0
PCI Data Security Standards v4.0What Your Business Needs to Know About the Newly Announced PCI Data Security Standards v4.0

What Your Business Needs to Know About the Newly Announced PCI Data Security Standards v4.0

In a press release published on March 31st, the PCI Security Standards Council (PCI SSC) announced v4.0 of the PCI Data Security Standards (PCI DSS).  

The PCI DSS is a global standard covering technical and operational practices for system components included in or connected to environments with cardholder data. 

In this blog post, we provide a brief overview of what’s new in this latest iteration of the standard. We also glance at the implementation timeline so that your business can get the ball rolling on the transition process. 

What’s New in the PCI Data Security Standards v.4.0? 

The new changes and requirements reflected in v4.0 address four main objectives: 

  1. continue to meet the security needs of the payment industry; 
  2. promote security as a continuous process; 
  3. add flexibility for different methodologies; and 
  4. enhance validation methods. 

PCI DSS v4.0 comes with three types of changes: (1) evolving requirements, (2) clarifications/additional guidance, and (3) structural/formatting changes. 

Evolving requirement changes include new/modified requirements and procedures. For example, concerning Requirement 1 (Install and Maintain Network Security Controls), v4.0 replaces v3.2.1’s “firewalls” and “routers” language with “network security controls” to acknowledge the broader range of technologies that are available to meet security objectives. Additionally, Requirement 2.1.2 – which requires roles and responsibilities for performing activities covered under Requirement 2 to be documented, assigned, and understood – is new in v4.0. Another new rule in v4.0, for example, is Requirement 12.5.2, which requires entities to document and confirm PCI DSS scope at least every 12 months and upon a significant change to the in-scope environment. 

Clarifications/additional guidance changes update wording, explanations, and definitions as well as provide expanded information on particular topics. PCI DSS requirements generally apply to entities with environments where account data (cardholder data and/or sensitive authentication data) is stored, processed, or transmitted and to entities with environments that can impact the security of the cardholder data environment (CDE). PCI DSS v4.0 provides updated language in the “Applicability Information” section, clarifying that “requirements may also apply to entities with environments that do not store, process, or transmit account data – for example, entities that outsource payment operations or management of their CDE.” 

Structural/formatting changes involve edits to the organization of the document. Some of these structural/formatting changes include reformatted overview sections and new summaries accompanying each principal requirement. 

Furthermore, to support flexibility in how security objectives are met, PCI DSS v4.0 offers two approaches for implementing and validating PCI DSS: defined approach and customized approach. A customized approach to a particular requirement allows entities to implement security practices and controls that meet the purpose of the requirement, but in a way that does not strictly follow the defined requirement. 

Implementation Timeline 

This latest iteration of the PCI Data Security Standards v4.0 – is designed to replace the most recent version, v3.2.1, which was first released back in 2018.  

As for the timeline, v3.2.1 will remain active for two more years until its retirement date of March 31, 2024.  

Future-dated new requirements will become effective on March 31, 2025. For example, Requirement 5.2.3.1 of v4.0 – which is a new requirement that defines the frequency of periodic evaluations of system components not at risk for malware in an entity’s targeted risk analysis – will be considered a best practice until March 31, 2025 (after which it will be required). 

Key Takeaways 

PCI DSS v4.0 brings significant changes and new approaches, and businesses will have until March 31, 2024, to effectuate a transition to this latest version of the standard. Businesses can find the newest version of the standard and supporting documentation in the “Document Library” section of the PCI SSC’s website. Our highly experienced attorneys are prepared to provide up-to-date and practical compliance counsel in connection with PCI DSS.  

* Attorney Advertising: prior results do not guarantee future outcomes. 

0
Québec's Bill 64Québec’s Bill 64 – What Businesses Need to Know Now

Québec’s Bill 64 – What Businesses Need to Know Now

In Canada, the main laws governing personal data protection and privacy at the federal level are the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act. On November 17, 2020, the former Minister of Innovation, Science and Industry, Navdeep Bains, introduced An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts (Bill C-11, or the Digital Charter Implementation Act) for consideration in the House of Commons. Bill C-11 was slated to update Canada’s private-sector data privacy laws. However, it died on the Order Paper in August.

While efforts to enact reforms at the federal level have been halted for the moment, businesses should still be keeping a close eye on what is happening at the provincial level.

