Taking a cue from the European Union’s expansive new General Data Protection Regulation (GDPR), states have begun looking to safeguard personal information in a way the federal government has so far been unwilling to do following numerous high profile breaches and revelations that Facebook and possibly others have been selling personal data for purposes unbeknownst to consumers.
The
first of its kind in the states, California lawmakers this June adopted the
California Consumer Privacy Act (CCPA) which is considered the toughest and most complex data privacy regulations in the United States. Large companies doing business in California have already adopted policies themselves, essentially spreading the power of the law across the country. However, the law is complicated and its emulation by other states is not guaranteed as evidenced by the actions of Ohio, which enacted the
Ohio Data Protection Act in August.
What is the Impact? This depends on whether the state is taking the “carrot or the stick” approach. Corporate liability is contingent upon the approach the state takes to address the issue. For example, California takes the stick approach requiring as of January 1, 2020, that consumers will be allowed to take legal action against a company that violates tenets of the law. The statute establishes a fairly broad definition of personal information that includes a whole raft of personal identifiers and inferences a company might be able to make about the consumer from that data. Ohio, on the other hand, takes the carrot approach by incentivizing companies that compile and transfer personal data to better protect that information by granting them safe harbor from litigation over breaches if certain conditions are met.
Why it Matters? For the recycling industry, personal data collection is most often mandated by laws designed to address materials theft and there is little evidence to indicate that policymakers’ new focus on data security has taken such mandates into account. Recyclers need to be closely following the policy discussions on data security in their states, particularly if the state and/or localities have mandatory electronic recordkeeping and/or reporting laws on the books. This is because despite the differing approaches seen in California and Ohio, for example, both state approaches indicate it is practically-certain that the personal information collected by recyclers under materials theft laws is going to be covered by almost any new data security law.
Get to the Table Early. If recyclers are not part of the early policy discussions on data security protections, our concerns will not likely be heard or will fall on deaf ears. Recyclers are not considered to be players in this debate and probably do not want to be seen as such. However, the liability and security provisions are far-reaching and without input from the industry, policymakers likely will not connect the fact that
recyclers are not profiting from data collection that is mandated on them. There needs to be an express exclusion in the law that protects recyclers from the extensive liability in these laws and places such liability on the entities requesting the data – mainly law enforcement and/or its private sector agents’ third party data collection agents.
SPAN