State of the States: U.S. Privacy Regulation Status Update

Updated June 7, 2019 to reflect Nevada’s new law.

We have entered a new privacy paradigm, where the only certainty is uncertainty. That is in part because of the wide range of regulations passed and pending around the world – and even within the United States. Here, we bring some order to the chaos by analyzing passed and pending privacy regulations across the U.S. and ranking each state based on the relative strength of its privacy regulatory environment.

The first map below shows how each state ranks based on its total score. Read on for details on the five metrics we analyzed in order to arrive at those overall rankings, followed by an explanation of the privacy regulatory environment in each state with passed or pending privacy regulations.


Table of Contents

About the Privacy Regulation Strength Score

Privacy Regulations Around the U.S.: How the States Stack Up
Rights of the Consumer
Procedural
Penalties/Enforcement
Definitions
Disclosures/Notices

State-by-State Privacy Regulation Details
AZ | CA | CO | CT | FL | HI | IL | MD | MA | MS | NV | NJ | NM | NY | ND | RI | TX | VT | WA

This State of the States is a ranking and detailed explanation of passed and pending privacy regulations around the U.S. These regulations change quickly, so check back often, or sign up below to be notified when there’s an update.


About the Privacy Regulation Strength Score 

The total score is a subjective aggregation of the strength of each passed or pending law. Each of the five factors was given a score based on its strength and the breadth of its scope; the five scores were then added together to produce an overall score and relative ranking.

The overall privacy regulation strength score comprises five metrics:


  1. Rights of the Consumer – How many rights a consumer has to manage their personal data, and how strong those rights are
  2. Procedural – What documentation and processes the regulation requires
  3. Penalties/Enforcement – How stiff the penalties are, taking into account civil liability and private civil actions
  4. Definitions – How well the regulation defines consumers, businesses and personal data, and how broad the scope of businesses required to comply is
  5. Disclosures/Notices – Whether there are privacy notice requirements, and how far a business must go in disclosing information to the consumer

Privacy Regulations Around the U.S.: How the States Stack Up 


How States’ Privacy Regulations Stack Up: Rights of the Consumer 

The Rights of the Consumer metric assesses each regulation in terms of how many rights a consumer has to manage their personal data, and how strong those rights are. The metric comprises six sub-factors, each subjectively scored on how clearly the regulation is worded and how strong it is relative to the other signed laws. The higher a regulation scores on each sub-factor, the higher its overall Rights of the Consumer score. (Basically: the more rights a regulation provides consumers, the higher the score.)

Sub-factors in the Rights of the Consumer metric are:

  • Access – Whether consumers can request a copy of their data
  • Portability – Whether consumers can request that the business transfer their data to another business
  • Delete – Whether consumers can request that their personal information be deleted
  • Change – Whether consumers can request that their information be corrected
  • Restrict Sale – Whether consumers can request that their information not be sold to another business
  • Opt-out – Whether consumers can opt out (i.e., withdraw consent) of a business using their information


How States’ Privacy Regulations Stack Up: Procedural 

The Procedural metric assesses each regulation in terms of what documentation and processes it requires. The metric comprises five sub-factors, each subjectively scored on how clearly the regulation is worded and how strong it is relative to the other signed laws. The higher a regulation scores on each sub-factor, the higher its overall Procedural score. (Basically: the more documentation and processes required, the higher the score.)

Sub-factors in the Procedural metric are:

  • Privacy Policy Requirements – Whether the business is required to supply specific information in its privacy policy
  • Website Requirements – Whether the regulation imposes website requirements, such as a required link
  • Requires Privacy Assessment – Whether a privacy impact assessment is required
  • Proactive Reporting – Whether the business must report to an authority
  • Cannot Discriminate – Whether the business must offer goods and services at the same level to a consumer who exercises any of their rights


How States’ Privacy Regulations Stack Up: Penalties/Enforcement 

The Penalties/Enforcement metric assesses each regulation in terms of how stiff its penalties are, taking into account civil liability and private civil actions. The metric comprises three sub-factors, each subjectively scored on how clearly the regulation is worded and how strong it is relative to the other signed laws. The higher a regulation scores on each sub-factor, the higher its overall Penalties/Enforcement score. (Basically: the more penalties, and the stiffer the fines and requirements, the higher the score.)

