State Law Developments in Consumer Privacy
The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is considered the most expansive state privacy law in the United States. Organizations familiar with the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018, certainly will understand CCPA’s implications. Perhaps the best known comprehensive privacy and security regime globally, GDPR solidified and expanded a prior set of guidelines/directives and granted individuals certain rights with respect to their personal data. The CCPA seems to have spurred a flood of similar legislative proposals on the state level.
Since the start of 2019, at least six state legislatures have already introduced privacy laws mirrored largely on the CCPA. Below are some of the highlights of each state legislative proposal:
- Hawaii – SB 418, introduced on January 24 by two Democrat senators, the Hawaiian bills contains similar consumer rights and requirements for businesses as the CCPA. The current bill text does not include a definition for “business”. Although this will likely be remedied, if left as is, the Hawaiian bill would have a broader reach than the CCPA, which only applies to entities that do business in the state of California.
- Maryland – SB0613, introduced on February 4 by Senator Susan Lee (D), includes similar consumer rights as those in the CCPA, but its right of deletion (popularly known as the “right to be forgotten”) is more extensive as it limits the circumstances under which an organization can deny such a request. Also notable, the bill prohibits discrimination against a consumer for exercising his/her rights and financial incentives for processing personal information.
- Massachusetts – SD.341, presented by Senator Cynthia Creem in early February, this proposal combines key aspects of the CCPA together with aspects of Illinois’s Biometric Information Privacy Act (BIPA). This bill would allow Massachusetts consumers a private right of action if their personal information or biometric information (referred to separately in the bill) is improperly collected. Moreover, similar to the Illinois Supreme Court’s recent holding regarding the BIPA, under the proposed bill, Massachusetts consumers may not have to demonstrate actual harm to seek damages.
- Mississippi – HB 2153, a house bill that was quickly squashed, was the closest in structure to the CCPA, pulling direct language from the California law. Although the Mississippi bill did not succeed, it still signifies how state legislators across the U.S. are considering consumer privacy.
- New Mexico – SB176, introduced on January 19 by Senator Michael Padilla (D), attempts to balance consumer privacy without stifling “innovation and creativity” of companies. Although language differs, key components of the CCPA are present in the New Mexico bill (g. right of access, right of deletion, right to opt out, private right of action).
In addition to the CCPA-like proposals discussed above, other states are also considering unique ways to enhance consumer data privacy for their residents. For example, New York legislators recently introduced at least 4 different consumer privacy related bills, including one on biometric privacy (SB 547) and another that would regulate businesses’ collection and disclosure of personal information (S00224). And several North Dakota legislators, in mid-January, introduced a consumer privacy bill, HB 1485, exclusively focused on the prohibition of disclosure of an individual’s personal information without “express written consent”.
Finally, a group of senators in Washington State, in January, introduced the “Washington Privacy Act,” SB 5376 (WPA). That bill would establish more GDPR-like requirements on businesses that collect personal information related to Washington residents. In addition to requirements for notice, and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on use of automatic profiling and facial recognition.
This state level activity could prompt Congress to move more quickly with one of its proposed bills, the latest being the Data Care Act, which proposes to hold large tech companies, specifically “online service providers”, responsible for the protection of personal information. Much of the private sector, including the Internet Association, comprised of the leading tech companies, is pushing for a federal approach to consumer privacy to prevent the “patchwork of state laws” that has arisen in the area of data breach notification law. Not even three months in, 2019 is already gearing up to be a busy year for consumer privacy law.