Privacy Law Update: February 7, 2022
Optimized data management and data security are critical within any organization. However, given the sheer amount of data that businesses collect daily, this is easier said than done. When data accuracy, quality, storage and security suffer, it can lead to poor decision making, data breaches and non-compliance issues. This is where data remediation becomes necessary, as it helps businesses clean up, organize, and efficiently move their data to a secure and clean environment.
Companies believe effective privacy management improves trust, transparency, and provides a return on investment, scotching the notion that data protection is a compliance burden and additional cost. According to technology vendor Cisco’s “2022 Data Privacy Benchmark Study,” published Jan. 26, 83 percent of the more than 4,900 security professionals globally who responded to the survey said privacy laws have had a positive impact on their business. Another 90 percent said they would not buy from an organization that does not properly protect its data, while 91 percent indicated external privacy certifications are important in their buying process.
The Belgian Data Protection Authority fined IAB Europe 250,000 euros Wednesday, ruling its Transparency and Consent Framework, used by much of the advertising industry in the European Union, does not comply with several EU General Data Protection Regulation provisions. Through data processing under the TCF, which “facilitates the management of users’ preferences for online personalised advertising,” the DPA found IAB Europe acts as a data controller and can be held responsible for potential GDPR violations. The authority also ruled IAB Europe did not establish a legal basis for processing and failed to appoint a data protection officer, conduct a data protection impact assessment, or maintain a register of processing activities. The DPA also argued it is difficult for users to “maintain control over their personal data” under the framework, as the information provided is “too generic and vague to allow users to understand the nature and scope of the processing.”
Virtual retail platforms have experienced impressive growth over the past few years, and the pandemic moved many more shoppers online. In 2020, U.S. consumers spent more than $790 billion online, representing a staggering 32% year-over-year increase. While we could easily assign these changes to the Covid era, there’s plenty of reason to believe they signal a more permanent development. Those who have learned to shop online are likely to continue doing so, at least to some degree. According to McKinsey, “Consumer intent to shop online [post-pandemic] continues to increase.”
Alaska: The “Consumer Data Privacy Act” (HB 159 / SB 116), a CCPA-style bill with a potential ‘backdoor’ private right of action introduced in 2021 at the request of Governor Dunleavey has slowed down. Following industry opposition and an announcement from Labor & Commerce Committee Co-Chair Fields (D) that he is considering an amendment that would limit the scope of covered entities, multiple scheduled hearings on the bill were either cancelled or addressed other matters. A House Judiciary Committee hearing is currently scheduled, pending referral, for February 7.
Hawaii: The “Hawaii Consumer Privacy Act” (HB 2051) received a hearing in the Committee on Higher Education and Technology on February 2nd. Following testimony in opposition from several industry groups, the Committee recommended ‘deferral,’ which we understand to mean that the bill is likely dead for this session. The 112-page bill had appeared to closely follow the CPRA but without any private right of action. There are still several live VCDPA-style bills pending in the Hawaii legislature.
Indiana: SB 358 passed the Indiana State Senate on February 1 by a 49-0 vote. The Act very closely tracks the VCDPA but includes a couple of wrinkles such as adding protections for trade secrets and an explicit carve out for “aggregated” data. The Act would also give businesses discretion to provide a “representative summary” of data in response to consumer access requests and limit the requirement to provide information in response to DSARs to once per year. A late amendment to the bill further removed the “Consumer Privacy Fund” for financing AG enforcement and corrected multiple instances where the bill referred to “HIPPA.”
Kentucky: SB 15 picked up a second co-sponsor, Senator Alvarado (R). The Act appears informed by the VCDPA/CPA frameworks but contains distinctions such as consumer rights to opt out of “tracking,” unique consent standards, and transparency obligations for the locations where data will be stored by third parties. The Act would also create a limited injunctive private right of action for particular violations.
Massachusetts: The Boston Globe reports that the “Massachusetts Information Privacy and Security Act” passed through the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on February 1. The Committee’s website has not been updated, but we are attaching a link to what we understand to be the latest text (S.46/H.142) at the bottom of this email. Many unique elements of the Massachusetts proposal (such as annual opt-in consent requirements, a broad private right of action, and ‘duty of loyalty’) appear to have been removed. The Act now trends towards CPRA-style consumer rights, Colorado-style business obligations, and a unique approach to designating “lawful bases” for processing information. FPF is continuing to analyze the latest text and welcomes input.
Nebraska: LB1188, a version of the ULC’s “Uniform Personal Data Protection Act” introduced by Sen. Flood (R) has been scheduled for a hearing on February 28.
Virginia: Multiple proposed amendments to the VCDPA are marching through their respective committees:
Amendments to allow controllers that collect consumer data indirectly to treat deletion requests as opt-out requests (HB 381) (SB 393) have passed two House committees by votes of 8-0 and 21-0 and a Senate General Laws and Technology Subcommittee by a 14-0 vote An amendment from the original sponsors of the VCDPA (HB 714) (SB 534) that would add “political organizations” to the nonprofit exemption; allow an opportunity to cure only where “deemed possible” by the AG; permit the AG to recover “actual damages” sustained by consumers; and replace the “Consumer Privacy Fund” with the existing “Revolving Trust Fund” passed a House Subcommittee by an 8-0 vote. An amendment to exempt 501(c)(4) organizations from the VCDPA (SB 516) (HB 552) passed the Senate Commerce and Labor Committee by a 15-0 vote. An amendment (HB 1259) that would provide that “sensitive data” under the Act “shall only be considered sensitive data if used to make a decision that results in a legal or similarly significant effect for a consumer” has been assigned to a House Commerce and Energy subcommittee.
Washington: The Washington Foundational Data Privacy Act (HB 1850) from Reps. Slatter (D) and Berg (D) received a second hearing in the House Civil Rights & Judiciary Hearing on February 2. The Committee narrowly voted (9-8) to refer a substitute bill to the Appropriations committee. Significant changes in the substitute bill and amendments adopted during the committee hearing include: Expands the definition of targeted advertising to include use of data from affiliate websites. Modifies the right to correct to remove discretion for controllers to take into account the nature and purposes of data processing. Directly roots the bill’s private right of action in Washington’s consumer protection act. Delays the effective date for many of the act’s provisions until July 31, 2023. Directs the Consumer Data Privacy Commission to undertake rulemaking on specific topics. New clarifications of the division of enforcement activities between the Consumer Data Privacy Commission and the State AG. In short, HB 1850 would create opt out rights over targeted advertising, data sharing, and profiling, which may be exercised by user-enabled global privacy controls. The bill would further require annual registration of covered entities and data protection assessments and create a Consumer Data Privacy Commission (with rulemaking authority).
Wisconsin: On February 3, Rep. Zimmerman (R) introduced AB 957 along with 20 Republican and 1 Democratic cosponsors. This bill is essentially the VCDPA.