Privacy Law Update: February 21, 2022
Georgetown University Law Center’s Kenneth Propp, Université Grenoble Alpes’ Théodore Christakis and Alston & Bird’s Peter Swire, CIPP/US, wrote a post for European Law Blog proposing the creation of a U.S. authority to serve as a foreign intelligence redress mechanism, to help resolve the redress issue in EU-U.S. adequacy negotiations. Propp, Christakis and Swire write that a “Foreign Intelligence Redress Authority” could strike “a non-statutory solution” that is “compatible with the ‘essential equivalence’ requirements of Article 45 of the EU General Data Protection Regulation.”
After Brexit took effect last year, the United Kingdom was no longer subject to the European Union’s General Data Protection Regulation (GDPR). While the UK already follows a data privacy regime that is substantially similar to the GDPR, the approach to data protection in the UK and the EU does differ in a number of ways that affect businesses.
The Personal Information Protection Law of the People’s Republic of China entered into force Nov. 1, 2021. As the first comprehensive personal data law of China, the PIPL imposes a number of legal obligations on businesses in relation to the collection, processing, provision, transfer, deletion and destruction of personal data.
IAB Europe urged reserved judgment regarding the Belgian Data Protection Authority’s ruling against the Transparency & Consent Framework until a resolution is reached. IAB indicated two EU DPAs advised against further use of TCF while “many sources have published partial or incorrect information about the scope of that decision.” The association reiterated it is appealing the decision and has two months to rectify its alleged violations.
Government and private-sector organizations want to update data privacy and management approaches. Dense privacy policies and misleading website cookie notices are legacies of a bygone era. Today, data collection is becoming more ambient, often happening in places where there’s no ability to post a notice at all. Instead, digital experiences have expanded beyond our phones and web interactions, and data is collected in virtually augmented environments, whether through IoT devices on city streets or in our homes.
California: The CPPA held a Board Meeting on February 17th at which Executive Director Soltani gave the following updates:
- The Agency intends to hire 34 total staff with this year’s budget. Informational hearings with experts on key rulemaking issues will begin in March; public sessions to receive stakeholder input will begin in April.
- Formal rulemaking proceedings are expected to begin in Q2 and conclude in Q3 or Q4 of this year (notably after the CPRA’s July deadline).
Connecticut: On February 17, the General Law joint committee voted to “draft” SB 6, an act “Concerning Personal Data Privacy and Online Monitoring.” The bill will be the product of Senator Maroney’s (D) summer working group with stakeholders; however, official text has yet to be published. The Committee Chair anticipates a forthcoming hearing dedicated solely to the consumer privacy bill.
Indiana: SB 358, a VCDPA-style bill that unanimously passed the Indiana Senate on February 1, was heard in the House Committee on Small Business and Economic Development on February 15, where it received a 12-0 vote to “Do Pass Amend.” The successful amendment comes from the Indiana Office of Technology and concerns exceptions for third parties contracting with government entities. The Committee Chairman also offered an amendment to create a private right of action if CSAM appears on the services of large market cap companies; however, it was withdrawn after several committee members raised concerns as to whether the privacy bill would be the appropriate vehicle for such provisions. Furthermore, during public testimony, a representative from the Indiana Attorney General’s office suggested that the AG would not support the bill unless language establishing a specific consumer privacy fund for enforcement is reinserted.
There has been no activity on HB 1261, which was introduced on January 10 by Rep. Carey Hamilton (D) and would create CPRA-style rights to opt out of the sale or sharing of personal information and to restrict the use of sensitive personal information.
Iowa: HSB 674 received an “Amend and Do Pass” recommendation from the House Committee on Information Technology on February 15. The text of this amendment has yet to be uploaded. This bill (along with its companion SF 2208) is essentially the VCDPA.
Kentucky: The Senate Committee on Economic Development, Tourism & Labor held an informational hearing on SB15 on February 15. Sponsor Sen. Westerfield (R) shared that he is preparing a substitute amendment that will: (1) raise the minimum coverage threshold to entities that hold information on somewhere between 10k-100k consumers; (2) add exemptions for organizations that are “affiliates” of entities regulated under existing federal privacy law (like GLBA); (3) add an ‘opportunity to cure’ to the existing injunctive private right of action. The Act appears informed by the VCDPA/CPA frameworks but contains distinctions such as consumer rights to opt out of “tracking,” unique consent standards, and transparency obligations for the locations where data will be stored by third parties.
