Page 9 - Delaware Lawyer - Spring 2020

 compromised in a security breach.
These laws have overlapping and sometimes contradictory requirements. State data-breach notification laws, for example, vary widely on the types of personal information covered, what constitutes a “breach” that requires notification, whom a breached organization must notify and when, and what information the notification must contain.
More recently, the U.S. privacy legal landscape has become much more complicated with the adoption by several states of new privacy laws that focus on other privacy practices:
• In 2016, Delaware joined California and Nevada in regulating online privacy by adopting the Delaware Online Privacy and Protection Act (DOPPA).3 Among other requirements, DOPPA mandates that website operators that collect personal information from Delaware residents conspicuously post and comply with comprehensive privacy policies that address a list of enumerated topics.
• Several states, including Illinois,4 Texas5 and Washington,6 have adopted laws that regulate the collection, use and disclosure of biometric data such as fingerprints, retina or iris scans, and scans of hand or face geometry. Illinois’ law, which includes a private right of action, has led to an onslaught of class actions. Defendants in those actions have included online social network and photo sharing sites whose offerings use facial recognition technology7 and employers who use finger- and handprint-based time and attendance systems.8
• Vermont,9 Nevada10 and California11 have adopted laws directed toward so-called “data brokers,” meaning companies that collect and sell personal information of individuals with whom they have no direct relationship. Vermont and California’s laws require data brokers to register with the state attorney general and pay an annual fee, while Nevada’s law requires any business that sells information to data brokers to offer individuals an opportunity to opt out of those sales.
This increasingly fragmented patchwork of federal and state privacy laws imposes substantial burdens on businesses, especially small and mid-size organizations with limited resources available to understand and implement measures to comply with a diverse array of requirements. Its value to consumers is also questionable: their personal information is subject to a confusing and inconsistent set of rules that vary depending on where they reside, where a business is located, and the sector in which the business operates.
The CCPA and its Copycats
Motivated by the perceived gaps created by the fragmented approach to privacy regulation — especially for information collected, shared and sold by internet and technology companies — California adopted the CCPA in 2018. The law applies to any for-profit business that “does business” in California and meets certain revenue or data collection thresholds, and comprehensively regulates how those organizations collect, use and share “personal information.” That term, as defined in CCPA, applies to any information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular [California] consumer or household.”12
The CCPA imposes a highly prescriptive set of privacy rules for covered businesses and provides California consumers with various new privacy rights. Those rights include a right to opt out of “sales” of their personal information — a term that is defined broadly to include any disclosure of personal information by a business to a third party for “valuable consideration.”
The law’s enforcement mechanisms include civil penalties by the California Attorney General of up to $7,500 for each violation of any of the law’s provisions.13 It also includes a private right of action with statutory damages of up to $750 per consumer for data breaches that result in the compromise of personal information covered by California’s existing data-breach notification law.14
Although enforcement of the CCPA by the California Attorney General will not begin until July 2020,15 the law is already affecting covered businesses. Among other tasks, those businesses must prepare new and detailed notices and privacy policies; develop and implement mechanisms to address the law’s detailed requirements for receiving, verifying and responding to individual rights requests; and evaluate and update any arrangements with business partners and vendors that involve the disclosure of personal information. And they must do so in an environment of significant uncertainty: since the CCPA was passed in 2018, it has already been amended twice, and the Attorney General’s implementing regulations, which are meant to provide guidance on how various CCPA requirements should be interpreted, are not expected to be finalized until after the law becomes effective on January 1, 2020.
Businesses struggling to ready themselves for the CCPA have reason to be worried their work is far from over: in 2019 at least 14 states — including Massachusetts,16 New York,17 New Jersey18 and Washington — saw the introduction of CCPA “copycat” bills. While all those bills generally track the substance of CCPA’s comprehensive approach to privacy regulation, some include significant modifications in key areas. Those areas include the scope of the private right of action, exemptions for information subject to other laws, and the thresholds for