Written by: Sarah Johnson | June 22, 2021


This week we’ll take a closer look at the latest internet privacy legislation, NV SB260. Ever since GDPR went into effect in Europe, and California passed the CCPA shortly afterwards, there has been much speculation about when states around the country will pass similar legislation. At its core, internet privacy legislation aims to give residents a greater right to protect their data and more control over their privacy. We’ll take a brief look at the issue as a whole, a closer look at the newly passed Nevada bill, and then a brief look at some other state legislation from over the years.

What is all this business about ‘internet privacy’?

According to Techopedia, “Internet privacy refers to the vast range of technologies, protocols, and concepts related to giving individual users or other parties more privacy protections in their use of the global Internet. Internet privacy takes many forms, including mandatory privacy statements on websites, data sharing controls, data transparency initiatives, and more.” When people talk about “internet privacy”, they are usually speaking about a consumer’s ability to control how their data is handled (stored and sold) by companies. This article from the Pew Research Center titled Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information provides a pretty good overall explanation of the situation here in the United States.

GDPR at a Glance

When the General Data Protection Regulation (GDPR) was implemented in 2018, our global idea of what controls consumers should have over their data had a major shift. GDPR, the toughest privacy and security law in the world, imposes regulations on data collected on European Union (EU) consumers for organizations all over the world. It does not matter if a company is headquartered in Iowa, Ireland, Iran, Istanbul, or India – GDPR ensures all companies doing business with EU consumers have to comply with its regulations. If any company is found to have violated the privacy and security standards, massive fines could be levied against them. These fines max out at €20 million or 4% of global revenue (whichever is higher) – and the subjects who were impacted by the violation are entitled to seek damages.

It is widely accepted in the world today that although these regulations are difficult for small-to-medium sized businesses to comply with, they are here to stay and all companies doing any type of business with EU consumers need to build/scale with these regulations front of mind. GDPR provides official definitions for terms like: personal data, data processing, data subject, data controller, and data processor. All companies doing data processing in the EU must process the collected data in accordance with the seven protection and accountability principles. There are also other major ideas pioneered by GDPR like consent, data protection by design, data security, and accountability.

If you would like to read the law in its entirety, go here.

CCPA at a Glance

The California Consumer Privacy Act of 2018 (CCPA) was the first GDPR-like legislation passed in the United States. The CCPA allows consumers to have enhanced control over the personal information businesses collect on them. Much like the GDPR, the CCPA provides guidance for California to implement these regulations on businesses doing business with consumers within the state. The CCPA has four major ideas: right to know, right to delete, right to opt-out, and right to non-discrimination. The overall idea of the CCPA is that consumers in California have the right to know what information is being collected and stored on them, and after knowing that, should also have the right to have businesses delete the data or opt-out of allowing businesses to sell said data. The CCPA requires companies servicing consumers in California to give notices explaining their data privacy practices (adhering to “right to know”). They must then have processes to allow consumers to request their data be deleted or to request to be opted-out of the selling of their information.

If you would like to read the law in its entirety, go here.

What does Nevada’s bill do?

After the CCPA took effect in 2018, Nevada passed SB220. This bill provided Nevada state residents a limited right to opt out of sales of their covered information. In June this year, NV SB260 was signed, expanding and improving upon Nevada’s existing right to opt out of the sale of “covered information”, among other privacy-related provisions.

SB220, passed in 2018, then defined “sale” as “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.” The bill states that “an operator must establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer” if they so wish. SB260 amends the definition of “sale” to be “the exchange of covered information for monetary consideration by an operator or data broker to another person,” thus expanding the activity types which could be considered as “sales” within the state.

The second major thing SB260 does is define covered information as: first and last name, home or other physical address which includes the name of a street and the name of a city or town, email, phone number, social security number, and other identifiers which would enable a specific person to be contacted either physically or online.

Finally, SB260 creates a new category of covered entities named “data brokers”. Data brokers are defined in the legislation as “a person primarily engaged in the business of purchasing covered information about consumers who reside in this State from operators or other data brokers and making sales of such covered information.”

Highlights of other bills around the country

Nevada is the only state to attempt to follow in the EU’s and California’s footsteps as of now, but other states are looking into internet privacy legislation. Here is a table with all of the legislation related to “internet privacy” proposed since 2011. Most states have passed legislation relating to employer access to information or government capture, storage, and use of information.

In 2014, Louisiana created the Personal Online Account Privacy Protection Act. This bill prohibits employers and educational institutions from requesting or requiring an employee or applicant for employment, or a student or prospective student, to disclose any username, password, or other authentication information that allows access to the individual’s personal online account.

In 2016, West Virginia passed the Internet Privacy Protection Act. This bill aimed to protect employees’ “personal accounts”. A personal account is defined in the bill as “an account, service or profile on a social networking website that is used by an employee or potential employee exclusively for personal communications unrelated to any business purposes of the employer.”

In 2018, Virginia enacted the Government Data Collection and Dissemination Practices Act. This legislation facilitates the sharing of data among agencies of the Commonwealth and between the Commonwealth and political subdivisions. Just last year, this legislation played a vital role in a case when “the Virginia Supreme Court, which ruled that the police are allowed to use Automated License Plate Readers (ALPR), which can photograph over 1,800 license plates per minute, and store the tag numbers, times and locations where the photos were taken in a searchable database that is shared with law enforcement, fusion centers and private companies.”

 

Conclusion

We’ve been hearing for years that it is just a matter of time until states follow the EU and California’s lead and enact stronger privacy legislation, but quite frankly, I am discouraged by the lack of legislation out there pertaining to this in the United States. I know it is an incredibly nuanced topic, but consumers should have the right to control the very personal information collected about them. I am interested to see how this continues to unfold and how companies will have to adapt. One thing I do know is we will not have very meaningful change to our data control until many more states (or Congress) enact strong internet privacy legislation.
