Updated 7/1/2020
We are halfway through 2020, and it is safe to say that consumer privacy is all the rage. California kicked off the movement with the California Consumer Privacy Act (CCPA), AB 375, which went into effect on January 1, 2020. The act aims to give consumers more rights to their personal data. Since then, Washington, New Hampshire, and New York have all proposed similar consumer privacy bills that – if passed – will have an effect not only on consumers but also on businesses that operate in these states.
Take a look at the bills, then consider the steps your business can take to help comply with the regulations.
California Consumer Privacy Act
The newly established rights allow consumers to request records of what personal data is collected and mandate the deletion or cease the sale of that information. The privacy act also regulates the data collected from minors and prevents businesses from discriminating against consumers that choose to exercise their rights.
Businesses that must adhere to the CCPA are those that collect personal data, conduct business in California, and fit into one or more of the following categories:
- Gross annual revenue over $25 million
- Buys, sells, or obtains the personal data of more than 50,000 consumers, devices, or households
- Makes over 50 percent of its revenue from selling consumers’ data.
To further empower consumers, CCPA has also mandated data brokers to register with the Attorney General, providing information about who they are and what their collection practices entail. This information is loaded into a database and is accessible to all consumers.
As of July 1, the Attorney General’s office will begin enforcing the privacy act. Businesses will be subject to $2,500 per violation (or $7,500 for intentional violations) if they do not address and fix the non-compliance within thirty days.
Washington Privacy Act
On January 13, 2020, Washington State Senator, Reuven Carlyle, introduced the bill for the Washington Privacy Act (WPA), SB 5376. If granted, the bill will allow residents to see who is accessing their personal data, correct or delete data, or opt-out of targeted advertisements and profiling. Controllers will need to conduct data protection assessments regarding where they are processing personal data and additional assessments anytime there is a change to the processing that could affect consumers. The bill will also require companies to disclose data management policies to increase transparency and establish limits on the use of facial recognition technology.
New Hampshire Privacy Act
Garrett Muscatel and Greg Indruk, U.S. State Representatives, reintroduced the bill for the Act Relative to the Collection of Personal Information by Businesses, HB 1680, to the New Hampshire House of Representatives. The bill, if passed, will give consumers the right to access, transfer, and delete their personal information, or deny the sale of such information. It will also give consumers the right to take action if their information is leaked. Like CCPA, the bill would apply to any legal entity that has annual gross revenues over $25,000,000, processes data of more than 50,000 New Hampshire consumers, or derives 50 percent of its revenue from selling personal information.
New York Privacy Act
The New York Privacy Act, SB 5642, was sent to the Senate Standing Committee on Consumer Protection on January 8, 2020. If approved, the bill will improve transparency, add protection, and allow for action against personal data. Personal data will include biometric information and internet or electric network activity.
What steps can you take to protect your clients and your business?
These regulations, and others, like the EU GDPR, signal that protecting and securing consumer data will increasingly be required and application security plays a role in that requirement. Whether you are looking to expand your application security (AppSec) program to further comply with the new regulations, or you are looking to start your first AppSec program, we can help. Our Veracode Verified program gives you a clear AppSec roadmap to follow, helping to ensure that security is weaved into your development process.
In addition, by participating in the program, you can earn a Veracode Verified seal, which demonstrates to customers that you are dedicated to securing your applications and protecting their personal data.
Contact us today to learn how to better secure your applications to comply with industry standards.