US privacy laws are in a constant state of flux. While some laws are passed and others get stalled, it is certain that US legislation regarding data privacy is evolving and worth keeping an eye on. California's privacy laws were the first of their kind, inspiring other states to offer consumers the same rights and protections.
In the US, privacy legislation has fallen to the states to create and regulate. The GDPR influenced states like California to start passing their own data protection laws, such as the new California Consumer Privacy Act (CCPA).
GDPR continues to make headlines by issuing fines to businesses in the EU and European Economic Area (EEA) for not complying with data privacy safeguards. Companies in the US should learn from these expensive mistakes and make plans to avoid similar fines.
This article will look at some of the new US and state privacy laws that have just been passed. By being aware of these, you can learn more about the current and potential privacy laws and regulations. This will put your mind at ease and help you plan ahead.
The California Consumer Privacy Act (CCPA) has established consumer data protection benchmarks. This groundbreaking privacy law gives people in California important privacy rights and makes corporations responsible for protecting data and upholding those rights. The topics and rules of this law are most similar to one of the best-known data protection laws, the General Data Protection Regulation (GDPR) of the European Union.
Along with California's well-known privacy law, there are some new laws that you should know about. Recent state privacy laws in Nevada, Virginia and New York provide consumers with new and extended rights, and it's worth learning more about them if they relate to your company.
While some recent state-level data privacy bills in the US did not make it beyond the first few barriers, others did and became state law.
These are some of the most recently enacted state privacy laws in the US:
Virginia's long-awaited Consumer Data Protection Act (CDPA) became law in March 2021. Virginia is only the second state to pass its own consumer privacy law, after California, whose Consumer Privacy Act (CCPA) has similar themes and goals.
In many ways, the CDPA is similar to the CCPA. It offers the same level of consumer protection and privacy security. Consumers can view, update, and remove their personal information. They have the right to know why their data is being gathered and to opt-out of data sales.
Even though the law is similar to the CCPA, it is very different regarding how data sales are defined. The CDPA clarifies that this is a financial transaction rather than a value exchange.
The CDPA, like other privacy laws, only applies to specific businesses or organizations. To be subject to this privacy regulation, a company must do business in Virginia or manage or process the personal data of a certain number of Virginia residents.
This figure is 1,000 people per year, or 25,000 if a company earns 50% or more of its total revenue from selling its customers' data.
Even though the SHIELD Security Act was passed in July 2019, it didn't go into full effect until March 2020. Now that it is up and running, it may help New Yorkers protect their personal information and information security.
The SHIELD Act gives businesses that fall under its scope more security duties and responsibilities. Companies should put in place the right safeguards to make sure that the personal information they store is correct, private, and safe.
This includes creating a thorough data security program and putting someone in charge. The Act also wants to ensure that New Yorkers' data is safer by expanding the types of information that count as personal data and the definition of a data breach.
In terms of compliance, the SHIELD Act applies to any organization that handles the personal information of New York residents. There is no limit on the number of residents' data that must be collected or processed for this to apply.
However, there are certain exceptions to who is covered by the SHIELD Act. Organizations that already have a data security program that meets the requirements of GLBA, HIPAA or HITECH are exempt. Businesses with fewer than 50 employees and annual sales of less than $3 million are also excluded.
Senate Bill 220 (SB 220) replaces a previous state privacy law, NRS 603A. This updated state legislation, which went into effect in October 2019, allows Nevada citizens more control over their data.
SB 220, like the Virginia Consumer Data Protection Act, provides similar consumer protection to the existing CCPA. One point of contention is the definition of customer data.
This is broader under SB 220, making it more straightforward for data collected to fall under the statute's purview. There is also more freedom in how people may opt-out of data sales. Instead of a web link, customers can submit their request by email or a toll-free phone number.
Like other state privacy laws, Senate Bill 220 can apply to organizations outside of Nevada. The law applies to operators (people who run a business website and collect personal information) who intentionally target Nevada, do business with Nevada, or have a "nexus" with the state. Examples include storing or distributing items within the state and maintaining a Nevada office.
Data privacy laws are constantly changing, and states are always looking for new ways to give their citizens more rights regarding their personal data. This implies that new privacy regulations are regularly being presented to authorities.
Let's look at some of the data privacy laws in the US as they make their way through the legislative process.
The California Consumer Privacy Act (CCPA), which was signed into law on June 28, 2018, is the flagship US data privacy law, and creates a series of consumer privacy rights and business obligations surrounding the collection and sale of personal information.
