In the last month before the California Consumer Privacy Act (CCPA) goes into effect on Jan. 1, 2020, citizens will be able to offer feedback on a set of proposed regulations interpreting the new statute and providing guidance to businesses.
The California Office of the Attorney General, which published the proposed guidance in October, has scheduled four public hearings in December to elicit feedback on the regulations, which provide businesses with much-needed direction on how to implement the CCPA. The hearings will be held the first week of December. Dates and locations are available on the attorney general's website.
In October, California also adopted five technical amendments that clarify various provisions of the CCPA, which will be the toughest data privacy rules in the United States. None of the fundamental consumer rights originally created by the act (rights to know, to be forgotten, and to prevent the sale of data) were changed.
The proposed guidance addresses methods for handling and verifying consumer requests, training, recordkeeping, and the special statutory provisions concerning minors.
The California law appears to be a catalyst for other states to follow with new laws enhancing data protection. A federal bill also was introduced earlier this month. Professionals should stay abreast of current requirements for data protection. This is especially true for accountants, who not only act as business advisers to clients but who are also data collectors themselves when they store sensitive financial and tax information.
Following is a brief update on the status of other data protection laws in the United States.
Federal: U.S. Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., introduced a federal statute, The Online Privacy Act of 2019, H.R. 4978, patterned after the CCPA. The federal bill would establish the same fundamental rights to data privacy contained in the CCPA on a national level. The proposed federal law is an "opt-in" statute and includes a new fundamental right to have a human decision of any automated act. Enforcement would include a new federal administrative agency titled the United States Digital Privacy Agency. More details are available in this quick summary of the bill.
Nevada: Nevada recently amended its data privacy law in Senate Bill (S.B.) 220 to add an "opt-out" provision similar to the CCPA. The prior Nevada data privacy law applied to "operators," who were defined as websites or online services collecting data for commercial purposes on Nevada residents. Existing Nevada law already provided for transparency by requiring these "operators" to disclose to consumers both the nature and scope of the data that they collect. The recent amendment, S.B. 220, took effect Oct. 1, 2019, and now also requires these "operators" to allow consumers to prevent the sale of their data to third parties through an "opt-out" procedure patterned after the CCPA's.
Maine: Maine's new law, Act to Protect the Privacy of Online Customer Information, takes effect July 1, 2020. This statute was designed to specifically protect the privacy of broadband internet consumers. Similar to the CCPA, it requires covered internet service providers to obtain "opt-in" consent from consumers before using, disclosing, or selling their personal information.
New York: The New York Stop Hacks and Improve Electronic Security Data Act (SHIELD Act) takes effect on March 21, 2020. The SHIELD law amends the current New York breach notification statute and increases data security protections. The act greatly expands the types of protected personal and private information and data that trigger the New York breach notification legal requirements when lost. The SHIELD Act also requires data collectors to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. The safeguards mentioned within the act closely mirror the National Institute of Standards and Technology's Cybersecurity Framework. Most noteworthy, however, is the New York law's expansive application to any person or business that owns or licenses computerized data that includes private information of New York residents, even if that person or business does not conduct business in New York. This statute suggests that the state law applies to any data collector possessing or transacting the data of New York residents regardless of location.
Proposed legislation pending in other states: Several other states have proposed data privacy statutes that are pending and awaiting potential passage. Examples are Massachusetts's S.D. 341 and Maryland's Online Consumer Protection Act, S.B. 613/H.B. 901, both of which would allow consumers to "opt out" of the disclosure of their data to third parties and give them the right to prevent the sale of their data, similar to the CCPA.
— Kerry Myers, J.D., CFE, is a clinical professor in the Lynn Pippenger School of Accountancy at the University of South Florida. To comment on this article or to suggest an idea for another article, contact Jeff Drew, a JofA senior editor, at Jeff.Drew@aicpa-cima.com.