Taken together, California’s Consumer Privacy Act, the European Union’s General Data Protection Regulation, and Nevada’s Senate Bill 220 encompass everything from digital advertising to relationships between businesses. Navigating their overlapping requirements can be a challenge, especially for first-time founders.
To help founders get a handle on the requirements, we’ve organized them into a side-by-side, high-level guide with a focus on implications for startups. As noted in the disclaimer below, the guide is not a substitute for legal advice; you should consult your legal advisor for the particulars of your situation before making any decisions on matters covered by this post.
The California Consumer Privacy Act (CCPA)
Enacted in 2018, the California Consumer Privacy Act went into effect on Jan. 1. The CCPA protects the privacy rights of California residents and requires businesses with a website and customers in California (which means most businesses) to disclose how residents’ personal information is used and what data the company collects on them. The statute gives residents the option to refuse the sale of their personal information and the right to sue in case of a data breach.
General Data Protection Regulation (GDPR)
The European Union implemented the General Data Protection Regulation in 2018 to protect people’s online data. The law, which governs how businesses obtain and handle personal information, requires companies to consider data protection “by design and by default.” Companies that fail to comply with the GDPR, which allows people to request their online data, face steep fines.
Nevada Senate Bill 220
Nevada’s new privacy law (SB-220) closely tracks the framework of the CCPA. The law applies to owners and operators of for-profit internet websites or online services who collect covered information from Nevada consumers who seek or acquire any good, service, money or credit from an operator’s internet website or online service. The law gives residents the right to opt out of the sale of their “covered information,” defined as any contact or relevant information about an individual collected through an internet website or online service.
Comparing the privacy laws
Businesses that have taken steps to comply with the GDPR may not need to start over completely for the CCPA and Nevada Senate Bill 220. However, it helps to have all your bases covered. The following table compares the main requirements of each law for ease of reference.
Steps to take to be compliant
Our partners at Orrick have provided helpful tools, free of charge, to help your organization assess its compliance with these data privacy laws. Their GDPR Readiness Assessment Tool and CCPA Readiness Tool can offer insights that help you determine steps you may need to take. As always, we recommend that you consult with your legal counsel to ensure you are taking the right steps for your organization’s particular situation.
Thanks to my colleagues Howard Steinberg & Ray Shan for their input.
Disclaimer: The author is not a licensed attorney, LTSE is not a law firm and neither is providing legal advice herein. The preceding summaries are not, and do not purport to be, complete and are qualified in their entirety by reference to each of the statutes at issue. Before making any decisions on matters covered by this article, readers should consult their legal advisors about their own particular situation.