Maine: On February 15, Senator Rafferty (D) and Representative Talbot Ross (D) introduced the “Maine Consumer Privacy Act” (SP 713/LD 1982). This is a CCPA-style bill with an additional section that creates rights and protections involving small dollar loans to consumers.
Massachusetts: Our legislative tracker has pinged procedural actions on several privacy bills originally introduced in 2021; however, Massachusetts is a ‘roll over’ state and we continue to believe the primary bill to watch is the “Massachusetts Information Privacy and Security Act” (S 2687), which passed through the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on February 1. This bill contains distinct elements from the GDPR (bases for processing); CPRA (definitions and consumer rights); CPA (contractual requirements); VCDPA (enforcement) and ODPA (safe harbor for breach litigation). Staff for Senator Finegold (D) asked us to share with our network that they are open to stakeholder input on this bill and we are happy to share contact information.
Nebraska: LB1188, a version of the ULC’s “Uniform Personal Data Protection Act” introduced by Sen. Flood (R), is scheduled for a hearing on February 28.
Ohio: The “Ohio Personal Privacy Act” (HB 376) “informally passed” in the State House on February 16, but we do not understand this to be a procedurally significant event in the Ohio legislature. The Act includes a right to opt out of sale and various unique elements such as a broad pseudonymous data carve-out and a safe harbor against AG enforcement for adhering to the NIST privacy framework. Note that Rep. Carfagna (R), a key sponsor of the Act, recently announced that he will leave the legislature to join the Ohio Chamber of Commerce.
Oklahoma: On February 16, the House Committee on Technology voted 6-0 to advance the “Oklahoma Computer Data Privacy Act” (HB 2969) from Reps Walke (D), West (R), and Sims (R). The sponsors also introduced two strike-all amendments this week. The first appears broad, and the second raises the minimum revenue threshold for coverage from 10 to 15 million dollars per year. The Act provides that “a business shall not collect a consumer’s personal information directly from the consumer prior to notifying the consumer of each category of personal information to be collected and for what purposes information will be used, as well as obtaining the consumer’s consent.”
HB 3447, a ULC privacy bill filed by Rep. O’Donnell (R) on February 7, has remained idle.
Utah: On February 17, Rep. Cullimore (R) introduced a new version of the “Utah Consumer Privacy Act” SB 227. This is a VCDPA-style bill but contains several notable divergences, including the absence of rights to opt out of “profiling” and of obligations to conduct risk assessments.
Virginia: This was yet another busy week for the proposed amendments to the VCDPA. The Virginia legislative process is somewhat opaque and fast moving, but what follows is our best understanding of the state of play:
- Amendments from Sen. Marsden and Del. Hayes, the original sponsors of the VCDPA (HB 714) (SB 534) that would add “political organizations” to the nonprofit exemption and replace the “Consumer Privacy Fund” with the existing “Revolving Trust Fund” passed the Senate on February 11 and the House on February 15. Both the House and Senate amendments appear to have removed provisions that would have allowed an opportunity to cure only where “deemed possible” by the AG and permit the AG to recover “actual damages” sustained by consumers.
- An amendment (HB 1259) narrowing the definition of “sensitive data” under the Act was replaced by a substitute February 14 to further remove the VCDPA’s consent requirement for sensitive data used for “marketing, advertising, fundraising, or other similar uses related to outreach, communications, or information sharing.” The amendment passed the House by a 96-4 vote on February 15.
- Amendments to allow controllers that collect consumer data indirectly to treat deletion requests as opt-out requests (HB 381) (SB 393) had substitute language incorporated and passed the House on February 9 and Senate on February 14.
Wisconsin: On February 16, the House Committee on Consumer Protection heard AB 957. Unfortunately, the Committee record is sparse and we have been unable to find a recording. Rep. Subeck, the bill’s lone Democratic supporter, was also withdrawn as a supporter. This bill (along with its companion SB 957) is essentially the VCDPA.