The California Consumer Privacy Act (CCPA) goes into effect in 2020, and it will change how online data is collected in regards to California citizens (we have written all about getting ready for it here, and here). It will also affect all businesses who make 50 million or more in revenue. But, fun fact: there are 48 other states in the USA (49, if you count Missouri), and many of these states are following California’s lead in considering bills that give their citizens more control over how, when and why their data is collected and used. In fact, there are 24 states (plus Puerto Rico) that brought up data privacy legislation this year alone!
It is vitally important that advertisers follow each and every law, because, chances are, if you are doing business in one state, you are doing business in them all. Here are a few laws and legislative proposals that you should know about:
States with privacy laws in place
- The categories of information they collect
- The categories of 3rd parties they share data with
- A description of the process consumers may use to review and request changes to their covered information
- A disclosure that third parties may track consumers’ online activities and the effective date of these notices.
Any organization that violates these terms may be subject to a penalty up to $5,000 per violation as well as temporary or permanent injunctions.
Vermont: Vermont has enacted a law on January 1, 2019 that deals with 3rd party data. This law protects Vermont consumers from “data brokers” in these 4 ways:
- Transparency: Data brokers must register with the state every year (with a $100 application fee) and must disclose whether consumers may opt-out of the collection and sale of their data, and if so, how they may do so. 3rd party marketers must also disclose any and all data security breaches.
- Duty to secure data: Data brokers must adopt comprehensive data security programs with administrative, technical, and physical safeguards.
- No fraudulent collection: Data brokers are forbidden to collect personal information by fraudulent means, or for the purpose of harassment or discrimination.
- Free credit freezes: Vermont had already given consumers laws involving credit freezes to protect themselves from credit fraud. This new Vermont law disallows credit agencies from charging consumers fees for this protection.
It is important to note that this law only applies to 3rd party operators, and that there are no regulations of this kind involving 1st party interactions (in other words, companies that collect data through direct interaction with a consumer).
Maine and Illinois: The other states with laws in the books are Maine and Illinois. Both laws are much more limited in scope than the California and Nevada laws. Maine’s law only applies to internet service providers (ISPs) and will require them “to get permission from their customers before selling or sharing their data with a third party. The law, which goes into effect July 1 (2019), prohibits ISPs from offering customers discounts in exchange for selling their data.”
Meanwhile, in Illinois, a law was signed that specifically deals with biometric data. The law essentially states that insurance companies are banned from using genetic testing information to set health or accident insurance rates.
Upcoming data privacy laws
The states above have laws either in effect or about to be implemented, and other states are close behind. Massachusetts, Minnesota, New Hampshire, New Jersey, New York, Pennsylvania and Washington are in the process of creating and arguing data privacy bills as well. The chief among them is the state of New York. According to PewTrusts, “New York state’s pending legislation would go even further than California’s law — establishing a consumer’s right to sue over privacy or security breaches, and legally binding obligation (“fiduciary duty”) for companies to act in the customer’s best interests, even if it means forgoing profits from selling personal information.” This bill will most likely be argued and voted on in 2020, and is one to keep your eye out on.
What to Do Next: There are two actions that every company must take in regards to these laws. The first is to closely adhere to the laws set in place and constantly be on the watch for new laws that may go into effect. The second is to have a system in place that is comprehensive enough to keep up with any and all regulations. Remember, that data collection that may work in one state may be illegal in another. Lineate’s Consent Manager makes this process simple. Initially designed as a tool to help businesses prepare for GDPR, Consent Manager “allows brands to give customers access to their data while providing a central way of managing, tracking, and optimizing for consent collection on an operational level.” In other words? Consent Manager makes it easy for brands to provide consumers the ability to access, limit, or erase their data from a company’s database as needed for any statewide (or, someday, national) data privacy laws.
This tool also ensures safer campaigns by allowing brands to layer opt-in preferences into segments that are used in campaigns (i.e. ensuring that any customers who’ve opted out of display ads but are fine with email are sorted accordingly). Plus, Consent Manager provides high-level reports on customer consent by channel and device to give marketers a concrete idea of where consent messaging works and where it doesn’t.
To explore Consent Manager and prepare your brand for any new laws that come your way, signup for a free consultation!