By 2020, sweeping reform acts in a number of states will have changed the way companies collect, store, and sell consumer data. In 2018, California passed one of the first robust privacy laws in the United States, the California Consumer Privacy Act (“CCPA”), which promises, among other data protections, to give California residents the right to know how their online data is being used, as well as to opt out of allowing a business to sell it. The CCPA will go into effect January 1, 2020. Since the CCPA was passed, other states have followed California’s lead by drafting their own consumer privacy laws.
Maine Privacy Law
Maine recently enacted a privacy law which will restrict the ability of Internet Service Providers (“ISPs”) that operate in Maine to disclose the data of Maine residents without their consent. Unlike the CCPA, which gives consumers the right to “opt-out,” Maine’s law will prohibit ISPs from using, selling or disclosing consumer data unless the consumer expressly opts in. The law will go into effect on July 1, 2020.
The new Maine law, entitled “An Act to Protect the Privacy of Online Customer Information,” will prohibit ISPs from using, disclosing, selling, or permitting access to information like a consumer’s web browser history, application usage history, geolocation information, financial information, health information, and device identifiers (e.g., IP addresses), as well as the contents of the consumer’s messages. Moreover, the law prohibits ISPs from incentivizing consumers with discounts to provide consent or refusing to provide services to those consumers who do not provide consent.
Additionally, the law requires ISPs to take “reasonable measures” to protect consumers’ personal information, as well as to provide consumers with a notice of their rights and the company’s obligations at the point of sale. The extent of “reasonable measures” is unclear, but the law envisions separate standards for different companies based on their size and resources and the type of data they collect.
There are several exceptions to the law which allow ISPs to disclose private information for advertising purposes, to comply with a court order, to collect payment, or to prevent fraud and abuse. ISPs may also share geolocation data in the case of an emergency. Additionally, ISPs may use or disclose personal information “for the purpose of providing the service from which such information is derived or for the services necessary to the provision of such service.”
New York Privacy Act
The New York Privacy Act (“NYPA” or the “Act”), on the other hand, would apply to all businesses operating in the state and takes an approach similar to, and perhaps more robust than, that of the CCPA. NYPA, currently awaiting a hearing in the New York Senate Consumer Protection Committee, promises to substantially increase transparency in data collection practices and to create new consumer rights.
The NYPA would strengthen protections by allowing consumers to view the data companies have collected on them, see who that data has been shared with, and opt in or out of having their data shared in the future. Unlike the Maine law, which takes a generalized approach to what constitutes consumer data, the NYPA explicitly defines what constitutes “de-identified data,” “personal data,” and “publicly available information.” Under the NYPA, consumer consent is required to use, process or transfer any personal data. The Act provides that any information that might personally identify a consumer constitutes personal data, which includes a consumer’s:
- physical characteristics (including disability status),
- IP addresses,
- email addresses,
- gender identity,
- sexual orientation,
- race or ethnicity,
- employment history,
- financial information,
- medical information,
- property records,
- loan records,
- purchase history,
- biometric information (including fingerprints or face scans),
- internet browsing history,
- messaging records,
- geolocation data,
- criminal records,
- educational records (e.g., transcripts),
- passwords or usernames.
While the CCPA applies to businesses that have an annual gross revenue of $25 million or more, the NYPA applies to any entity that conducts business in the state of New York. In addition to a right of action brought by the attorney general, the NYPA provides a private right of action, permitting any person who has been injured as a result of a violation of the Act to bring an action in his or her own name.
The NYPA has the potential to move quickly through the New York Senate and Assembly and land on Governor Andrew Cuomo’s desk by the end of the summer, which means the law could go into effect sometime in 2020. More reform acts from other states are set to follow this year: Nevada has enacted an amendment to its existing privacy statutes, and a consumer data privacy bill in Massachusetts has advanced to committee.