
InfoBytes Blog

Financial Services Law Insights and Observations


  • Nebraska enacts a comprehensive data privacy law

    State Issues

    On April 17 Nebraska enacted LB 1074 (the “Act”), establishing a comprehensive consumer data privacy law. The Act applies to a person that is not a small business (as determined under the federal Small Business Act) who conducts business in Nebraska or produces a product or service used by Nebraska consumers and who processes or sells personal data. The Act includes exemptions for certain classes of data, including data subject to the Gramm-Leach-Bliley Act, as well as for certain entities including state agencies, financial institutions and their affiliates, nonprofits, higher education institutions, and covered entities or business associates governed by the privacy, security, and breach notification rules issued by the Department of Health and Human Services.

    The Act grants consumers the right to (i) request information about whether their data is being processed; (ii) access their data; (iii) correct inaccuracies; (iv) delete their data; (v) obtain a portable copy of their data; and (vi) opt out of certain uses of their data, such as targeted advertising, sale, or “profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.” Controllers, defined as persons that determine the purpose and means of processing personal data, must respond to authenticated consumer requests within 45 days and may extend the period once by another 45 days if necessary. If a request is denied, consumers must be informed of the reasons and instructed on how to appeal to the Attorney General. Controllers must offer a free response to two requests per year from each consumer but may charge a fee or refuse to act if requests are unfounded or excessive. Controllers also must establish an appeals process for consumers whose requests are denied, and inform the consumer of the outcome of their appeal within 60 days.

    Rights afforded to consumers under the Act cannot be waived or limited by contract or agreement. Further, under the Act, controllers must provide consumers with a clear privacy notice including information similar to that required under the Gramm-Leach-Bliley Act.  

    The Act is effective on January 1, 2025, is enforceable by the Attorney General, and does not provide a private right of action.

    State Issues Privacy, Cyber Risk & Data Security Nebraska State Legislation Gramm-Leach-Bliley

  • New Hampshire enacts SB 255, a comprehensive consumer privacy bill

    State Issues

    Recently, the Governor of New Hampshire signed SB 255 (the “Act”) making New Hampshire the 14th state to enact a comprehensive consumer privacy bill. The Act will apply to entities that engage in commercial activities within New Hampshire or target New Hampshire consumers for their products or services and that during a one-year period either: (i) control or process data of 35,000 New Hampshire consumers (except solely for purposes of completing a payment transaction); or (ii) control or process data of 10,000 New Hampshire consumers and derive more than 25 percent of their revenue from selling the data. Exemptions include entities or data subject to the Gramm-Leach-Bliley Act’s Title V, non-profit organizations, and higher education institutions. The legislation will also exempt specific types of data, such as health information that is protected under HIPAA or data subject to the FCRA. The definition of consumer is limited to an individual residing in New Hampshire and excludes both employee and business-to-business (B2B) data.

    The Act will define new terms, such as “sensitive data,” which could mean “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status.” “Sensitive data” also includes genetic or biometric information, data on children, and precise location details. New Hampshire will now mandate that companies obtain explicit consent from consumers before processing sensitive data.

    The Act also granted consumers the following rights: the right to know, the right to correct, the right to delete, the right to opt out of the processing of their personal data for targeted advertising, sales, or profiling of the consumer in furtherance of solely automated decisions that produce legal effects or other effects of similar significance, and the right to data portability.  Consumers will also be protected against discrimination for exercising any of the above rights.

    The Act contained controller responsibilities, including:

    • Limiting the collection of personal data to what is adequate, relevant and reasonably necessary;
    • Not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes that were disclosed to the consumer, unless the controller obtains the consumer's consent;
    • Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
    • Not processing sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
    • Providing an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, ceasing to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
    • Not processing the personal data of a consumer for purposes of targeted advertising, or selling the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age.

    The controller also must provide a privacy notice meeting the standards set forth by the Secretary of State. Controllers must conduct data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including: (i) the processing of personal data for the purpose of targeted advertising; (ii) the sale of personal data; (iii) the processing of sensitive data; and (iv) the processing of personal data for profiling, where profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, unlawful disparate impact, or undue intrusion upon solitude or seclusion.

    The attorney general has exclusive authority to enforce the Act. Between January 1, 2025, and December 31, 2025, the attorney general is required to provide notice of an alleged violation and an accompanying 60-day cure period before commencing an enforcement action. Beginning January 1, 2026, the attorney general has the discretion to provide an opportunity to cure but is not required to provide such an opportunity. The Act does not include a private right of action. The Act will take effect on January 1, 2025.

