Although the United States lacks a comprehensive federal consumer privacy or data law, many states are enacting their own laws containing restrictions similar to parts of the European Union’s General Data Protection Regulation (“GDPR”).
One of the most important restrictions in the GDPR is a requirement that businesses collecting personally identifiable information disclose to the consumer how that data will be used. See GDPR, Art. 7.
The following states have similar rules:
Cal. Civ. Code § 1798.100-§ 1798.198 (“The California Consumer Privacy Act of 2018” (aka “CCPA”)). The Act gives California consumers the right to request that a business that collects consumers’ personal information disclose the categories of information collected, sources of the information, business purpose for the collection, and specific pieces of information collected. Consumers also have the right to request that a business delete personal information collected. Businesses must disclose to consumers the right to opt-out of the sale of the consumers’ personal information, and businesses may not discriminate against those consumers that exercise their rights under the Act. The law applies only to California residents and is effective January 1, 2020.
Conn. Gen. Stat. § 42-471. The statute requires any person who collects Social Security numbers in the course of business to create and publicly display a privacy protection policy, including on a website. The policy must: (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.
NRS § 603A.340. The statute requires operators of Internet websites or online services that collect personally identifiable information to make publicly available a notice that includes: (1) the categories of covered information that the operator collects about consumers and the categories of third parties with whom the operator may share such covered information; (2) a description of the process for a consumer who uses or visits the Internet website or online service to review and request changes to any personally identifiable information that is collected; (3) a description of the process by which the operator notifies consumers of material changes to the notice required to be made available under the statute; (4) whether a third party can collect personally identifiable information about a consumer’s online activities; and (5) the effective date of the notice. The statute gives operators 30 days to remedy noncompliance.
ORS § 646.607. The statute makes it an unlawful trade practice for a person to publish on a website related to the person’s business, or in a consumer agreement related to a consumer transaction, a statement or representation of fact in which the person asserts that the person, in a particular manner or for particular purposes, will use, disclose, collect, maintain, delete or dispose of information that the person requests, requires or receives from a consumer and the person uses, discloses, collects, maintains, deletes or disposes of the information in a manner that is materially inconsistent with the person’s statement or representation.
Utah Code §§ 13-37-201 to -203 (“Notice of Intent to Sell Nonpublic Personal Information Act”). The Act requires a commercial entity to provide a notice to consumers regarding whether the commercial entity obtains nonpublic personal information about consumers and whether the commercial entity intends to or wants the ability to disclose the nonpublic personal information to a third party for compensation. The notice should state: “We may choose to disclose nonpublic personal information about you, the consumer, to a third party for compensation.” The notice may be provided to consumers orally or in writing. If in writing, the notice should be in bold letters and be displayed conspicuously.
9 V.S.A. §§ 2446-2447 (2018 H.B. 764) (“Protection of Personal Information: Data Brokers”). The Act requires a data broker (a business that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship) to register annually with the Secretary of State. The registration must include, among other things: (1) the name and primary physical, e-mail, and Internet addresses of the data broker; (2) whether the data broker permits a consumer to opt out of the collection of personal information, opt out of its databases, or opt out of certain sales of data, and the method for opting out; (3) a statement specifying the data collection, databases, or sales activities from which a consumer may not opt out; and (4) the number of data broker security breaches that the data broker has experienced during the prior year and, if known, the total number of consumers affected by the breaches. Under the Act, data brokers also must implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information.
Please contact me if you would like to discuss this sort of privacy restriction, data breach notification, standards for safeguarding data, or other matters.