States Follow CCPA’s Lead



For Better Business Bureau’s National Programs, data privacy and regulation are a top priority. As CCPA has made headway, a global domino effect has taken place. Lawmakers everywhere are jumping on the bandwagon, and with good reason!

According to Forbes, data breaches left 4.1 billion records exposed in just the first six months of 2019. Hackers are not playing around, and they’re not discriminating. Major organizations like Facebook, Adobe, Doordash, Fortnite, Georgia Tech, Amazon, Instagram, and Microsoft all experienced data breaches in 2019. 

No one is safe, which is why Maine, New Hampshire, New Jersey, Florida, Nebraska, Illinois, Washington state, and Hawaii are all doing their legislative due diligence. 

New York recently passed the SHIELD Act (Stop Hacks and Improve Electronic Data Security). The law requires businesses to create security measures for New York residents’ data. Personal data is not limited to one’s name, phone number, and social security number. Its definition also includes drivers’ license numbers, banking information, biometrics, usernames, and passwords, all of which must be protected. The New York attorney general has grounds to fine anyone in violation of SHIELD $5,000 per infraction.

Head down south, where Virginia is in the process of getting not one, but two legislative bills passed. The Virginia Privacy Act is set up to protect consumers from businesses targeting direct advertising and transactions towards residents of the Commonwealth. The bill pertains to those possessing 100,000+ persons’ data; otherwise, the company must “derive over 50% of its gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.” Furthermore, consumers must be given the right to access, the right to correction, the right to be forgotten, and the right to restrict processing.

The second Virginia bill has yet to be named at this time. It is a regulation that pertains to the sale of personal data. Data sellers are people or companies that “disseminate, obtain, maintain, or collect personal data about a consumer for a fee.” The act forces these parties to establish procedures and best practices for safeguarding the privacy of any data collected. It requires parental or guardian consent for the data collection of a minor. User-friendly tools that allow anyone to request access to their data are also a condition.

Additionally, companies are expected to provide a “Do Not Sell My Information” option so that consumers can opt out. Businesses are also obligated to alert customers and the attorney general of a data breach within 30 days of an attack.

This is quite a bit of caution tape in comparison to past years, but it is a great step forward and an opportunity for businesses to bridge the gap between data collection and consumers’ privacy rights. As we know, consumers’ brand trust is eroded, and this is one way to re-establish the B2C relationship.

In the meantime, take a listen to our recent CCPA episodes. You’ll gain a well-rounded perspective on all things data privacy law. 

Happy listening!