Consumers are demanding more control over their data. In recent years, new data privacy laws have gone into effect, creating new restrictions and requirements for the organizations that collect or use personal data. In the recent U.S. election, California voters approved Proposition 24, a new measure that expands the state’s existing data privacy laws.
A Brief History of Data Privacy Laws
The General Data Protection Regulation (GDPR) went into effect in the E.U. on May 25, 2018. The legislation is hundreds of pages long and is currently considered the toughest law of its type in the world. Organizations that do not comply with the GDPR’s data privacy and security requirements can face hefty fines. Brazil’s General Data Protection Law (LGPD), a somewhat similar law, went into effect in 2020.
In the U.S., California has been leading the way in data privacy legislation. The California Consumer Privacy Act of 2018 (CCPA) gives consumers the right to know about the personal information that a business collects, uses, or shares; the right to delete their personal information; the right to opt-out of the sale of their personal information; and the right not to be discriminated against for exercising their CCPA rights.
California’s Proposition 24 Has Now Passed
The Official Voter Information Guide says that Proposition 24 will allow consumers to prevent businesses from sharing personal information, it will allow consumers to correct inaccurate personal information, and it will limit the use of sensitive personal information, which includes precise geolocation, race, ethnicity, and health information. It will also establish the California Privacy Protection Agency.
According to the Associated Press, Proposition 24 is supposed to expand the CCPA and close some of the loopholes that businesses have exploited. It also triples the fines for companies that violate children’s privacy or sell children’s data illegally.
The Impact on Businesses in Other States
If you’re not in California, Brazil, or the E.U., you might wonder whether you need to care about these new privacy laws. You do.
Thanks to the rise of the internet, modern business activities don’t tend to stay within state and country borders, so there’s a good chance you’re doing business in places where these laws are on the books.
According to the National Law Review, both the E.U.’s GDPR and Brazil’s LGPD have an extraterritorial scope, meaning they may apply to any organization that collects or processes data in the E.U. or Brazil, respectively, regardless of where the organization is headquartered. California’s CCPA likewise applies to businesses located outside of California if they are doing business in California.
There’s also a good chance that more laws will be coming. According to the National Conference of State Legislators, at least 30 states and Puerto Rico have considered data privacy bills in 2020.
Data privacy is getting more attention, and companies everywhere should be taking note. This issue should also be considered as you evaluate your need for privacy liability, cyber or tech E&O insurance coverage.
Have questions? Contact your Heffernan Insurance Brokers advisor.