States across the nation are considering laws to protect consumer data. California was the first to pass such a law, rolling out the California Consumer Privacy Act (CCPA) in 2018. The California Privacy Rights Act (CPRA) replaced that law via a ballot proposal last year. Now, Virginia has its own data privacy law, and legislatures from Florida to Washington are working on similar bills.

What does this mean for HVAC contractors? That depends on what state they operate in. Or states. It mostly means becoming aware of each of these laws and keeping an eye on what data they collect and what they do with that data.

Most of these proposed laws are based on the European Union’s General Data Protection Regulation. Prior to that rule’s creation, the main concerns around data privacy focused on breaches, when people steal consumer information. Now the focus moves to information the consumer willingly provided. The underlying idea is that consumers were unaware of how providers use that data, such as selling it for marketing purposes or even political analysis.


Who Will Enforce The Law?

Alissa Gardenswartz, an attorney with Brownstein Hyatt Farber Schreck LLP in Colorado, is watching as her state works toward a privacy law. Prior to private practice, Gardenswartz worked for the Colorado Attorney-General. She wonders how many resources her former colleagues will have to actually enforce the requirements of the law.

That’s the question in Virginia, which passed the Consumer Data Protection Act (VCDPA) in March. The law takes effect on Jan. 1, 2023. Justin Golart, an attorney with Troutman Pepper, wonders just “how deep in the weeds the AG will get” once it goes into effect. Even if the state brings an action against a business under the VCDPA, Golart said the business has a certain amount of time to get into compliance.

The VCDPA limits legal action to the state. Private attorneys can’t bring suits under the law. That’s a major sticking point for many legislatures. Attorneys say it’s the main reason Washington State has failed to pass its own privacy act despite several attempts.

In Florida, the House version of a privacy law allows private action, while the Senate version limits action to the state. Attorney Kelly Ruane Mechiondo of Bilzin Sumberg said business groups have pushed back against the private action provision over concerns about class action lawsuits for minor offenses.

The CPRA does allow a private right of action, meaning trial attorneys can sue under the law. The former CCPA also allowed private actions and there were several suits under that law, said Ali Jessani, an attorney with Wilmer Hale. The CPRA also creates a new regulator, the California Privacy Protection Agency, to bring enforcement actions. Not only is the CPPA solely dedicated to enforcing the new privacy law, but it funds itself with money from enforcement actions. This likely means a lot more activity from the state, Jessani said.


What about Smart Thermostat Data?

So how much will these new laws affect HVAC contractors? That’s uncertain. There are thresholds in each law so far, and they’re measured in different ways. Mechiondo said the original threshold in Florida was so low it would have applied even to one-truck contractors. The version currently being considered is based on devices. The California law sets its lowest threshold as collecting data from “50,000 or more consumers or households.” In Florida, it would be “50,000 consumers, households, or devices.”

What does that mean for HVAC contractors?

“It depends on how ‘device’ is defined,” Mechiondo said.

A laptop and a phone are both obviously devices. But what about a smart thermostat? That could very well count. The data provided by a smart thermostat seems harmless. It doesn’t contain medical or financial information. But that doesn’t mean HVAC contractors should treat it lightly.

Smart home devices have already brought a class-action lawsuit under the CCPA. In this case, it involved the hacking of indoor security cameras from Ring. The plaintiffs claimed Ring shared private data with third parties, meaning the hackers, by failing to provide sufficient security. Jessani expects more legal action under the CPRA.

“The CPRA has a very broad definition of what is sensitive data,” Jessani said. “You’re going to see creative lawsuits.”


Name a Privacy Person, Be Transparent

Jessani recommends appointing someone at the HVAC firm to serve as a privacy officer. He said the firm needs to understand all the data it collects and how that data is categorized. Some privacy laws will dictate how quickly and thoroughly businesses need to respond to requests from consumers to purge their data. Jessani also recommends reviewing all contracts concerning data sharing with third-party vendors.

“What your relationship is with the entities that you share data with is becoming an area of increased focus as these new comprehensive privacy laws come into play,” he said.

HVAC contractors who operate in multiple states will need to get familiar with different laws. Gardenswartz said each state law could differ slightly and knowing those differences will help keep HVAC contractors out of trouble. She also said the best defense is transparency.

“You stay out of trouble by being clear with consumers,” Gardenswartz said.

It’s very likely more states will adopt their own privacy laws. Surveys show consumers are concerned about how companies treat their private data. Gardenswartz said there would have been even more movement in this area last year if it weren’t for the pandemic.

“State legislatures have a little more room to think about other things,” she said.

This brings up the possibility of federal legislation. Gardenswartz sees some advantage to a national law rather than a patchwork. She said that approach worked for data breach laws, because they covered rare events, but it works less well for data privacy, which is an ongoing concern.

The sticking point would be preemption, meaning the federal law would serve as either a ceiling or a floor for state laws. Julie Hoffmeister, also with Troutman Pepper, said a federal law seems unlikely at this time.

“Just the way things are moving through the state governments vs. the federal government, I would expect to see a patchwork of laws versus a federal standard,” Hoffmeister said.