Overview of 2018
2018 was a watershed year for state privacy and security laws, with several states passing legislation in these areas. The most significant development was the enactment of the California Consumer Privacy Act (“CCPA”), the most expansive general privacy law in the United States to date. However, the year brought other notable legislation as well. In September alone, California amended the CCPA and passed the first Internet of Things law and first law regulating chat bots. Not to be outdone, Vermont enacted the first state law requiring registration of data brokers, Ohio made waves with the first state cybersecurity safe harbor law, Colorado amended its breach notification statute to include a data disposal/deletion provision, and two states enacted breach notification statutes so that all 50 states now have such statutes.
Below we highlight these and other state privacy and security laws from 2018.
California Consumer Privacy Act (AB 375, SB 1121): The CCPA grants new rights to consumers with respect to the collection, use, and disclosure of their personal information (PI), including the right to know the categories of PI a business has about them, right to access, right to request deletion, and right to opt out of the sale of their PI. It also includes a private right of action and a broad definition of PI. For a more detailed CCPA analysis, see our earlier posts regarding CCPA Overview, Amendment, and background on the ballot initiative that led to the law’s passage.
Internet of Things (SB 327): This is the first state law that directly addresses the Internet of Things (“IoT”) by regulating the security of connected devices. The law requires manufacturers of connected devices that sell or offer to sell their devices in California to equip their devices with “reasonable security features.” To read more about the California IoT law, see our post here.
Chat Bots (CA Bus. & Prof. Code §§ 17940 – 17943): Under this first state chat bot regulation, it is illegal to use a bot to interact with someone in California—with the intent to mislead a person about the bot’s artificial identity—in order to incentivize a sale or influence a vote in an election. However, a person using a bot is not liable if the artificial nature of the bot is disclosed in a way that is clear, conspicuous, and reasonably designed to inform persons that their interaction is with a bot.
Colorado Data Security and Breach Notification Law (HB 18-1128): Colorado modified its data security and breach notification laws to require entities to maintain reasonable security measures “appropriate to the nature of the personal identifying information [(“PII”)] and the nature and size of the business and its operations.” It also requires entities to develop a written policy for the destruction or disposal of PII and to shred, erase, or otherwise modify the PII to make it unreadable or indecipherable. In addition, the amendments expanded the definition of personal information under Colorado’s breach notification law and require that breach notices be provided within 30 days. For more information, see our post here.
Iowa Student Privacy Law (HF 2354): Iowa enacted a law designed to protect student personal information. The law requires operators of websites or mobile applications that are used primarily for K-12 school purposes to maintain industry standard security, delete covered information as soon as reasonably practicable, and refrain from advertising or amassing a profile, selling, or renting student personal information (with certain limitations).
Massachusetts Breach Notification Law (H. 4806): The Massachusetts legislature passed a bill in 2018 to update its breach notification law to require the provision of 18 months of credit monitoring services and more prescriptive notices to regulators in the event of a breach, and to strengthen rules for consumer reporting agencies. The Governor recommended revisions, which the legislature made and passed before the end of 2018. The Governor signed the bill into law on January 10, 2019. To learn more, see our blog post here.
Ohio Data Security Law (SB 220): In August, Ohio enacted the first cyber security safe harbor law. In the event of a data breach, this law affords companies an affirmative defense to state tort claims if they comply with certain specified cybersecurity frameworks. For more information, read our post here.
Vermont Data Broker Law (9 V.S.A. §§ 2430, 2433, 2446–2447): Vermont enacted the first state law to impose registration requirements and minimum data security standards on data brokers. Data brokers are businesses that aggregate and sell “brokered personal information” about consumers with whom they do not have a direct relationship. This law requires data brokers to register with the Vermont Secretary of State, make certain disclosures about their activities, and pay an annual fee. In addition, the law requires that data brokers comply with data security requirements equivalent to those under the Massachusetts data security regulations (201 C.M.R. 17). For further discussion of this law, see our post here.
Data Breach Notification Laws
All 50 states and DC now have their own data breach notification laws, after South Dakota and Alabama became the final two states to enact data breach notification statutes last year. The breach notification requirements are largely similar to those in other states, though both are in the minority of states that consider user credentials to be data that, if breached, require notification. Both also establish notification deadlines (45 days for Alabama, 60 days for South Dakota) and require notification to the Attorney General when a threshold number of state residents is impacted by a breach (1000 for Alabama, 250 for South Dakota). In addition, Alabama now requires “reasonable security measures” and a disposal provision for personal information no longer required to be retained by either business needs or applicable law. See our blog post here for a discussion of the Alabama law.
Insurance Data Security Acts
In May 2018, South Carolina passed the South Carolina Insurance Data Security Act, becoming the first state in the nation to pass legislation modeled after the National Association of Insurance Commissioners’ (“NAIC”) Insurance Data Security Model Law (“Model Law”). This bill requires insurers to maintain a written information security program and incident response plan. To learn more, visit our blog post here. Michigan and Ohio have also passed insurance acts based on the NAIC Model Law.
Looking ahead, we anticipate seeing state legislators debate privacy bills that follow the example of broadly applicable privacy statutes like the CCPA and EU General Data Protection Regulation (“GDPR”). In fact, New York is already considering its own comprehensive privacy legislation, the Right to Know Act (S00224). We also expect to see additional states passing insurance data security acts based on the National Association of Insurance Commissioners’ Model Law.
Given recent large and highly publicized data breaches, such as Marriott and Equifax, we expect states to continue to prioritize data security and breach notification. Last year, several states updated their data breach notification statutes to include more robust security provisions, and we expect this trend to continue into 2019 with new data security bills, such as this Act to Strengthen Identity Theft Protections from North Carolina.
In California, we expect the legislature will propose further amendments to the CCPA before it comes into force in 2020. In fact, the California Department of Justice has begun holding public forums throughout the early part of 2019 to facilitate public comment. Companies should consider voicing their opinions or questions about the CCPA during this notice and comment period at the public forum or in a written letter in the hopes of clarifying their obligations under the law.