We know this fact: changes in laws and regulations always trail behavioral changes. This truism is playing out in the consumer privacy space. Since more consumers now care deeply about how their personal privacy can be protected, legislators have begun to take the issue more seriously.
Let’s look at how we got where we are and where we appear to be headed with new state-level regulations.
Federal data privacy background
Current Federal data privacy practices are the outcome of four main vertically focused laws.
US Privacy Act – 1974
This act lays out the rights and restrictions placed on the personal consumer data held by government agencies.
Health Insurance Portability and Accountability Act (HIPAA) – 1996
The law spells out specific protections and procedures to keep consumer healthcare data and information private.
Gramm-Leach-Bliley Act (GLBA) – 1999
The first law to govern how financial non-public personal information must be protected.
Children’s Online Privacy Protection Act (COPPA) – 2000
An act providing guidelines for how to safeguard the personal information of children age 12 and under.
Emerging state-level personal privacy protections take a different approach
For starters, they flip the whole privacy paradigm on its head. Instead of a focus on how institutions protect information, the states develop their regulations from the consumer protection point of view. California is the most instructive current example in terms of what can be done to advance personal privacy protection.
The California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) of 2018 went into effect on January 1, 2020. It allows any California consumer to demand to see all the personal information a company holds about them. The consumer can also request a full list of third parties with whom data is shared. The California law allows consumers to sue companies when privacy guidelines are violated, even if there’s no accompanying data breach.
The act applies to companies that provide service to California residents and have at least $25 million in annual revenue. Companies need not be based in California or even have a physical presence there to fall under the law. They don’t even have to be based in the United States.
When a violation takes place, a company has 30 days to resolve the issue and demonstrate compliance. If it fails to do so, it can be fined up to $7,500 per record. This can add up quickly.
In late 2020, California voters passed the California Privacy Rights and Enforcement Act (CPRA). The CPRA updates and supersedes the CCPA and aligns more closely with the European Union’s General Data Protection Regulation (GDPR). This move significantly strengthens the personal privacy rights of California residents. CPRA goes into effect on January 1, 2023.
Lots of other states are getting into consumer privacy legislation too
The CCPA was a ground-breaking shift in consumer privacy rules. The aftershocks of it will likely be felt for a long time. Beyond the CPRA passed in 2020, probable future provisions include:
- Employee privacy
- Privacy in business-to-business interactions
- Registration of data brokers
Multiple states are introducing consumer privacy laws. While it’s tricky to predict which states will pass which bills into law, the sheer number of states and the increasing public interest in data privacy probably mean California won’t be alone for long.
At least 30 states have introduced or considered consumer privacy laws, but only a small number of laws have passed. The vast majority are either pending, have been defeated or have expired as a result of a legislative session ending.
There are dozens of ideas and permutations of ideas under discussion, far too many to consider here. If you’re interested in reading for yourself what’s going on in your state, this article will be helpful.
MemberPass, the credit union industry’s digital passport solution, is available for you right now
Take advantage of increasing member interest in personal privacy as well as ownership and control over their personal information and create greater digital trust and a significantly better member experience in the process.