June 3, 2020


Additional U.S. States Advance the State Privacy Legislation Trend in 2020

In the wake of the California Consumer Privacy Act of 2018 (CCPA) and an updated Nevada privacy law that took effect in October 2019, states are wasting no time in 2020 introducing new privacy laws of their own.

Joining the chorus of Virginia and Florida, this month state lawmakers in New Hampshire, Washington state, and Illinois released their respective takes on what residents’ bolstered privacy rights and businesses’ corresponding obligations should look like. What follows are high-level, informational overviews of these new legislative drafts.

NEW HAMPSHIRE

Introduced on January 8, 2020, New Hampshire’s HB 1680-FN is closely aligned with the CCPA. The bill’s drafters adopted the CCPA’s text nearly wholesale in some instances – although not its October 2019 amendments – adding state-specific gloss in certain areas. The draft bill’s effective date is currently set as January 1, 2021, with enforcement by the state attorney general beginning six months after the publication of final rules or July 1, 2021, whichever is sooner.

Lack of CCPA Amendments. That HB 1680-FN curiously does not contain the CCPA’s eleventh-hour codified amendments means that in some respects the Granite State’s bill is arguably stricter than the CCPA.

Accordingly, the proposed NH bill does not provide the CCPA’s qualified and time-limited exemption for certain written or verbal business-to-business communications. Likewise, it lacks the CCPA’s temporary exemption for employees, job applicants, and contractors.

HB 1680-FN also does not contain the condition that “personal information” (PI) be “reasonably capable” of being associated with a particular consumer or household, removing the element of “reasonableness” welcomed by most businesses.

Data Breach. Whereas the CCPA defines “personal information” in relation to California’s data breach notification law – which uses a much narrower definition of PI than the CCPA – the New Hampshire bill does not define PI by referencing another law. Accordingly, at present, the type of “nonencrypted or nonredacted” (versus the CCPA’s “nonencrypted and nonredacted”) personal information that may trigger the private right of action in HB 1680-FN is significantly expanded compared to the CCPA.

Definitional Changes. The NH bill does not adopt the CCPA’s definitions in every respect. For instance, the CCPA’s “PI” definition’s carve-out for “publicly available” information is further refined in the NH bill, which holds that information is not “publicly available” if the data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records.

Other Relevant Provisions. The New Hampshire bill includes other significant provisions that merit attention and monitoring. This includes omission of the CCPA’s explicit reference in Section 1798.175 that its provisions are not limited to online or digital PI collection. It is unclear at this time whether New Hampshire lawmakers formally intend to exclude offline PI collection from the bill’s scope.

In addition, the NH bill does not include the CCPA’s provision that it preempts all rules, regulations and other laws adopted by a city, county, municipality, or local agency regarding the collection and sale of consumers’ PI by a business. This may provide an opening for more restrictive local ordinances involving consumer privacy.

WASHINGTON

After failing to enact a new privacy law in 2019, this month, Washington state Sen. Reuven Carlyle (D-Seattle) introduced a new version of the Washington Privacy Act (WPA), Senate Bill 6281. On January 23, 2020, the Senate Committee on Environment, Energy & Technology held a hearing on the WPA, adopting several amendments to the bill. If passed, the WPA, which aligns more closely with the GDPR than the CCPA, would become the most comprehensive privacy law in the United States, and would go into effect on July 31, 2021. Given the short legislative term in Washington state, by April we should know the fate of this year’s legislation.

Scope. The WPA applies to legal entities conducting business in Washington or producing products or services targeted to Washington residents, and that either: (a) control or process the personal data of 100,000 or more Washington residents, or (b) derive 50 percent of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers.

Data Processing Agreements. Unlike the CCPA, which refers to a “business” and “service provider,” the WPA tracks the GDPR and refers to controllers and processors. In addition, the WPA requires a processor’s processing activities be governed by a contract with the controller that sets out the processing instructions to which the processor is bound. Such requirements are absent from the CCPA.

Consumer Rights. The WPA provides Washington consumers with the right of access, correction, deletion, and data portability. Like the CCPA, the WPA requires businesses to provide consumers with a Privacy Policy that describes the personal data processed, the reason for processing, the categories of data shared with third parties, and the categories of third parties with whom the data is shared.

The WPA defines a “sale” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party,” and provides consumers with the right to opt out of the sale of their personal data, and the processing of their personal data for purposes of targeted advertising. Similar to the GDPR, it also provides consumers the right to opt out of any profiling that produces legal or similarly significant effects on consumers.

Sensitive Data. Companies subject to the WPA must obtain affirmative, opt-in consent to process any “sensitive” data. Sensitive data includes: (a) personal data that reveals a person’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (b) genetic or biometric data that uniquely identifies a person; (c) a known child’s data; and (d) specific geolocation data. Although a child’s data is listed, the WPA specifically exempts data covered by the Family Educational Rights and Privacy Act (FERPA) and entities compliant with the Children’s Online Privacy Protection Act (COPPA).

