What You Need to Know About Pending U.S. Data Privacy Legislation




PHOTO:
ptiptja

Three states in the U.S. have comprehensive data privacy laws. Nearly 20 states have had laws fail in legislative sessions. And another handful or so are currently trying, according to the International Association of Privacy Professionals (IAPP).

What’s a marketer to do in this limbo state for data privacy laws in the U.S.? Just wait? Of course not.

Many marketers are well into the process of making changes due to emerging privacy laws by US states, not to mention moves by tech giants like Apple and Google. In fact, according to the Litmus “2021 State of Email” report, 43% of marketers will change how their emails are measured, while 24% don’t plan to make any changes, in light of the Apple Mail Privacy Protection. Nearly 20% will run more A/B testing, 16% will change automation flows, and 10% will message their audience about Apple Mail Privacy Protection or privacy in general.

As far as U.S. states go, marketers will have to continue to keep their eyes on states that already passed legislation (California, Colorado and Virginia) while watching for potential laws in other states. Let’s explore some of those states that have legislation pending:

Massachusetts Information Privacy Act

In the Bay State, legislators are trying to push through the Massachusetts Information Privacy Act. Here’s the skinny on where it stands:

Last reported action: March 29. It was referred to a committee on the Joint Committee on Advanced Information Technology, The Internet and Cybersecurity.

Who sponsors it: Cynthia Stone Creem, Eric P. Lesser

What the law proposes: In general, this Massachusetts bill is asking those covered entities and data processors to process personal information and use automated decision systems discreetly and honestly, and only to the extent necessary for carrying out their purpose. They must be protective of personal information, loyal to the individuals whose personal information is processed and honest about the risk of processing practices, including the use of automated decision systems.

Who would be covered? An entity that conducts business in Massachusetts, processes personal information by itself or by contracting with a data processor, and (1) has earned or received $10 million or more of annual revenue through 300 or more transactions, or (2) processes or maintains the personal information of 10,000 or more unique individuals during the course of a calendar year.

Related Article: 6 Compliance Tips for California Privacy Act (CPRA)

Minnesota Consumer Data Privacy Act

In the Land of 10,000 lakes, legislators are trying to push through the Minnesota Consumer Privacy Act. Here’s where we’re at with this piece of legislation:

Last reported action: Feb. 22. That’s when Minnesota legislators introduced the bill and then referred it to the Commerce Finance and Policy team.

Who sponsors it: Steve Elkins, Mohamud Noor

What the law proposes: Much like other data privacy laws in place in the U.S., Minnesota’s privacy act would give various rights to consumers regarding personal data, place obligations on certain businesses regarding consumer data and give enforcement powers to the attorney general.

Within those provisions, a consumer has a right to:

  • Confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing
  • Correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data
  • Delete of personal data concerning the consumer
  • Obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
  • Opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly

Who would be covered? Entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

  • During a calendar year, controls or processes personal data of 100,000 consumers or more
  • Derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more

Ohio Personal Privacy Act

In the Buckeye State, legislators are trying to push through the Ohio Personal Privacy Act.  Here’s the skinny on where it stands.

Last reported action: Sept. 16. It was referred to the Government Oversight Committee.

Who sponsors it: Rick Carfagna, Thomas Hall

What the law proposes: Under the proposed law, a consumer has a right to know the personal data that a business collects about that consumer, such as by obtaining a privacy policy from the business. Businesses need to provide notice to consumers about personal data that it processes about the consumer by providing a reasonably accessible, clear, and conspicuously posted privacy policy.

Some of the requirements for the privacy policy include:

  • The identity and the contact information of the business, including the business’s contact for privacy and data security inquiries, and the identity of any affiliate to which personal data may be transferred by the business
  • The categories of personal data the business processes
  • The purposes of processing for each category of personal data
  • The purposes for collecting or selling personal data
  • The categories of sources from which the personal data is collected
  • The categories of processors with whom the business discloses personal data

Who would be covered? This pending law applies to businesses that conduct business in Ohio, or produce products or services targeted to Ohio consumers, that satisfy one or more of the following criteria:

  • The business’s annual gross revenues generated in Ohio exceed $25 million
  • During a calendar year, the business controls or processes personal data of 100,000 or more consumers
  • During a calendar year, the business derives over 50% of its gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers

Related Article: What Marketers Need to Know About the Colorado Privacy Act

North Carolina Consumer Privacy Act

In the Tar Heel State, legislators are trying to push through the Consumer Privacy Act.  

