States are beginning to propose and adopt privacy regulations similar to the GDPR. The California Consumer Privacy Act (CCPA) was the first of its kind, but – as CompliancePoint’s Matt Dumiak explains – now Hawaii and Washington are considering similar legislation.
Several states recently presented and passed data privacy legislation introducing individual consumer rights and data breach notification rules that in some ways reflect the protections afforded by Europe’s General Data Protection Regulation (GDPR). Like their European counterparts, U.S states such as California, Hawaii and Washington have passed or proposed laws designed to provide customers greater transparency into and control over their personal data.
California’s Consumer Privacy Act (CCPA) even goes beyond breach notification and may require organizations to make significant changes in their data processing operations, including honoring opt-outs of selling data and notification requirements surrounding sharing practices. However, to recognize what growing consumer awareness and a movement toward data privacy and protection laws mean for companies and consumers alike, it helps to have a strong understanding of what the GDPR laws entail.
The General Data Protection Regulation is considered the top standard in consumer data rights by many. It is essentially a set of rules designed to give European citizens control over their personal data, and it aims to reduce the confusion surrounding the regulatory environment for businesses so that both citizens and corporations can fully benefit from the digital economy. These reforms are designed to reflect our technological age, and they provide legal obligations around personal data, privacy and consent management. This means that any organization must abide by these laws regarding how they collect, store and approach their obligation to keep that information safe. If that information is personal information about a customer, such as their name, birth date, credit card or social security number, it has to be protected.
With the passing of the CCPA, California is the first of the 50 states to implement a comparable privacy regulation. Organizations have until January 1, 2020 to prepare, and enforcement actions will begin in July of 2020. Several states have proposed similar legislation following the announcement of California’s CCPA law.
Recently, Hawaii and Washington proposed bills that are similarly made after the CCPA and GDPR. Hawaii has notice or transparency requirements that organizations must make to consumers and sets a broad definition of personal data. However, no breach requirements are included. Washington politicians proposed a bill that provides several notice requirements and consumer rights and is targeted not only at organizations within Washington state, but also organizations offering goods and services to Washington residents.
As increased awareness, interest and concern around consumer data privacy continues to rise across the nation, there’s no doubt we will see more and more privacy laws, especially as legislation at the state level is implemented. As new state laws become enforceable in 2020, it is vital that organizations realize how serious consumers are beginning to be about their data privacy rights and how vital it is that organizations make the necessary adjustments to not only comply with these regulations, but also protect their brand reputation by honoring their consumers demands to protect their information. As more and more individual states adopt these policies, it can be assumed that discussions around privacy will only increase at the federal level as well.
Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint, where he is focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP) and a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and he holds a B.S. in Economics from Georgia College. 
