CCPA | data privacy | Data Protection Legislation

By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.


Ready or not, the strictest data privacy law the United States has ever seen, the California Consumer Privacy Act (CCPA), is coming January 1, 2020. And, other states are following California by enacting their own data privacy regulations which may include rights for data subjects comparable to the EU’s General Data Protection Regulation (GDPR). And, if that weren’t enough, Congress dragging CEOs into hearings and questioning them about how they hoard and exploit the personal information of millions of Americans the momentum is finally shifting toward passing a federal law.

Accountability falls on who’s shoulders? Organizations and their vendors!

“American GDPR”

The EU’s global privacy standard is the GDPR forcing global companies to examine and alter their practices in order to comply with the Regulation thereby avoiding a potential fine of up to 4% of their global revenue.

After many publicly reported, shocking revelations of companies’ data breaches and other privacy abuses involving Americans’ personal information – a free-for-all to monitor Americans’ behavior, collecting their information across the internet and from the real world usually without their knowledge of the collection, and the manipulation of their personal information taking place behind the scenes (Facebook, Google, Equifax) –  it is no wonder consumer advocacy groups are pushing individual states and Congress to propose and enact stricter legislative measures to strengthen Americans’ privacy rights.

A few states that have passed laws, in some form or another targeting the issue of consumer privacy rights, are:

  • Connecticut’s SB118 and North Dakota’s HB1485 both passed – requires a task force to study and give recommendations on privacy laws.
  • Maine’s LD946 passed and legally protects Maine’s online consumers, including their ISPs.
  • Nevada’s SB220 passed and extends data privacy obligations to operators of an Internet website or online service. Operators are legally required to implement processes to support the right to opt-out of the sale of personal information and must allow the consumer to submit a verified request where the operator is able to verify the authenticity of the request, identity of the consumer and respond within a specified timeframe to the verified request. Violators are subject to a civil action by the Office of the Attorney General and up to $5,000 penalty for each violation.
  • Texas’ HB4390 passed and revised the notification requirements of the Texas Identity Theft Enforcement and Protection Act § 521.053, Business & Commerce Code and created the Texas Privacy Protection Advisory Council. The changes to the state’s breach law specified the disclosure timeframe to consumers and the Office of the Attorney General to be made within 60 days of the date the breach is discovered, defined a threshold for reporting to the AG – only if 250 or more Texas residents are affected, and the breach report contents to the AG are specified in the law.
  • The CCPA legally mandates companies to take adequate security measures to protect data, offers consumers the right to request access to the data that has been collected about them, to be notified if their data is being sold to third parties and the right to block that sale. Further, the consumer cannot be denied service(s) just because they didn’t want their data sold. The law allows for private right of action, albeit in a limited form.

States’ legislatures have proposed bills that would offer American consumers GDPR-like privacy rights, such as, companies to inform users about their data practices, receive explicit permission before collection of any personal information, expands the definition of personal information to include the text “any other identifiers capable of being or could be reasonably linked directly or indirectly with a particular consumer…”, data access requests, right to opt-out, right to delete personal information, the business cannot discriminate against the consumer who exercises their rights. Some of these laws provide attorney generals enforcement authority to seek civil penalties and allows consumers the right to bring a civil action.

Consumer’s Private Right of Action, AG’s Actions Against Violators, and There’s More…

A “private right of action” meaning the ability for consumers to sue companies for violations of the law.

New York’s SB224 applies to “any person, proprietorship, firm, partnership, association, cooperative, nonprofit organization or corporation organized or existing under the laws of this state or any other state, and doing business in this state…” The proposed bill allows for civil action to be brought by a consumer, the New York attorney general, a district attorney, city attorney or prosecutor to recover penalties for violations.

North Dakota’s HB1485 applies to entities with annual gross revenues in excess of $25 million; derives at least 50% of its annual revenues from selling personal information; or annually buys, receives, sells or shares personal information of at least 50,000 consumers, households or devices. The attorney general has enforcement authority seeking civil penalties between $100,000 and $250,000 for each violation of a cease and desist order, bring action in district court to recover penalties, attorney’s fees and costs. Consumers have the right to bring a civil action to recover damages, fees and costs.

New Mexico’s SB176, if passed, mandates employees must be “appropriately trained in compliance”.

Washington’s SB5376 applies to private entities conducting business in the state, or who provide products and services to Washington residents, who control or process data of 100,000 or more consumers or derive over 50% of their gross revenue from the sale of personal information and who possess or control personal information of 250,000 or more consumers. The proposed bill would require data owners (“Controllers”) to conduct and document annual risk assessment of the processing of personal information or when there is a change in the processing that would impact the risk to individuals.

