Privacy Regulation Update from #PSR19

Welcome to this week’s Tip of the Hat! The temperature in Las Vegas in September is still hot, but LDH survived the heat while attending the Privacy. Security. Risk. 2019 conference hosted by the International Association of Privacy Professionals. Thousands of privacy professionals from a variety of backgrounds came together to share their knowledge and experiences in implementing privacy in their workplaces. Some of the presentation slides and materials are already available on the schedule page, so feel free to browse.

The California Consumer Privacy Act was on everyone’s minds and in conversations at PSR, and for good reason – enforcement begins in about three months. The amendments process is all but wrapped up, and now businesses are scrambling to be in full compliance by January 1st, 2020. Libraries do not fall under the scope of CCPA; however, library vendors who do business in California and meet certain criteria fall under the scope of CCPA.

CCPA wasn’t the only waves California made at PSR. Last week the same group that sparked the creation of CCPA proposed a new ballot initiative, the California Privacy Rights and Enforcement Act, slated for a 2020 ballot. This initiative provides additional protections to consumers on top of what CCPA already provides:

  • Rights surrounding use and sale of sensitive data such as health, race/ethnic, and location data
  • Require opt-in consent for data collection from consumers under 16 years of age
  • Require businesses to be more transparent about the use of algorithms or automatic creation of profiles from data, as well as the use of profiles in decision making

Again, while libraries are most likely not in the scope of CPREA, library vendors will need to keep track of the progression of this new initiative.

But enough about California. What are the other states doing? Take a look at “CCPA and Its Progeny: States Take Control While Congress Weighs a Broad New Law” where you will get a broad overview of privacy regulations in other states. Many states are poised to either introduce or pass privacy legislation modeled off of CCPA or GDPR in the next year. Without a general data privacy law on the federal level, many states are filling in the gaps as they did with data breach response regulations. Currently, you have 50+ different laws (including Puerto Rico) to comply with when responding to a data breach! We might reach the same situation with data privacy regulation if the federal government does not pass a data privacy bill that preempts state law. Don’t expect a federal bill to be passed during a presidential election year, though. The soonest we might have a chance for a federal bill to pass will be two to three years’ out, which gives states more than enough time to pass their own bills.

In any case, 2020 will be another busy year for privacy regulation, and LDH will keep you updated on the most relevant information for libraries and vendors.