If you’re feeling a creeping sense of panic about drafting compliant privacy terms, relax. You’re still sane, and you’re in good company. We are, in fact, seeing continuous change in state privacy laws, creating overlapping and potentially conflicting obligations. You might be tempted just to add the following to all IT contracts: “Each party shall comply with all applicable laws governing privacy and personally identifiable information, including state, federal, and foreign laws.” That’s actually not a terrible idea, but sadly, it’s probably not enough to ensure adequate contracts. A better strategy might be to picket the office of your U.S. Senator or Representative and refuse to leave until Congress enacts a clear, simple, preemptive federal privacy statute.
We’re going to offer suggestions soon on contract terms addressing this year’s crop of new state privacy laws. In the meantime, here’s a quick update on recent developments:
- Nevada just passed a new law giving consumers the right to opt out of the sale of their personal information. SB 220 resembles the CCPA (California’s new law, discussed below), but it’s narrower. The Nevada law doesn’t apply to business contact information or to employee data (though the CCPA may not apply to the latter either, once amended). The Nevada opt-out right is also limited to sales of information for money, not for other consideration — like an exchange of data for services. And the Nevada law is narrower in other ways, which you can see for yourself if you read the statute. That said, Nevada has one-upped California by putting its law into effect sooner. Businesses around the world will have to facilitate Nevada consumers’ opt-out requests by October 1, 2019.
- Maine has passed an opt-in law for the sale of personal information. Starting on July 1, 2020, ISPs must not sell their Maine customers’ information without customer permission. But the law only applies to ISPs providing broadband. See the text of the statute, L.D. 946, for more information.
- Oregon has expanded its data breach notification rules. Under SB 684, IT vendors must notify injured consumers within 10 days of a data breach — and notify the state attorney general too.
- California’s Assembly passed a series of amendments to the California Consumer Protection Act in May. Most clarify the statute; others modify it slightly. (For one example, see our recent post: Employee Data Likely Excluded from CCPA Rules.) But none has become law; they await action from the California Senate and then, of course, the Governor. Just to make things confusing, the California Attorney General is working in parallel on regulations implementing the CCPA, and we can only guess how the amendments would impact those regulations. In any case, rather than speculate, let’s see what actually becomes law and/or regulation. (Reminder: the CCPA goes into effect on January 1, 2020. But since it governs information collected during the prior year, you should be preparing now.)
David Tollen is the author of The Tech Contracts Handbook, the American Bar Association’s bestseller on IT agreements, as well as a lecturer at U.C. Berkeley Law School. He is an attorney and the founder of Sycamore Legal, P.C., a boutique IT, IP, and privacy law firm in San Francisco. His practice focuses on software licenses, cloud computing agreements, and privacy. And he serves as an expert witness in litigation about those same topics. Finally, David is the founder of Tech Contracts Academy and our primary trainer.
© 2019 by Tech Contracts Academy, LLC. All rights reserved.