    State Issues Privacy, Cyber Risk & Data Security New Hampshire State Legislation Consumer Protection

  • Utah enshrines two acts to create cybersecurity notification guidelines

    Privacy, Cyber Risk & Data Security

    On March 19, Utah enacted SB 98 which amended the state’s online data security and privacy requirements. SB 98 will include new protocols that individuals and governmental entities must follow under its data breach reporting requirements. SB 98 will require individuals and governmental entities to provide specific information about the breach, including, among other things: (i) when the data breach occurred; (ii) when the data breach was discovered; (iii) the total number of individuals affected by the breach, with a separate count for Utah residents; (iv) the type of personal data involved; (v) a brief description of the data breach; and, only for governmental entities, (vi) the path or means by which access was granted to the system if known; (vii) the individual or entity who perpetrated the breach if known; and (viii) the actions taken by the governmental entity to mitigate the effects of the breach. Additionally, the Cyber Center will be tasked with assisting the governmental entity in responding to breaches. This assistance may include: (a) conducting or participating in an internal investigation; (b) assisting law enforcement with their investigation if necessary; (c) determining the scope of the data breach; (d) helping the entity to restore the integrity of the compromised system; and (e) providing any other necessary support in response to the breach.

    On that same day, the governor also signed into law HB 491 which enacted the Government Data Privacy Act. Similarly, the bill will describe the duties of state government agencies related to personal data privacy, including breach notification requirements, limits on data collection and use, and the ability to correct and access personal data. On structure, the bill created the Utah Privacy Governing Board to recommend changes in the state privacy policy, established the Office of Data Privacy to coordinate implementation of privacy protections, and renamed the Personal Privacy Oversight Commission to the Utah Privacy Commission and amended the commission’s duties. Both SB 98 and HB 491 will go into effect on May 1.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Data Breach Utah

  • New Hampshire enshrines a new consumer privacy law

    Privacy, Cyber Risk & Data Security

    On March 6, the Governor of New Hampshire, Chris Sununu, signed into law a sweeping consumer privacy bill. Under the act, consumers will have the right to confirm if a controller (an individual who controls personal data) is processing their personal data, a right to access that data, as well as correct inaccuracies, obtain a copy, delete, and opt-out of the processing of the data for targeted advertising purposes. The act also imposed limits on controllers, including that a controller shall (i) limit the collection of data to only what is adequate, relevant, and reasonably necessary for the intended purpose; (ii) establish and maintain administrative security practices to protect the confidentiality of consumer personal data; (iii) not process sensitive data without obtaining the consumer’s consent or, if the data concerns a known child, process the data in accordance with COPPA; (iv) provide an easy means for consumers to revoke consent; and (v) not process personal data for targeted advertising purposes without consumer consent. The bill further outlined a processor’s responsibilities and required controllers to conduct a data protection assessment for each action that may present a risk of harm to a consumer. The act will go into effect on January 1, 2025.

    Privacy, Cyber Risk & Data Security State Issues New Hampshire State Legislation Opt-Out

  • California enacts new data broker regulations

    State Issues

    The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism” to make a streamlined method for consumers to delete their collected information available by January 1, 2026.

    Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during their yearly registration, including: (i) if they collect the personal information of minors; (ii) if they collect consumers’ precise geolocation; (iii) if they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on their website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to delete information for each deletion request face a penalty of $200 per day the information is not deleted.

    The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.

     

    State Issues Privacy, Cyber Risk & Data Security State Legislation California CPPA Data Brokers Consumer Protection

  • California enacts two privacy bills AB 1194 and AB 947

    State Issues

    On October 8, the California governor signed two bills, AB 947 amending the California Consumer Privacy Act of 2018, and AB 1194 amending the California Privacy Rights Act (CPRA) of 2020. AB 947 amends the definition of “sensitive personal information” to include any personal information that reveals a consumer’s citizenship or immigration status. AB 1194 will ensure that when a consumer’s personal information relates to “accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services,” businesses are obligated to comply with CPRA, except in cases where the information is in an aggregated, deidentified form and is not sold or shared. CPRA already empowers consumers to request the deletion of their personal information, with some exceptions to accommodate a business's obligations to adhere to federal, state, or local laws, fulfill court orders, respond to subpoenas for information, or cooperate with government agencies in emergency situations involving potential risks to a person's life or physical well-being.

    AB 947 is effective January 1, 2024 and AB 1194 is effective July 1, 2024.

