The tech industry is abuzz with news about the CCPA, California’s new data privacy legislation. However, while California may be the first state to enact its own form of the GDPR, it certainly won’t be the last. Numerous other states either have data privacy laws on the books or are busy passing privacy bills, and each one is different from the rest. Check out just a few of the different ways that states are trying to protect their citizens’ data.
Delaware: Book Service Legislation
Interestingly, DOPPA also contains a clause aimed specifically towards digital book services which prohibits the service from disclosing which books their users read to third parties, even law enforcement. However, in a life-threatening emergency, the book service provider would have to provide this information, meaning maintaining customers’ data privacy isn’t so easy as to delete everything past a certain period of time.
Washington: Keeping Faces Under Wraps
Currently in progress in the Washington state legislature is the Washington Privacy Act, an act similar to the GDPR and CCPA that regulates the collection and processing of users’ personal data. While its in-the-works status means that the exact content of the bill is still subject to change, the bill is on track to being more stringent than the CCPA, both in terms of entities covered and the type of data subject to the law.
Possibly because of controversies surrounding facial recognition software, the bill also contains material regulating its use. If the Washington Privacy Act passes, companies that use facial recognition software for profiling must pass the software results through human arbiters to check for accuracy before the information can be acted upon. Furthermore, companies that use facial recognition for their own uses must obtain customer consent first, and some facial recognition software must include APIs that would allow third parties to vet it for accuracy and bias.
New Jersey: Protection For Everyone
Like other states, New Jersey is introducing its own data privacy legislation. What makes this one interesting isn’t necessarily its prohibitions, but rather who it covers. The CCPA as well as the Washington Privacy Act refer to “residents” of the state when talking about protections granted; however, the New Jersey version defines “customer” as “an individual within this state”. This means that even if the user is not a New Jersey resident, as long as they were within the boundaries of the state when the data is collected, they would be theoretically covered by the New Jersey data privacy act.
This bill is much earlier in the legislative process than the Washington Privacy Act, and thus has much that can be changed, but this definition is an example of how seemingly minor differences in data privacy laws can mean very different identification and governance is necessary for businesses.
50 States, One Solution
As more and more states start drafting their own data protection bills, it is important for an organization that works with personal data to be proactive in preparing for compliance. With an increasing number of differing requirements, dedicated compliance officers and a unified information governance solution will be key for navigating your customers’ privacy requirements in an organized and efficient way.