As California and Virginia start rolling out their new privacy laws and Washington and Florida look like they will be next, what is the impact on businesses?
Most companies are likely going to implement a strategy of this state is the most aggressive. Lets follow this one and we should be good for all the rest. This is MOSTLY true; each state has some quirks, so what does this look like. This is what Ballard-Spahr says:
The only one of these that is not LAW YET is Washington.
Here are a couple of interesting hand grenades.
For companies processing personal information that presents significant risk to the consumer’s privacy, CPRA requires an annual cybersecurity audit and delivery of a copy of the risk assessment to CPPA (the regulator) on a regular basis. Details to follow.
What does sensitive personal information mean? It depends.
For California, it means SSN, drivers license, passport, financial accounts, credit or debit cards, geolocation info, race, religion, genetic data, union membership, sexual orientation and other information. Florida doesn’t define it. Virginia and Washington say it includes race, religion, medical, genetic, biometric, geolocation, PI of a minor, sexual orientation and citizenship status. While a lot of companies do not collect this info, some do.
Washington and Virginia require a Data Protection Assessment if you use the information for targeted advertising, sales, profiling where risks are involved, sensitive PI as described above or activities with heightened risks. Whatever that means. Sales probably includes most everyone.
You must provide a copy of the DPA the the state AG if he or she asks nicely. No subpoena required.
Next you have to worry about opt out notices. For California, you have to give both a do not sell and limit use of sensitive data notice, although they can be combined. Florida only requires a do not sell link. Washington and Virginia are quiet about it, but it could be defined in the regulations. We say a lot of that in California.
Finally, how much is it going to cost you if you screw up. California and Florida have a private right to sue you and can nick you for statutory damages of up to $750 per record or actual damages if more. In all four states the AG can nick you for up to $7,500 per record for intentional action, if minors are involved. Virginia and Washington add their attorneys’ fees and costs to the mix.
Needless to say, it is probably better to follow the rules.
Credit: Ballard Spahr