The European Union’s GDPR, California’s CCPA, Nevada’s SB 220, and New York’s SHIELD Act are all personal privacy legislation currently in effect or coming online very soon. What is a business to do with this alphabet soup of laws that are being served up and impacting your customers’ lives?
Here are some things you can do right now:
Consult an attorney to craft or verify that your Privacy Policy and website Terms of Use are compliant. Warning: while there are many free and low-cost policy-generating websites out there, we do not recommend using them without having the resulting document reviewed by your legal counsel.
Know which laws apply to you. We’ve outlined a few of the details for each below, but again, this is something your attorney will help you figure out. Acquire the language you need to help them help you.
Use Wheaton’s Law whenever you collect, have access to, or do anything with other people’s private information. From contact information to order details, don’t be one of “those guys.”
Let’s review the most current laws:
EU’s General Data Protection Regulation (GDPR)
Effective date: May 25, 2018
Impact: Businesses with customers who are EU citizens (regardless of where they live)
When the GDPR came into effect in 2018, it grabbed headlines around the world with its broad protection of EU citizens’ data. Due to the May 2018 implementation date, we’re going to assume that you are already compliant with GDPR for the purpose of this article just so we don’t confuse issues (wink). If you’re not, get on the stick!
California Consumer Privacy Act (CCPA)
Effective date: January 1, 2020
Impact: For-profit businesses with customers who are California residents
This is the first of many state-approved measures attempting to protect citizens’ private data. It’s being used as a model for many more states coming up with their own versions. General CCPA info you should know*:
Important: non-profit businesses are exempt from CCPA
Covers goods and services sold to residents of California (regardless of where the business is located)
Use opt-in as your guiding principle for all client interactions and you should be compliant*
If you have a GDPR notice on your website, you may already be complying with the CCPA notice requirement*
Add a “Do Not Sell My Personal Information” link conspicuously on your website’s homepage (footer is great) and to your privacy policy
Link to a page where customers can opt-out of the sale of their information
Acquire a toll-free number or designate one for accepting opt-out requests
Penalty for non-compliance is up to $7,500 per violation
Train your team to know what they can and cannot do with personal data collected
Look at your collected data and identify which information can be sold and which will be transferred to a third party
Add a Data Custodian role to your team – this individual will be responsible for the CCPA’s requirements for data collection, storage, and removal.
There are many more things you need to know so be sure to have your attorney help you determine compliance
Nevada SB 220
Effective date: October 1, 2019
Impact: Businesses with a website – regardless of location
Sale of data under SB 220 is limited to data brokers*
If you’re compliant with CCPA, you are likely compliant with Nevada SB 220*
New York SHIELD Act
Effective date: October 23, 2019
Impact: Businesses with customers who are residents of New York state
Use reasonable administrative, technical, and physical cybersecurity safeguards to protect customers’ information*
If a breach occurs, the act provides requirements for notification*
More states are coming up with their own versions of data privacy laws. Next year, the legislatures in North Dakota, Massachusetts, New Jersey, and Pennsylvania are expected to pass their own state privacy laws. The state-by-state approach will continue until federal legislation is enacted. Even then, the individual state requirements may persist.
Hey – thanks for reading to the end – there’s a lot here.
So, what to do? First off, don’t panic. All will be well. Just figure out what the rules are for your playground – as each law has different effect and jurisdiction. Then, make a plan! (And make sure your plan includes monitoring these laws so you can adjust to accommodate changes in the law.)
We’ve done our best to provide you the basics, but your legal team is definitely your best solution for advice on carrying out your privacy plan.
Last thoughts: Some have asked, “Do I really need a privacy plan?” There are three main reasons why you would want to ensure you have one:
Don’t get sued.
Don’t get sued.
Don’t get sued.
It’s really that simple. All businesses have some sort of privacy concern as it pertains to the law, whether they are an online business, have a website, or have employees. Not having a policy or plan in place is a large potential liability. Current and future privacy legislation is making a privacy plan a necessity*.
*disclaimer: Evans Larson Communication is not a law firm. While we have thoroughly researched the facts presented in this article, it does not represent legal advice and is “as is;” no representations are made that the content is error-free. Its intent is to be used as a start to your investigation into the topic. Please consult an attorney for legal advice.