Privacy may very well be the fastest-growing area of law so far in the 21st century. While the US, at the federal level, has resisted a broad privacy law similar to the GDPR, momentum is steadily gaining for privacy legislation at the state level. This blog explores US privacy law’s recent developments from a records and information management (RIM) perspective.
I. Recently Enacted Privacy Legislation
The number of new bills introduced in 2020 broadly regulating privacy illustrates the subject’s popularity. In 2020 there were more than 20 privacy bills introduced at the state level in the US. Federally, there were dozens of bills and discussion drafts introduced during the last two sessions of congress. While most of the recent broad privacy bills met their demise in legislative committees, here are some of the ones that survived and became law.
California’s Privacy Rights Act (CPRA)
The biggest development in US privacy law in 2020 was the passage of the CRPA by ballot initiative during the November election. The CPRA amends the California Consumer Privacy Act (CCPA) in major ways. Here is a summary of these changes:
- New Privacy Authority Created: The CPRA creates the California Privacy Protection Agency (CPPA) and grants it the authority to enforce the act by making rules and investigating non-compliance.
- Creates New Sensitive Personal Information Category: The CRPA provides stricter requirements for sensitive PI, with stricter use and disclosure provisions than regular PI, including Consumers’ ability to restrict use and disclosure for some purposes. Examples of sensitive PI include social security numbers, identification numbers from identification cards such as passports and licenses, financial account information, race, ethnic origin, religion, and genetic information, and precise location information, among others.
- Expanded Rights for Consumers: In addition to their ability to restrict the use of sensitive PI, consumers have several new and expanded rights under the CRPA. These include new rights to correct inaccurate PI, expanded rights to delete PI from third parties, and expanded/modified rights to know, opt-out, notice of collection, and request deletion of PI.
- Revised Regulated Party: The CRPA expands regulated business activities to include parties receiving PI. The CCPA only included parties who buy, sell, or share PI. The CPRA also expands regulated business activities by revising the deriving at least 50 percent of income from selling PI threshold to include profits from sharing PI. However, the CPRA excludes many small businesses previously covered under the CCPA by increasing the threshold number of consumers or households from 50,000+ to 100,000+.
- PI Retention Changes: CPRA has some retention changes similar to requirements in the GDPR. Under the CPRA, businesses now are prohibited from keeping PI unless it’s reasonably necessary to meet a disclosed purpose. Further, businesses must specify the criteria used to determine the retention period for PI categories or the retention period itself at the time of collection.
Like the CCPA, there is a window before the CPRA becomes effective, allowing businesses time to implement compliance measures. The CPRA will become effective on January 1, 2023.
Maine Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301)
Maine passed a privacy act in 2019, restricting the collection, retention, use, disclosure, sale, or access to customer PI by broadband internet access services. This act provides exceptions, including consent, providing services related to the purpose for collection, direct advertising, and several others. It also includes requirements for security and protection of consumer PI lawfully collected.
Nevada Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A)
Nevada revised its PI security law by enhancing requirements for state government controls in the “collection, dissemination and maintenance” of PI.
II. U.S. Privacy Law Trends Leading Into 2020
The year 2020 highlighted an ongoing trend in U.S. privacy laws. For reference, the following includes a summary of additional privacy laws generally applicable to businesses and employers that impact PI retention:
Illinois Biometric Information Privacy Act (740 ILCS 14/)
Section 15 of this law on “Retention; collection; disclosure; destruction” requires private entities possessing biometric identifiers to have a retention schedule specifying disposition “when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.”
Maryland: COMAR 09.12.22.01
This law from Maryland requires employers to retain PI medical information “only for the time needed to accomplish the purpose for access.”
New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act): NY CLS Gen Bus 899-aa and 899-bb
The SHEILD Act requires businesses owning or licensing computerized data containing PI to dispose of the PI “within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”
Texas: Tex. Bus. & Com. Code 503.001
This Texas legislation requires persons possessing biometric identifiers of individuals collected for a commercial purpose to “destroy it within a reasonable time, but not later than the first anniversary of the date the purpose for collecting the identifier expires.”
