State Laws Requiring Disclosure When You Collect Personal Information

Although the United States lacks a comprehensive federal consumer privacy or data law, many states are passing their own laws containing restrictions similar to parts of the European Union’s General Data Protection Regulation (“GDPR”).

One of the most important restrictions in the GDPR is a requirement that businesses collecting personally identifiable information disclose to the consumer how that data will be used.  See GDPR, Art. 7.

The following states have similar rules:

1. California

Cal. Civ. Code § 1798.100-§ 1798.198 (“The California Consumer Privacy Act of 2018” (aka “CCPA”)).  The Act gives California consumers the right to request that a business that collects consumers’ personal information disclose the categories of information collected, sources of the information, business purpose for the collection, and specific pieces of information collected.  Consumers also have the right to request that a business delete personal information collected.  Businesses must disclose to consumers the right to opt-out of the sale of the consumers’ personal information, and businesses may not discriminate against those consumers that exercise their rights under the Act.  The law applies only to California residents and is effective January 1, 2020.

Calif. Bus. & Prof. Code § 22575-22578 (“CalOPPA”).  The Act requires operators of commercial websites or online services that collect personal information from California consumers to conspicuously post a privacy policy on the website or online service (which may include mobile apps) and comply with the posted policy.  The privacy policy must, among other things, identify the categories of personally identifiable information collected from consumers and categories of third parties with whom the operator shares the information.  The privacy policy must also provide information on the operator’s online tracking practices.  Operators must post a privacy policy within 30 days of being notified of noncompliance.

2. Connecticut

Conn. Gen. Stat. § 42-471.  The statute requires any person who collects Social Security numbers in the course of business to create and publicly display a privacy protection policy, including on a website.  The policy must: (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.

3. Delaware

Del. Code Tit. 6 § 205C (“Delaware Online Privacy and Protection Act”).  The Act requires any operator of a commercial internet website, online or cloud computing service, online application, or mobile application that collects personally identifiable information through the Internet about Delaware consumers who use or visit the operator's commercial internet website, online or cloud computing service, online application, or mobile application to make its privacy policy conspicuously available on its internet website, online or cloud computing service, online application, or mobile application.  An operator must make its privacy policy conspicuously available within 30 days after being notified of noncompliance.  The policy must, among other things: (1) identify the categories of personally identifiable information that the operator collects and the categories of third parties with whom the operator may share that personally identifiable information; (2) disclose whether the operator has a process for a consumer to review and request changes to personally identifiable information collected through the internet website, online or cloud computing service, online application, or mobile application, and a description of that process; and (3) disclose how the operator responds to web browser "do not track" signals or other mechanisms that give consumers the ability to exercise choice regarding the collection of personally identifiable information.

4. Nevada

NRS § 603A.340.  The statute requires operators of Internet websites or online services that collect personally identifiable information to make publicly available a notice that includes: (1) the categories of covered information that the operator collects about consumers and categories of third parties with whom the operator may share such covered information; (2) a description of the process for a consumer who uses or visits the Internet website or online service to review and request changes to any personally identifiable information that is collected; (3) a description of the process by which the operator notifies consumers of material changes to the notice required to be made available by this subsection; (4) whether a third party can collect personally identifiable information about a consumer’s online activities; and (5) the effective date of the notice.  The statute gives operators 30 days to remedy noncompliance.

5. Oregon

ORS § 646.607.  The statute makes it an unlawful trade practice for a person to publish on a website related to the person’s business, or in a consumer agreement related to a consumer transaction, a statement or representation of fact in which the person asserts that the person, in a particular manner or for particular purposes, will use, disclose, collect, maintain, delete or dispose of information that the person requests, requires or receives from a consumer and the person uses, discloses, collects, maintains, deletes or disposes of the information in a manner that is materially inconsistent with the person’s statement or representation.

6. Utah

Utah Code §§ 13-37-201 to -203 (“Notice of Intent to Sell Nonpublic Personal Information Act”).  The Act requires a commercial entity to provide a notice to consumers regarding whether the commercial entity obtains nonpublic personal information about consumers and whether the commercial entity intends to or wants the ability to disclose the nonpublic personal information to a third party for compensation.  The notice should state: “We may choose to disclose nonpublic personal information about you, the consumer, to a third party for compensation.”  The notice may be provided to consumers orally or in writing.  If in writing, the notice should be in bold letters and be displayed conspicuously.

7. Vermont

9 V.S.A § 2446-2447 (2018 H.B. 764) (“Protection of Personal Information: Data Brokers”).  The Act requires a data broker (a business that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship) to register annually with the Secretary of State.  The registration must include, among other things: (1) the name and primary physical, e-mail, and Internet addresses of the data broker; (2) whether the data broker permits a consumer to opt out of the collection of personal information, opt out of its databases, or opt out of certain sales of data and the method for opting out; (3) a statement specifying the data collection, databases, or sales activities from which a consumer may not opt out; and (4) the number of data broker security breaches that the data broker has experienced during the prior year, and if known, the total number of consumers affected by the breaches.  Under the Act, data brokers also must implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information.

Please contact me if you would like to discuss this sort of privacy restriction, data breach notification, standards for safeguarding data, or other matters.