of. The European Union’s (EU) General Data Protection Regulation (GDPR) is the first and most well-known of these. This opened a floodgate of action in the US. Several new or bolstered laws have gone into effect in the United States to protect the privacy of its citizens.
GDPR went into effect on May 25, 2018. This framework replaced the previous regulation known as the Data Protection Directive. GDPR expanded and more specifically defined the requirements that an organization had to fulfill to be permitted to store, transmit, or process the personal information of EU citizens.
GDPR has several significant requirements including:
GDPR also increased the maximum penalties that an organization could incur from non-compliance. This is now up to 4% of global turnover or €20 million, whichever is greater. Many organizations that were non-compliant with GDPR have already been penalized. This includes Google, which received a $57 million penalty for failure to describe how personal data was being used to serve targeted advertising.
The United States does not have a unified national privacy regulation. At the federal level, privacy protection is industry-dependent. Regulations like HIPAA and PCI-DSS protect certain types of personal data under certain circumstances.
However, some states have independently decided to follow the lead of the EU and pass consumer privacy-protecting regulations. In 2018, 12 of the 50 states passed consumer privacy regulations that provide at least some of the protections provided to EU citizens by the GDPR.
Alabama’s data breach notification law went into effect on June 1, 2018. It prevents organizations from collecting personal data in electronic form without authorization. The consumer privacy regulation:
Arizona previously had a breach notification law but updated it in April of 2018 to increase the protection for consumers. The new consumer privacy law:
The California Consumer Privacy Act (CCPA) is probably the most famous of the new state-specific privacy regulations in the US. The CCPA was passed in 2018 and is scheduled to go into effect on January 1, 2020. However, lawmakers have already used it as a basis for adding new regulations and protections.
The CCPA allows consumers to:
The CCPA defines what counts as personal data. It levies fines of up to $7,500 for each intentional violation and $2,500 for each unintentional violation. In the event of a breach, the offender may also be forced to pay damages of up to $750 per California resident or actual damages, whichever is greater.
Colorado’s breach notification law went into effect on September 1, 2018. It defines “covered entities” as persons who “maintain, own, or license” PII for business purposes.
Covered entities are required to properly secure and dispose of collected PII. They must notify affected parties and regulators of any data breach affecting more than 500 Colorado residents. If a covered entity outsources data storage or processing to a third-party vendor, it is required to oversee and ensure the protection of the data in the vendor’s possession.
Iowa’s privacy protection law (which went into effect July 1, 2018) is designed to protect school-age children. Organizations are prohibited from using students’ information for certain purposes and must appropriately protect the data in their possession.
Louisiana updated its data protection laws effective August 1, 2018. Under the new laws, additional types of data are protected, data breach notifications are required within 60 days, a “risk of harm” provision is included, and an organization is required to properly destroy information it plans to dispose of.
Nebraska’s data protection laws require organizations to appropriately protect collected personal information. They must also have any third-party vendors do the same.
Oregon expanded its existing data protection law scope effective June 2, 2018. The new law:
The South Carolina Insurance Data Security Act became effective on January 1, 2019. This law requires insurance companies to have incident response plans and cybersecurity programs and to provide breach notifications within 72 days.
South Dakota’s new data protection law protects individuals against unauthorized disclosure of a wide variety of personal information. Individuals and Consumer Reporting Agencies (CRAs) must be notified of a breach within 60 days. This carries a penalty of up to $10,000 per day. The attorney general must be notified of any breach involving more than 250 affected South Dakota residents.
Vermont’s breach notification law is designed to regulate data brokers. These data brokers must:
Virginia previously had a data protection law, but it has been revised to protect against tax fraud. Under the new law, tax preparers are required to report any suspicion that a client’s information was accessed by an unauthorized party.
The consumer privacy regulation space has become fragmented. It may be difficult to determine which regulations your organization must comply with and how to do so. Many privacy regulations have identical or similar terms. Enacting a single policy that is compliant with all of them can be difficult, but it is a good step for security.
Fulfilling compliance can be a daunting task for companies to take on themselves. Organizations often do not have the time, resources, or skill set to ensure their compliance. Reach out to Avertium's team for help with your governance, risk, and compliance initiatives.