As patchwork consumer privacy and data security legislation spreads across the country, is it enough to finally move the line towards a uniform federal standard?
What is consumer privacy and data security?
Consumer privacy broadly refers to the collection and handling of personal identifying information in the course of everyday consumer transactions for products and services. Data security relates to how that personal information is safeguarded against unauthorized access, use or disclosure.
In 2018, California passed the California Consumer Privacy Act (“CCPA”), subsequently amended by the California Privacy Rights Act in 2020 (“CPRA”). Together they represent the most expansive consumer data privacy and security legislation in the United States. Virginia and Colorado have both since passed their own consumer privacy and data security legislation, effective January 1, 2023, and July 1, 2023, respectively.
Several other states have also introduced comprehensive consumer privacy and data security legislation in 2021 and in 2022. The IAPP (International Association of Privacy Professionals) has compiled a state privacy law comparison tracker to assist businesses in tracing the many bills circulating throughout state legislatures. States with pending comprehensive consumer privacy legislation include Alaska, Florida, Georgia, Hawaii, Indiana, Kentucky, Massachusetts, New York, Oklahoma and Washington, to name a few.
Common compliance considerations for HR
While the specific provisions of the various bills can vary amongst the states, there are some common compliance considerations for businesses featured in many of them. These include conducting a risk or data security assessment of the subject organization; determining how to facilitate the exercise of consumer rights, including a right to access, a right to opt out of data collection and/or processing, a right to correct data, and a right to delete data; and providing notice and transparency as to the data collected, how it will be processed, for what purpose, and for what duration of time.
Of the three newly enacted laws, Virginia and Colorado depart from California on a key issue: the extension of regulation to employee HR data. Under the CPRA, effective January 1, 2023, employee HR data will no longer be exempted from application of the Act, and employers will have to begin to navigate how to reconcile the CPRA’s requirements relative to employee HR data with those requirements already in place under existing California employment law.
While employee HR data is not included in Virginia and Colorado’s enacted laws, employers should not assume that employee HR data will remain in the background as consumer privacy laws continue to progress and evolve, especially in the realm of biometric information. Biometric information can be used as part of multifactor authentication for employees to gain access to secure systems, networks, and files; for employee timekeeping through a retinal scan or fingerprint scan on a timeclock; and for physical security purposes, such as face or palm recognition for entry into a building. Biometric information is a subset or category of personal information, and is subject to collection, use, and privacy regulation as is other personal information.
Three states have passed legislation relative to the collection and use of biometric information: Illinois, Texas, and Washington State. Bryan Cave Leighton Paisner LLP has published a state biometric laws and bills tracker, which employers can use as a reference tool to help monitor developments in their home state.
Enforcement and potential remedies for violations
Another consideration for employers relative to the privacy law flurry is enforcement and potential remedies for violations. Proposed legislation in several states provides for enforcement of violations by the state attorney general only, with no private right of action. However, there are some states in which a private right of action is available generally or in limited circumstances. For example, SB 2687 pending before the Massachusetts legislature provides for a private right of action for any individual whose personal information is the subject of a breach of security as a result of the controller’s failure to implement and maintain reasonable cybersecurity controls. Aggrieved individuals may institute a civil action for damages up to $500 per individual per incident or actual damages (whichever is greater), injunctive relief, or any other relief the court deems proper. However, the proposed legislation also contains a safe harbor against punitive damages available to controllers in any civil tort action who create, maintain and comply with a written cybersecurity program that conforms to an industry recognized cybersecurity framework. Please see Checkwriters’ compliance post regarding a similar data security safe harbor in Connecticut.
A federal standard?
All this state momentum has increased the pressure on the federal government to finally provide a uniform federal standard, which has been elusive for approximately twenty years. A significant contributor to this momentum can be attributed to the rapid digitization of life during the height of the pandemic. In July 2021, Senators Wicker (R-Miss.) and Blackburn (R-Tenn.), and Representatives McMorris Rodgers (R-Wash.) and Bilirakis (R-Fla.) wrote a letter to President Biden urging him to enact nationwide consumer data privacy legislation. In support, the letter cited the shift in daily activities to the digital frontier on a scale never before seen, as well as the associated risks from operating online, including increased cyberattacks and identity theft. Several bills have been introduced in Congress which may provide a comprehensive solution, ideally preempting the patchwork of existing state policy and establishing one universal standard for businesses to comply with. A universal federal standard would ease the compliance burden on businesses, especially those operating in multiple states, and would help establish a uniform consumer expectation as well. Employers are advised to continue to monitor the legislative developments at the federal level as they occur.
In sum, increased regulation of consumer data privacy and security for businesses is more than a trend; it is an inevitability. Even in the absence of imminent state legislation on the subject, employers who deal with significant personal and sensitive information of consumers and employees would be wise to take stock of how they collect, process, store, and delete consumer data, and remedy any vulnerabilities which may exist.
Disclaimer: The information contained herein is not intended to be construed as legal advice, nor should it be relied on as such. Employers should closely monitor the rules and regulations specific to their jurisdiction(s) and should seek advice from counsel relative to their rights and responsibilities.