As 2020 began, a number of state legislators introduced consumer privacy legislation, and it appeared that there was momentum for significant changes to the national privacy landscape. But as COVID-19 interrupted life across the country, many of these bills were put on hold or failed to pass.
The one exception is California, where the ballot initiative that would further expand obligations in the California Consumer Protection Act is moving full steam ahead, despite the challenges of collecting signatures during the pandemic. Californians for Consumer Privacy announced on May 4, 2020, that they had submitted a new ballot initiative, the California Privacy Rights Act (CPRA, also known popularly as “CCPA 2.0”), to the state of California with 900,000 signatures in order to qualify for the November 2020 ballot.
If passed, the CPRA would change the current California privacy law in several ways, including by creating a California Privacy Protection Agency to enforce the CCPA through administrative actions, enabling consumers to prevent businesses from using or disclosing their sensitive personal information (such as precise geolocation, health information, and financial information), and increasing fines for privacy violations related to children’s personal information.
Meanwhile, across the country, New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which requires covered organizations to implement information security programs, went into effect on March 21, 2020. There has been no movement on two bills that would further regulate the collection, use, and disclosure of personal information of New York residents, the New York Privacy Act (A8526 / S5642) and the “It’s Your Data Act” (A7736).
For the second year in a row, the Washington Privacy Act (SB 6281) failed to pass, following a dispute among legislators about whether the law should be enforced by the attorney general or through a private right of action. However, Washington legislators did pass SB 6280, which regulates public and private use of facial recognition technology. We provide a review of that new law here.
As we outlined in February, Florida legislators introduced two privacy bills earlier this year. As drafted, HB 963 and SB 1670 permitted consumers to opt out of the sale of certain covered information and prohibited the use of public records requested from state agencies for contacting, marketing, or soliciting consumers without opt-in consent. Both bills were indefinitely postponed and withdrawn from consideration on March 14.
In Hawaii, HB2572 seeks to require explicit consent for organizations to sell geolocation data to third parties or sell “internet browser” information. The bill passed multiple readings in the House as well as its first reading in the Senate before being sent to the Committee on Commerce, Consumer Protection, and Health and the Committee on Technology. This bill updates a geolocation bill proposed during the last legislative session.
The governor vetoed that bill for “lack of clarity,” with the understanding that a new bill would be re-introduced to address geolocation privacy. A public hearing that had been scheduled for March 17, 2020, was cancelled the day before and postponed until further notice.
Meanwhile, in New Hampshire, HB 1680-FN, which is modeled on the CCPA and would provide consumers with rights to access, delete, and opt out of sales, was “referred for interim study” on March 11, 2020, which means it is effectively dead for this legislative session.
Rhode Island’s Senate Judiciary Committee recommended on March 3, 2020, that S 2430 (the Consumer Privacy Protection Act, modeled on California’s CCPA) be held for further study, which means that this bill, too, has died.
As we discussed in March, the Wisconsin legislature proposed a series of three bills requiring “controllers” of personal information to inform individuals of data collection and use practices and creating a right of access (AB 870); allowing a consumer to request deletion in certain circumstances, including where data was being used for direct marketing (AB 871); and requiring consumer consent for processing personal data (AB 872). All three bills failed to pass pursuant to a Senate Joint Resolution on April 1, 2020.