    State Issues Privacy, Cyber Risk & Data Security State Legislation CPRA CCPA Consumer Protection

  • Delaware Personal Data Privacy Act to protect consumers

    State Issues

    On September 11, Delaware’s governor signed HB 154 (the “Act”), which creates the Delaware Personal Data Privacy Act. The Act ensures that residents of Delaware have the right to be informed about the collection of their personal information, access that information, rectify any inaccuracies, or request the deletion of their personal data held by individuals or entities. The Act will apply to those who conduct business in the State, that “produce products or services that are targeted to residents of the State [of Delaware] and that during the preceding calendar year,” processed personal data of more than 35,000 consumers, or processed the personal data of at least 10,000 consumers while deriving more than 20 percent of their gross revenue from personal data sales. Additionally, the Act mandates that the Delaware Department of Justice conduct public outreach programs to educate consumers and the business community about the Act, starting at least 6 months before the date on which the Act becomes effective.

    The Act is effective on January 1, 2025.

    State Issues Privacy, Cyber Risk & Data Security Delaware Consumer Protection State Legislation

  • Oregon is 11th state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On July 18, the Oregon governor signed SB 619 (the Act) to establish a framework for controlling and processing consumer personal data in the state. Oregon follows California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, Tennessee, Montana, and Texas in enacting comprehensive consumer privacy measures. Last month, Florida also enacted privacy legislation, but the requirements focus on specific digital controllers with global gross annual revenues of more than $1 billion.

    Highlights of the Act include:

    • Applicability. The Act applies to persons conducting business or producing products or services intentionally directed at Oregon residents that either control or process personal data of more than 100,000 consumers per calendar year (“other than personal data controlled or processed solely for the purpose of completing a payment transaction”) or earn 25 percent or more of their gross revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more. Additionally, the Act provides several exemptions, including financial institutions and their affiliates, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, nonprofit organizations, and protected health information processed by a covered entity in compliance with the Health Insurance Portability and Accountability Act, among others. The Act does not apply to personal information collected in the context of employment or business-to-business relationships.
    • Consumer rights. Under the Act, consumers will be able to access their personal data, make corrections, request deletion of their data, and obtain a copy of their data in a portable format. Consumers will also be able to opt out of the processing of personal information for targeted advertising, the sale of personal information, or profiling “in furtherance of decisions that produce legal effects or effects of similar significance.” Data controllers also will be required to obtain a consumer’s consent to process sensitive personal information or, in the case of a known child, obtain consent from the child’s parent or lawful guardian. Additionally, the Act requires opt-in consent for using the personal data of a youth 13 to 15 years old for targeted advertising or profiling. The Act makes clear that consent means “an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice.” This does not include the use of an interface “that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice.” Controllers that receive a consent revocation from a consumer must process the revocation within 15 days.
    • Controller responsibilities. Among the Act’s requirements, data controllers will be responsible for (i) responding to consumer requests within 45 days after receiving a request (a 45-day extension may be granted when reasonably necessary upon notice to the consumer); (ii) providing clear and meaningful privacy notices; (iii) disclosing to consumers when their personal data is sold to third parties or processed for targeted advertising, and informing consumers how they may opt out; (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose and securing personal data from unauthorized access; (v) conducting and retaining data protection assessments where there is a heightened risk of harm and ensuring deidentified data cannot be associated with a consumer; and (vi) avoiding unlawful discrimination.
    • Data processing agreements. The Act stipulates that processors must follow a controller’s instructions and help meet the controller’s obligations concerning the processing of personal data. The Act also sets forth obligations relating to contracts between a controller and a processor. Processors that engage a subcontractor must ensure the subcontractor meets the processor’s obligations with respect to personal data under the processor’s contract with the controller. 
    • Private right of action and state attorney general enforcement. The Act does not provide a private right of action to consumers. Instead, the Oregon attorney general may investigate violations and seek civil penalties of no more than $7,500 per violation. Before initiating such action, the attorney general may grant the controller 30 days to cure the violation. 

    The Act takes effect July 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Oregon Consumer Protection

  • Nevada enacts health data privacy measures

    Privacy, Cyber Risk & Data Security

    On June 16, the Nevada governor signed SB 370 (the “Act”) to enact provisions imposing broad restrictions on the use of consumer health data. The Act is intended to cover health data and persons or entities not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as a person who conducts business in the state of Nevada or produces or provides products or services that are targeted to consumers in the state that “determines the purpose and means of processing, sharing or selling consumer health data.” Exempt from the Act’s requirements are government agencies, financial institutions and data that is collected, maintained or sold subject to the Gramm-Leach-Bliley Act and certain other federal laws, law enforcement agencies, and third parties that obtain consumer health data from a regulated entity through a merger, acquisition, bankruptcy or other transaction, among others.

