Navigating State Privacy & Data Protection Laws

September 12, 2018

According to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) Breach Reporting Portal, by the end of June the number of breaches reported in 2018 had already surpassed the total reported in 2017. As of August 2018, 3.7 million individual records had been reported as compromised, compared with approximately 2.7 million in all of 2017. The causes of the increase in reported breaches cannot be entirely confirmed, but education on reporting requirements and media emphasis on high-profile data breaches are likely among the reasons.

Adherence to the federal HIPAA Privacy and Security requirements is extremely important for companies doing business in the healthcare space. It is also important to navigate the increasing number of state laws guarding consumer privacy and data security. Seven states have had data breach notification laws go into effect so far in 2018, and at least four additional states will have laws in place by the end of 2018. Additionally, more than a dozen states have pending or proposed legislation.

On June 28, 2018, California passed a digital privacy law that is viewed as one of the most significant regulations in digital privacy/protection law to date. This new law, which goes into effect on January 1, 2020, gives consumers the right to know what data is being collected by any company, the purpose for which it is being collected, and whether their data is being shared with or sold to any third party. The law gives consumers the right to have their data deleted, as well as the right to tell a company not to sell or share their data, or “opt out.” Additionally, it requires a company to give a consumer who “opts out” of the sale or sharing of their data the same level of service as a consumer who does not “opt out.” The law also makes it more difficult to sell or share personal data that belongs to minors under the age of 16. The California Attorney General is given additional authority to fine companies that do not adhere to the new law.

All 50 states have some type of consumer breach notification law. In addition to legal guidance, the attached chart is great for informational purposes:

State Data Breach Notification Laws

Some additional resources:

https://www.nytimes.com/2018/06/28/technology/california-online-privacy-law.html

https://www.caprivacy.org/post/california-passes-sweeping-law-to-protect-online-privacy