While all eyes are on the state of Washington's proposed privacy act during the final legislative week, consumer privacy rights remain a hot topic in a handful of other state legislatures. We reported last month on nine states (including Washington) where bills were introduced in January. Since then, six more states have joined the fray, and a second bill was introduced in Illinois. For the most part, the draft state bills continue to follow the CCPA model, though in many cases the exemptions and details that were added to the CCPA to make it workable are missing. Many of the bills have reached the hearing stage, indicating some legislative interest in them.
Approach: SB134 is a CCPA copycat, with a focus on consumer rights to access, deletion, opt-out of sale, and nondiscrimination.
- Notable Distinctions: The bill contains a private right of action for a breach of any data covered by the statute's broad definition of personal information, unlike the CCPA, which limits the private right of action to breaches involving the sensitive data covered by the state's data breach notification law. This could allow a consumer who believes a business disclosed their data after they opted out of sale to sue, since such a disclosure could be characterized as unauthorized by the consumer.
- Enforcement: The law includes a private right of action, with statutory damages of $100-$750 for data breaches arising from failure to implement reasonable security. The Attorney General can bring suit over any other violation and recover up to $7,500 for intentional violations.
- Proposed Effective Date: January 2021.
- Legislative Action: A public hearing was held on February 25, 2020.
Approach: HB2572 is a narrow bill that targets specific harms and would not grant consumers access or deletion rights. Its main effect would be to require explicit consent before an organization could (1) sell geolocation data to a third party or (2) sell "internet browser" information to a third party.
- Notable Distinctions: Individual rights to access and deletion were removed from the bill following a Feb. 25, 2020 hearing, along with a requirement that data brokers register with the state. In addition to the prohibitions on selling certain types of data without explicit consent, the bill would change the definition of personal information in the state's data breach law to an identifier specific to a person (including an online user name or email address as well as a name) combined with a specified data element (such as an SSN or the last four digits of an SSN, a payment card number, or biometric information). The bill also would require the provider of an electronic communications service or a remote computing service to obtain explicit consent or be served with a search warrant before disclosing communications to a government entity (the bill's authors describe current federal law as the same). Further, the bill would make it a felony to use a device to observe or record another person in a state of undress or sexual activity, or to threaten to disclose such an image, whether of the person or of someone whose physical characteristics resemble the person.
- Enforcement: Not specified in current version.
- Proposed Effective Date: July 1, 2050 (per the legislative report, this is a placeholder meant to encourage further discussion).
- Legislative Action: A hearing was held on February 25, 2020.
Approach: S2430 is a CCPA copycat, with a focus on consumers' rights to access, deletion, opt-out of sale, and nondiscrimination.
- Notable Distinctions: There are no carve-outs from the definition of consumer (e.g., for employees) and no exemptions for data covered by other privacy laws. The bill contains a private right of action for a data breach that applies to the statute's broad definition of personal information, unlike the CCPA, which limits the private right of action to breaches involving the sensitive data covered by the state's data breach notification law.
- Enforcement: No general enforcement scheme is provided, but a consumer whose personal information is subject to unauthorized access because a business failed to implement reasonable security can bring a lawsuit for statutory damages of between $100 and $750.
- Proposed Effective Date: Upon passage.
- Legislative Action: A hearing was held on March 3, 2020.
Approach: HB784/SB957 are copycat CCPA bills that would afford individuals rights of access, deletion, opt-out, and nondiscrimination, with a few modifications from CCPA.
- Notable distinctions:
- The bill requires businesses to provide consumers with the names of third parties to whom the business disclosed their information.
- The exceptions to the right to deletion are more limited and do not allow for internal uses aligned to consumer expectations.
- The bill carves out information that has been pseudonymized, meaning information that cannot be attributed to a specific consumer without additional information kept separately. This is a much easier bar to meet than full de-identification.
- Enforcement: A violation of the bill is an "unfair, abusive, or deceptive trade practice" under Maryland's consumer protection law. Under that law, a consumer can bring an action to recover for injury or loss, Md. Code Commercial Law 13-408, or the Attorney General may bring an action.
- Proposed Effective Date: January 1, 2021.
- Legislative Action: A hearing was held on February 19, 2020 in the Senate.
Approach: HF 3096 is substantively the same as the CCPA, though rewritten to be more concise. It does not include the modifications made in the last round of CCPA amendments; for example, employees retain full consumer rights and there is no exclusion for certain business-to-business communications.
- Notable distinctions: There are no exceptions for data covered by other privacy laws (for example, GLBA or HIPAA). The bill also would not permit financial incentives for the collection and sale of personal information, which would create challenges for many loyalty programs.
- Enforcement: The bill creates a private right of action that allows any person injured to sue for statutory damages between $100 and $750. The state attorney general can also bring an enforcement action.
- Proposed Effective Date: June 30, 2022.
- Legislative Action: The bill was referred to the Commerce committee.
Approach: A series of three bills would require "controllers" to inform individuals of their data collection and use practices and would create a right of access (AB870); allow a consumer to request deletion of data in certain circumstances, including when it is used for direct marketing (AB871); and require a consumer's consent for processing personal data in most situations (AB872). A controller who violates any of these requirements could be liable for fines of up to $20 million or up to 4 percent of annual revenue, whichever is greater.
- Notable Distinctions:
- AB870 would require that, where a controller collects information from a source other than the consumer, the controller inform the consumer of the collection within a month and state the source of the data.
- AB870 would also require disclosure of any use of the consumer's data for automated decisionmaking about the consumer.
- AB871 contains only limited exceptions to the right to deletion and does not have a catch-all category for internal uses aligned to consumer expectations.
- AB872 would require a lawful basis for processing and does not offer legitimate interest as a potential lawful basis. Certain types of sensitive data, such as biometric data or information about race or ethnicity, could only be processed with explicit consent.
- Enforcement: Enforcement by the Attorney General, with GDPR-scale fines.
- Proposed Effective Date: July 31, 2022.
- Legislative Action: A hearing was held on February 12, 2020.
Approach: We reported last month on SB 2330, which would create CCPA-like rights and impose a requirement to conduct privacy risk assessments. A new draft bill, SB 3299, that is a near duplicate of the CCPA was introduced this past month. Both are pending in the state Senate's Judiciary Committee.
Approach: We reported last month on draft bill A2188, which would regulate owners and operators of websites and online services in their use of "personally identifiable information." A3255, introduced last week, would prohibit entities from collecting and selling "personally identifiable information" (defined broadly, along the lines of the CCPA definition of "personal information") without opt-in consent. The bill would also create rights of access and deletion.