Four different states (Washington, Virginia, Oklahoma and Minnesota) are on track to enact new data privacy laws in 2021, but are businesses ready to comply with state-by-state regulations? This patchwork of legislation could leave companies confused and vulnerable to legal action if they are unprepared.
According to GeekWire, the Washington Privacy act would grant consumers the right to to access, transfer, correct, and delete the data that companies such as Facebook or Google hold on them. Consumers can also opt-out of targeted advertising and the sale of their personal data under the legislation. The legislation draws on many of the principles in the European Union’s General Data Protection Regulation and the California Consumer Privacy Act that passed in 2018.
Virginia is also poised to follow in California's footsteps and enact comprehensive online data protection law for consumers. The Consumer Data Protection Act establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in Virginia and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The bill outlines responsibilities and privacy protection standards for data controllers and processors.
Oklahoma is also one of the states considering data privacy legislation. The Oklahoma Computer Data Privacy Act (OCDPA) requires internet technology companies to obtain explicit permission to collect and sell personal data. If passed, the bill also give residents a mechanism for requesting that businesses disclose what information they have about them, as well as the right to request deletion of that information. Companies or organizations that violate the law could be subject to fines issued by the Oklahoma Corporation Commission, as well as potential lawsuits from consumers.
Minnesota is the latest to propose new legislation aimed at enhancing consumer data privacy. The bill, according to JD Supra, would expand consumer rights over personal information, create a private right of action for any person injured by a violation, and impose specific transparency obligations on businesses collecting and disclosing personal information. The legislation largely aligns with the California Consumer Privacy Act (CCPA), with notable differences including an expanded scope of private right of action.
Dan Clarke, President at IntraEdge, says, "The privacy landscape is constantly evolving and we are likely to see new state laws soon. Washington and Virginia are the two states pushing to pass privacy protections and are in the final phase of approval. While on the forefront of the COVID pandemic, President Biden issued an executive order that was answered by the Occupational Safety and Health Act (OSHA) and aims to protect workers from COVID-19."
As COVID regulations evolve, data privacy remains top of mind as organizations determine how to manage health data associated with health screenings, tracking vaccinations and testing, preventing individuals from entering any work facility with symptoms such as fever, all while storing this data, and cooperating with contact tracing initiatives, Clarke adds.
"For all of these regulations, if you are compliant with CCPA and are thinking of how to comply with CPRA in the future, it starts with understanding your data and how it is being used," Clarke explains. "Organizations should not wait to incorporate the new elements of CPRA, such as right to correction, employee privacy rights, and how to handle sensitive data. Based on a recent consumer report, organizations need to stay on top of privacy regulation as it is constantly evolving."