Sub-factors in the Penalties/Enforcement metric are:

  • Government Fine Strength – How strong and strict the fines that the state can impose are
  • Personal Fines – Whether a consumer can bring a civil claim against a business (a private right of action)
  • Need to Show Harm – Whether a consumer must show harm from a data breach or other violation of the regulation, or can bring a case without showing harm


How States’ Privacy Regulations Stack Up: Definitions 

The Definitions metric assesses each regulation in terms of how well it defines consumers, businesses and personal data, and how broad the scope of businesses required to comply is. The metric comprises six sub-factors, each subjectively scored on how clearly the regulation is worded and how strong it is relative to the other signed laws. The higher a regulation scores on each sub-factor, the higher its overall Definitions score. (Basically: the stronger the definitions, the higher the score.)

Sub-factors in the Definitions metric are:

  • Business Inclusion – Whether the scope of businesses covered is narrower or broader than in other laws (for example, are all businesses in scope, or only those above a specific revenue threshold? If revenue-based, how much revenue?)
  • Consumer Inclusion – How broad the definition of a consumer is
  • Personal Data – How extensive the definition of personal data is
  • Exemptions – The number of exemptions the regulation provides (some regulations exempt financial services, healthcare or employee data)
  • HR Data Included – Whether HR data is included and, if so, how many restrictions apply to it
  • Household Data Included – Whether the regulation treats household data as consumer data (meaning the household itself is treated as a consumer, and anyone in the household can see data about the household and its data activities)


How States’ Privacy Regulations Stack Up: Disclosures/Notices 

The Disclosures/Notices metric assesses each regulation in terms of whether it imposes privacy notice requirements, and how far a business must go in disclosing information to the consumer. The metric comprises five sub-factors, each subjectively scored on how clearly the regulation is worded and how strong it is relative to the other signed laws. The higher a regulation scores on each sub-factor, the higher its overall Disclosures/Notices score. (Basically: the more notice requirements and the deeper the disclosure requirements, the higher the score.)

Sub-factors in the Disclosures/Notices metric are:

  • At Point of Capture – How strict the disclosure requirements at the point of collection are
  • Categories Collected – How deep and broad the required disclosure of the categories of personal information collected is
  • Categories Disclosed – How deep and broad the required disclosure of the categories of personal information disclosed to, or shared with, other businesses is
  • Categories Sold – How deep and broad the required disclosure of the categories of personal information sold is
  • Must Identify 3rd Parties – How strong the requirements are for a business to disclose which third parties it works with and how information is shared with them


State-by-State Privacy Regulation Details 


Arizona Privacy Regulation 

Regulation status: Pending

Details coming soon.


California Privacy Regulation 

Regulation status: Passed
Effective Date: January 1, 2020

While the GDPR set the standard in the EU for data privacy, California set the bar for U.S. policy. The CCPA is the most replicated bill across other states, many of which have taken excerpts from it. It becomes effective on January 1, 2020.

The CCPA provides consumers (and households) the right to know (“request my data”), the right to delete, the right to opt out of sale, transparency in the use of personal data, and a right not to be discriminated against in price or service for exercising those rights. The right to know clearly states that a consumer may learn what categories of information are collected about them, what information is disclosed to third parties, what information is sold and how the information is used. A business that sells personal information must present on its home page a link titled “Do Not Sell My Personal Information.”

While the CCPA does not prescribe the documentation required, it is hard for a company to comply without doing a data inventory, assessment and gap analysis – similar to the records of processing and data protection impact assessments required by GDPR Articles 30 and 35.

Businesses that violate the CCPA face civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. This is a relatively small amount in comparison to the GDPR’s head-turning maximum fine of €20 million or 4 percent of annual global turnover, but even these amounts could quickly add up if large-scale or repeated violations occur, since each affected consumer can count as a separate violation. Twenty percent of each penalty is paid into the newly created Consumer Privacy Fund, which is meant to cover the costs of enforcing the CCPA. Consumers also have a private right of action, but only for data breaches: where nonencrypted or nonredacted personal information is subject to unauthorized access, theft or disclosure as a result of the business’s failure to maintain reasonable security, consumers may seek statutory damages of $100 to $750 per consumer per incident, or actual damages if greater.


