by Ishita Sethi
Federal consumer privacy legislation has been discussed for decades, even though individual States in the United States have sole control over consumer privacy laws. However, it appears that Congress has made some headway with the American Data Privacy Protection Act (“ADPPA”), which has been described as a historic piece of U.S. Federal privacy legislation following in the footsteps of the GDPR, and which is discussed in this article.
Data today fuels an expanding number of enterprises. Personalised customer experiences, automated marketing messages, and science-driven insights all depend on the quality and quantity of the information a company holds, so it is no surprise that companies are keen to collect data. On the other hand, legislators are concerned with safeguarding people’s safety and privacy. Businesses frequently encounter difficulties when attempting to comply with data privacy laws, because these laws require strict access restrictions to safeguard sensitive personal data.
It is crucial to protect sensitive data and private information. Information about finances, health, and other private consumer or user data can put people in danger if it falls into the wrong hands. Individuals may be at risk for fraud and identity theft due to a lack of access control over personal information. A government data breach may also jeopardise the security of the entire population. Data protection rules thus become relevant in this situation. Cybersecurity is a developing problem as a substantial amount of our lives and activities take place online.
No other US data privacy law has advanced as far in the federal legislative process as the American Data Privacy Protection Act (ADPPA). The law has made enough progress and has garnered enough support that it merits further examination, even if there is still a long way to go and uncertainty about its prospects. The bill is supported by both Republicans and Democrats in the House and the Senate, and if it is passed, it may fundamentally alter the US privacy landscape.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is, to date, the most thorough state law covering data privacy. It was enacted on June 28, 2018, and came into effect on January 1, 2020. The CCPA is a piece of cross-sector law that establishes crucial definitions, extensive individual consumer rights, and onerous obligations on organisations or individuals who gather personal information from or about California residents. These obligations include notifying data subjects when and how their information is acquired and granting them access to that data, along with the opportunity to modify or delete it. This notification must be included in a privacy statement posted on the website of the organisation that collects the data.
California Privacy Rights Act (CPRA)
Businesses were not happy when a California real estate agent’s name appeared on a ballot question for the California Consumer Privacy Act. Alastair Mactaggart ultimately gathered enough signatures to submit a citizen’s initiative, which bypassed the standard legislative procedure requiring approval from the California Assembly and Senate. Once it was over, it was evident that the populace had spoken. The nation’s first comprehensive privacy law required businesses to adjust their operations, which was a bitter pill for them to swallow.
The CPRA thus amended the CCPA to include the following:
- Right to rectification: This expands and refreshes the consumer’s ability to change incorrect personal data.
- Right to restriction: This gives customers the opportunity to regulate how their sensitive personal information is used and disclosed.
- Sensitive personally identifiable information: This modifies the definition of personal information to include sensitive personally identifiable information. A consumer’s Social Security number is one sort of information that has to be managed with extra care.
The CPRA further:
- Triples penalties for data breaches involving children.
- Expands the scope of a breach responsibility beyond the exposure of unencrypted data to include the revelation of credentials (such as a password or email address) that might be used to access a customer’s account.
- Restricts how long a corporation may keep customer information, allowing only that which is “proportionate” to the purpose for which it was obtained in the first place.
- Requires businesses utilising third-party contractors to contractually require those third parties to protect the data shared with them to the same standard of privacy as the first party.
The California Privacy Protection Agency will have the authority to impose penalties on violators, conduct investigations into privacy infractions, and clarify privacy laws. The five-member board begins implementing the CPRA on July 1, 2023, six months after it becomes law.
Virginia’s Consumer Data Protection Act (CDPA)
On March 2, 2021, Virginia approved the Consumer Data Protection Act (CDPA). It gives residents of Virginia certain rights over their personal data and mandates that businesses subject to the legislation follow guidelines about the data they gather, how they handle and safeguard it, and with whom they may share it.
The terms of the law bear some resemblance to those of the California Consumer Privacy Act and the EU General Data Protection Regulation. It applies to companies that conduct business in Virginia or market goods and services to Virginians while also engaging in one of the following activities:
- Controlling or processing the personal data of 100,000 or more people.
- Controlling or processing the personal data of at least 25,000 customers and obtaining 50% of their income from the sale of personal data.