On September 22, 2021, Québec’s An Act to modernize legislative provisions as regards the protection of personal information (Bill 64) received royal assent in the National Assembly of Québec. Octillo will continue to monitor these provisions to Québec’s new privacy law and will provide updates prior to the effective date. With broad implications and with substantive provisions becoming effective in 2022, 2023, and 2024, private-sector businesses should take proactive steps to prepare for Québec’s new privacy law starting now.

Here are some of the important changes to be aware of:

Provisions effective starting September 22, 2022:

Designation of the Person in Charge of the Protection of Personal Information

Section 95 of Bill 64 adds Section 3.1 to Québec’s Private Sector Act.

By default, the person exercising the highest authority in a business, such as the chief executive officer, will be the person in charge of the protection of personal information. This responsibility may be delegated to another person, and that person’s title and contact information must be posted on the website of the business.

Confidentiality Incident Notifications to the Commission d’accès à l’information (CAI).

Section 95 of Bill 64 adds Sections 3.5-3.8 to Québec’s Private Sector Act.

Bill 64 defines a “confidentiality incident” as: (1) access not authorized by law to personal information; (2) use not authorized by law of personal information; (3) communication not authorized by law of personal information; or (4) loss of personal information or any other breach in the protection of such information.

Businesses must promptly notify the CAI about confidentiality incidents that “present a risk of serious injury” and must also notify any person whose personal information is concerned in such an incident.

The determination of a “risk of serious injury” depends on certain factors, such as “the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes.”

Businesses must also keep a register of all confidentiality incidents for the CAI upon request.

Changes Concerning Personal Information in Commercial Transactions

Section 107 of Bill 64 adds Sections 18.3-18.4 to Québec’s Private Sector Act.

Bill 64 defines a “commercial transaction” as involving:

  • the alienation or leasing of all or part of an enterprise or its assets;
  • a modification of its legal structure by merger or otherwise;
  • the obtaining of a loan or any other form of financing by the enterprise; or
  • the obtaining of a security taken to guarantee any of its obligations.

When necessary for concluding a commercial transaction, businesses may communicate personal information without the consent of the person concerned. However, prior to such transactions, businesses must enter into an agreement ensuring that the other party will only use the information for concluding the commercial transaction, will not communicate the information without consent, will take measures required to protect the confidentiality of the information, and will destroy the information if the transaction does not go through or if the information is no longer necessary.

Please note that the new Section 18.4 on entering into an agreement prior to such transactions becomes effective in 2022, while the new Section 18.3 becomes effective in 2023.

Changes Concerning Personal Information in Research Studies

Section 110 of Bill 64 amends Section 21 of Québec’s Private Sector Act.

When using the information for study or research purposes or to produce statistics, businesses may communicate personal information without the consent of the person if a privacy assessment concludes that:

  • the objective can only be achieved if the information is communicated in a form allowing the persons concerned to be identified;
  • it is unreasonable to require obtaining consent;
  • the objective outweighs with regard to the public interest;
  • the personal information is used in such a way to ensure confidentiality; and
  • only necessary information will be communicated.

Businesses wishing to use personal information in studies and research must request in writing and enclose several other pieces of required materials/information. If applicable, businesses must also describe the different technologies to be used. If applicable, businesses must also send documented decisions of a research ethics committee.

Bill 64 also lists several requirements that businesses must work into an agreement with the persons or entities receiving the personal information.

Provisions effective starting September 22, 2023:

Governance Policies and Practices Regarding Personal Information

Section 95 of Bill 64 adds Section 3.2 to Québec’s Private Sector Act.

Businesses must establish and implement governance policies and practices regarding personal information. Such policies must provide a framework for the keeping and destruction of the information, define the roles and responsibilities of the members of its personnel throughout the life cycle of the information, provide a process for dealing with complaints, be proportionate to the nature and scope of the business, and be approved by the person in charge of the protection of personal information.

Businesses must publish detailed information about these policies on their websites in simple and clear language.

Privacy Assessments

Section 95 of Bill 64 adds Sections 3.3-3.4 to Québec’s Private Sector Act.

Businesses must conduct privacy assessments for the acquisition, development, or overhaul of information or electronic service delivery systems involving the collection, use, communication, keeping, or destruction of personal information.

The person in charge of the protection of personal information may suggest measures such as:

  • the appointment of a person to be responsible for implementing the personal information protection measures;
  • measures to protect the personal information in any document relating to the project;
  • descriptions of the project participants’ responsibilities regarding the protection of personal information; or
  • training activities for project participants on the protection of personal information.

Privacy assessments must be conducted proportionately to the sensitivity of the information concerned, the purposes for which  the information will be used, the quantity and distribution of the information, and the medium on which it is stored.

Personal Information Concerning Minors Under 14 Years of Age

Section 96 of Bill 64 replaces Section 4 of Québec’s Private Sector Act.

Businesses may not collect personal information concerning a minor under 14 years of age without parental or tutor consent unless collecting the information is clearly for the minor’s benefit.

Necessary Purposes

Section 97 of Bill 64 amends Section 5 of Québec’s Private Sector Act.

Any person collecting personal information on another person may collect only the information necessary for the purposes determined before collecting it.

Source of the Personal Information

Section 98 of Bill 64 amends Section 7 of Québec’s Private Sector Act.

Any person collecting personal information from another person carrying on an enterprise must, at the request of the person concerned, inform the latter of the source of the information.

Consent

Section 99 of Bill 64 replaces Section 8 of Québec’s Private Sector Act.

When collecting information and upon request, businesses must provide, in clear and simple language, the purposes of collection, the means of collection, the rights of access and rectification under law, and the right to withdraw consent.

Persons concerned may also request the categories of persons who have access to the information within the business, the duration of time the information will be kept, and the contact information of the person in charge of the protection of personal information.

Businesses must also inform individuals of any collection of personal information using a technology that includes functions allowing the individual to be identified, located, or profiled and the means available to deactivate such functions.

Businesses collecting personal information through technological means must publish on their websites a confidentiality policy in clear and simple language.

Any person who provides his or her personal information in accordance with this new Section 8 of Québec’s Private Sector Act consents to its use for the stated purposes.

Section 102 of Bill 64 replaces Sections 12-14 of Québec’s Private Sector Act.

Unless the person concerned gives his or her consent, personal information may not be used within the business except for the purposes for which it was collected. Such consent must be given expressly when it concerns sensitive personal information.

Personal information may, however, be used for another purpose without consent, but only if:

  • its use is necessary for preventing and detecting fraud or assessing and improving protection and security measures;
  • its use is necessary for providing or delivering a product or providing a service requested by the person concerned;
  • its use is necessary for study or research purposes or to produce statistics and if the information is de-identified.

Privacy by Default

Section 100 of Bill 64 adds Section 9.1 to Québec’s Private Sector Act.

Businesses that collect personal information when offering a technological product or service must ensure that the parameters of the product or service provide the highest level of confidentiality by default, without any intervention by the person concerned.

Automated Decision-Making

Section 102 of Bill 64 replaces Sections 12-14 of Québec’s Private Sector Act.

Businesses that use personal information to render a decision based exclusively on automated processing of such information must inform the person concerned accordingly and not later than at the time it informs the person of the decision.”

The person concerned must be given the opportunity to submit observations to a member of the business who is in a position to review the decision.

Third Parties

Section 102 of Bill 64 replaces Section 12-14 of Québec’s Private Sector Act.

No person may communicate to a third person the personal information he holds on another person, unless the person concerned consents to, or this Act provides for, such communication. Such consent must be given expressly when it concerns sensitive personal information.

Cross-Border Data Transfers

Section 103 of Bill 64 replaces Section 17 of Québec’s Private Sector Act.

Before communicating personal information outside Québec, businesses must assess privacy-related factors. They must consider:

  • the sensitivity of the information;
  • the purposes for which it is to be used;
  • the protection measures, including those that are contractual, that would apply to it; and
  • the legal framework applicable in the State in which the information would be communicated, including the personal information protection principles, apply in that State.

The information may be communicated if the assessment establishes that it would receive adequate protection, in light of generally recognized principles regarding the protection of personal information.

Destruction of Personal Information

Section 111 of Bill 64 replaces Section 23 of Québec’s Private Sector Act.

Where the purposes for which personal information was collected or used are achieved, businesses must destroy or anonymize the information, subject to any preservation period provided for by an Act.

De-Indexation

Section 113 of Bill 64 replaces Section 28 of Québec’s Private Sector Act.

The person to whom the personal information relates may require a business to cease disseminating that information or to de-index any hyperlink attached to his name that provides access to the information by a technological means if the dissemination of the information contravenes the law or court order.

This new section lists several situations in which hyperlinks may be re-indexed.

Provisions effective starting September 22, 2024

Copies of Personal Information Upon Request

Section 112 of Bill 64 amends Section 27 of Québec’s Private Sector Act.

Businesses must, upon request, confirm the existence of personal information, communicate it in a structured and commonly used technological format, and allow people to obtain copies of their personal information.

Conclusion

Many of the provisions of Québec’s new privacy law do not become effective until 2023 and 2024. However, there are a few notable provisions that become effective starting on September 22, 2022. Octillo continues to monitor this area and will provide updates as the effective date approaches. Our Compliance Team recommends that businesses both within and outside Québec’s, take proactive steps to prepare for the full implementation of Bill 64 starting now, especially now that there will be new enforcement and penalties regime.

*Attorney advertising: prior results do not guarantee similar outcomes.

Subscribe to our newsletter.

 

0
Data Security and Privacy Due DiligenceData Security and Privacy Must Play a Part in M&A Due Diligence

Data Security and Privacy Must Play a Part in M&A Due Diligence

In the past, acquiring companies engaged in M&A activity paid little attention to a target company’s data security & privacy (DSP) posture during due diligence. The acquiring companies learned that their failure to fully evaluate the target company’s DSP posture led to the target company inheriting more work than ever anticipated. These risks manifested in two costly areas: undisclosed cybersecurity incidents (which could lead to costly litigation and negative publicity), and poor cybersecurity and privacy infrastructure (which would delay integration).

These negatives are well documented. A 2019 Forescout report found that, “[j]ust under half (49%)” of the transactions analyzed “encountered unknown or undisclosed cybersecurity incidents, issues, or risks when integrating the acquired company’s information and technology that delayed the integration timeline.” Another well-known example was Verizon’s $350 million purchase price reduction of Yahoo!’s to cover costs of ongoing government investigations and private litigation for historic cybersecurity incidents that were not fully disclosed or evaluated in the due diligence phase.

Things have changed. Gartner reported that by 2022 sixty percent of organizations will consider a target company’s cybersecurity posture as a critical factor in their due diligence process. Acquiring companies have made DSP due diligence a priority because they understand the costly risks of inheriting a target company’s DSP liabilities.

Target companies must proactively address and disclose DSP risks to avoid renegotiation of the purchase price, delay the closing date, or at worst, the acquiring company backing out of the deal. M&A parties often retain sophisticated DSP attorneys to assist in all phases of the deal, including conducting DSP posture analyses, evaluating DSP-specific risks, and guiding the company through the diligence process.

This article addresses some of the key privacy and security issues, and strategies target companies should undertake to prepare for privacy reviews in due diligence.

 

Understand Data Privacy and Cybersecurity Obligations

The acquiring company’s goal during diligence is to understand whether the target company: (a) is in compliance with all applicable privacy and cybersecurity obligations, (b) has controls in place to avoid future regulatory or litigation exposure, and (c) has no undisclosed cybersecurity incidents that could lead to future exposure. Thus, the target company should be prepared to respond to diligence requests that focus on these key areas.

Context Matters. Cyber and privacy due diligence are heavily dependent on the target company’s profit model and industry because those factors heavily drive the evaluation of the transaction’s risk stemming from the target company’s cybersecurity posture. A purely regional business-to-business (B2B) company will generally have lower obligations than a company that handles personal health information (PHI), does significant business in California, or has international operations. A seller should focus on the following core area and consider whether it is in compliance with all standards-based on its position in that core area:

  • Profit-Model. Understand how the target company’s profit model subjects it to privacy and cybersecurity obligations. Consumer-facing companies are likely to have higher privacy obligations than those with an exclusively B2B model.  Additionally, companies who collect or trade consumer information will have higher privacy obligations, particularly when that information includes financial or health information.
  • Location. Understand the obligations imposed on the target company based on where it conducts business. Businesses in Europe or California may subject the business to specific obligations under the General Data Privacy Regulation (GRPR) or California Consumer Privacy Act (CCPA). Each has a specific requirement and harsh penalties for non-compliance. It is equally important to know if the target company is not subject to the CCPA and GRPR so that the target company does not unnecessarily expend resources to comply with those laws, and to adequately respond to misdirected diligence inquiries about GRPR and CCPA compliance.
    Cybersecurity incident notification laws also vary by state, so the company should understand could create obligations for historic cybersecurity incidents.
  • Industry. Understand whether the target company’s industry creates unique security obligations. Broadly, a company that operates in: (a) financial services, (b) healthcare, (c) government contracting, (c) consumer data collection, and (d) consumer credit card transactions. State laws may also impose industry-specific obligations.