Utah: Utah Code Ann. 34-46-203
Utah’s latest enacted privacy legislation requires employers to destroy information collected during a hiring process within “two years after the day on which the applicant provides the information to the employer if the employer does not hire the applicant.”
Washington: Rev. Code Wash. 19.375.020
This recent Washington law requires that possessors of biometric identifiers collected for commercial purposes retain them for “no longer than is reasonably necessary to… provide the services for which the biometric identifier was enrolled.”
Federal Children’s Online Privacy Protection Rule: 16 CFR 312.10)
This rule by the US Federal Trade Commissions requires operators of websites or online services to retain PI collected from children for “only as long as is reasonably necessary to fulfill the purpose for which the information was collected.”
The above is just a sampling of privacy laws and many other US privacy laws generally regulate businesses and specific industries. If you need help strategizing how privacy requirements impact your RIM program, Zasio Consulting is here to help, contact Zasio.
 Arizona (SB1614, HB2729), California (CPRA passed), Hawaii (HB 963), Illinois (SB2263, SB2330, HB5603), Maryland (HB0249, HB0784, HB1656), Minnesota (HF 3936), Nebraska (LB746), New Hampshire HB1236), New Jersey (A2188, A3255), New York (S224, S5642), South Carolina (H4812), Virginia (HB473), Washington (SB6281), Wisconsin (AB870, AB871, AB872).
 DATA Privacy Act (H.R.8749), Privacy Office Enhancement Act (H.R.5678), Consumer Online Privacy Rights Act (S.2968), Privacy Score Act of 2020 (H.R.6227), Social Media Privacy Protection and Consumer Rights Act of 2019 (S.189), Privacy Bill of Rights Act (S.1214), Protecting Education Privacy Act (H.R.2724), Moving Americans Privacy Protection Act (S.1302), Passenger Privacy Protection Act of 2019 (S.1206), Genetic Information Privacy Act of 2019 (H.R.2155), Secure Data and Privacy for Contact Tracing Act of 2020 (H.R.7472), Consumer Data Privacy and Security Act of 2020 (S.3456), Online Privacy Act of 2019 (H.R.4978) to name a select few.
 The California Privacy Rights Act (CPRA) Section 24. https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf
 ID at sections 10 and 13.
 ID at sections 3A, 5-12.
 ID at section 14
 ID at sections 4, 12(7)
 Act to Protect the Privacy of Online Customer Information (35 M.R.S. 9301). https://www.mainelegislature.org/legis/bills/getPDF.asp?paper=SP0275&item=9&snum=129
 Amended Security of Information Maintained by Data Collectors and Other Businesses (Nev. Rev. Stat. Ann. 603A) Section 210. https://www.leg.state.nv.us/NRS/NRS-603A.html#NRS603ASec210
 Illinois Biometric Information Privacy Act (740 ILCS 14/) Sec. 15 (a). https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57
 COMAR 09.12.22.01 (C). http://www.dsd.state.md.us/comar/comarhtml/09/09.12.22.01.htm
 NY CLS Gen Bus 899-bb (2)(b)(ii)(C)(4). https://www.nysenate.gov/legislation/laws/GBS/899-BB
 Tex. Bus. & Com. Code 503.001 (c)(3),(c-1). https://statutes.capitol.texas.gov/Docs/BC/htm/BC.503.htm
 Utah Code Ann. 34-46-203 (2). https://le.utah.gov/xcode/Title34/Chapter46/34-46-S203.html?v=C34-46-S203_1800010118000101
 Rev. Code Wash. 19.375.020 (4)(b). https://app.leg.wa.gov/RCW/default.aspx?cite=19.375.020#:~:text=RCW%2019.375.020-,Enrollment%2C%20disclosure%2C%20and%20retention%20of%20biometric%20identifiers.,identifier%20for%20a%20commercial%20purpose.
 16 CFR 312.10. https://www.ecfr.gov/cgi-bin/text-idx?SID=d2d4616077fe505e154978fae9519ff3&mc=true&node=pt16.1.312&rgn=div5#se16.1.312_110
Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements in this article are informational only and do not constitute legal or other professional advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.