Will the California Consumer Privacy Act serve as a blueprint for a federal privacy law or for a patchwork quilt of state privacy laws?

As states have been commencing legislative proceedings and as proposals for a federal privacy law are being formulated, the following seem to be principles that most agree should be included in a privacy law in the U.S.:

  • Banning some practices, including using data to discriminate against users.
  • Giving people the right to sue over misuse.
  • Giving people ownership rights in their data including the right to delete it, change it or take it back.
  • Requiring companies to be more transparent about how they use data and collect consumers’ consent, with some exceptions.

A point of contention is whether a federal U.S. privacy law should completely preempt (invalidate) state privacy laws, or whether state laws should remain binding where they are stricter than the federal law.

Details from the San Francisco Chronicle.

New Jersey follows in California’s footsteps with legislative initiatives on privacy.

The main proposed law (bill A-4902) will require commercial websites and online service operators to give customers:

  • a description of the personal information collected
  • a way to prevent the disclosure of personal information to third parties
  • a description of the information
  • an email address or phone number for requesting information
  • upon request from an individual, information on all disclosures of his data within the past year
  • a “Do Not Sell My Personal Information” link to a page that would allow customers to opt out of the disclosure of their personal data

Here’s what the chairman of the state’s Assembly Science, Innovation and Technology Committee has to say about the legislation:

“Should this happen at the federal level? Absolutely. We would want to see these protections at the federal level, but we are not seeing that … Until they do, New Jersey is going to do everything we can to protect New Jersey residents,” said Assemblyman Andrew Zwicker (D-Middlesex), who chairs the committee and is sponsoring four of the bills on the agenda. Additional bills cover GPS data, student data and cybersecurity.

Details from NJ Spotlight.

Data monetization coming to California?

“In his first state of the state address on Tuesday, California Gov. Gavin Newsom proposed ‘a new data dividend’ that could allow residents to get paid for providing access to their data,” reports CNBC.

“California’s consumers should also be able to share in the wealth that is created from their data,” Newsom said. Tech companies that “make billions of dollars collecting, curating and monetizing our personal data have a duty to protect it.”

Details from CNBC.

Data privacy bills are pending in at least eight states, reports Sara Merken at Bloomberg Law.

State lawmakers are aiming to give citizens more control over their personal data. Some of the bills largely follow the lead of California, whose Consumer Privacy Act takes effect Jan. 1, 2020. Others are more narrowly focused on specific business practices.

Some highlights:

  • In North Dakota – a bill would require companies to provide to consumers, upon request, information about the types of personal information the companies collect and possess
  • In New York – one bill addresses biometric privacy and another would govern businesses’ collection and disclosure of personal information
  • In Utah – a bill would require law enforcement to get a warrant from a judge to access electronic information
  • In Washington state – a bill would allow consumers to ask companies for a copy of their personal data and to delete or correct inaccurate data and would also regulate facial recognition technology

Details in Bloomberg Law.

In the age of digitization, personal information your business holds about your customers (or your customers’ customers) has become a strategic enterprise asset and should be treated as such.

Privacy considerations should be incorporated into your go-to-market strategies.

Gartner with some tips:

  • Customer-facing policies and communications should clearly explain what information is collected and why, as well as any applicable customer rights.
  • Policies should be readily accessible and understandable for customers, and should be reinforced internally.
  • Managers and senior leaders should echo the standards in small team discussions, all-company meetings and other forms of messaging.
  • There should be a coherent approach to working with third parties. Codify what third parties can and can’t do with user data, and define consequences for failure to comply. Make sure to follow through and monitor compliance.
  • Compare your customers’ privacy appetite to your organization’s overall risk appetite — and be prepared to manage any gaps between the two.

Details from the International Association of Privacy Professionals.