There are major changes happening around the world with regard to user privacy protection. As consumers are becoming more aware of the value of personal internet user data and privacy, American lawmakers are scrambling to catch up to the European Union’s General Data Protection privacy laws. Jurisdictions, from California to Nevada, are passing legislation which can restrict the usage and sale of user data, and enacting rules which would require things like cookie notifications and privacy policies.
Here at Webspec, we are still working on our policies about privacy, and how we’re planning on rolling them into projects, but we’d like you to be informed and have enough time to consult with your attorney to implement changes before these laws go into effect. Here are a few things to know about new privacy laws:
In 2018, we posted a blog about new regulations in the European Union known as the General Data Protection Regulation, or GDPR. These rules required businesses with websites to inform users what data was being collected, as well as give them the opportunity to either opt out of optional cookies, or to be “permanently forgotten” by having a method of purging private user data.
These broad rules affected any user physically located in the European Union, not just EU citizens. While the rules are significant to any multinational corporations doing business abroad, many small businesses in the United States didn’t worry about the implications of the GDPR laws.
Now, several states, including Iowa, have enacted some form of data privacy protection law, so businesses are more likely to be within a jurisdiction that regulates online privacy.
Supplementing the GDPR laws from the EU, there are new regulations going into effect in the United States over the next several months. These include one in the state of Nevada on October 1, 2019, and a California law which starts in January 2020.
Below, we touch on the main points of these bills, but we want to stress the fact that we are not lawyers and this should not be taken as legal advice. If you need any clarifications on how these bills specifically affect your business, ask your counselor to review the laws.
Nevada Senate Bill 220 was passed in May 2019, and goes into effect on October 1, 2019. This law expands an existing privacy law, giving consumers and end-users the chance to opt out of the sale of what’s called “covered information,” which refers to different forms of personal data.
The covered information under the Nevada bill is defined as:
Under the new law, websites will also be required to let users opt out of the sale of their private data. Nevada limits its definition of a “sale” to the exchange of covered information for monetary consideration, so a sale would mean collecting things such as names, phone numbers or email addresses, and selling them for a profit. While it will still be legal to sell this user data, websites will need to offer Nevada residents the option to opt out. If businesses or websites fail to comply, they could be in violation of the new rules. Companies should come up with a plan with legal counsel on how to handle the required cookie notice, and how to handle individual requests to opt out.
California has a similar user privacy protection law going into effect on January 1, 2020. This new regulation has a bit wider scope than the Nevada law, because it defines “personal information” as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The California law also covers non-household data, such as work email addresses, phone numbers or addresses.
While this may be just the beginning of user privacy protection laws, it is important to note that both of these laws are written in a way to prevent mass litigation. Only the Attorneys General of Nevada or California are allowed to sue using these laws, so this should minimize random lawsuits like those that sometimes happen under the ADA laws.
The first and most important thing to do is have your lawyer or attorney read the Nevada and California laws to see how they apply to you and your website. They should be able to tell you what steps you need to take to bring your website or application into compliance, which we’d be happy to help you with.
If you sell any of this data, keep in mind the implications outlined above, which you may need to take into account.
Iowa also passed a user privacy law in 2018, which protects the privacy of minors. If the majority of a website’s target audience is under 18, then the website is not allowed to track, target or sell school-aged children’s personal identifying markers.