Colorado Privacy Regulation 

Regulation status: Pending

In May 2018, Colorado passed a consumer data privacy bill. The current law focuses on data breach notification and data security rather than consumer rights. Other initiatives that would give consumers deeper rights have been drafted but are not yet publicly available.


Connecticut Privacy Regulation 

Regulation status: Pending

Connecticut’s bill is another derivative of the CCPA, very similar in consumer rights, business scope and disclosures. These include the right of access, disclosure of categories, purposes and the specific data collected, and the right to opt out of the sale of personal information.


Florida Privacy Regulation 

Regulation status: Proposed

Details coming soon.


Hawaii Privacy Regulation 

Regulation status: Pending

If enacted, Hawaii’s law will be very similar to CCPA but with important clarifications and even broader applicability.

The definition of personal data is very broad – including biometric data, IP addresses, physical addresses, geolocation (even without other identifying elements) and any stored profiling. Applicability is equally broad: if you handle the personal information of anyone in the state (not just residents but clearly also visitors, with no size threshold), you are subject to the law.

The bill requires disclosure of the categories and specific pieces of data collected (with identity verification for requests, including requests that reach third parties, which will require technical clarification by the Attorney General), and places heavy emphasis – more than the CCPA – on identifying the third parties involved, covering any transfer of data, not only sales. It also requires disclosure of the purpose of collection, provides rights to delete and to opt out, and prohibits discrimination (very generally worded) against a consumer who opts out. Requests must be fulfilled free of charge, up to two per year. Deletion explicitly extends to third parties. All rights run on a 45-day clock, like the CCPA, with a 12-month look-back. A business may not require the consumer to create an account, and data must be returned in the format the consumer requested. Consumers must have two methods for making requests – one electronic and one other, such as a telephone number.

The bill spells out the format for responding to consumer requests very clearly. If a consumer opts out, the business is prohibited from asking them to opt back in for 12 months – like the CCPA – but Hawaii adds the clarifications needed to implement this electronically (a business may retain the opt-out record solely to avoid asking again within those 12 months).

Notice requirements are very strong and clear, even more so than the CCPA’s (notice is required wherever personal information is collected), and enforcement is almost identical to the CCPA – making this one of the country’s strongest proposed privacy protections for consumers.


Illinois Privacy Regulation 

Regulation status: Pending

The Right to Know Act (RTKA) appears narrower than both the CCPA and the GDPR, with fewer and materially weaker rights for the consumer and fewer obligations on businesses.

The RTKA defines consumers as Illinois residents, and its scope covers any business that operates a website that maintains personal information about an Illinois resident. It is notable that the RTKA specifically calls out online businesses and contains no language covering brick-and-mortar businesses.

The definition of personal information includes typical personal data, including the activities of the consumer (pages visited, products purchased, rented and services used – among other activities). There is a specific callout for including employment data, indicating that employee data is included.

As drafted, the bill only requires a business to disclose the categories of information it collects and shares. The business must notify consumers of the categories of personal information collected, disclosed and sold and give the consumer the ability to opt out. There is no apparent clause requiring a business to disclose the specific personal information it stores, nor any right for the consumer to request that specific information. Penalties are light: $10 per consumer or actual damages (whichever is greater), plus attorney’s fees.


Maryland Privacy Regulation 

Regulation status: Pending

Maryland has several bills in the legislature at various stages (HB1654, HB1655 and HB141). The net effect of the Maryland personal data bills pivots on the sale and use of data. A BIAS (broadband internet access service, defined as a mass-market retail service) may only sell, disclose or use personal data once a consumer opts in, and if a consumer does not opt in, the BIAS must provide the same level of service as if they had. These bills do not require a company to disclose the categories of data collected or to provide notice, nor to disclose the specific pieces of personal information collected about a consumer.


Massachusetts Privacy Regulation 

Regulation status: Pending

Massachusetts bill SD 341 looks extremely similar to the CCPA. The measure would require a business that collects a consumer’s personal information to provide, at or before the point of collection, a detailed notice of what information is collected and shared. Consumers would also have the right to request disclosures, request a copy of their data and request that their data be deleted. Much like the CCPA, the Massachusetts proposal contains applicability thresholds for businesses, verifiable consumer requests, and even a requirement for a “clear and conspicuous” link on a business’s web page for consumers wishing to opt out of third-party transfers (“do not share my information,” similar to the CCPA’s “Do Not Sell My Personal Information”).