By acquiring opt-in consent before processing customers’ sensitive data, revealing when their data will be sold, and providing customers with an opt-out option, organisations covered by the CDPA are required to help customers exercise their data rights. Additionally, it mandates that businesses give users a clear privacy notice that outlines their right to opt out of receiving targeted advertisements.
The CPRA, which supersedes the CCPA and is California’s most recent privacy legislation, goes into effect on January 1, 2023, the same day as the CDPA does. Keep an eye on this bill as it develops since it’s conceivable that politicians may change it before then.
Colorado passed a privacy law in June 2020, making it the third U.S. state to do so. Colorado residents have rights over their data under the Colorado Privacy Act (CPA), which also imposes duties on data controllers and processors. It shares certain parallels with Virginia’s recently approved Consumer Data Protection Act (CDPA) as well as California’s two privacy laws, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). It even uses certain concepts and terms from the EU’s General Data Protection Regulation (GDPR).
A right to opt out in some form, specific protections for sensitive data, and the adoption of some privacy-by-design principles are some of the commonalities, but the nuances are where the contrasts really stand out.
Businesses that gather personal information from 100,000 Colorado residents, or from 25,000 Colorado residents while also generating a percentage of their revenue from the sale of that information, are subject to the CPA.
The bill grants Colorado residents five rights once it enters into force:
- The right to object to being profiled, receiving targeted adverts, or having their personal information sold.
- The right to access the information that a business has gathered on them.
- The right to amend any information that has been gathered on them.
- The right to ask that personally identifiable information be erased.
- The right to transfer data (that is, the right to take your data and move it to another company).
The Stop Hacks and Improve Electronic Data Security (SHIELD) Act was approved in New York in July 2019. This legislation amends New York’s existing data breach reporting statute and adds data security obligations for businesses that gather data on residents of New York. The law has been fully in force since March 2020.
This statute expands the definition of consumer privacy and gives New Yorkers stronger protection against personal information breaches. Employers who have access to the private information of New York residents must “create, implement, and maintain adequate procedures to preserve the security, confidentiality, and integrity of the private information,” according to the law.
Utah passed comprehensive consumer privacy legislation in March 2022, making it the fourth state to do so; the law will go into effect on December 31, 2023. The Utah Consumer Privacy Act (UCPA) draws on the Virginia Consumer Data Protection Act, the Colorado Privacy Act, and their California forebears.
The law applies to both data controllers and processors, specifically those earning more than $25 million in yearly revenue that either:
- Control or handle more than 100,000 customers’ personal data each year, or
- Control or process the personal data of at least 25,000 customers and derive more than 50% of the entity’s total income from the sale of personal data.
Consumers are entitled to:
- Access or delete the personal data they have provided, and confirm whether a controller is processing it.
- Demand a copy of their personal information.
- Opt out of having their personal information processed for the purpose of sale or marketing.
Connecticut’s Data Privacy Law
Connecticut is the newest and fifth state to pass a comprehensive consumer privacy law. On July 1, 2023, Senate Bill 6, also known as “An Act Concerning Personal Data Privacy and Online Monitoring” (CTDPA), becomes law.
With few exceptions, the legislation likewise borrows from the statutes of Colorado and Virginia. It applies to anyone who, during the preceding calendar year, either:
- Controlled or processed the personal data of at least 25,000 customers, and received more than 25% of their gross revenue from the sale of personal data.
- Controlled or processed the personal data of at least 100,000 Connecticut residents, excluding residents whose personal data is controlled or processed solely for the purpose of completing a payment transaction.
The law is the first to specifically state that payment transaction data, which is processed by small companies like restaurants and is used to complete transactions, is not subject to the law. Customers have the option to refuse the processing of their data for profiling, targeted advertising, and selling.
Until December 31, 2024, the state grants a 60-day window for infractions to be fixed.
The ADPPA successfully made it past the House committee after receiving the aforementioned revisions. It now has to pass a House vote.
If approved by a House vote, the measure will be filed in the Senate and examined by the Senate Committee on Commerce, Science, and Transportation. If the committee gives its approval, the bill would then move to the Senate floor for a vote and ultimately to President Biden’s desk.
Ishita Sethi is a second-year law student pursuing a BCOM LLB (Hons.) at Jindal Global Law School.
Image Source: DataGrail