Preparing for Consumer Privacy Laws from California to Maine
Leveraging ServiceNow to Stay On Top of Ever-Changing Privacy Laws
In the United States, California led the way in consumer privacy legislation, passing the California Consumer Privacy Act (CCPA) in 2018. Since then, many other states have followed suit, proposing their own laws to protect the privacy of their citizens. Being aware of this legislation before it becomes mandated can help you establish or fortify your organization’s consumer privacy posture. Even better, if you are a current or prospective ServiceNow customer, you have an ideal solution for achieving and maintaining compliance.
In this blog, Mike DeAndrea, GRC Advisory Solution Architect at Milestone Technologies, outlines the current status of these proposed laws, summarizing those that have already been enacted, those that are still working their way through their state’s legislative bodies, and those that have failed to pass.
While all 50 states have enacted regulations requiring businesses to notify affected individuals of data breaches in which their personal information was exposed, only three states have passed laws that grant consumers greater rights over how their personal information is collected, used, and shared: California, Nevada, and Maine. It is vitally important for all organizations to understand that this legislation does not apply only to organizations operating in these states. Rather, it applies to many organizations (with a number of exceptions) that collect or hold the data of consumers who reside in these states, wherever the organization itself is located.
The California Consumer Privacy Act (CCPA)
The CCPA is a sweeping new law that went into effect on January 1, 2020, and becomes enforceable by the California Attorney General on July 1, 2020. It grants California residents the right to know what personal information a business has collected about them, the right to request that their personal data be deleted, and the right to "say no" to the sale of their personal information (the right to "opt out"). The law applies to most for-profit businesses that collect personal information from California residents and meet its revenue or data-volume thresholds, regardless of where the business is located. It also grants residents a private right of action (the right to sue) when certain categories of their personal information are exposed in a data breach that results from a failure to maintain reasonable security. The CCPA is the most stringent consumer privacy law in the United States and is replete with requirements. (See the other blogs in this series for more information on the CCPA.)
The Nevada Online Privacy Law (SB220)
The Nevada Privacy Law does not approach the stringent requirements imposed by California's CCPA. The Nevada law requires operators of websites and online services to let consumers opt out of the sale of their personal information, and to establish a designated request address (such as an email address, toll-free number, or web form) through which consumers can submit that request. It does not grant consumers the right to know what data has been collected or the right to request that data be deleted. It also does not require that the notice of the consumer's right to opt out be placed in a conspicuous location or that a "Do Not Sell My Personal Information" link be provided. The Nevada law also defines "selling" and "personal information" more narrowly than the CCPA. If your organization does business in Nevada and is already CCPA compliant, it is likely to already be SB220 compliant, since most of the requirements of the Nevada law can also be found in the CCPA. (Pro tip: Review the Nevada requirements with your legal/compliance teams to confirm this rather than assuming it; the narrower definitions and the designated request address are the points most likely to differ from your CCPA program.)
The Maine Act to Protect the Privacy of Online Consumer Information (LD946)
Signed into law in June 2019 and effective July 1, 2020, the new Maine privacy law prohibits broadband internet service providers from using, selling, distributing, or allowing access to a customer's personal information without the customer's express, affirmative consent. This opt-in model is much more stringent than the CCPA's opt-out model: it puts the burden of obtaining consent on the business collecting and using the data, rather than on the consumer to object after the fact. The Maine law also defines 'customer' and 'personal information' much more narrowly than the CCPA. But perhaps the biggest difference is that the Maine law applies only to broadband service providers operating within the state. However, if your business is covered by the Maine law, be aware that failure to comply carries extremely harsh penalties: up to $500,000 or 5% of annual revenues for willful non-compliance.
The following states have proposed laws that are still working their way through the legislative process.
- Arizona, HB2729
- Illinois, HB5603, Consumer Privacy Act
- Maryland, HB784, Online Consumer Protection Act
- Minnesota, HF3936, Minnesota Consumer Data Privacy Act
- Nebraska, LB746, Nebraska Consumer Data Privacy Act
- New Hampshire, HB1680
- New Jersey, A3255
- New York, S5642, Privacy Act
- South Carolina, H4812, South Carolina Biometric Data Privacy Act
In addition, in lieu of a comprehensive bill, the following states have established task forces to examine privacy concerns and propose new laws:
Failed, Postponed, or Carried Over Bills
The following states have proposed laws that failed to pass, were postponed, or were carried over by their respective state legislative bodies. Although these bills have not become law, they provide insight into how the various states view privacy.
- Florida, H963 – Died in Oversight Subcommittee
- Hawaii, SB418 – Carried over to the 2020 legislative session
- Mississippi, HB1253 – Died in committee
- New Mexico, SB176 – Died (action postponed indefinitely)
- Pennsylvania, HB1049 – Died (pending in House Consumer Affairs Committee)
- Rhode Island, S0234 – Died (held for further study)
- Texas, HB4518 – Left pending in committee
- Virginia, HB473 – Postponed to 2021
- Washington State, SB6281 – Legislative conflict over enforcement prevented the bill from passing
- Wisconsin, AB870, AB871, and AB872 – Failed to pass the Senate
While only three states have enacted consumer privacy laws so far, 24 additional states are considering or have considered similar legislation, and more states will undoubtedly follow. Although many of the new laws will differ in potentially significant ways (as we saw with the California, Nevada, and Maine laws), most will share core requirements: for example, they grant consumers certain rights over their personal information and require businesses to provide a way for consumers to exercise those rights. This means your privacy compliance processes need to be not only efficient and effective but also highly flexible and scalable, so that a new state's variant (a different definition of personal information, an opt-in rather than an opt-out model, a different set of covered businesses) can be accommodated without rebuilding the process from scratch.
How Milestone Can Help
At Milestone, our team of ServiceNow Governance, Risk, and Compliance (GRC) experts is well-versed in privacy compliance and brings a wealth of practitioner experience as well as deep ServiceNow platform expertise to your project. ServiceNow is uniquely positioned to help you comprehensively establish or fortify, and then maintain, an effective consumer privacy posture.
Contact us for more information.
About the Author
Mike DeAndrea, GRC Practitioner and Advisory Solution Architect, Milestone
With more than 20 years of applied expertise in Governance, Risk, and Compliance, Mike helps Milestone customers understand how they can leverage the power of ServiceNow to meet their regulatory compliance needs in the shortest possible time. Mike has extensive experience both as a practitioner and as a consultant. As a practitioner, he managed the compliance efforts of a large enterprise-wide IT operations department of a multi-billion-dollar, multi-national company for several years. As a consultant, Mike has been helping high-profile customers deploy GRC solutions in ServiceNow for over five years. He maintains a number of ServiceNow and industry certifications and specializes in designing compliance solutions that are not only effective but also highly efficient, that minimize time to value, and that drive down the cost, burden, and impact of compliance on your organization. You can connect with Mike on LinkedIn.