The definition of a covered business is similar to the CCPA’s, but the annual revenue threshold is $10 million (versus the CCPA’s $25 million). A business has 45 days to comply with a verifiable request.


Mississippi Privacy Regulation 

Regulation status: Pending

The Mississippi bill looks nearly identical to the CCPA: the same rights, the same scope of covered businesses and the same definition of personal data. Consumers must be notified at or before the point of collection. The business must disclose the purpose of collection, the categories of information collected, and any disclosures to third parties and sales of data. It even requires a business to place on its home page a link that says “Do not sell my information.”


Nevada Privacy Regulation 

Regulation status: Passed
Effective Date: October 1, 2019

The Nevada Internet Privacy Act, SB220, which goes into effect on October 1, 2019, is a very narrowly scoped law and emulates only a small portion of the CCPA: it lets consumers object to the sale of their data. Its scope is limited to companies that operate a website or online service and collect information about Nevadans. Unlike the CCPA, SB220 excludes information collected offline (hand-written applications, in-store sales, etc.). Its definition of “sale” is also narrower than the CCPA’s: the data must be exchanged for money, so the CCPA’s “other valuable consideration” is out of scope.

Among the exclusions, affiliated companies are exempt from disclosure requirements between each other; an affiliate is defined as “any company that controls, is controlled by or is under common control with another company.” Information transferred as part of a merger, acquisition or bankruptcy is also excluded.

Any website operator collecting information from Nevadans (or with a nexus to Nevada) must provide a designated request address (a web page or phone number) through which a consumer can make a verified request that the operator not sell personal information that it has collected or will collect. Once a consumer makes a verified request, the operator has 60 days to complete it, and may take one additional 30-day extension. Enforcement is by the Attorney General only, with no private right of action; civil penalties cannot exceed $5,000 per violation (per consumer affected).


New Jersey Privacy Regulation 

Regulation status: Pending

The NJ bill is intended to take effect on January 1, 2020, but is currently not expected to pass. It is similar to the CCPA in many respects. Some of the larger differences include an expansive definition of “personally identifiable information” that covers not only biometric data but any information that identifies, describes or can be associated with a customer. State and federal organizations are exempted, and the gross revenue threshold for a covered business is reduced to $5 million.

A business must also identify a specific person to whom privacy requests can be made, but there is no requirement for a prominent website link to its privacy management section. In addition to identifying the data collected and the third parties that may receive it, a business must disclose how long it retains consumer data. The bill provides consumer rights of access, opt-out, correction and deletion. Data access requests are limited to twice a year, and businesses have only 30 days to respond, with no extension permitted.

There is little discussion of data breach or data security, other than a requirement that all businesses maintain an “industry standard” security program. Penalties are not set out in this bill; they are outlined in a separate bill, the Identity Theft Protection Act.

In addition to Assembly Bill 4640, described above, New Jersey has a second privacy bill which is primarily focused on a company’s Privacy Policy. This bill seeks to have companies conspicuously post their privacy policies. The bill requires companies to include standard information in privacy policies, including the categories of personal information collected and the categories of personal information that may be shared with third parties, similar to CCPA.

The bill does not require a company to provide procedures for reviewing and changing personal information, but if a company offers such procedures, they must be documented in its privacy policy. Uniquely, the bill requires companies to disclose how they respond to do-not-track signals. It also uses the same expansive definition of “personally identifiable information.” However, it applies only to companies providing a commercial Internet website or online service, not to all organizations, and it provides no penalties for violations.


New Mexico Privacy Regulation 

Regulation status: Pending

The New Mexico bill is almost an exact copy of the CCPA, including the same required disclosures and penalties. It extends the definition of “business” to all businesses, not just those above a size threshold, but strangely does not define “consumer.” It extends the definition of personal data to include biometric information but does not treat household data as personal data. Consumers may request access to their data, opt out of sale, or request deletion; the bill contains no provision for correcting data.


New York Privacy Regulation 

Regulation status: Pending

New York’s privacy bill provides methods for consumers to request their data from any business, not just those located in New York. In this “access” respect the bill is very similar to the GDPR, using some of the same language. However, it does not cover any of the other GDPR rights, such as the right to opt out or to delete. Also of note: no fines or penalties are outlined in the bill.