Facial Recognition. The WPA also seeks to regulate the commercial uses of facial recognition technology, and requires a “meaningful human review” of facial recognition results when used by the private sector. Affirmative, opt-in consent will be required when using facial recognition technology, and controllers and processors will need to conduct fairness and accuracy tests to ensure such technology does not discriminate.

Data Protection Assessments. Similar to the GDPR, under the WPA, controllers must conduct a data protection assessment of each of their processing activities involving personal data, and repeat the process when a change in processing materially increases the risk to consumers. If an assessment determines the potential risks to consumer rights outweigh the benefits of the processing, the controller must obtain the consumer’s consent to engage in the processing. The WPA’s “consent” definition tracks the GDPR’s, and must be as easy to withdraw as to give. The AG can request that controllers disclose any assessment relevant to their investigation.

Enforcement. The WPA provides the Washington attorney general with exclusive authority to enforce the law, and there is no private cause of action. Civil penalties for controllers and processors that violate the law are capped at $7,500 per violation.

ILLINOIS

The Illinois Senate entered the fray this month with SB2330, creating the “Data Transparency and Privacy Act” (DTPA), effective July 1, 2021.

This consumer privacy rights bill modifies and builds on an attempt from the previous year, in which the Illinois House passed a bill of the same name that eventually died in a Senate subcommittee.

The DTPA is inspired by the CCPA, as seen in its provisions that in-scope businesses must meet certain notice requirements; its establishment of rights to know, to opt out, and to not be discriminated against for exercising one’s rights; and its limited private right of action. However, differences from the CCPA are present as well.

“Business” Eligibility. Although the DTPA’s definition for “business” maintains the CCPA’s possible threshold of deriving 50% or more of the business’s annual revenue from selling consumers’ PI, it does not include a gross revenue threshold prong as the CCPA does (i.e., businesses with annual gross revenue in excess of $25 million).

The Illinois bill’s other possible eligibility threshold includes arguably ambiguous language, in its wording of “collect[ing] or disclos[ing] the [PI] of 50,000 or more persons, Illinois households, or a combination thereof.” With this sentence structure, and the “Illinois” qualifier appearing only before “households,” it is not clear whether the 50,000 amount is limited to Illinois “consumers” (a defined term, which “does not include a natural person acting in an employment context”), or merely applies to 50,000 persons’ PI collected globally by the business.

In addition, the DTPA does not include the CCPA’s “common branding” provision for controlled or controlling entities – going so far elsewhere in the bill as to exclude from the definition of “sale” any disclosure or transfer of PI to a business’s affiliate. Moreover, the bill excludes from the definition of business “any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owners.”

“Sale” Definition. The DTPA also departs from the CCPA in that the DTPA’s “sale” definition is limited to a business selling, renting, or licensing a consumer’s PI to a third party “in direct exchange for monetary consideration,” rather than the CCPA’s additional inclusion of valuable consideration.

In addition, under the Illinois bill, a sale does not occur when a business “uses a consumer’s [PI] to sell targeted advertising space to a third party as long as the [PI] is not sold by the business to the third party or affiliate.”

This is a significant provision if ultimately enacted, as it could be interpreted to remove from consideration some of the operational difficulty businesses are currently coping with under the CCPA with respect to the companies behind third-party cookies and trackers found on their websites and mobile applications, to whom site visitors’ identifiers and other PI are made available.

Risk Assessments. The DTPA, here more in line with the GDPR than the CCPA, requires that businesses, affiliates, and third parties conduct risk assessments of each of their processing activities involving PI, and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers. Risk assessments must be made available to the Illinois attorney general upon request.

Such risk assessments must take into account the type of PI to be processed, the sensitivity of information, and an identification of “the benefits that may flow directly and indirectly from the processing to the business, consumer, other stakeholders, and the public,” balanced against the potential risks and safeguards that may be employed to mitigate such risk. Moreover, if the risks outweigh the benefits, the business may only engage in the processing with the consent of the consumer.

©2020 Greenberg Traurig, LLP. All rights reserved.

About this Author

Gretchen A. Ramos, Shareholder, Greenberg Traurig

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of...

Darren J. Abernethy, Of Counsel

Darren J. Abernethy is a data privacy attorney with more than a decade of experience, including in private practice in Washington, D.C. and as in-house counsel at startups and a leading privacy technology vendor. He advises clients on matters related to advertising technology, privacy and data governance, and FTC best practices.

Darren focuses on the California Consumer Privacy Act (CCPA), the European Union General Data Protection Regulation (GDPR)/ePrivacy, digital advertising, direct marketing, and product counseling.
