Additional U.S. States Advance the State Privacy Legislation Trend in 2020
In the wake of the California Consumer Privacy Act of 2018 (CCPA) and an updated Nevada privacy law that took effect in October 2019, states are wasting no time in 2020 introducing new privacy laws of their own.
Joining the chorus of Virginia and Florida, this month state lawmakers in New Hampshire, Washington state, and Illinois released their respective takes on what residents’ bolstered privacy rights and businesses’ corresponding obligations should look like. What follows are high-level, informational overviews of these new legislative drafts.
Introduced on January 8, 2020, New Hampshire’s HB 1680-FN is closely aligned with the CCPA. The bill’s drafters adopted the CCPA’s text nearly wholesale in some instances – although not its October 2019 amendments – adding state-specific gloss in certain areas. The draft bill’s effective date is currently set as January 1, 2021, with enforcement by the state attorney general beginning six months after the publication of final rules or July 1, 2021, whichever is sooner.
Lack of CCPA Amendments. That HB 1680-FN curiously does not contain the CCPA’s eleventh-hour codified amendments means that in some respects the Granite State’s bill is arguably stricter than the CCPA.
Accordingly, the proposed NH bill does not provide the CCPA’s qualified and time-limited exemption for certain written or verbal business-to-business communications. Likewise, it lacks the same with respect to the CCPA’s temporary exemption for employees, job applicants, and contractors.
HB 1680-FN also does not contain the condition that “personal information” (PI) be “reasonably capable” of being associated with a particular consumer or household, removing the element of “reasonableness” welcomed by most businesses.
Data Breach. Whereas the CCPA defines “personal information” in relation to California’s data breach notification law – which uses a much narrower definition of PI than the CCPA, the New Hampshire bill does not define PI by referencing another law. Accordingly, at present, the type of “nonencrypted or nonredacted” (versus the CCPA’s “nonencrypted and nonredacted”) personal information that may trigger the private right of action in HB 1680-FN is significantly expanded compared to the CCPA.
Definitional Changes. The NH bill does not adopt the CCPA’s definitions in every respect. For instance, the CCPA’s “PI” definition’s carve-out for “publicly available” information is further refined in the NH bill, which holds that information is not “publicly available” if the data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records.
Other Relevant Provisions. The New Hampshire bill includes other significant provisions that merit attention and monitoring. This includes omission of the CCPA’s explicit reference in Section 1798.175 that its provisions are not limited to online or digital PI collection. It is unclear at this time whether New Hampshire lawmakers formally intend to exclude offline PI collection from the bill’s scope.
In addition, the NH bill does not include the CCPA’s provision that it preempts all rules, regulations and other laws adopted by a city, county, municipality, or local agency regarding the collection and sale of consumers’ PI by a business. This may provide an opening for more restrictive local ordinances involving consumer privacy.
After failing to enact a new privacy law in 2019, this month, Washington state Sen. Reuven Carlyle (D-Seattle) introduced a new version of the Washington Privacy Act (WPA), Senate Bill 6281. On January 23, 2020, the Senate Committee on Environment, Energy & Technology held a hearing on the WPA, adopting several amendments to the bill. If passed, the WPA, which aligns more closely with the GDPR than the CCPA, would become the most comprehensive privacy law in the United States, and would go into effect on July 31, 2021. Given the short legislative term in Washington state, by April we should know the fate of this year’s legislation.
Scope. The WPA applies to legal entities conducting business in Washington or producing products or services targeted to Washington residents, and that either: (a) control or process the personal data of 100,000 or more Washington residents, or (b) derive 50 percent of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers.
Data Processing Agreements. Unlike the CCPA, which refers to a “business” and “service provider,” the WPA tracks the GDPR and refers to controllers and processors. In addition, the WPA requires a processor’s processing activities be governed by a contract with the controller that sets out the processing instructions to which the processor is bound. Such requirements are absent from the CCPA.
The WPA defines a “sale” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party,” and provides consumers with the right to opt out of the sale of their personal data, and the processing of their personal data for purposes of targeted advertising. Similar to the GDPR, it also provides consumers the right to opt out of any profiling that produces legal or similarly significant effects on consumers.
