Currently Skimming:

VIII. STATE STATUTORY PRIVACY PROTECTIONS AND TRENDS
Pages 43-48

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 43...
... Thus, understanding state law is essential to crafting sufficient privacy protections with respect to data collection.

B Data Security Laws Regulating the Private Sector

Roughly half of the states have passed legislation to ensure ...
From page 44...
... In 2019, the National Conference of State Legislatures reported the existence of data disposal laws applying to public and private entities in 35 states and in Puerto Rico.375 These laws are in addition to data disposal requirements set out by the FTC Disposal Rules376 that apply to persons and entities that use consumer reports. The FTC Disposal Rules apply to the reports themselves and the information derived from them.377 These state data disposal laws vary as to whom they apply as well as what documents are covered.378 For instance, the Delaware data disposal law applies to businesses, but does not apply to government entities except in their capacities as employers.379 The Wisconsin statute only applies to financial institutions, medical business, or tax preparation entities.380 The Arizona statute only applies to paper records.381 One common aspect of state data disposal laws is specificity as to methods of disposal/destruction.382 This is a point that airports and airport stakeholders should specifically note.

... various exemptions from the notice requirement.387 Lastly, it contains an enforcement provision.388 Vermont amended its data breach notification law to expand the definition of what constitutes PII.389 The changes are effective on July 1, 2020, and provide that, when combined with a consumer's first name or first initial and last name, PII now includes the following:
• Individual taxpayer identification number;
• Passport number;
• Military identification card number;
• Any identification number that originates from a government identification document commonly used to verify identity for a commercial transaction;
• Biometric data generated from measurements or technical analysis of human body characteristics used by ...
From page 45...
... The National Consumer Law Center (NCLC) conducted a 50-state evaluation of UDAP statutes.391 Among the key findings in the Executive Summary section of the NCLC report is a comment on the variance in laws from state to state.392 For example, the NCLC found that Hawaii's UDAP statute contained "strong prohibitions and strong provisions for enforcement by both the state and by consumers and no carve-outs for major industries."393 The NCLC was most critical of UDAP statutes in Michigan and Rhode Island as court decisions have interpreted the statutes as being applicable to almost no consumer transactions.394 Overall, the ...

... individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form."399 The CalOPPA does not apply to Internet Service Providers or to other services that process PII on behalf of a third party.400 The CalOPPA does apply to mobile app providers.401 What is critical to note is that the CalOPPA not only applies to California-based businesses, but to any business that affects California consumers.402 While government-operated airports are not themselves subject to the CalOPPA, airlines and other airport tenants that operate commercial websites or online services are.
From page 46...
... The CCPA also requires an affirmative opt-in to any sale of children's personal data.414 In contrast to the CalOPPA, the CCPA defines "personal information" much more expansively than PII as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."415 This definition is similar to the GDPR and may even be broader by including "household."416 The CCPA specifically refers to IP Addresses and location data as PI.417

Enforcement of the CCPA is also largely left to the Office of the California Attorney General, which can issue penalties of up to $2,500 per violation under Section 17206 of the Business and Professions Code.424 The CCPA also provides that businesses may also be fined up to $7,500 for each violation.425 Lastly, a consumer may bring private claims under the CCPA where a business allows "unauthorized access and exfiltration, theft, or disclosure" of a consumer's data due to a failure to maintain "reasonable security procedures."426 Under such circumstances, each consumer can recover between $100 and $750 per incident or actual damages–whichever is greater.427

The final regulations under the CCPA provide guidance on a number of statutory requirements including definitions (Article 1), notice requirements (Article 2)
From page 47...
... The regulations require that accessibility for persons with disabilities follow generally recommended industry standards, and for website accessibility, they specifically adopt the Web Content Accessibility Guidelines (WCAG), version 2.1 of June 5, 2018, authored by the World Wide Web Consortium.433 The WCAG outlines how to make websites accessible for people with visual, auditory, physical, speech, cognitive, language, learning and neurological disabilities.434

Like the CCPA, the proposed CPRA would not apply to government entities, but would cover airlines and other airport tenants who operate commercial websites or otherwise provide online services and who meet the statutory threshold tests.445 The proposed CPRA significantly expands the CCPA and closely parallels the EU's GDPR.446 Also, because the CPRA would be enacted by voters, rather than the California legislature, the legislature would be constrained in passing amendments that e.
From page 48...
... beyond the twelve-month lookback provided under CCPA.452
• The CPRA would increase administrative fines to up to $7,500 for an intentional violation or one where the violator has actual knowledge that the personal information involved someone under the age of 16.453
• The CPRA would grant a private cause of action for data ...

G Other State Legislative Bills

Nine other states have introduced draft bills that would impose varying requirements on business in the consumer data privacy area.460 Hawaii, Maryland, Massachusetts, Mississippi, ...


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.