Learn About State Laws Protecting Privacy Rights
After completing this unit, you’ll be able to:
- Describe some common state requirements for data breach notifications.
- Describe the impact of CalOPPA on the use of website privacy notices.
- Explain how Salesforce is committed to protecting customers’ data.
On top of the federal privacy statutes that protect specific types of data and specific industries across the United States, states have their own laws addressing privacy protection. It can be tricky to isolate differing state privacy laws, especially when companies and customers frequently do business across state lines. For example, organizations must be aware of whose data they are collecting, where the data subjects reside, and what state laws therefore apply.
Notification Statutes in US States and Territories
Perhaps you have received an email or letter from a company informing you that your personal information was compromised in a security incident. What you may not know is that those letters are carefully crafted to satisfy the requirements imposed by over 50 different US jurisdictions.
Every US state except Alabama and South Dakota, as well as three US territories (Puerto Rico, Guam, and the Virgin Islands), requires organizations that own or maintain personal information to notify individuals when certain data relating to them is accessed or acquired in an unauthorized way. Although they differ in some specific ways, these laws are generally all designed to help provide individuals with information to protect themselves after their personal information is exposed.
State laws differ on the specific data they cover, but they all protect residents’ sensitive information such as Social Security numbers, other government-issued ID numbers (for example, a driver’s license number), and financial account information. Some state laws also protect other data, such as email addresses and passwords, medical information, or biometric information.
Note that these state definitions are generally narrower than the definition of personal data under European laws. For more information about privacy laws in the European Union, see the European Union Privacy Law Basics module.
In addition to the requirement that businesses notify individuals if their personal information has been compromised, some states require that businesses notify a governmental agency, the state attorney general, or credit reporting agencies. The notice must conform to the specific requirements of each data subject’s resident state. For example, data subjects in California must receive a notice that contains specific headings, such as “What We Are Doing.” Notices to data subjects in Rhode Island must contain an explanation of how to request a security freeze.
Massachusetts: A Pioneer in Privacy Law
It’s great that businesses notify you when your personal information has been hacked, but you may be wondering, do they need to do anything to avoid such data breaches in the first place? The answer is yes.
In 2010, Massachusetts became one of the first states to require organizations to implement safeguards on the storage and use of its residents’ personal information. Specifically, the Massachusetts General Law Chapter 93H and its regulations require organizations to develop and implement a written, regularly audited plan specifically designed to protect consumers’ personal information. The plan must include technical, physical, and administrative safeguards, such as limiting the collection of data, restricting access to the data, and monitoring security hazards.
Other states followed suit and passed laws requiring organizations that collect, store, or use their residents’ personal information to take reasonable security measures to protect this data. These laws tend to be vague about the specific measures an organization must implement. That allows organizations some flexibility in their security plans based on their size, industry, and the changing technologies available.
California: Leading the Way
California is often the first jurisdiction to impose obligations on companies to protect the privacy of its residents. Given California’s size and the volume of business that connects to California residents, these obligations and protections frequently become standard practices nationwide.
The California Online Privacy Protection Act (CalOPPA)
This law, the California Online Privacy Protection Act (CalOPPA), defines personally identifiable information to include all details collected about an individual visitor to the website—everything from name to hair color. So if your business runs a website that California residents visit, and you collect any personal information from those visitors, you must abide by CalOPPA.
The Shine the Light Act
The Song-Beverly Credit Card Act
Have you ever been asked for your email address when checking out at a store? Or for your zip code when filling up your car? Another California law regulates questions like these: the Song-Beverly Credit Card Act, or Song-Beverly.
Under this law, retailers and other businesses cannot ask a customer for personal identification information during a credit card transaction. Personal identification information under the law consists of any information regarding the customer other than the information on the credit card.
The customer, the California attorney general, the district attorney, or the city attorney can sue a business violating Song-Beverly for a $250 penalty for the first violation and $1,000 for each subsequent violation. However, the business can avoid the fine if it shows the violation was unintentional and that the violation contravened the business’s policies.
So how can the store clerk ask for your email address or the gas pump require your zip code? A clerk can request your email only if it is clear to the customer that the sale is not contingent on the information. A gas-pump request for zip code falls into a specific exception carved out of Song-Beverly for use of zip codes at retail gas stations in order to prevent identity theft.
The California Consumer Privacy Act (CCPA)
Following in the EU’s footsteps, California implemented its own all-inclusive privacy law, the California Consumer Privacy Act (CCPA), informally known as California’s version of the GDPR. Effective January 1, 2020, California was the first US state to roll out a comprehensive data protection regulation. Similar to the way the GDPR works, the CCPA protects the data privacy rights of California residents and affects businesses that collect or use personal information of Californians (even if the business itself is not in California). Get to know more about CCPA through the California Consumer Privacy Acts Basics module.
The Salesforce Commitment to Privacy
At Salesforce, trust is our #1 value, and we embody that value through our robust security and privacy programs, which are designed to help meet the highest standards in the industry.
Our services have earned numerous security-related certifications based on the administrative, technical, and physical safeguards we use to protect our customers’ personal information. For some of our services, these certifications include:
- The International Organization for Standardization (ISO) 27001 and 27018 standards
- The American Institute of CPAs’ (AICPA) System and Organization Controls (SOC) reports
- The Payment Card Industry Data Security Standards (PCI DSS)
- The German Federal Office for Information Security BSI Cloud Computing Compliance Controls Catalogue (C5)
- The UK Cyber Essentials Scheme
Certain services also have earned the TRUSTe Certified seal, signifying that the privacy certification organization TRUSTe reviewed our privacy practices and found them to be in compliance with their certification standards.
Moreover, Salesforce offers customers a robust data processing addendum containing strong privacy commitments that few software companies can match. Salesforce also publishes Trust and Compliance documentation for each of our major services. This documentation describes the architecture of each service, the security- and privacy-related audits and certifications the service has received, and the applicable administrative, technical, and physical controls. The documentation also describes the infrastructure environment and entities material to our provision of services.
The US’s sectoral approach to privacy law is a fragmented one, differing depending on industry, data type, and regulatory authority. However, don’t underestimate this patchwork of laws. In many cases they contain rigorous requirements, and violations of these laws can lead to substantial penalties and lawsuits. Compliance with all of these laws involves complex thought and knowledge about both the privacy laws themselves and about the business functions that such laws may affect.
- Text of the Massachusetts General Law Chapter 93H
- Text of CalOPPA (Cal. Bus. & Prof. Code § 22575, et seq.)
- Text of the Shine the Light Act (Cal. Civ. Code § 1798.83)
- Text of the Song-Beverly Credit Card Act (Cal. Civ. Code § 1747.08)
- Salesforce Data Processing Addendum
- Trust and Compliance Documentation