Understand the impact of historic cybersecurity incidents. Any historic cybersecurity incidents will very likely be the subject of the acquiring company’s diligence inquiry. The target company should consider the root cause of the incident (i.e. system vulnerabilities or policy gaps).

 

Strategies to Maximize Price and Avoid Concerns During Diligence

Again, acquiring companies are evaluating potential transaction risk based on the target companies’ compliance obligations and cybersecurity risks. Strong documentation reflecting a target company’s understanding of its obligations and implementation of necessary policies and programs is a target company’s strongest asset in alleviating an acquiring company’s concerns (and in turn maximizing the purchase price).

Implement Privacy Policies. Implement compliance privacy policies to the extent necessary based on the target business’ profit model, location, and industry (as discussed above). If the target company determines its business does not require implementation of a specific policy, demand the rationale for that decision, and maintain a policy that requires a review of the target company’s privacy compliance requirements: (a) periodically, (b) based on material changes in the company’s business, and (c) based on material changes in the law.

Implement Data Governance Programs. Even if the target company has determined that specific privacy laws do not apply to the company, many acquiring companies will require that the target company understands the data it collects. Understanding the collected data allows the target company to show that: (a) it has analyzed potential risks of a cybersecurity incident, and (b) is well-positioned to comply with future privacy requirements following the acquisition (or based on future changes in the laws).

Implement Cybersecurity Policies. Maintain a cybersecurity and compliance infrastructure that require conducting penetration testing, vulnerability assessments, and corrective follow-up. An acquiring company is likely to be skeptical about a target company’s representations about a lack of prior incidents because a company that does not conduct regular testing and assessments may not even be aware of prior intrusions.

Analyze Contracts and Maintain Insurance. The target company should analyze vendor and customer contracts relating to indemnification for cyber or privacy incidents.  As the acquiring company may be inheriting these contracts, they will want to ensure that these contracts don’t create unnecessary risk. Maintaining cybersecurity insurance covering past incidents will further alleviate concerns.

Analyze Past Incidents. Analyze past incidents to determine what system vulnerabilities, policy or training gaps led to the incident, and document the steps taken to correct those issues.

Partner with Technologists Who Understand the Legal Requirements. There is no need to reinvent the wheel.  Work with experienced partners who can help assess the need for privacy and cybersecurity programs, and help you navigate due diligence requests from an acquiring company.  Octillo retains privacy attorneys and security professionals with a deep understanding of the technology in the law.

For more information on this topic, contact Octillo attorney Chirag H. Patel.

Subscribe to our newsletter.

*Attorney Advertising.  Prior results do not guarantee future outcomes.

0
Colorado Privacy ActThe Colorado Privacy Act: Explained

The Colorado Privacy Act: Explained

On July 8th, Colorado Governor Jared Polis signed Senate Bill 190, the Colorado Privacy Act (CPA), into law. The Act is the third comprehensive state privacy law in the United States, following California’s Consumer Privacy Act and Virginia’s Consumer Data Protection Act.

The CPA is applicable to businesses that collect and store data on more than 100,000 individuals or those earning revenue from the data of more than 25,000 consumers. The bill also includes various data subject rights, a broad opt-out consent model with a universal opt-out mechanism, a right to cure, and attorney general rulemaking and enforcement. It is set to go into effect on July 1, 2023.

The CPA carries specific rights for the consumer including:

  • Opt-out of processing of personal data.
  • Authorization of another person to act on behalf of the consumer to opt-out of the processing of personal data for purposes of targeted advertising or the sale of consumer data.
  • Confirm whether personal data is being processed and access that data in a portable and readily usable format.
  • Correct inaccurate personal data.
  • Delete personal data.
  • Obtain consent before collection of certain sensitive personal data (data that reveals race or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation or sex life, citizenship or citizenship status, or genetic or biometric data).

The right to opt-out model gives consumers a user-selected universal opt-out mechanism for executing their opt-out right, however, it applies to targeted advertising and the sale of information. Consumers cannot opt out of unnecessary and irrelevant collection of information.  Controllers must comply with the universal opt-out. Consumer requests must be verifiable, and a controller may deny the request if the request cannot be authenticated.

