There are major changes happening around the world with regard to user privacy protection. As consumers become more aware of the value of personal internet user data and privacy, American lawmakers are scrambling to catch up to the European Union’s General Data Protection privacy laws. Jurisdictions from California to Nevada are passing legislation that can restrict the usage and sale of user data, and enacting rules that would require things like cookie notifications and privacy policies.
Here at Webspec, we are still working on our policies about privacy, and how we’re planning on rolling them into projects, but we’d like you to be informed and have enough time to consult with your attorney to implement changes before these laws go into effect. Here are a few things to know about new privacy laws:
What Are the GDPR Laws?
In 2018, we posted a blog about new regulations in the European Union known as the General Data Protection Regulation, or GDPR. These rules required businesses with websites to inform users what data was being collected, as well as give them the opportunity to either opt out of optional cookies, or to be “permanently forgotten” by having a method of purging private user data.
These broad rules affected any user physically located in the European Union, not just EU citizens. While the rules are significant to any multinational corporations doing business abroad, many small businesses in the United States didn’t worry about the implications of the GDPR laws.
Now, several states, including Iowa, have enacted some form of data privacy protection law, so businesses are more likely to be within a jurisdiction that regulates online privacy.
What’s Happening With User Privacy in the United States?
Supplementing the GDPR laws from the EU, there are new regulations going into effect in the United States over the next several months. These include one in the state of Nevada on October 1, 2019, and a California law which starts in January 2020.
Below, we touch on the main points of these bills, but we want to stress the fact that we are not lawyers and this should not be taken as legal advice. If you need any clarifications on how these bills specifically affect your business, ask your counselor to review the laws.
Nevada Senate Bill 220
Nevada Senate Bill 220 was passed in May 2019 and goes into effect on October 1, 2019. This law expands an existing privacy law, giving consumers and end-users the chance to opt out of the sale of what’s called “covered information,” which covers different forms of personal data.
What is Considered Personal Data?
The covered information under the Nevada bill is defined as:
- Your first and last name
- Your home or other physical address which includes the name of a street and the name of a city or town
- Your electronic mail (email) address
- Your telephone number
- Your social security number
- An identifier that allows a specific person to be contacted either physically or online
- Any other information concerning a person collected from the person through the internet, website or online service of the operator and maintained by the operator in combination with an identifier in a form that makes the information personally identifiable
The statute that is already in effect requires disclosure of any of those collected items; essentially, if websites collect any of these pieces of information, they must have an online disclosure, such as a cookie or privacy policy stating:
- The categories of covered information it collects
- The categories of third parties with whom it shares covered information
- The process for consumers to review and request changes to their covered information
- The process for notification of material changes to the notice, and
- Whether it collects covered information about an individual consumer’s online activities.
What’s Changing in Nevada?
Under the new law, websites will also be required to let consumers opt out of the sale of their private data. Nevada limits its definition of a “sale” to the exchange of covered information for monetary consideration, so a sale would mean collecting things such as names, phone numbers or email addresses, and selling them for a profit. While it will still be legal to sell this user data, websites will need to offer Nevada residents the option to opt out. If businesses or websites fail to comply, they could be in violation of the new rules. Companies should come up with a plan with legal counsel on how to handle the required cookie notice, and how to handle individual requests to opt out.
At this point, collecting the data and using cookies is still allowed; it’s the sale of that data that is under fire in Nevada currently.
California Consumer Privacy Act
California has a similar user privacy protection law going into effect on January 1, 2020. This new regulation has a bit wider scope than the Nevada law, because it defines “personal information” as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The California law also covers non-household data, such as work email addresses, phone numbers or addresses.
While this may be just the beginning of user privacy protection laws, it is important to note that both of these laws are written in a way to prevent mass litigation. Only the Attorneys General of Nevada or California are allowed to sue using these laws, so it should minimize any random lawsuits like what sometimes happens with the ADA laws.
What Do Businesses Need to Do Now?
The first and most important thing to do is have your attorney read the Nevada and California laws to see how they apply to you and your website. They should be able to tell you what steps you need to take in order to bring your website or application into compliance, which we’d be happy to help you with.
It’s also important to know what cookies or personal identifiers you are using, so that you can create an accurate cookie and/or privacy policy. Take an inventory of all the cookies, including things like Google Analytics tags, remarketing tags, social media pixels, and marketing automation pixels. These all need to be listed and recorded, along with how you use them and what you do with the data.
If you sell any of this data, keep in mind the implications outlined above, as you may need to take them into account.
What’s Happening With User Data Privacy in Iowa?
Iowa also passed a user privacy law in 2018, which protects the privacy of minors. If the majority of a website’s target audience is under 18, then the website is not allowed to track, target or sell school-aged children’s personal identifying markers.
Privacy Laws Going Forward
In the years to come, there will likely be more privacy laws, and hopefully we’ll have standardized rules in the United States that businesses can follow. Until that happens, it’s always best to play it safe and to consult with your lawyer on how to comply with the privacy laws. Once you have decided what steps to take and how you want to implement them on your website, let us know, and we can help turn on a cookie notification popup, or create, update or edit your site’s privacy or cookie policy page.