Ira: Comprehensive data privacy laws coming to a state near you

By Adam S. Ira

These days, it seems we cannot go a single day without seeing news of the next big data breach.

As the effects of data breaches have come to light over the last few decades, individual states and the federal government have taken action to attempt to bolster data security practices. There is a keystone moment associated with the passage of almost every data security law. For example, the Video Privacy Protection Act of 1988 was enacted after United States Supreme Court nominee Robert Bork’s video rental history was leaked to the press during his confirmation process. Later, in 1994, the Driver’s Privacy Protection Act was enacted by Congress after an obsessed fan stalked and murdered actress Rebecca Schaeffer in her home after obtaining her address from the California Department of Motor Vehicles. The COVID-19 pandemic may very well serve as one of these turning points for much of the country, as we have seen unprecedented cyberattacks occur in the wake of the pandemic. Perhaps more compelling is the significant increase in the collection and use of biometrics to screen people who may have the virus and perform contact tracing.

In the absence of a federal law protecting disclosure of personally identifiable information, all 50 states have passed some form of a data breach disclosure requirement that applies generally to breaches of personally identifiable information of the residents of each state. While each state’s notification statute will differ, they generally follow the same basic principles. Indiana, for example, requires notice to be given if someone’s unencrypted and unredacted Social Security number is compromised, or a combination of the person’s first and last names and one of the following are breached:

• driver’s license number;

• state ID number;

• credit card number; or

• financial account or debit card number in combination with a security code, password or access code that would permit access to the person’s account.

Indiana has yet to expand the breadth of information that must be protected from disclosure since the data breach notification statute was passed in the late 2000s. Importantly, Indiana’s data breach notification law does not create a private right of action, but only provides for administrative enforcement by the Indiana Attorney General. Considering the above, the state of Indiana law with respect to data security and privacy remains largely unchanged over the last decade. However, since 2018 alone, 26 states have enacted legislation, are currently considering proposed legislation or have enacted a special task force to overhaul their data security and privacy laws.

Many of these changes can and do affect people and companies here in Indiana. Here’s a great example: Starting in May 2018, you may have noticed websites explicitly asking your permission to store cookies in your browser. That is due in large part to the European Union’s General Data Protection Regulation (“GDPR”) and, subsequently, the California Consumer Privacy Act (“CCPA”). Perhaps more importantly, these new laws may have extraterritorial effect for acts or omissions that occur here in Indiana.

The EU General Data Protection Regulation

GDPR was one of the first comprehensive data security and privacy laws. It generally protects EU citizens and confers certain privacy rights that had not been codified before its passage. For example, some of the more interesting rights include: (1) a right of explicit consent for collection and processing of one’s data (which is why you now get to select which cookies websites use); (2) a right against automated decision-making on one’s behalf; (3) the right to request and receive one’s data in a commonly used machine readable format; (4) the right to have incorrect data concerning one corrected; and (5) the right to erasure of your data (also called the “right to be forgotten”). GDPR has extraterritorial effect outside the European Union, which is why we all began receiving cookie consent forms when we visited websites from our U.S.-based devices in May 2018.

The kind of data protected by the GDPR is far broader than what is typically covered under individual state data breach laws. The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

GDPR confers a right to compensation for a violation of one’s rights under GDPR, with no limit of liability. GDPR also provides for administrative enforcement, with authorized fines up to 4% of a company’s gross (not a typo) global revenue for the preceding year.

At this point you are no doubt thinking, “What relevance does an EU law have to an Indiana lawyer?” Well, it has about the same relevance as the Magna Carta has to the U.S. Constitution, and it has heavily influenced how states around the country protect and regulate data privacy, as we will see in our brief examination of the California Consumer Privacy Act of 2018.

The California Consumer Privacy Act

Many have likened the CCPA to America’s version of the GDPR. One significant difference is the CCPA’s simplicity (15 pages in length) in comparison to the complexity of the GDPR (261 pages). The CCPA only covers businesses that do business in the state of California and satisfy one of the following:

(1) Collect California residents’ personal information that have annual gross revenues in excess of $25 million (basically almost every Fortune 500 company);

(2) Receives the personal information of 50,000 or more California residents, households or devices; or

(3) Derives 50% or more of its annual revenues from selling California residents’ personal information.

The CCPA provides many of the same rights as GDPR does, such as the right to request what data has been collected, the right to withdraw consent to the processing of your data and the right to be forgotten. There is also a nondiscrimination provision that prohibits businesses from denying or offering different services simply because a consumer exercises their lawful privacy rights guaranteed by the CCPA. This is why, with most websites, you can usually deny all cookies and still continue to use the site without issue.

The CCPA only provides a private right of action in the event of a data breach, and there is no private right of action for a violation of one of the other enumerated privacy rights. The CCPA authorizes a $100 minimum to $750 maximum penalty per consumer incident. The California Attorney General may bring a relator action to seek an injunction and administrative penalties of $2,500 to $7,500 per violation.•

• Adam S. Ira is an attorney at Kightlinger & Gray in Indianapolis. Opinions expressed are those of the author.