    The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain voluntary consent from consumers prior to collecting, sharing, and selling their health data, and are required to provide a means by which a consumer can revoke such authorization; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific security policies and procedures. Consumers are also empowered with the right to have their health data deleted and may request a list of all third parties with whom the regulated entity has shared or sold their health data. The Act details prohibited practices and outlines numerous compliance elements relating to access restrictions, responding to consumers, and processor requirements.

    Furthermore, a violation of the Act constitutes a deceptive trade practice. While the Act does not create a private right of action, under existing law a court has authority “to impose a civil penalty of not more than $12,500 for each violation upon a person whom the court finds has engaged in a deceptive trade practice directed toward an elderly person or a person with a disability.” Additionally, under existing law if a person violates a court order or injunction brought by the Commissioner of Consumer Affairs, the Director of the Department of Business and Industry, the district attorney of any county in the state or the attorney general, “the person is required to pay a civil penalty of not more than $10,000 for each violation.” Willful violations may incur an additional penalty of not more than $5,000, as well as injunctive relief.

    The Act is effective March 31, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Medical Data Nevada HIPAA Consumer Protection

  • Nevada expands collection agency licensing requirements

    On June 16, the Nevada governor signed SB 276 (the “Act”) to revise certain provisions relating to debt collection agencies and make amendments to the state’s collection agency licensing law. While existing law requires collection agencies to be licensed, the amendments expand the type of activities that trigger collection agency licensure. Notably, the Act now requires any “debt buyer” to hold a license, which is defined as “a person who is regularly engaged in the business of purchasing claims that have been charged off for the purpose of collecting such claims, including, without limitation, by personally collecting claims, hiring a third party to collect claims or hiring an attorney to engage in litigation for the purpose of collecting claims.” Mortgage servicers, however, are now exempt unless the “mortgage servicer is attempting to collect a claim that was assigned when the relevant loan was in default.” The amendments also repeal provisions governing foreign collection agencies and now require that such agencies be licensed in the same fashion as domestic collection agencies.

    In addition to licensed mortgage servicers, the amendments also exclude others from the definition of the term “collection agency,” including an expanded list of certain financial institutions (as well as their employees), persons collecting claims that they originated on their own behalf or originated and sold, and other persons not deemed to be debt collectors under federal law. The term “collection agent” has also been refined to exempt persons who do not act on behalf of a collection agency from requirements governing collection agents.

    The Act revises requirements relating to “compliance managers” (formerly referred to as “collection managers”) – including an avenue to request a waiver from the Nevada compliance manager examination requirement if certain experiential requirements are met – and makes changes to certain record retention and application requirements, including amendments to the frequency with which the commissioner reviews a licensee’s required bond amount (annually instead of semiannually). A provision requiring applicants to pursue branch licenses for second or remote locations is also repealed. Instead, collection agencies must simply notify the commissioner of the location of the branch office. Further, collection agencies are now required to display license numbers and certificate identification numbers of compliance managers on any website maintained by the collection agency.

    Additionally, the Act now authorizes collection agents to work remotely provided the agents meet certain criteria, including: (i) signing a written agreement prepared by the collection agency that requires the agent to maintain agency-appropriate security measures to ensure the confidentiality of customer information; (ii) refraining from disclosing details about the remote location to a debtor; (iii) refraining from conducting collection activity-related work with a debtor or customer in person at the remote location; (iv) allowing work conducted from the remote location to be monitored; and (v) completing various compliance and privacy training programs. Remote collection agents must adhere to certain practices requirements and restrictions set forth by both the Act and the FDCPA. Collection agencies must also maintain records of remote collection agents, provide oversight and monitoring of collection agents that work remotely, develop and implement a written security policy governing remote collection agents, and establish procedures to ensure collection agents working remotely are not acting in an illegal, unethical, or unsafe manner.

    Finally, the Act imposes new prohibitions against collection agencies and their agents and employees. Among other things, a collection agency (and its compliance manager, agents, or employees) is banned from suing to collect a debt when it knows or should have known that the applicable statute of limitations has expired. The amendments further clarify that the applicable limitation period is not revived upon “payment made on a debt or certain other activity relating to the debt after the time period for filing an action based on a debt has expired.” Certain notice must also be given to a medical debtor notifying that such a payment does not revive the applicable statute of limitations. A collection agency may also not sell “an interest in a resolved claim or any personal or financial information related to the resolved claim.”

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on October 1, 2023 for all other purposes. “Debt buyers” have until January 1, 2024 to submit a collection agency license application pursuant to the new provisions.

    Licensing State Issues State Legislation Nevada Student Loan Servicer Student Lending Consumer Finance NMLS
