States Aggressively Pursue Data Privacy and Security Measures

In light of recent controversies, governments have sought aggressive new data privacy and security measures.  In the U.S., the Federal Trade Commission (FTC) considers itself “the nation’s primary privacy and data security enforcer and one of the most active privacy and data security enforcers in the world.”  A number of other federal agencies also seek to regulate privacy, cybersecurity, and IoT. 

But individual states have also proposed new measures aimed at protecting consumer privacy, and companies should remain mindful of their requirements.  Recent measures include:

• Proposed legislation in New York that would require all electronics manufacturers to reveal technical information about Internet-connected products, including security cameras, computers, smart-home devices, video-game platforms, and smartphones;

• New York Mayor Bill de Blasio’s announcement of NYC Secure, a cybersecurity initiative aimed at protecting New Yorkers online;

• The Massachusetts Senate’s bill to amend the State’s breach notification law by expanding company requirements before, during, and after a breach; and

• The Colorado Senate’s recently passed bill requiring State agencies to annually assess the use of encryption techniques and blockchain to protect confidential state records.

New Jersey has been particularly vigilant.  Earlier this month, a Chinese software and electronics company agreed to pay the State $100,000 and change its business practices to resolve allegations that it violated disclosure requirements while collecting children’s personal information through its mobile apps.  New Jersey Attorney General Gurbir S. Grewal accused the company of violating the federal Children’s Online Privacy Protection Act (COPPA) and the New Jersey Consumer Fraud Act by failing to notify parents and obtain their consent before collecting personal information from children under the age of 13.  The settlement requires the company to provide notice of what information it collects from children, how it uses such information, and its disclosure practices for such information for any website or app geared toward children.  The company will also obtain verifiable consent from parents prior to the collection, use, or disclosure of children’s personal information, and provide reasonable means for a parent to review the personal information collected from a child. 

The New Jersey Attorney General’s Office also recently announced a new unit called the Data Privacy & Cybersecurity Section.  The unit will be responsible for enforcing laws meant to protect the State’s residents’ data privacy and cybersecurity.  It will also advise state agencies on compliance with cyber-related laws and standards. 

Increased scrutiny of data privacy and security will only continue as malicious actors seek new attack vectors and governments scramble to respond.  With the FTC and other federal agencies seeking to regulate IoT and related products and services, it is important that companies remain vigilant to ensure compliance with state and local laws as well.