Compliance

50 States of Privacy Laws

The tech industry is abuzz with news about the CCPA, California’s new data privacy legislation. However, while California may be the first state to enact its own form of the GDPR, it certainly won’t be the last. Numerous other states either have data privacy laws on the books or are busy passing privacy bills, and each one is different from the rest. Check out just a few of the different ways that states are trying to protect their citizens’ data.

Delaware: Book Service Legislation

In 2015, the Delaware state legislature passed the Online and Personal Privacy Protection Act (DOPPA), which contained a variety of requirements aimed towards consumer-facing websites, including making posting a conspicuous privacy policy mandatory and prohibiting the marketing of age-inappropriate material to minors.

Interestingly, DOPPA also contains a clause aimed specifically towards digital book services which prohibits the service from disclosing which books their users read to third parties, even law enforcement. However, in a life-threatening emergency, the book service provider would have to provide this information, meaning maintaining customers’ data privacy isn’t so easy as to delete everything past a certain period of time.

Washington: Keeping Faces Under Wraps

Currently in progress in the Washington state legislature is the Washington Privacy Act, an act similar to the GDPR and CCPA that regulates the collection and processing of users’ personal data. While its in-the-works status means that the exact content of the bill is still subject to change, the bill is on track to being more stringent than the CCPA, both in terms of entities covered and the type of data subject to the law.

Possibly because of controversies surrounding facial recognition software, the bill also contains material regulating its use. If the Washington Privacy Act passes, companies that use facial recognition software for profiling must pass the software results through human arbiters to check for accuracy before the information can be acted upon. Furthermore, companies that use facial recognition for their own uses must obtain customer consent first, and some facial recognition software must include APIs that would allow third parties to vet it for accuracy and bias.

New Jersey: Protection For Everyone

Like other states, New Jersey is introducing its own data privacy legislation. What makes this one interesting isn’t necessarily its prohibitions, but rather who it covers. The CCPA as well as the Washington Privacy Act refer to “residents” of the state when talking about protections granted; however, the New Jersey version defines “customer” as “an individual within this state”. This means that even if the user is not a New Jersey resident, as long as they were within the boundaries of the state when the data is collected, they would be theoretically covered by the New Jersey data privacy act.

This bill is much earlier in the legislative process than the Washington Privacy Act, and thus has much that can be changed, but this definition is an example of how seemingly minor differences in data privacy laws can mean very different identification and governance is necessary for businesses.

50 States, One Solution

As more and more states start drafting their own data protection bills, it is important for an organization that works with personal data to be proactive in preparing for compliance. With an increasing number of differing requirements, dedicated compliance officers and a unified information governance solution will be key for navigating your customers’ privacy requirements in an organized and efficient way.

I'm a Bay Area native who enjoys writing about the endlessly fascinating field of information governance. In my spare time, I enjoy making board games, baking, and attempting to convince everyone I know to watch The Genius.