CCPA icon

What’s the State of U.S. State Privacy Regulations?


Understanding and responding to new and emerging U.S. state regulations continues to be a top concern of many of the clients we work with. Those who realize they must bear the brunt of the California Consumer Privacy Act have been working with their technology and business teams for months now to address the regulation’s requirements. With other states following the Golden State’s lead, what’s the likelihood they will successfully pass their own privacy laws? And will the federal government step in to stem the state-by-state approach?

The California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, protects Californians’ rights to have access to and to delete the data companies collect about them. It also allows them to opt out of their data being sold.

While there are a number of existing laws and regulations about data in the U.S., the CCPA is very clear in what it sets out to do and is probably the toughest law that any state has enacted. Because California often leads in innovations, other states — along with the Federal government — are watching CCPA closely.

Here’s a look at what’s happening in other states and also recent news on a movement to advance a federal data privacy law.

Nevada Privacy Law Amended

On May 29 of this year, Nevada Governor Steve Sisolak signed into law Senate Bill 220 (SB 220), which amended the state’s existing law to post an online privacy notice. It prohibits a website or online service operator which collects certain information from Nevada consumers from making any sale of certain information about a consumer, if so directed by the consumer.

SB 220, which skips ahead of CCPA and becomes effective this October 1, imposes a civil penalty not to exceed $5,000 for each violation.

Failed State Privacy Bills

Earlier this year, New York’s Senate Bill SB S5642 set out to require companies to strengthen its state’s data privacy safeguards. The NY Privacy Act, as it was called, was meant to address how online platform and social media firms process personal data. The bill would require companies to attain consent from consumers before they share and/or sell their information by acting as fiduciary entities.

Ultimately, the bill failed to gain support in recent months due to lobbying efforts.

Other states also tried and failed this year to get new data privacy regulations off the ground, including the Washington Privacy Act and the Texas Consumer Privacy Act.

New Calls for Federal Involvement

On September 10, CEOs of well-known companies that include American Express, JPMorgan Chase & Co., Salesforce and other “Business Roundtable” members, signed a letter addressed to Majority Leader Mitch McConnell and Speaker of the House Nancy Pelosi, et al, to “pass, as soon as a possible, a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy.”

The letter includes a five-page Framework for Consumer Privacy Legislation that identifies key issues a federal consumer privacy law should address, including covered organizations, the definition of personal data, individual rights, governance and enforcement.

It’s too early to tell what effect this letter will have on the federal landscape — but 2019 feels like a pivotal year, as data-rich companies, several states and weary consumers all demand action. With day one of CCPA being less than four months away, all eyes will surely look to its successes, challenges and litigation as a possible route for charting the next best course.

CCPA in the News this Week

We’ll continue to use our data management consulting practice and our blog as a way to keep our clients and industry peers aware of what we’re learning and recommending.

For recent updates to U.S. state data privacy regulations, the National Conference of State Legislatures’ Consumer Data Privacy Legislation page is a good one to bookmark.

Here’s this week’s CCPA news of note, courtesy of the LA Times: On Tuesday, Alastair Mactaggart, the founder and chair of Californians for Consumer Privacy, announced a 2020 ballot measure to strengthen Californians’ control over the collection of their health and financial data, with stiff penalties proposed for companies that wrongly share and sell data about children.

If you’d like to catch up on previous CCPA perspectives from First San Francisco Partners, here are two places to start: