Jun 13, 2019
FTC Cracking Down on Lax Data Security
On June 12, 2019, the Federal Trade Commission (FTC) settled with LightYear Dealer Technologies, LLC (LightYear) over a major data breach that occurred in October of 2016 [...]
In recent weeks, Nevada and Maine passed new data privacy legislation. Although these statutes are much narrower than the California Consumer Privacy Act (CCPA), they demonstrate a continuing trend towards U.S. privacy regulation at the state level and impose additional compliance obligations on businesses.
Nevada SB 220 amends the state’s existing law by requiring operators to accept and honor consumers’ requests to opt-out of having their covered information sold to third parties. Notable differences between the Nevada law and CCPA include:
Nevada’s law takes effect on October 1, 2019, which is three months before the CCPA’s effective date. Businesses should keep this expedited timeline in mind while working towards full CCPA compliance.
Maine SP 275 applies only to providers of broadband internet access service, but it broadly prohibits such providers from using, sharing, or selling a customer’s personal information, including internet usage data, unless the customer affirmatively consents or the practices comply with specific provisions of federal law.
Providers may not decline to provide service, assess penalties or provide discounted rates based on whether the customer provides or declines to provide consent for the use, disclosure or sale of her information. The new law also requires providers to implement reasonable data security measures to protect customers’ information and provide notice of customers’ rights at point of sale and on the provider’s website.
Maine’s law takes effect on July 1, 2020.