Among the four newly passed comprehensive privacy laws signed in April and May–Kentucky, Maryland, Minnesota, and Nebraska—there are new takes on some common requirements from the existing laws and some entirely new requirements.
New Takes on Recent Trends
Right to a list of specific third parties
The Oregon Consumer Privacy Act introduced a consumer’s right to request a list of specific third parties to which the consumer’s data has been shared. Minnesota took a spin on this data subject right in its law, providing the option so long as this information is stored in a format specific to the consumer. Otherwise, the organization must provide a list of all third parties to whom personal information on any consumer was shared.
Right to revoke consent
The New Hampshire and New Jersey laws recently included the right of the data subject to revoke their consent and require the organization to stop processing the data within 15 days. Maryland has adopted a similar requirement but allows the organization 30 days to stop the processing.
Universal opt-out mechanisms
The California Consumer Privacy Act statutes and Colorado Privacy Act were among the first to introduce a requirement to honor universal opt-out mechanisms. Since then, Connecticut, Delaware, Montana, Oregon, and New Hampshire followed suit. Minnesota continued this trend in its new laws so that consumers can opt out of processing for targeted advertising and sale of personal information.
Deidentified data
Maryland’s law followed others to include a requirement that the organization publicly commit to not re-identify deidentified personal information. The Minnesota Consumer Data Privacy Act spin on this requirement says that the processor must seek authorization from the controller before reidentifying any deidentified or pseudonymized data. There has also been a push to include monitoring of contracts with recipients of deidentified data or to require the recipient to make a similar public commitment, which Maryland also continued.
Denied appeals link
Where the organization denies an appeal, the New Hampshire Privacy Act was the first to require that said organization provide the consumer with access to an online mechanism to make a complaint to the AG, if one exists. This was carried over into the Kentucky, Nebraska, Maryland, and Minnesota laws.
Introducing New Requirements
Note that many of these requirements are already best practice.
Material notice changes
Minnesota requires organizations to notify affected consumers of material changes to the privacy notice.
Consent before sale of sensitive information
The Minnesota law also sets a requirement for opt-in consent to be collected before an organization participates in the sale of sensitive information.
Reach out to Privacy Ref with all your organizational privacy concerns, email us at info@privacyref.com or call us 1-888-470-1528. If you are looking to master your privacy skills, check out our training schedule, register today and get trained by the top attended IAPP Official Training Partner.