Federal Privacy Laws – Better Late Than … Never

You may have realized by now, there is a federal privacy legislation power struggle going on in Congress. Senators and House Representative along with consumer privacy groups have introduced federal privacy laws that would either pre-empt state law and roll back data privacy and protections that individuals would receive under passed state legislation versus proposed bills that do not contain pre-emption clauses and includes similarities to the CCPA and the GDPR. The proposed bills could include but are not limited to:

  • Require some form of opt-in consent.
  • Create a private right of action.
  • Require the creation of a U.S. public listing of “data brokers” meaning third party companies who buy and sell individuals’ data including personal information.
  • Subject violators to FTC imposed penalties.
  • Allow a state to bring civil action on behalf of its resident to obtain some form of relief.

Other federal privacy bills aim at alleviating the harmful effects of data collection of consumers by creating a Do Not Track system which would be administered by the FTC. In other words, commercial websites would be legally prohibited from harvesting unnecessary data from consumers who have Do Not Track turned on.

Yet another federal privacy bill would require tech companies to test their artificial intelligence systems for biases including racial discrimination and to fix those biases.

As several authorities have been updating their guidance on cookies (already published in the case of France, Germany, Ireland and the UK, and soon others such as Denmark), it is likely that the cookie provisions will give rise to further discussions.1  Organizations embarking on significant Internet-of-Things projects may wish to take into account secrecy of electronic communications, so as to avoid having to stop or redesign the project in a year or two. Any organization contemplating a new flagship website or application may also wish to reconsider widespread use of tags rather than cookies if the intent was to avoid applicability of the cookie rules, as the rules will at some point be the same.2

Most of the proposed federal privacy laws include cybersecurity standards and require some type of platform for breach notification and timeframe for the notification. Cyberattacks can be created by linking services. The spike in data breach incidents over the past few years suggests that we will likely see an increase in services offering personal profiles; thus, an increase in the number and kinds of attacks that use personal profiles.3

Data Access Requests – A Timely Topic

The current state of proposed laws mandate that entities provide to consumers the right to access and request details regarding their personal information that the entity collects, stores and shares. Unless the law specifies an exception, the entity must provide a response to the individual within a specified timeframe, such as, 30 days or 45 days and at no charge to the individual.

The data access request provision is not a new legal concept but has become more visible due to the spotlight on privacy rights.

Under the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), a Federal law that protects the privacy of student education records, gives parents and “eligible students” the right to inspect and review the student’s educational records, correct inaccurate or misleading records, the right to a hearing upon the denial of amending a record and the right to place a contestation statement about the contested information.

HIPAA’s Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity, including:

  • the right to inspect or obtain a copy, or both, of the PHI,
  • direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice,
  • the right to access their PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).4

The CCPA, when it goes into effect on January 1, 2020, mandates that residents can access and transmit their personal information in a readily usable format which enables the transfer to third parties without issues and they can request deletion of their data or bring it with them to alternative service providers. A business must respond to a consumer’s data access request within 45 days.

Vendor Verification and Validation

Alabama Code § 8-38 requires that the third-party agent that has been contracted to maintain, store, process or permitted to access sensitive personal information on behalf of a covered entity must implement and maintain reasonable security measures to protect the sensitive personal information against a breach of security and dispose or arrange disposal of records containing sensitive personal information that is within its custody or control when the records are no to be retrained pursuant to applicable law, regulations or business needs.

Under Oregon’s SB684, in the event of a breach of security or suspected breach involving a vendor under contract with a covered entity, the vendor is required to notify the covered entity of the breach as soon as practicable, but no later than ten (10) days after discovering the breach or suspected breach. Similarly, if the covered entity’s contracted vendor subcontracts with another vendor, the subcontracted vendor is required to notify its vendor about the breach within ten (10) days after discovering the breach or suspected breach. Vendors will also be required to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information including when disposing of the personal information.

Illinois (815 ILCS 530/40) states that a covered entity may contract with a third party to dispose materials containing personal information. Any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information. A third party who violates this Section is subject to a civil penalty of not more than $100 for each individual with respect to whom personal information is disposed of in violation of this Section. The Attorney General may impose a civil penalty, may file a civil action in the circuit court to recover any penalty imposed under this Section and may bring an action in the circuit court to remedy a violation of this Section, seeking any appropriate relief.

New York’s recently passed SHIELD Act requires businesses who own or license computerized data which includes private information of New York residents to implement and maintain specific administrative, technical and physical safeguards which includes vendor management through due diligence and contracts. Non-compliance with the new data protection and security requirements will be considered deceptive acts and practices with civil penalties up to $5,000 per violation. This portion of the bill will go into effect on March 21, 2020.

The growing consensus is that Congress must take action to address Americans’ data privacy, and any national law must provide clear and consistent protections that both consumers and businesses will understand.




2 Id.

3 MITSloan Management Review, Casting the Dark Web in a New Light, K. Huang, M. Siegel, K. Pearlson, S. Madnick, July 15, 2019

4 Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, General Right @

Contact CSR