North Dakota Privacy Regulation 

Regulation status: Pending

North Dakota introduced a bill that is lighter than the CCPA on the disclosure and management of personal data. However, the bill was recently redlined to contain only “A bill for an Act to provide for a legislative management study of consumer personal data disclosures” – meaning the legislature is in a study phase to determine the proper language for a future bill.


Rhode Island Privacy Regulation 

Regulation status: Pending

Rhode Island has drafted a bill much like the Massachusetts bill and the CCPA. The measure would require a business that collects a consumer’s personal information to provide, at or before the point of collection, a detailed notice of what information is collected and shared. Consumers would also have the right to request disclosures, request a copy of their data and request that their data be deleted.

Much like the CCPA, the Rhode Island proposal contains applicability thresholds for businesses, verifiable consumer requests, and even a requirement for a “clear and conspicuous” link on a business’s web page for consumers wishing to opt out of third-party sale of their data (“Do not sell my data”), which Rhode Island calls “opt out of sale.”

The definition of a covered business is similar to the CCPA’s, but the annual revenue threshold is $5 million (versus the CCPA’s $25 million). A business has 45 days to respond to a verifiable request.


Texas Privacy Regulation 

Regulation status: Pending

Two privacy bills were introduced in Texas. HB 4518 is similar to the CCPA, except that it adds aggregate data to the definition of personal information. Like other states, Texas also includes any data that can be linked to a consumer. A “business” is specifically defined as a for-profit organization.

In contrast, Texas’s other privacy bill, HB 4390, defines personal data in less detail: personal information is only that which can be directly related to an individual. Its definition of a business is the same as in HB 4518.

Both bills give enforcement powers to the Attorney General. Penalties are capped at $10,000 per violation, not to exceed $1 million in total. Neither bill provides a private right of action. Unlike other states, HB 4518 specifically prohibits government entities from selling personal data consisting of unique genetic information, precise geolocation data or biometric data.


Vermont Privacy Regulation 

Regulation status: Passed

The Vermont law is not a comprehensive privacy law. It focuses only on data brokers (companies whose business is collecting and selling data about consumers with whom they have no direct relationship). Brokers must register with the state and provide standardized documentation to consumers about the data they collect. Consumers cannot request their specific data, nor request that their data be deleted or not sold.


Washington Privacy Regulation 

Regulation status: Pending

If passed, the Washington Privacy Act would impose far-reaching responsibilities on companies to protect the privacy of “personal data.” It would apply to any company processing the personal data of more than 100,000 consumers (with the standard exemptions for HIPAA-covered and financial-services data used for non-marketing purposes), and to companies that derive revenue from selling personal data at a lower threshold. Lifting many provisions almost verbatim from the GDPR and combining them with elements of California’s CCPA, the legislation would arguably make Washington one of the most privacy-protective states in the nation.

Companies would have 30 days to fulfill consumer requests, extendable to 60 days only where warranted. The Act also requires exceptional transparency about personal data, including clear disclosure of the purposes for which it is used, the categories of personal data shared with third parties, and the categories of third parties with which the company shares data. The company is also responsible for policing its vendors and service providers, and those obligations are quite strict.

Prominent disclosure is mandated. A risk assessment is a further requirement, to determine whether the security of personal information might be compromised by a particular practice or use. There are unique restrictions on facial recognition, requiring organizations to obtain easy-to-understand consent. The Act establishes a baseline of protection for consumer personal data while pragmatically leaving Washington’s existing data breach law intact. Enforcement is CCPA-like, by the Attorney General, with penalties of $2,500 per violation and $7,500 per intentional violation.

Overall this is a very well written bill with broad application.




This publication informs our clients and friends about recent legal developments and is for informational purposes only. It does not constitute legal advice or reflect any opinions on any particular law or regulation.  The information contained herein is subject to change and may become inaccurate or outdated over time.  Do not rely on this publication without seeking legal guidance.

Truyo
About Truyo
Powered by Intel®, Truyo is the automated answer for enterprises seeking to deploy truly integrated SAR, consent, and other data privacy rights processing capabilities that scale with your needs, deliver conspicuous compliance, and adapt to new privacy regulations as they emerge.