The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 and enforcement will begin on July 1, 2020. It’s the first of what will be many new state privacy laws, and it includes numerous protections for consumers as well as sweeping requirements for businesses that collect, handle, store, share, and/or sell consumers’ personal information.

Already, legislators in Florida, Hawaii, Illinois, Maryland, Nebraska, New Hampshire, New Jersey, New York, Virginia, Washington, and Wisconsin are considering new or expanded state privacy legislation, so it’s safe to assume changes will be coming across the country in the near future.

What’s Next for CCPA?

The California Attorney General released modifications to the CCPA earlier this year in an effort to clarify parts of the original rules that were released in 2018. Unfortunately, the modifications generated new questions and criticisms.

Some of those criticisms came from a coalition of eight privacy organizations, including the ACLU, the Electronic Frontier Foundation (EFF), the Consumer Federation of America, Privacy Rights Clearing House, the Campaign for a Commercial Free Childhood, Common Sense Media, Media Alliance, and Oakland Privacy.

The coalition’s written Comments to the Office of the Attorney General of California cited six specific areas of concerns with the modifications to the proposed rulemaking of the CCPA:

1. Do Not Track and Do Not Sell

The coalition argues that the modified draft regulations make it harder for consumers to use their web browser headers to opt out from the sale of their personal information. Instead, the coalition says businesses should be required to “treat a ‘do not track’ browser heading” as an opt-out.

2. Interpretation of Personal Information

According to the modified rules, information including but not limited to IP addresses would not be considered personal information if the business doesn’t link the information to a particular consumer or household and could not reasonably do so.

The coalition believes that IP addresses are online identifiers that can “inherently identify and are capable of being associated or linked to a specific consumer.” As such, the coalition says IP addresses and similar information should be considered personal information under the CCPA.

3. Do Not Sell My Personal Information Button

The modified draft regulations require that businesses include an opt-out button with a tagline on their websites, but the coalition states the recommended icon is ineffective and may discourage people from exercising their right to opt out.

Instead, the coalition wants the rules to change so the required icon is the one originally recommended by a team of researchers that was tested for its effectiveness in signaling consumers to use it as an opt-out mechanism.

4. Unverifiable Requests to Delete

The coalition argues that the modified regulations actually create added burdens for consumers by requiring them to verify their desire to opt out of the sale of their data after they request deletion of their data.

This additional step is viewed as an unnecessary burden for consumers by the coalition. Instead, businesses should, “treat an unverified request to delete as a request to opt out of sale.”

5. Service Providers Use of Personal Information

Based on the modified regulations to the CCPA from the Attorney General, the coalition believes service providers would have inappropriately expanded rights to use consumers’ personal information.

Therefore, the coalition recommends that the modified regulations are updated to remove the following language, “A service provider may, however, combine personal information received from one or more entities to which it is a service provider, on behalf of such businesses, to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity.”

6. Transparency

The modified draft regulations require fewer businesses to report metrics about their CCPA compliance than the original draft regulations did.

The coalition believes this reduces transparency, and instead, recommends that businesses (alone or in combination) that have annual gross revenues of $25 million or more or that derive 50% or more of their annual revenue from selling consumers’ personal information should be required to report on their activities.

Data Privacy in Other States

In addition to California, other states across the country are actively considering new or expanded consumer privacy laws related to consumers’ personal information. Here’s what’s happening in some of these states:

Florida

Two bills have been introduced to the Florida Senate and House of Representatives that would allow consumers to disallow companies from selling specific information about them. In addition, companies would be required to notify consumers about the categories of information they or third parties’ collect about them through websites or online services and provide a notice about how the information is collected and sold.

The bills would also prohibit the use of consumers’ personal data found in public records for some marketing purposes as well as for soliciting or contacting the consumer without their consent.

Hawaii

A legislative proposal in Hawaii would require companies to get consent through an opt-in prior to selling either internet browsing or geolocation information about consumers.

The legislation would significantly expand the definition of personal information in Hawaii, and already, a coalition of advertising organizations has sent comments to the state’s House of Representatives criticizing it.

Maryland

HB0249 was introduced in Maryland on January 17, 2020. The proposed legislation would allow Maryland residents to opt out of some transfers of their personal information to third parties. This includes “selling, renting, releasing, disseminating, making available, transferring, or otherwise communicating by any means.”

Under the Maryland law, personal information would be defined as “information that reasonably identifies, relates to, describes, or could be linked to, directly or indirectly, a particular consumer, household, or consumer’s device.”

Nebraska

The Nebraska Consumer Data Privacy Act would apply to for-profit entities doing business in Nebraska that meet specific criteria. The law gives consumers who are Nebraska residents the right to access the personal information that companies collect about them, know whether the information is sold or disclosed and to whom, opt out of the sale of their personal information, and have that information deleted.

Furthermore, companies would be required to provide the same services and prices to all consumers, even if they exercise any of their privacy rights under the Nebraska Consumer Data Privacy Act. Businesses would also be required to include a Do Not Sell My Personal Information link on their websites’ home pages and give consumers two ways to request access to their personal information that has been collected, including a phone number.

New York

The New York Privacy Act would require both express and documented consent before a company can use or transfer a consumers’ personal information.

Importantly, the New York Privacy Act would allow consumers to sue companies for violations of the law.

Virginia

The Virginia Privacy Act (Senate Bill 6281) affects businesses that do business in Virginia or target residents of Virginia which meet specific criteria.

The law would give Virginia residents a number of rights related to their personal information, including the right to access the data companies collect about them, the right to correct their personal information, the right to restrict companies from processing it, and the right to have their information deleted.

Washington

The Washington Privacy Act would give residents of the state the right to access the personal information that companies collect about them, correct that information, have the data deleted, opt out of the sale of that data, and opt out of profiling and targeted advertising based on their personal information.

In addition, there are currently five other privacy bills that have been introduced to the Washington legislature (HB 2363, HB 2364, HB 2365, HB 1503, and HB 2366).

Wisconsin

Three bills were introduced to the Wisconsin House of Representatives that address personal data and privacy. The bills would give Wisconsin residents the right to access their personal information collected by online data collectors.

The bills would also enable Wisconsin consumers to learn if their information has been sold to third-parties and require companies to stop collecting their information upon their request.

Key Takeaways about CCPA and Data Privacy in the United States

In the coming months, the California Attorney General’s office will be accepting comments on the proposed regulations of the CCPA. At the same time, other states will be developing and passing their own consumer privacy laws.

For cannabis businesses, compliance with these laws will be mandatory and often will include stiff financial penalties for noncompliance. It’s critical that every business keeps up with these laws and has plans in place to modify processes as needed.