Privacy Law Update: February 28, 2022
Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!
Newsworthy Updates
CPRA regulations delayed past July 1 deadline, expected Q3 or Q4
The CPRA provides for regulations to be finalized by July 1 to allow for a six-month compliance window ahead of the law’s Jan. 1, 2023 effective date, but a surprise announcement from the CPPA suggests a compliance scramble is on the horizon. While offering a rulemaking update at a recent board meeting, CPPA Executive Director Ashkan Soltani indicated completion of the rulemaking process will go beyond the July target date.
The data harvested from our personal devices, along with our trail of electronic transactions and data from other sources, now provides the foundation for some of the world’s largest companies. Personal data is also the wellspring for millions of small businesses and countless startups, which turn it into customer insights, market predictions, and personalized digital services. For the past two decades, the commercial use of personal data has grown in wild-west fashion. But now, because of consumer mistrust, government action, and competition for customers, those days are quickly coming to an end.
At the current time, the IAPP Westin Research Center is tracking comprehensive consumer privacy bills in 22 states. Many states, including Alaska, Hawaii, Massachusetts, New York, Pennsylvania, Washington, Wisconsin, and New Jersey, have multiple privacy bills pending. Most of the bills listed in the chart are described as “in committee,” and two states (Indiana and Oklahoma) have bills in cross-committee status. According to the IAPP, the focus of the bills selected for the tracker is on bills that provide legislative approaches “governing the use of personal information in a state.”
Privacy and Data Protection – The Year of Privacy Framework Implementation
For those involved in supporting a privacy and data protection program, continued expansion of new regulatory requirements will likely be the biggest trend in the coming year. Whether it be new laws being discussed, pending, or already in place such as those in a U.S. state or at the country or regional level – privacy experts and the organizations they support cannot escape the constant change. Along with this continually evolving environment comes the need to adjust the privacy program to address new requirements. In addition, those in charge of privacy policy and implementation sometimes struggle to support frustrated line-of-business leaders who don’t understand or appreciate privacy program requirements and see privacy as a distraction or barrier to productivity.
Countdown to State Law Privacy Compliance: 10 Months to Go | New Rules for Sensitive Personal Data
As noted in our intro alert for this series, new omnibus privacy laws are coming to Virginia and Colorado and California’s existing comprehensive privacy law has been further modified by the CPRA. Don’t wait to implement your compliance updates as it could require changes to your operations. These state privacy laws can even apply to businesses that do not have offices or employees in that state. The new laws can also reach activities conducted outside of the applicable state.
Privacy Legislation
California: Last week saw multiple amendments to the CPRA introduced including:
- AB2871 filed by Rep Low (D) would extend the B2B and employee data exceptions indefinitely.
- AB2891 also filed by Rep Low (D) would extend the B2B and employee data exceptions until 2026.
- AB 2273 filed by Reps Wicks (D) and Cunningham (R) would create an “Age-Appropriate Design Code” modeled on the UK ICO’s code.
- AB 2486 filed by Rep Gabriel (D) would create an ‘Office for the Protection of Children Online’ within the CPPA.
- SB1172 filed by Sen Pan (D) would apply specific limitations on proctoring services.
Connecticut: The text of Senator Maroney (D)’s SB 6, an act “Concerning Personal Data Privacy and Online Monitoring,” has been released. The bill follows a VCDPA-style framework but includes significant distinctions. Elements of note include a narrower GLBA exception, no rulemaking, mandatory recognition of opt-out preference signals, a narrow right to cure that sunsets, and a requirement to provide an easy mechanism for revoking consent. A General Law Committee hearing has been scheduled for March 3rd.
Florida: On Wednesday 2/23, the House Judiciary Committee voted 13-4 to favorably report HB 9. The Committee also adopted a new strike-all offered by sponsor McFarland intended to narrow the applicability of the Act to large companies engaged in online advertising and also ramp up relief available under the bill’s private right of action based on the size of a business. The committee further rejected a series of amendments offered by Rep Learner (D) aimed at minimizing small business impacts, extending the 3-year deletion schedule and 48-hour deadline to implement opt-out requests, and creating an opportunity to cure. On Thursday 2/24 the Act was placed on the House ‘Special Order Calendar’ for March 1.
The “Florida Privacy Protection Act” (SB 1864), a VCDPA/CPA style bill filed on January 7 by Sen. Bradley (R) has remained idle.
