Privacy Law Update: April 26, 2021
Never a dull moment in the Privacy world!
The draft EU Regulation on Artificial Intelligence (the “Regulation,” available here) imposes a broad range of requirements on both the public and private sectors, which are summarized in this alert. Some of these requirements already apply (in a similar form) under the EU General Data Protection Regulation (GDPR). This begs the question: What is the impact of the Regulation on the privacy sector, and what requirements already apply?
Corporate Social Responsibility (“CSR”) and Environmental, Social, and Governance (“ESG”) practices have increasingly become priorities for many organizations as they assess their obligations to their employees, customers, and the broader community.
As companies work towards meeting these CSR and ESG objectives, one focus area is data rights and data privacy. Data privacy is increasingly becoming a hot-button issue for lawmakers, as more and more states are considering bills and passing laws in this area. This makes sense given the exponential increase in cyber threats and data breaches. But consumers are looking beyond the current laws and threat of bad actors and increasingly demanding protection for and rights in their data. Approaching data protection as a core business strategy, rather than just a compliance or security issue, can set a company apart from competitors. As a result, rather than playing catch-up with the laws and consumer demands, companies should choose to make data privacy rights a priority and a part of their CSR and ESG plans.
On a Monday, there is a data leak affecting half a billion Facebook accounts; by Tuesday, a bot has scraped 500 million LinkedIn accounts. On Wednesday, Stanford University announces a hack that exposed thousands of Social Security numbers and financial details. Then Thursday, the world’s largest aviation IT company announces 90 percent of passenger data may have been accessed in a cyber-attack. And so on. The cycle is endless.
The sheer number of reports of data leaks, hacks, and scams on affected accounts has now grown so gargantuan that consumers and users are left numb. It might as well be the soaring national debt total—the higher the number, the less we care. But breaches of private data matter. And consumers should be rightly ticked off.
Pending State Privacy Legislation
To date, state lawmakers have introduced bills in 24 states. Alaska, Connecticut, Florida, Illinois, Minnesota, New York, Massachusetts, and Washington are considering multiple bills. One state (Virginia) has passed legislation whereas the bills in six states (Kentucky, North Dakota, Oklahoma, Mississippi, Utah, and West Virginia) have failed.
- Florida HB 969 was substituted on April 14 and overwhelmingly passed the House on April 21. It was referred to the Senate Rules Committee on the same day. The substitute raised the threshold for covered businesses to those with $50 million in global annual gross revenue and pushed the effective date to July 2022. Pending on the Senate floor is SB 1734, which is now drastically different from the House version, which includes a private right of action. The bills will likely be sent to a House and Senate conference committee for negotiations. Industry, including the IC, continues to advocate for amendments, concentrating efforts on the Senate side, as legislators in that chamber have been more receptive to industry concerns.
- Nevada SB 260 was amended in the Senate Commerce and Labor Committee on April 19 and passed the Senate on April 20. It would require data brokers that collect personally identifiable information about consumers in the state to establish a designated address for consumers to opt out of the sale of personal information collected about them. Amendments removed a provision related to the right to cure narrowing to “adjudged to have previously failed to comply,” adding exemptions for consumer reporting agencies, GLBA, HIPAA, incidental sales, fraud prevention services, and publicly available personally identifiable information. The bill also now makes clear that it does not create a PROA.
- Alaska HB 159 is scheduled for a hearing in the House Labor and Commerce Committee on April 23. The governor, who initially supported this measure, appears to be backing off. The bill would grant consumers the right to know when businesses are collecting personal information, what information is being collected, the right to request collected personal information be deleted, and the right to prevent businesses from selling their personal information. The bill would apply to businesses with gross revenues of $25 million or more, those that bought or disclosed the personal information of 100,000 or more persons or households or that sold the personal information of a consumer, household, or device in the last year. HB 159 would also prevent businesses from disclosing the personal information of minors under the age of 13 to a third party and from disclosing or selling the personal information of a minor older than 13 without the consent of a parent or guardian.
- Colorado SB 132 is set for a hearing on April 22 in the House State, Civic, Military, and Veterans Affairs Committee. As passed by the Senate, the bill would task the Joint Technology Committee, during the 2021 interim, to study whether and how the general assembly could address, through legislation, consumer protection concerns related to digital communication platforms.