A proposed ballot measure that would require businesses to provide annual disclosures to consumers on the collection or sale of personal information has been filed with the California Attorney General. If 365,880 signatures are obtained, it may appear on the November 2018 ballot.
The initiative is based on California’s “Shine the Light Law” which sets forth the procedures companies must follow in disclosing, upon request of a consumer, what information has been shared with third parties. The law also contains specific language to be included in online privacy policies.
Delaware recently amended its data breach notification laws through House Bill 180, which now expands the definition of breach and personal information. It is now among 14 states to impose explicit data security obligations on businesses. While revisions to the law are in some ways more stringent, they are also more balanced by including a risk of harm requirement.
Under the amended law, which will go into effect on April 14, 2018, the definition of breach has been expanded to include not only unauthorized acquisition, but also disclosure of electronic or paper files, media, databases or other data. The law also broadens the scope of personal information to include user name or email address, in combination with a password or security question, and answer medical information, and unique biometric data.
The New Jersey “Personal Information and Privacy Protection Act” was signed into law on July 21, 2017 by Governor Chris Christie and will be effective November 1, 2017.
The law restricts the way retail establishments may collect and use the personal information contained in the electronic data embedded in identification cards, such as driver’s licenses. The law responds to concerns raised by reports related to how businesses use and store personal information obtained from scanned driver’s licenses.
Nevada recently joined California as the second state to require that operators of websites and online services post public notices outlining their privacy practices. The Nevada law, which went into effect on July 1, requires that the posted notice on the website or online service do the following:
- Identify the categories of “covered information” collected through the site.
- Describe the process for consumers to review and request changes to the covered information collected through the site.
- Describe the process by which the operator notifies consumers of material changes to the notice.
- Disclose whether third parties may collect information about a consumer’s online activities over time and across different websites when the consumer uses the site.
- List an effective date.