The California Privacy Rights Act (CPRA), also known as Proposition 24, is a ballot measure that was approved by California voters on Nov. 3, 2020. It significantly expands and amends the CCPA, and is thus sometimes referred to as “CCPA 2.0.”
This new privacy legislation builds on and adds additional rights for California citizens. When the law comes into force, citizens will obtain the following rights:
Another key development that comes with the CPRA is the formation of a dedicated agency to handle enforcement. The California Privacy Protection Agency will comprise consumer rights, technology, and data privacy experts, with any revenue earned via enforcement reinvested in the agency's future operations.
Colorado has new privacy legislation, like the CPRA, that goes into effect in 2023. The Colorado Privacy Act (CPA) went into effect in July 2021. It gives customers new rights about how their personal information can be used and sold.
Colorado residents now have the following rights under the new Privacy Act:
Experts agree that the Colorado Privacy Act will be the third most important privacy law in the US when it is fully in place. The ability to appeal is an essential provision of the CPA. This means a consumer has 45 days to file an appeal if an organization says no to a request to see or delete data. If a customer's request is valid, they can use an appeals process to get what they want.
If approved, the New York Privacy Act (NYPA) would be the fourth major US state privacy law, following California's CCPA, Virginia's CDPA, and Colorado's CPA. The bill, which is now in committee, would give New Yorkers more rights, most of which would be like the state's current privacy laws.
Consumers will receive access to the following under this proposed Act:
There are also some noticeable contrasts for businesses. Whereas the CCPA requires you to provide consumers with the option to opt out of the sale of their personal data, the NYPA requires their consent before personal data is processed.
This brings it closer to the GDPR consent requirements. There is also a higher risk of private action, with no clear provision for a mediation phase before this occurs.
New consumer rights and privacy laws have been introduced in Illinois. The Illinois Consumer Privacy Act (ICPA) expands the limitations and expectations for what businesses must do with personal data and gives customers more rights.
The proposed Consumer Privacy Act would grant Illinois residents the following rights:
This proposed privacy law, like the CCPA, would force firms to incorporate a "Do Not Sell My Information" option on their website. Organizations that follow the law must also post a privacy policy that tells users their rights and how to use them.
The Massachusetts Information Privacy Act (MIPA), referred to committee in March 2021, proposes to provide Massachusetts residents with a mechanism to keep up to date with privacy protection in the digital era.
This proposed legislation would give residents the right to:
Like the CPRA in California, this Massachusetts privacy bill would create a new organization to handle enforcement and regulatory operations – the Massachusetts Information Privacy Commission. The state legislation also intends to reflect on and highlight the beneficial data privacy rules created by California's CCPA and CPRA and the EU's GDPR.
The Consumer Privacy Act of North Carolina (CPA), one of the most recent state privacy laws on this list, was introduced in April 2021. While the state already has the Identity Theft Protection Act in effect, this new legislation gives customers more control over their data.
North Carolina residents would have the following rights under this proposed Act:
The CPA in North Carolina also grants consumers a private right of action. As is customary with legislation, enforcement would be handled by the state attorney general.
Still, consumers can also take civil action to get compensation for damages caused by data breaches or not following the law. If this measure passes, you need to be up to date on data compliance if you don't want customers to take action on their own.
The rules protecting individuals' privacy are always evolving, and new measures will always be filed in states that do not yet have laws that provide consumers with the protections they enjoy in other jurisdictions.
It's a good idea to keep an eye on current and proposed US data privacy regulations to understand what could be expected of you in the future and to ensure you're on the right track.
When storing or broadcasting video or picture footage that includes personally identifiable information, it is more important than ever for companies in the US to look at their data privacy policies and use tools like redaction solutions.
Companies should think about how they can use technology to meet regulatory and compliance needs in a way that helps them reach their business goals without putting important governance mandates at risk.
Sighthound is one of the few companies that provides a video redaction solution, which allows you to automatically conceal or blur elements like people's faces, vehicles, and license plates from digital media. Our objective is to assist clients in deriving valuable insights from video information while remaining data-privacy compliant.
Data is valuable and more valuable in aggregate. In order to derive value from data such as video insights, companies would need to store it properly for an extensive period of time.
Redacted Consumer Video by Sighthound Redactor
Redacted videos support compliance requirements and the organization's ability to extrapolate insights that drive revenue gains or market intelligence. Because the footage has real business value after the first 30 days, redaction makes it possible to store it for longer and still meet regulatory requirements.