Navigating the Many Worlds of State Consumer Privacy Laws

Privacy of consumer data is a legal issue that will affect the fenestration industry into 2020 and beyond. No less than 27 states are in the process of writing or enacting their own privacy statutes. The various approaches to consumer protection can differ wildly, are very technical, and impose substantial fines for the failure to comply.

An example is the California Consumer Privacy Act (CCPA). Passed in 2018, the CCPA becomes effective January 1, 2020, and will start being enforced in July. The act applies to any entity that “does business in California” and generally has gross revenue exceeding $25 million. Its scope protects various forms of personal information, including simple things like name and address information. Companies who fit the requirements of the CCPA must be able to address consumer data access requests, opt-out demands, and have updated privacy policies. Penalties for non-compliance include inunctions, statutory damages assessed per-resident and per-incident, and fines for each violation – whether intentional or simply negligent.

Another example is Nevada’s privacy act that into effect in October of 2019 as one of the nation’s first. It requires similar protections as the CCPA but applies to any company who targets Nevada’s residents. Pennsylvania, Massachusetts, and Rhode Island are developing models similar to Nevada.

These state efforts are being pursued because there is currently no comprehensive federal system governing consumer data privacy. Internationally, the approach has been to set broader, uniform standards like the European Union’s Global Data Protection Regulation (GDPR) or the Personal Information Protection and Electronic Documents Act (PIPEDA) used in Canada. Notably, the EU and Canadian approaches substantially mirror each other, easing the compliance requirements for companies.

This patchwork of existing and future U.S. privacy regulations complicates forecasting recommendations for compliance and risk management. Some points, however, are worth addressing now because the penalties and class action litigation risk presented by data-privacy failures are real and expensive.

It starts with learning what rules might currently apply because avoiding risk begins with being able to identify it. Companies must know their market regions, whether requirements apply to the business model in those regions, and what protections are required. A little early education is better than a crash course in the standards and requirements after a claim comes in. Resources for this education can be found in third-party consultants, commerce/consumer divisions of state governments, and even fenestration industry association groups.

Next, take stock of what consumer data is being generated, gathered, and retained. Website and newsletters can often request or retain information about consumers that might apply to a particular data protection scheme. Cookies and traditional methods used by companies to manage data privacy requests can work, but they also present gaps when consumers use various devices to interface with companies. Knowing how consumer data comes in can help identify what protection tools are available in hardware and software, and across access points.

If consumer information must be protected, document compliance efforts. Specific inventories of the data requiring protection, steps taken to protect that data, and periodic evaluations of the protections and data sources can present a lot of work. As a practical matter, however, many current consumer data protection regulations require a company to prove its innocence when faced with a potential privacy breach or claim relating to abuses of consumer data. Without established policies and

documented efforts to protect consumer information, companies can have little defense to alleged privacy claims.

Finally, look for opportunities to make changes. Protection of consumer data is likely to prove a business-reality for the foreseeable future. With states currently developing various approaches to protections of consumer information there may still be time to voice concerns about the costs and burdens these systems can impose. Look for the opportunities to have input into the development of these protection systems because their obligations may be with us for a number of years.