Has the CCPA Started a Domestic Privacy Wave?

This post is authored by Antonia Dumas, JD, an associate with XPAN Law Group.

In the wake of the European Union’s General Data Protection Regulation’s arrival, there have been many discussions about whether the U.S. will adopt similar legislation. However, just as in other areas, the U.S. often does things differently. Here, waves of change often come from the states rather than the federal level. In the privacy context, has the California Consumer Privacy Act (“CCPA”) started a domestic privacy wave?

The CCPA is expected to come into effect in 2020, after having just been passed in June (we broke down the CCPA in a prior blog post here). Although the CCPA purports to give businesses a grace period before it takes effect, in reality the Act has implications as of January 2019 because of its 12-month look-back rule: consumers may request information about personal data collected during the 12 months preceding their request. So, surprising to most, this Act has almost immediate ramifications.

As soon as the news – and in some places almost panic – of the CCPA began to travel across the states, we began to hear murmurs of other states, and even some major cities, proposing new data privacy laws. Most of these laws are not as broadly applicable as the CCPA, but they do raise the bar for businesses to take stronger steps to protect individuals’ data.

States Are Proposing Stricter Data Privacy Laws

It was not a surprise that California was the first to pass a sweeping data privacy law, as it is known to be a trendsetter in other areas of law. However, it is a little surprising that other states have begun to follow California so quickly.

Some states are focusing on certain industries or targeting certain types of companies. Vermont was the first to regulate data brokers, companies that buy and share user data. Its law requires data brokers to disclose the data they collect, to provide consumers with an opt-out, and to meet security and breach notification requirements. South Carolina was the first state to pass an insurance industry cybersecurity law. It requires insurance entities operating within the state to “develop, implement, and maintain a comprehensive written information security program,” including safeguards to protect a policyholder’s personal information. § 38-99-20.

Iowa’s Act focuses on companies that target children and K-12 students. It bars not only the sale but also the “rental” of student information and imposes specific security requirements. Nebraska’s law takes a geographical approach, applying to commercial entities doing business in Nebraska that own or license personal information of Nebraska residents.

Some of these laws, like the CCPA, have broadened the definition of personal identifying information, or PII. Under the CCPA, the definition of PII extends to “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” § 1798.140(o)(1). Under the Act, PII was broadened to include biometric information, internet or network activity (such as browsing and search history), and information regarding a consumer’s interaction with websites, applications or advertisements. § 1798.140(o)(1)(a-k). (Note, however, that there are a number of “exceptions” to this broad definition.) Colorado’s recently adopted cybersecurity law also adds components of qualifying data such as biometric data. Delaware significantly broadened its definition of PII to include not only biometric data but also the information required to access an online account (a username or email address) in combination with a password or with a security question and answer. § 12B-101, 7(a)(1-9). With respect to medical information as PII, Delaware includes:

“Medical history, medical treatment by a health-care professional, diagnosis of mental or physical condition by a health-care professional, or deoxyribonucleic acid profile… Health insurance policy number, subscriber identification number, or any other unique identifier used by a health insurer to identify the person.”
§ 12B-101, 7(a)(6-7).

The Colorado law also requires businesses to document and implement practices appropriate to the nature of the information collected and to the nature and size of the business and its operations. More specifically, it requires businesses to keep a written data management policy. A similar proactive cybersecurity requirement appears in Ohio’s new cybersecurity law, though Ohio takes an incentive-based approach: a company that implements a recognized cybersecurity framework is given an affirmative defense in the event of a breach.

Overall, these laws impose new requirements and share one important takeaway for businesses – documentation, documentation, documentation.

Major Cities Are Following the States’ Example

Over the summer we have seen that it is not only states that are leading the way on data privacy; cities are proposing their own privacy plans as well.

Chicago was the first to propose a city ordinance that would require companies to obtain an opt-in from Chicago residents before their data may be used, bought or sold. (The Ordinance was proposed as an Amendment of Municipal Code Title 4 by adding a new Chapter 4-402 entitled “Chicago Personal Data Collection and Protection Ordinance”.) It notes the need for stronger protections and that “…it is time to equip consumers with control over their information, informed consent to its disclosure, awareness of its use, and redress for its misuse . . . .”

San Francisco became the second major city to initiate an action plan, the “Privacy First Policy”, to protect against misuse and misappropriation of personal data. Under the plan, which is to be voted on in November 2018, companies would be required to disclose their data collection policies and even to take into account the impact of those policies on the communities affected.

Will This Domestic Privacy Wave Create Structure or Chaos?

With increased awareness of the importance of strong data privacy protections, will the CCPA and the other state laws result in strong domestic privacy protections or create chaos? Some are on the edge of their seats waiting to see the wave continue. For now, there are still challenges with these new state laws, including enforcement and encouraging compliance. Security and privacy can be costly to retrofit if a company’s systems and processes were not designed and architected with those concepts in mind. Incentivizing with the carrot or the stick is always a tricky balance.

For those of us who address clients’ concerns about the use of data and the legal implications of data protection regulations on a daily basis, the possibility of unified domestic data privacy protections and obligations is enticing. At the federal level, there is movement, such as Senator Warner’s policy proposals for regulation of social media and technology firms, the Balancing the Rights of Web Surfers Equally and Responsibly (BROWSER) Act of 2017 introduced by Representative Marsha Blackburn, and the upcoming hearing to be held by the Senate Committee on Commerce, Science, and Transportation entitled “Examining Safeguards for Consumer Data Privacy.” However, the reality is that a single domestic data privacy regulation is, at the moment, not likely to materialize in the near future. It is more likely that we will continue to have a patchwork of regulations that may become an intricate web to navigate. With a void at the federal level, the state laws will reign supreme for the time being, and we will have to keep our eyes and ears open.


Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.