Background

In previous articles we have highlighted importance of disposing sensitive information.

In this article we will focus on importance of understanding different data privacy laws in US.

Why it is Important to understand the US Data Privacy Laws

Majority of data privacy regulation in the US is based on state-level laws.

Data breach notification is a standard provision in the US data privacy laws, but the definition of personal data and data breach varies. Businesses might find it challenging to understand their obligations clearly. Hence this article will delve into details of different Data Privacy regulations in different states of US. While disposing the IT assets, it is critical to understand what information is critical which may result in data breach according to state laws and subject to penalties when lost.

Why it is important for data destruction?

Also, data destruction or deletion standards may vary, most data privacy laws compel organizations to destroy personal data on request. This will help organization to take corrective action while disposing or recycling the IT assets and differentiate between critical and non-critical IT assets as far as data destruction is concerned.

Following are description of some important US state laws will be useful to understand as it describes what information is deemed critical and how much state can impose penalties if lost or leaked.

1.  California Consumer Privacy Act (CCPA)

Key provisions

Right to know: CCPA allows consumers to request companies for disclosure of their personal information collected, used, shared, or sold.

Right to delete: The law allows consumers to seek deletion of their personal information with a maximum notification time of 45 days.

Right to opt-out: The consumers can request companies to stop selling their personal information, i.e., opt-out of sales and marketing campaigns.

Right to non-discrimination: No company can discriminate against a consumer because they exercised their rights as per CCPA.

CCPA Applicability: CCPA applies to all for-profit companies that conduct business in California and meet any of the following conditions:

• Gross annual revenue greater than $25
• Generate 50% or more of their annual revenue by selling consumer’s
• Purchase, collect or sell the data of more than 50,000 households, devices, or

Penalties: CCPA imposes a penalty of $7,500 per episode of intentional violation and $2,500 per inadvertent violation. So, if 200 Californians, complain of violation, then the organization might be looking at a total penalty of USD $1.5 million.

2.  New York Privacy Act (NYPA)

NYPA guarantee every state resident the right to access, control, and erase their personal data collected from them by any organization in NY state.

Key Provisions

Key provisions are provided through Bill S5642 related to data privacy, following are important sections. Section 1102 of the New York Privacy Act mandates companies to acquire consumers expressed and documented consent before sharing or selling their personal data.

Section 1103 obligates companies to notify the consumers of their rights as per the law. It also obligates them to allow customers the right to opt-in or opt-out.

Right to Deletion: NYPA empowers New York residents to request deletion of their personal data, and the company must delete it without undue delay.

Applicability

The New York Privacy Act applies to legal entities, i.e., individuals or companies that conduct business in New York State or intentionally target products or services to New York state residents.

Penalty Implication

The law has provisions to impose civil penalties and damages based on the number of affected individuals, the extent of the violation, and the company's size and revenue. The act allows civil penalties of up to $5000 per violation. Therefore, for a data breach involving 200 users, a penalty of USD $1 Million will be imposed

3.  Nevada Privacy Law

Key Provisions

NRS 603A.200 Destruction of certain records: The law mandates companies that maintain records with personal data or PII to take reasonable measures to ensure the destruction of records when they are no longer maintained.

NRS 603A.210 Security measure: The data collector, including government agency, higher education institution, corporation, financial institution, retail operator, or any other business entity, shall maintain reasonable measures to protect the customers’ personal data and PII.

NRS 603A.220 Disclosure of breach: The data collector shall disclose any security breach and notify Nevada residents whose unencrypted personal data is believed to have been compromised.

Applicability

The Nevada privacy law applies to all individuals and organizations that own and operate a website for business purpose or collect and maintain the personal data of consumers residing in Nevada.

Penalty

The Nevada privacy law has provisions to impose civil action, reparation, injunction, and a civil penalty of up to $5000 for each violation. Therefore, for a data breach involving 200 users, a penalty of USD $1 Million will be imposed

4.  Maine Privacy Law

Key Provisions

Customer consent: The law prohibits broadband Internet access service providers from using, divulging, selling, or allowing access to personal data without the customer’s express consent.

Security of personal information: Maine privacy law obligates providers to take reasonable measures to safeguard customer personal data from unauthorized access.

Notification: The provider is responsible for notifying the customers of the provider’s obligations and customers’ rights through the point-of-sale medium and publicly accessible website.

Applicability

The Maine privacy law applies to all broadband Internet access service providers who serve customers physically located and billed in the state.

Penalty Implication

Maine Privacy Law does not explicitly mention the quantum of penalty for non-compliance. Presently, any non-compliance or enforcement of private rights of action will be adjudicated in courts of law.

5.  Washington Biometric Privacy Law

Key Provisions

Citizen’s consent: The law mandates businesses to obtain customer consent before collecting their biometric data. It obligates businesses to disclose how they use the biometric data and notify individuals of any changes in the use of their data.

Non-disclosure of biometric identifiers: Individuals’ biometric data cannot be sold, leased, or otherwise disclosed for a commercial purpose without express consent. Hence this type of information should always be treated as very critical.

Applicability

This Law applies to all individuals and non-government entities who collect biometric data for commercial purposes.

Penalty

Washington Biometric Privacy Law also is silent on penalties for non-compliance and does not include a private right of action.

Conclusion

Majority of data privacy laws compel organizations to destroy personal data on request. Hence it is important for organizations to use proper data destruction or deletion standards. Investment in data destruction technologies such as Jungle’s DiskDeleter product will make sure the data breach is not happening due to data loss from the disposed IT assets. This can save companies from multi-million dollars of penalties which otherwise companies may be liable.