Last reported action: April 7. It was referred to the Committee on Rules and Operations of the Senate.

Who sponsors it: Deandrea Salvador, Ben Clark, Joyce Waddell, Natalie Murdock

What the law proposes: Gives consumers the right to:

  • Confirm whether or not a controller is processing the consumer’s personal data and to access such personal data
  • Correct inaccuracies in the consumer’s personal data
  • Delete personal data provided by or obtained about the consumer
  • Obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means
  • Opt out of the processing of the personal data for purposes of targeted advertising,  the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

Who would be covered? Those that conduct business in North Carolina or produce products or services that are targeted to residents and that either:

  • During a calendar year, control or process personal data of at least 100,000 consumers; or
  • Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data

Pennsylvania Consumer Data Privacy Act

The Quaker State is working on rolling out a Consumer Data Privacy Act

Last reported action: April 7. The bill was referred to consumer affairs.

Who sponsors it: Ed Neilson, Stephen Kinsey, Michael Schlossberg, Benjamin Sanchez, John Galloway, Jeanne McNeill, Darisha Parker, Robert Freeman, Joe Ciresi, David Delloso, Perry Warren, Wendi Thomas, Lynda Schlegel Culver, Nick Pisciottano, Emily Kinkead, Mark Rozzi

What the law proposes: Some of the provisions charged covered entities with:

  • Providing a clear and conspicuous link on the business’s publicly accessible website, titled “Do Not Sell My Personal Information,” to a publicly accessible website that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. A business may not require a consumer to create an account to direct the business not to sell the consumer’s personal information.

Who would be covered? Pennsylvania-based businesses that satisfy one or more of the following thresholds:

  • Has annual gross revenues in excess of $10,000,000
  • Alone or in combination, annually buys, receives for the business’ commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices
  • Derives 50% or more of annual revenues from selling consumers’ personal information

Related Article: What Marketers Need to Know About Virginia’s Consumer Data Protection Act

New York Privacy Act

Legislators in the Empire State are trying to push through the NY Privacy Act.  

Last reported action: June 10. The bill was committed to rules.

Who sponsors it: Kevin Thomas.

What the law proposes: Covered entities must confirm whether or not personal data concerning the consumer is being processed by the controller, including whether such personal data is sold to data brokers, and, where personal data concerning the consumer is being processed by the controller, provide access to such personal data concerning the consumer and the names of third parties to whom personal data is sold or licensed.

Also, on request from a consumer, a controller shall provide a copy of the personal data undergoing processing free of charge, up to twice annually. And on request from a consumer, the controller, without undue delay, shall correct inaccurate personal data concerning the consumer. Taking into account the purposes of the processing, the controller shall complete incomplete personal data, including by means of providing a supplementary statement.

Who would be covered? Applies to those who conduct business in New York or produce products or services that are targeted to residents of New York, and that satisfy one or more of the following thresholds:

  • Have annual gross revenue of $25 million or more
  • Controls or processes personal data of 100,000 consumers or more
  • Controls or processes personal data of 500,000 natural persons or more nationwide, and controls or processes personal data of 10,000 consumers
  • Derives over 50% of gross revenue from the sale of personal data, and controls or processes personal data of 25,000 consumers or more.

Conclusion

With all the current and pending legislation and no federal policies in place, customer privacy should be top of mind for CX and marketing leaders. Along with other changes, like the move to first-party data marketers need to reassess their customer data collection, storage and usage methods to make sure they are ready for a changing marketing landscape.



Source link

We will be happy to hear your thoughts

Leave a reply

Logo
Shopping cart