All consumers are provided the opportunity to appeal any denials of request. Under the act, all controllers are required to respond to a consumer’s request to exercise their rights within 45 days of receiving the request. The time period may be extended an additional 45 days with a notice of delay and reasons for the delay.

The controllers must receive a consumer’s consent before processing a consumer’s sensitive information. Consent must be a clear, affirmative act signifying a consumer’s freely given, specific, informed and unambiguous consent. Consent cannot be obtained by way of acceptance of general or broad terms of use. While the CPA requires consent to process “sensitive” personal data, the bill exempts protected health information and de-identified information under HIPAA, financial institutions and nonpublic personal information under the Gramm-Leach Bliley Act, information regulated by the Fair Credit Reporting Act, Children’s Online Privacy Protection Act, and the Family Educational Rights and Privacy Act, and information regulated by the Driver’s Privacy Protection Act of 1994. The CPA also exempts information maintained for employment records purposes.

Under the CPA, controllers are also required to conduct and document data protection assessments of each of its processing activities that involves personal data acquired when conducting processing that presents a heightened risk of harm to a consumer.

Controllers must provide a privacy notice to the consumer including:

  • Categories of personal data collected, processed, and/or shared with third parties,
  • Purposes for processing such data,
  • Categories of third parties with whom the controller shares personal data,
  • How and where consumers may exercise their rights, and
  • Whether the controller sells personal data or processes personal data for targeted advertising.

Data security practices must be appropriate to the volume, scope, and nature of the personal data processes and nature of the business. While the CPA carries these consumer rights and provides for several controller obligations, it does not offer a private right of action.

The Attorney General has the capability to address outstanding compliance concerns and ambiguities ahead of the law’s effective date. The Attorney General and state district attorneys will enforce the CPA. Under the bill, there is a 60-day cure period to rectify non-compliance provided before the Attorney General or district attorney may take enforcement action. The cure period is only provided until January 1, 2025, and noncompliance can result in civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. Again, consumers are not given the private right of action under the bill.

We anticipate more states will begin to enact legislation that will encourage the regulation of sensitive data processing and enhance consumer privacy rights. Octillo will continue to monitor any developments regarding the bill. Our team of highly skilled attorneys are especially equipped to help your business implement a proactive plan to help mitigate risk and remain compliant with emerging laws.

*Attorney Advertising. Prior results do not guarantee similar outcomes. *

Subscribe to our Newsletter.

PrivacyVirginia, Oklahoma, and Florida Join Growing List of States With Proposed Privacy Legislation

Virginia, Oklahoma, and Florida Join Growing List of States With Proposed Privacy Legislation

Since California’s Consumer Privacy Act (CCPA) was passed in 2018, Octillo has seen a slew of other states follow suit in proposing and enacting their own comprehensive data privacy bills. Most recently, lawmakers in Virginia, Oklahoma, and Florida have joined the growing list of states with proposed privacy bills. So far this year, New York, Washington, and Minnesota have also introduced legislation governing the ways companies collect, store, use, and share consumer data and we expect to see other laws emerging in the coming months with still no federal data privacy bill in sight.  

Working with experienced privacy counsel can help build out data privacy programs that stand the test of time and contemplate emerging legislation.   

Below is an overview of the Virginia and Oklahoma proposed bills, their requirements, and their potential impact on the data privacy landscape. 

Virginia Consumer Data Protection Act (SB 1392) 

The Virginia proposal is quickly moving through the Virginia state legislature and is likely to be the next comprehensive state data privacy law on the books. This bill passed the Virginia House of Delegates on January 29th by a wide margin and was unanimously approved in the Senate on February 3rd. Assuming Governor Northam signs it into law, the Virginia Consumer Data Protection Act is set to go into effect on January 1, 2023. 

Who Does It Apply To? 

Companies that conduct business in Virginia or “produce products or services that are targeted to” Virginians would have to comply with the Virginia Consumer Data Protection Act if they: 

  • Control or process the personal data of at least 100,000 Virginians; or 
  • Control or process the personal data of at least 25,000 Virginians and derive over 50% of their gross revenue from the sale of that data. 

The Legislation does provide exemptions for financial institutions governed by the Gramm-Leach-Bliley Act, entities subject to HIPAA or HITECH, non-profits, and educational institutions. 

