On June 28, 2018 Governor Brown signed off on the strictest set of data privacy laws to date in the United States – the California Consumer Privacy Act of 2018 (CaCPA or CCPA).
The Consumer Privacy Act will give Californians unprecedented rights to know what information businesses collect about them, to know where that information comes from, and to control how that information is shared. It applies to all companies that “do business” in California and that exceed one of the following thresholds:
- Annual gross revenues of more than 25 million dollars
- Processes the personal information of 50,000 or more California residents, households or devices annually
- Receives 50% or more annual revenue from selling the personal information of California residents
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as updated by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), mandates basic privacy and security requirements for “covered entities” such as healthcare providers, insurers, and their business associates. HIPAA provides key privacy protections for protected health information (“PHI”) such as privacy notices, patient rights to access and amend their health records, and administrative, physical, and technical safeguards for electronic PHI. These rules also require breach notification in certain circumstances. HIPAA and HITECH are generally enforced by the Office for Civil Rights in the Department of Health and Human Services in civil cases, and by the DOJ in criminal cases.
In 2003, Congress created rules governing unsolicited commercial e-mail in the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. The CAN-SPAM Act prohibits false, misleading, and deceptive e-mail communications, and requires senders to provide opt-out mechanisms for commercial emails, amongst other rules. The FTC primarily regulates and enforces the CAN-SPAM Act, though the FCC has also implemented rules implementing the CAN-SPAM Act with respect to mobile service commercial messages.
The Telephone Consumer Protection Act (TCPA), enacted in 1991, governs most robocalls, texts, and faxes. Generally speaking, the TCPA requires consent for most automated calls, except in some limited circumstances. The Telemarketing and Consumer Fraud and Abuse Prevention Act, and its implementing regulation, the Telemarketing Sales Rule (TSR), place restrictions on telemarketers. These include, but are not limited to, required disclosures at the outset of a sales call, time restrictions, and consent requirements. Both the TCPA and the TSR provide for private citizen actions, in addition to administrative remedies.
The Children’s Online Privacy Protection Act of 1998 (COPPA) regulates the collection and use of children’s information by commercial websites. Among other requirements, COPPA requires websites to provide privacy notices on the homepage of the website, accessible by every page, obtain verifiable parental consent before collecting children’s personal information, and maintain the confidentiality, security, and integrity of such information. The FTC enforces COPPA.
The European Union passed the General Data Protection Regulation (GDPR) in April 2016, to take effect on May 25 this year. The GDPR generally applies to all entities that process the data of EU residents, target services to EU residents, or monitor the behavior of EU residents. The GDPR provides consistent rules addressing the retention, processing, and security for all personal data. In addition, EU subjects have the right to access, rectify, transfer, and in many cases, erase any of their personal data stored by businesses and other entities. The GDPR provides for enforcement by data protection authorities within each EU member country, and private rights of action.
The European Union’s 2002 E-Privacy Directive governs the processing of personal data in the electronic communications sector. Most notably, the E-Privacy Directive requires prior informed consent before placing cookies on a European user’s computer, except in limited circumstances.
The European Parliament is currently in the process of vetting proposals for the E-Privacy Regulation, the successor to the E-Privacy Directive, in order to harmonize the requirements for electronic communications with the GDPR.
The laws described above are only a small sample of the various federal and regional laws governing data privacy and cybersecurity. In addition to the laws noted above, there are sector-specific rules for the financial industry, state-specific privacy and breach notification rules, and more. If you are interested in learning more about the privacy laws applicable to your business, please contact us.