Thanks to a trio of recently enacted privacy laws, businesses in the U.S. and around the world have a series of obligations when it comes to handling the personal information of consumers.
Taken together, California’s Consumer Privacy Act, the European Union’s General Data Protection Regulation, and Nevada’s Senate Bill 220 encompass everything from digital advertising to relationships between businesses. Navigating their overlapping requirements can be a challenge, especially for first-time founders.
To help founders get a handle on the requirements, we’ve organized them into a side-by-side, high-level guide with a focus on implications for startups. As noted in the disclaimer below, the guide is not a substitute for legal advice; you should consult your legal advisor for the particulars of your situation before making any decisions on matters covered by this post.
The California Consumer Privacy Act (CCPA)
Enacted in 2018, the CCPA went into effect on Jan. 1. The CCPA protects the privacy rights of California residents and requires businesses with a website and customers in California (which means most businesses) to disclose how residents’ personal information is used and what data the company collects on them. The statute gives residents the option to refuse the sale of their personal information and the right to sue in case of a data breach.
General Data Protection Regulation (GDPR)
The European Union implemented the GDPR in 2018 to protect people’s online data. The law, which governs how businesses obtain and handle personal information, requires companies to consider data protection “ .” Companies that fail to comply with the GDPR, which allows people to request their online data, face steep fines.
Nevada Senate Bill 220
Nevada’s new privacy law (Senate Bill 220) closely tracks the framework of the CCPA. The law applies to owners and operators of for-profit internet websites or online services who collect covered information from Nevada consumers who seek or acquire any good, service, money or credit from an operator’s internet website or online service. The law gives residents the right to opt out of the sale of their “covered information,” defined as any contact or relevant information about an individual collected through an internet website or online service.
Comparing the privacy laws
Businesses that have taken steps to comply with the GDPR may not need to start over completely for the CCPA and Nevada Senate Bill 220. However, it helps to have all your bases covered. The following table compares the main requirements of each law for ease of reference.
Steps to take to be compliant
Our partners at Orrick have provided helpful tools, free of charge, to help your organization assess its compliance with these data privacy laws. Theirand can offer insights that help you determine steps you may need to take. As always, we recommend that you consult with your legal counsel to ensure you are taking the right steps for your organization’s particular situation.
At LTSE’s family of companies, we run, plus . To make it easier for our customers to vet our data security and privacy practices, we implemented a unified and across all our legal entities, products and services. This approach comes with the added benefit of simplified maintenance and customer communications should we change our products and subprocesses in the future.
Thanks to my colleagues& for their input.
Disclaimer: The author is not a licensed attorney, LTSE is not a law firm and neither is providing legal advice herein. The following summaries are not, and do not purport to be, complete and are qualified in their entirety by reference to each of the statutes at issue. Before making any decisions on matters covered by this article, readers should consult their legal advisors about their own particular situation.