Iowa: The Iowa House privacy legislation has been renumbered and placed on the calendar as HF 2506. This bill (along with its companion SF 2208) follows the VCDPA.
Kentucky: On Thursday 2/24, HB 586 was introduced by Reps Pratt (R) and Decker (R). This bill closely follows the VCDPA, yet lacks a right to opt out of profiling and requires “clear notice and an opportunity to opt out” of processing sensitive data, rather than “consent.”
SB15 picked up a third sponsor, Sen. Schickel (R). We continue to await an anticipated substitute amendment from Sen. Westerfield (R) that will: (1) Raise the minimum coverage threshold to entities that hold information on somewhere between 10k-100k consumers; (2) add exemptions for organizations that are “affiliates” of entities regulated under existing federal privacy law (like GLBA); (3) add an ‘opportunity to cure’ to the existing injunctive private right of action. The Act appears informed by the VCDPA/CPA frameworks but contains distinctions such as consumer rights to opt out of “tracking,” unique consent standards, and transparency obligations for the locations where data will be stored by third parties.
Nebraska: LB1188, a version of the ULC’s “Uniform Personal Data Protection Act” introduced by Sen. Flood (R) is scheduled for a hearing on February 28.
Ohio: The “Ohio Personal Privacy Act” (HB 376) has been “re-referred” to the Rules and Reference Committee. The Act includes a right to opt-out of sale and various unique elements such as a broad pseudonymous data carve out and safe harbor against AG enforcement for adhering to the NIST privacy framework.
Utah: On Wednesday 2/23, the Senate Revenue and Taxation Committee advanced the Utah Consumer Privacy Act (SB 277) by a 6-0 vote. The Committee also adopted a substitute amendment that included the alignment of certain definitions with the VCDPA, adjusted controller/processor contracting requirements, and strengthened the consumer right of access. This is a VCDPA-style bill but contains notable divergences, such as lacking rights to opt-out of “profiling” or obligations to conduct risk assessments. On Thursday 2/24, the Act passed a second reading in the Senate.
Virginia: This was yet another busy week for the proposed amendments to the VCDPA; what follows is our best understanding of the state of play:
- Amendments from Sen. Marsden and Del. Hayes, the original sponsors of the VCDPA (HB 714) (SB 534) that would add “political organizations” to the nonprofit exemption and replace the “Consumer Privacy Fund” with the existing “Revolving Trust Fund” continue to advance. The House bill passed the House 100-0 on February 15 and was reported by the Senate General Laws Committee 14-0 on February 23. The Senate bill passed the Senate 38-1 on February 11.
- An amendment (HB 1259) narrowing the definition of “sensitive data” under the VCDPA passed the House by a 96-4 vote on February 15 but has not yet seen movement in the Senate.
- The House version of a pair of amendments to allow controllers that collect consumer data indirectly to treat deletion requests as an opt-out of processing for all non-exempt purposes (HB 381) (SB 393) has passed both the Virginia House and Senate by unanimous votes.
Washington State: SB 5062, Senator Carlyle’s 2021 Washington Privacy Act, has moved to the “Rules White Sheet.” It is not immediately clear from looking up Washington State Lawmaking Rules what significance this carries. Last year, the Act passed the Washington State Senate but stalled out in the House after receiving significant amendments (that went on to inform HB 1850).
HB 1850, the “Washington Foundational Privacy Act” which passed the House Committee on Civil Rights and Judiciary on February 2 was tentatively scheduled for a second hearing in the House Committee on Appropriations on Thursday, but was subsequently removed from the agenda. The bill would create opt out rights over targeted advertising, data sharing, and profiling, which may be exercised by user-enabled global privacy controls. The bill would further require annual registration of covered entities, create a Consumer Data Privacy Commission (with rulemaking authority), and provide for private rights of action.
Wisconsin: On Tuesday 2/22, the Committee on Consumer Protection reported AB 957 on a 5-3 vote and adopted an amendment that (1) amends the definition of “biometric” information; (2) limits the right of access to once per year free of charge; and (3) modifies the right of deletion where data is collected from a third party. On Wednesday 2/23, the Wisconsin Assembly voted to enact AB 957 on a 59-37, largely party-line vote, with Republicans mostly in favor. On Thursday, the bill was read for the first time in the Senate and referred to the Committee on Government Operations, Legal Review and Consumer Protection.
There has not been movement on SB 977 / AB 1050, a CCPA-style bill that has been introduced by Wisconsin Democrats.