Keypoint: Lawmakers in New York and Minnesota have proposed CCPA-like privacy legislation.

As state legislatures have started to convene for the 2021 session, state lawmakers have once-again proposed CCPA-like privacy legislation. As discussed in our prior post, in early January Washington lawmakers again proposed the Washington Privacy Act. In addition, over the last few days, CCPA-like legislation has been proposed in New York and Minnesota.

It is expected that CCPA-like legislation will be filed in more states over the coming days. Whether this legislation moves forward remains to be seen. With the exception of the Washington Privacy Act, over the last two years privacy legislation proposed in other states has failed to gain any traction.

Key Point: The New York Attorney General’s Office (NYAG) reached a Consent and Stipulation Agreement with Dunkin’ Brands, Inc. (Dunkin), which obligates the company to implement and maintain a comprehensive information security program to protect customers’ private information. The terms of the consent agreement are similar to the terms New York reached with Zoom earlier this year regarding inadequate data security practices, and strongly resemble the reasonable security measures described in the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

Neither agreement mentions the SHIELD Act, but both agreements include promises to comply with key elements contained in it. These agreements, as well as California’s legislative efforts, are creating a baseline for future enforcement cases on the adequacy of information security programs and the promises companies make to protect consumer data.

Key Point: If signed by the Governor, the legislation will require entities doing business in New York to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information.

As it closed its session, the New York legislature passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The bill, which the New York Attorney General’s (“AG”) office strongly supports, is now at the governor’s office for review. New York AG Letitia James stated New York will join the “increasing number of states that require reasonable data security protections, while being careful to avoid excessive costs to small business and without imposing duplicate obligations under federal or state data security regulations.”

If Governor Cuomo signs the bill, New York will build upon its existing data breach notification law, and add a new requirement for data custodians in the private and public sectors to adopt reasonable measures to safeguard sensitive data of New York residents.

One of the myriad of issues arising from the California Consumer Privacy Act (CCPA) is the extent to which financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) must comply with the CCPA’s requirements in light of Section 1798.145(e), which provides that the CCPA “shall not apply to personal information collected, processed, sold, or disclosed pursuant to [the GLBA], and implementing regulations.” Because the CCPA’s definition of “personal information” is broader than the GLBA’s definition of “nonpublic personal information,” financial institutions have been faced with the daunting task of not only data mapping but also classifying that data based on whether it is subject to the GLBA.