The Changing Landscape of Data Protection and Privacy Laws

As online use continues to expand, and data use and collection increase, issues emerge around data breaches and data protection. Recently, California became the first state to pass groundbreaking data privacy legislation, which went into effect on January 1, 2020. California’s legislation is grabbing headlines because the California Consumer Privacy Act (CCPA) is a major shift in data protection laws for the United States, where the approach to data privacy and protection has largely differed from the rest of the world. In Europe, for example, protection of personal data is seen as a fundamental right, and in 2018 the European Union instituted the General Data Protection Regulation (GDPR) as an effort to globally regulate the collection and use of personal data by governments and businesses. Under the GDPR, European citizens have a “right to be forgotten,” in that they have the right to demand that personal data is erased, and if a business meets certain thresholds, US-based companies included, it must comply with such demand.

The CCPA creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The CCPA grants a consumer the right to request that a business disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. It also grants a consumer the right to request deletion of personal information and requires the business to delete upon receipt of a verified request, as specified. The CCPA applies to a business that:

  1. Does business in the state of California;
  2. Collects personal information (or on behalf of which such information is collected);
  3. Alone or jointly with others determines the purposes or means of processing of that data; and
  4. Satisfies at least one of the following:
    • Annual gross revenue in excess of $25M;
    • Annually handles the personal information of at least 50,000 consumers, households or devices; or
    • Derives 50% or more of its annual revenue from selling personal information.

In the wake of this shift, we see several other states making efforts to expand consumer privacy rights as well, and Maryland is one of the leaders in doing so. To date, Maryland has several laws that regulate online privacy:

  1. Maryland Consumer Protection Act: This Maryland law protects consumers from unfair and deceptive acts and practices, both online and offline. Generally, businesses are prevented from hiding important facts or falsely representing the facts related to consumer goods, services, property, or credit in Maryland.
  2. Maryland Personal Information Protection Act (PIPA): This Maryland law requires that certain sensitive personal identifying information (e.g. social security number, driver’s license number, taxpayer ID number, or any financial account number) is kept reasonably protected. It also provides guidelines for determining whether your personal identifying information was exposed to someone who doesn’t have permission to see it, otherwise known as a “data security breach.”
  3. Maryland User Name and Password Privacy Protection and Exclusions Law: This Maryland law says that Maryland employers may not discharge, discipline, or otherwise penalize employees or job applicants for refusing to disclose access or a password to a personal account.

In 2019, Maryland Senator Susan Lee (D) introduced a bill covering similar rights as the CCPA, and its “right to be forgotten” would have allowed consumers to demand deletion of any personal data a covered entity has. The bill would have applied to businesses meeting one of the following thresholds: (1) annual gross revenue over $25 million; (2) annual personal information of 100,000 consumers, households, or devices; or (3) at least one-half of annual revenue from selling personal information. The bill ultimately failed, but its introduction is indicative of the changing landscape of privacy laws in Maryland and across the country. Stay tuned as legislatures try to keep up with the rapidly changing future of technology and data use.

For more information about this article or any other business-related matter, please contact an attorney in our business practice group.