Several states have passed or are in the process of implementing data privacy laws, largely in an effort to put control of consumers’ information back into the hands of the consumer.
Four states — California, Colorado, Connecticut and Virginia — have data privacy laws that are already in effect. There also are states — Indiana, Iowa, Montana, Tennessee, Texas and Utah — where the laws have been passed and are set to go into effect at some point in the next three years. Additionally, there are six states — Delaware, Massachusetts, New Jersey, North Carolina, Oregon and Pennsylvania — where bills relating to data privacy have been introduced and are at different stages of the legislative process.
“One common theme of the various laws is to shift the default for companies that collect and sell consumer data from assumed, passive consent to express, active consent,” says Ember K. Holmes, an Associate at Babst Calland. “These laws also give consumers the right to opt out of having their data collected, or to have their data deleted if it has already been collected.”
While the aim of these laws is similar, each is unique. That’s making it difficult for companies across sectors to understand how these laws affect their business and avoid what are often significant penalties for noncompliance.
Smart Business spoke with Holmes about data privacy laws states are enacting and how they are going to affect companies.
Why might data privacy laws in one state affect a company that’s headquartered in another?
Although Pennsylvania does not have a robust body of privacy laws, organizations may have obligations under the privacy laws of other states. The privacy laws recently passed in several states are comprehensive, which means they may apply to people and entities outside of the state who meet certain applicability criteria. For instance, in California, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, applies to any entity that does business in California and satisfies one of the revenue or consumer volume thresholds.
In light of the passage of these new laws, companies must revisit their internal policies, as well as their consumer-facing policies that appear on websites, to ensure that all of the proper safeguards, disclosures, and protections are in place, and that all such obligations are transparently set forth in applicable policies and contracts.
What penalties exist for companies that break these laws?
Penalties vary by state. California has some of the strongest data privacy laws, allowing consumers to pursue a private action against an entity for data breaches, failure to comply with notice or opt-out provisions, and other unlawful activities. In other jurisdictions, the penalties are limited to fines that range in severity — from up to $7,500 per violation in Virginia, to up to $20,000 per violation in Colorado.
Who can help companies navigate these laws?
A privacy lawyer can help companies ensure that their data-handling processes and policies are in compliance with all of the applicable state and international laws. Companies with a presence in any of the 10 states with active or pending legislation should start working now to understand and comply with the respective laws.
INSIGHTS Legal Affairs is brought to you by Babst Calland