What Is Included? 

Included in this Bill are several requirements not covered under the CCPA or any other U.S. privacy law. One such obligation requires entities that control personal data to conduct protection assessments of any activities that use personal data for specific purposes, such as targeted advertising. These data protection assessments may be requested and evaluated by the attorney general to ensure compliance. 

This Act would afford Virginia consumers with several rights regarding their personal data, including the right to opt-out of the sale or use of their information for targeted advertising or profiling. It would also allow consumers to delete their data, move their data, correct inaccuracies in their data, and confirm if their data is being processed upon request.  

Notably missing is a private right of action through which consumers could seek damages for alleged violations. Instead, enforcement of the Act would be left exclusively to the attorney general, who may seek up to $7,500 per violation. 

Oklahoma Computer Data Privacy Act (HB 1602) 

Introduced on January 19, 2021 by Representatives Josh West (R) and Collin Walke (D), this Bill has bipartisan support in the Oklahoma House of Representatives. Its intended purpose is to give Oklahomans more online privacy by taking aim at tech companies. If passed, the Oklahoma Computer Data Privacy Act would go into effect on November 1, 2021. 

Who Does It Apply To? 

If passed, this act would apply to companies that operate in the state of Oklahoma and collect Oklahoman’s personal information or have information collected on their behalf, determine the purpose for and means of processing that information, and satisfy one of the following thresholds: 

  • Has an annual gross revenue exceeding $10 million; 
  • Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or 
  • Derives 25% or more of their annual revenue from the sale of personal data. 

What Is Included? 

Companies subject to this legislation would be required to disclose what personal information they hold on a consumer and allow for the deletion of that information upon the consumer’s request. This proposal also mandates consumers opt-in to providing their personal data, which differentiates it from most other state privacy laws, like the CCPA. The Oklahoma Computer Data Privacy Act also differs from the CCPA in its inclusion of a broad private right of action through which Oklahoma residents could seek damages up to $7,500 for violations. 

Florida House Bill 969 (HB 969) 

Introduced on February 15th by Representative Fiona McFarland (R), House Bill 969 would place several requirements on businesses that deal with Florida residents’ private information. If passed, it would go into effect on January 1, 2022. 

Who Does It Apply To? 

For-profit companies that do business in Florida and collect personal information about consumers, have personal information collected on their behalf, or determine the process and means of processing personal information will have to comply with this Bill’s requirements if they satisfy one of the following thresholds: 

  • Has an annual gross revenue exceeding $25 million; 
  • Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or 
  • Derives 50% or more of their annual revenue from the sale of personal data. 

What Is Included? 

HB 969 would require that applicable businesses notify consumers about their data collection and selling practices before or at the point of data collection. Under this Bill, consumers would also have the right to request their data be disclosed, corrected, or edited and the right to opt-out of having their personal information disclosed or sold to a third party. 

Applicable businesses would be required to implement reasonable security protocols to protect their consumer’s personal data. Also included is a private right of action through which a consumer “whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access” may seek damages for violations of the Bill. The Department of Legal Affairs would be authorized to bring other enforcement actions, up to $2,500 per unintentional violation and $7,500 per intentional violation. 

Potential Impact 

Currently, the data privacy landscape in the United States is a patchwork of enacted and proposed laws, all with their own requirements and consumer rights, creating a confusing web for companies operating in more than one jurisdiction. While advocates of these state privacy laws argue for the protection of consumers’ data in an increasingly digitally-driven world, opponents argue that the potential risk of operating within states who have enacted comprehensive privacy laws may deter businesses from expanding their operations there. 

A federal privacy law that could rectify the many differences between individual state laws would simplify this landscape, making it easier for companies to protect their consumers’ data and operate efficiently while complying with regulations.  

Octillo is closely monitoring these, and other emerging privacy laws. In the meantime, companies that collect personal data should start thinking about privacy compliance by conducting a baseline privacy assessment and starting to develop relevant policies and procedures. Octillo attorneys, who are also technologists and certified privacy professionals, are happy to help counsel your business on compliance with the CCPA, GDPR, and other pending and enacted privacy legislation.  We work with clients of all sizes to build out data privacy programs and address compliance matters.  

Subscribe to our newsletter. 

*Attorney advertising – prior results do not guarantee future outcomes. 

1 2 3 11