumer data in order to set rates is not a broker, so long as the company does not sell the data it purchased.
An additional feature of a data broker is that the data it sells or licenses must fit the definition of "brokered personal information" (BPI), meaning the information is: (1) computerized (not merely on paper); and (2) organized in a way that makes it marketable to third parties (eg, by categorization). Attorney General guidance states that the data may take the form of lists, such as "People with incomes over $100,000" or "People preparing for weddings."
The law creates exceptions for companies performing certain activities so that they do not fall under the statutory definition of data brokers. Important to note is that a company must be performing only these activities to qualify for the exception. They may be summarized as follows: (1) developing or maintaining third-party ecommerce or application platforms; (2) providing 411 directory assistance or directory information services; (3) providing publicly available information related to a consumer's business or profession; and (4) providing publicly available information via real-time (or near real-time) alert services for health or safety purposes.
Bills that did not pass
Other significant outlier bills were defeated this year. In several states, including Connecticut, Massachusetts, Maryland and Louisiana, Internet service provider (ISP) privacy legislation was introduced but did not pass. This is the third year that ISP privacy legislation was widely introduced in the states, but interest from legislators seems to be waning, just as the DC kerfuffle over the FCC ISP privacy rules has faded over time.
Biometric and geolocation privacy legislation also did not pass. Delaware's HB 350 sought to introduce an approach to biometric privacy modeled on the Illinois Biometric Information Privacy Act (BIPA), an approach that has fueled significant class action activity in Illinois, and a separate bill was designed to regulate geolocation privacy. Given that the FTC's public privacy framework already treats precise geolocation as sensitive data, and given the problems that BIPA has created in Illinois, these bills did not advance.
The CCPA included what can be considered a supercharged version of a right-to-know bill, but no other state moved forward with right-to-know legislation. In particular, Rhode Island HB 7111 was defeated at the very end of session, resulting in the creation of the Rhode Island Online Data and Privacy Protection Commission. It remains to be seen what outcomes the Commission recommends in 2019.
In all, 2018 was the most important year for US state privacy legislation in recent memory. With the passage of the CCPA and subsequent work on that law, as well as heavy media coverage, legislators are becoming more interested in and more educated about the topic. It is incumbent upon all stakeholders (legislators, businesses and consumers) to find a sweet spot that protects consumers in an operationally practical way and avoids unintended consequences.
Learn more about the ramifications of these changes by contacting any of the authors.
*Thomas Kenny is a law clerk in DLA Piper's Technology Transactions and Strategic Sourcing group, based in Washington, DC.