Sensitive Data. Companies subject to the WPA must obtain affirmative, opt-in consent to process any “sensitive” data. Sensitive data includes: (a) personal data that reveals a person’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (b) genetic or biometric data that uniquely identifies a person; (c) a known child’s data; and (d) specific geolocation data. Although child’s data is listed, the WPA specifically exempts data covered by the Family Educational Rights and Privacy Act (FERPA) and entities compliant with the Children’s Online Privacy Protection Act (COPPA).
Facial Recognition. The WPA also seeks to regulate the commercial uses of facial recognition technology, and requires a “meaningful human review” of facial recognition results when used by the private sector. Affirmative, opt-in consent will be required when using facial recognition technology, and controllers and processors will need to conduct fairness and accuracy tests to ensure such technology does not discriminate.
Data Protection Assessments. Similar to the GDPR, under the WPA, controllers must conduct a data protection assessment of each of their processing activities involving personal data, and repeat the process when a change in processing materially increases the risk to consumers. If an assessment determines the potential risks to consumer rights outweigh the benefits of the processing, the controller must obtain the consumer’s consent to engage in the processing. The WPA’s “consent” definition tracks the GDPR’s, and must be as easy to withdraw as to give. The AG can request that controllers disclose any assessment relevant to their investigation.
Enforcement. The WPA provides the Washington attorney general with exclusive authority to enforce the law, and there is no private cause of action. Civil penalties for controllers and processors that violate the law are capped at $7,500 per violation.
The Illinois Senate entered the fray this month with SB2330, creating the “Data Transparency and Privacy Act” (DTPA), effective July 1, 2021.
This consumer privacy rights bill modifies and builds on an attempt from the previous year, in which the Illinois House passed a bill of the same name that eventually died in a Senate subcommittee.
The DTPA is inspired by the CCPA, as seen in its provisions that in-scope businesses must meet certain notice requirements; its establishment of rights to know, to opt out, and to not be discriminated against for exercising one’s rights; and its limited private right of action. However, differences from the CCPA are present as well.
“Business” Eligibility. Although the DTPA’s definition for “business” maintains the CCPA’s possible threshold of deriving 50% or more of the business’s annual revenue from selling consumers’ PI, it does not include a gross revenue threshold prong as the CCPA does (i.e., businesses with annual gross revenue in excess of $25 million).
The Illinois bill’s other possible eligibility threshold includes arguably ambiguous language, in its wording of “collect[ing] or disclos[ing] the [PI] of 50,000 or more persons, Illinois households, or a combination thereof.” With this sentence structure, and the “Illinois” qualifier appearing only before “households,” it is not clear whether the 50,000 amount is limited to Illinois “consumers” (a defined term, which “does not include a natural person acting in an employment context”), or merely applies to 50,000 persons’ PI collected globally by the business.
In addition, the DTPA does not include the CCPA’s “common branding” provision for controlled or controlling entities – going so far elsewhere in the bill as to exclude from the definition of “sale” any disclosure or transfer of PI to a business’s affiliate. Moreover, the bill excludes from the definition of business “any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owners.”
“Sale” Definition. The DTPA also departs from the CCPA in that the DTPA’s “sale” definition is limited to a business selling, renting, or licensing a consumer’s PI to a third party “in direct exchange for monetary consideration,” rather than the CCPA’s additional inclusion of valuable consideration.
In addition, under the Illinois bill, a sale does not occur when a business “uses a consumer’s [PI] to sell targeted advertising space to a third party as long as the [PI] is not sold by the business to the third party or affiliate.”
This is a significant provision if ultimately enacted, as it could be interpreted to remove from consideration some of the operational difficulty businesses are currently coping with under the CCPA with respect to the companies behind third-party cookies and trackers found on their websites, and mobile applications to whom site visitors’ identifiers and other PI is made available.
Risk Assessments. The DTPA, here more in line with the GDPR than the CCPA, requires that businesses, affiliates, and third parties must conduct risk assessments of each of their processing activities involving PI, and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers. Risk assessments must be made available to the Illinois attorney general upon request.
Such risk assessments must take into account the type of PI to be processed, the sensitivity of information, and an identification of “the benefits that may flow directly and indirectly from the processing to the business, consumer, other stakeholders, and the public,” balanced against the potential risks and safeguards that may be employed to mitigate such risk. Moreover, if the risks outweigh the benefits, the business may only engage in the processing with the consent of the consumer.