Live Cyber Attack Lab 🎯 Watch our IR team detect & respond to a rogue insider trying to steal data! Choose a Session


The California Privacy Act (CCPA) Clones Are Coming: States Draft Copycat Laws

Compliance & Regulation

In 2018, the California Consumer Privacy Act (CCPA) was signed into law. Its goal is to extend consumer privacy protections to the internet. The CCPA was heavily influenced by the EU’s GDPR—see our post comparing the two laws. It’s not an exaggeration to say the CCPA is the most comprehensive internet-focused data privacy legislation in the US, and with no equivalent at the federal level.

With the lack of direction in Washington, it’s not surprising that other states have taken a cue from California and drafted their own privacy laws. Before we look at individual CCPA copycat laws from New York, Massachusetts, and other states, let’s review some of the key California concepts that have been copied and tweaked.

Wish They All Could Be California

Under the CCPA, consumers can request the categories and specific pieces of personal information held by covered businesses. Businesses can’t sell consumers’ personal information without providing a web notice (“a clean and conspicuous link”) and a chance for affected consumers to opt-out.

Like the GDPR, there is also a “right to delete”—with some exemptions—consumer personal information on request. The CCPA also gives consumers a limited right of action to sue if they’re the victim of a data breach. There’s a more general ability for the state Attorney General to sue on behalf of residents. However, legislation is in the works to broaden consumer private right of action to sue on other grounds.

Another striking innovation within the CCPA is its very broad definition of personal information: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That covers a lot of ground and is similar to the GDPR’s own expansive view of personal data.

To bring it back to “black letter law”, the CCPA contains a long list of identifiers it considers personal information, including biometric, geolocation, email, browsing history, employee data, and more.  The CCPA also introduces “probabilistic identifiers”.

California goes “meta” with probabilistic identifiers.

Attorneys will be debating what this means, but it appears that data that give a greater than 50% chance of identifying someone will be treated the same as a deterministic identifier. Perhaps a combination of, say, Netflix viewing history and geo location data may be enough to tip the scales. By the way, other states have picked up the probabilistic term in their laws (below).

While the focus — and rightly so —has been on extensive new privacy rights for consumers, there’s also a data security component to the CCPA. The laws calls for companies to “implement and maintain reasonable security procedures”. What does that mean? No one’s sure, though there are some hints that the California government is looking to the Center of Internet Security’s top 20 controls as a baseline.

Two Clones Worth Focusing On: New York and Massachusetts

With no federal answer to GDPR on the horizon, several other states are taking a page from California’s book by drafting their own regulations to give citizens increased control over any personal data. While most of these bills use CCPA as a framework, there are important differences. We’ve even put together a cheat sheet at the end to compare the different proposed state laws. However, let’s focus on two major security efforts coming out of New York and Massachusetts before we look  at the rest.

Massachusetts Data Privacy Law

The proposed Data Privacy Law (S-120) shares a lot of the CCPA language. Consumer access to personal information? Check. Right to Delete? Check. Explicit notification of privacy rights, and  a chance to opt out of third-part sales of data? Check. Broad definition of personal information including probabilistic identifiers? Check.

There are a few important divergences from the CCPA, which include the right for consumers to sue for any violation of the proposed Massachusetts law. Consumers “need not suffer a loss of money or property as a result of the violation” to bring an action. Attorneys point out that there’s enormous potential exposure of Massachusetts companies to class-action lawsuits: plaintiffs can recover up to $750 per consumer. For example, in 2017, almost 400,000 Mass. residents were affected by data breaches, leading to a possible exposure, if the law had been in effect, of almost $300 million for that year.

New York Privacy Act

New York’s proposed S5642  contains some of the hallmarks of CCPA. There’s a right to delete and request personal information. The definition of personal information — “any information related to an identified or identifiable person” — includes a very extensive list of identifiers: biometric, email addresses, network information and more.

Unlike California, New York’s act has a private right of action for any violation of the law! And the law applies to all businesses without any revenue threshold, which differs from California and other states. This makes the proposed NY law quite strict.

The NY bill, though, only requires businesses to disclose to consumers the broad categories of information shared to third-parties. Service providers under contract with the business are exempt from the law, meaning that websites won’t have to disclose information which was shared to other companies hosting data on their behalf, for example. Under some circumstances, consumers would have the right to request copies of specific information shared to third-parties.

Another key difference is the proposed NY law imposes the role of data fiduciary”, forcing all NYS businesses to be legally responsible for the consumer data they hold. And by being held responsible, the NY act takes a very expansive view: “exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker”.

In short: consumers own the data. The NY act also gives them the ability to correct inaccurate information, making it closer in spirit to the EU GPDR. None of the other clones, including California, go that far!

And Now the Other State Privacy Laws

Hawaii Consumer Privacy Protection Act

Hawaii’s SB 418 is very similar to the CCPA, offering all of the same major rights and protections (potentially more, based on the current wording of the bill). While CCPA explicitly applies to websites that conduct business in the state of California, Hawaii’s SB 418 bill has no similar clause. In theory, websites based anywhere in the world could violate law if they don’t offer adequate protection as outlined in the bill. However, the bill is likely to be amended in a later draft to focus solely on Hawaiian-based websites.

Maryland Online Consumer Protection Act

Maryland’s SB 613 is another bill with the potential to expand on the scope of CCPA in some areas. Businesses will have similar obligations to disclose information usage, although, to a lesser degree than under CCPA. And like California and Massachusetts, there’s also the use of “probabilistic identifier” to refer to certain type of personal information.

However, this bill goes beyond the scope of CCPA when it comes to disclosing third-party involvement. Under CCPA, companies only have to disclose if consumer information is being sold to a third-party, but in accordance with Maryland’s SB 613, companies would have to disclose any information that is passed on to third-parties, even if that data is transferred for free. This bill also prohibits websites from knowingly disclosing any personal information collected about children.

North Dakota

North Dakota’s HB 1485, which is currently in the state’s House of Representatives, is the most lightweight bill on this list. The only significant clause of HB 1485 would completely restrict websites from passing on any information to third-parties without the consent of users. There is no right to have information removed or deleted once consent has been granted.

Closing Privacy Thoughts and Chart

With states taking it upon themselves to innovate in this area, it’s perhaps only a matter of time before a federal law is introduced to create a uniform playing field. Let’s see what happens!

In the mean time, there are three lessons to draw from the state experiments. One, PII  will be defined to go beyond ordinary identifiers to encompass probabilistic identifiers (or quasi-PII) that can be used to indirectly identify consumers. Two, the right to delete or be forgotten will become an essential part of privacy laws. And finally, there’s now an understanding among regulators that consumers want to know all the information the companies have about them, backed up with the right to view and possibly correct this data.

Right to Delete? Right to Access? Private Right of Private Action? Broad Definition of PII? Businesses covered Status
California Yes Yes $750/consumer (breaches) Yes (Probabilistic) Revenues over $25 million In effect : 1/1/2020
New York Yes Yes $750/consumer Yes All Pending
Maryland Yes Yes No. (Only through AG.) Yes (Probabilistic) Over $25 million Pending
Massachusetts Yes Yes $750/consumer Yes (Probabilistic)  Over $10 million Pending
Hawaii Yes Yes No Yes All Pending
North Dakota No Yes Limited No Over $25 million Pending

Thinking about how you’ll handle data subject access requests (DSARs) at the state level? Learn more about the Varonis solution!

Andy Green

Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.


Does your cybersecurity start at the heart?

Get a highly customized data risk assessment run by engineers who are obsessed with data security.