Privacy Law Update: June 1, 2021
It has been nearly a decade since former European Commission Vice President Neelie Kroes pitched plans for an EU Code of Conduct for cloud services. In 2012, data protection was very much a nascent field on European soil: There was no EU General Data Protection Regulation and privacy had hardly reached the priority files of European regulators and was far from an issue at the forefront of public minds. Nevertheless, public and private stakeholders recently gathered to announce the finalization of the first approved code under the GDPR that harked back to Kroes’ original ambitions.
The newly introduced Children and Teens’ Online Privacy Protection Act (CTOPPA) is aimed at overhauling U.S. privacy rules for children’s data under the existing Children’s Online Privacy Protection Act (COPPA). The bill was proposed by Senators Edward J. Markey (D-Mass.) and Bill Cassidy (R-La.) on May 11, 2021.
The EU’s General Data Protection Regulation took effect three years ago today, elevating awareness of privacy and data protection from boardrooms to living rooms and setting a standard for countries and jurisdictions around the world. “Broadly, it’s been really good. It’s been good for the privacy profession, it’s been good for individuals who are at the heart of the GDPR, it’s driven an acceleration of privacy program maturity and privacy technology development, and for privacy professionals it’s been an amazing opportunity,” said BNY Mellon Global Chief Privacy Officer Kirsten Mycroft, CIPP/E, CIPM. https://iapp.org/media/pdf/resource_center/GDPR-at-Three-Infographic_v3.pdf
Pending Privacy Legislation
- Connecticut SB 893, data broker privacy bill passed Joint Appropriations Committee 34-15, passed LCO now on the Senate floor. Connecticut SB 893, which passed the Senate Appropriations Committee on May 17, is still pending on the Senate floor. The bill would only apply to entities in the state that annually control or process personal data of 100,000 or more consumers, or controls or process data of 25,000 or more consumers and derive 50 percent of their gross revenue from the sale of personal data. The bill would grant consumers a variety of privacy rights, including the right to access, right to correct, right to delete, right to opt out and right to non-discrimination. The bill contains an exemption for financial institutions and data subject to the GLBA, business and activities covered by the FCRA and employee information. The bill would also provide guidelines on the usage and handling of personal consumer information.
- Colorado SB 190 Colorado SB 190 passed the Senate on May 26 with adverse amendments that would make this omnibus privacy bill more like the California privacy law. Industry continues to oppose the bill and is working on prioritizing proposed amendments to pitch before the bill sponsors, House leadership and the attorney general’s office. SB 190, which still must pass the House, would require opt-in consent before processing sensitive data, sets broad attorney general rulemaking authority and includes problematic processor obligations that go beyond what was proposed in the Washington privacy model.
- New York SB 6701 is likely stalled on the Senate floor. This consumer privacy rights bill would require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared. The bill is not supported by the attorney general nor is it likely to have an Assembly companion bill.
- Nevada AB 483 Assembly Commerce and Labor work session May 24. Public awareness campaigns privacy collection of PII.
- Nevada SB 260, data broker bill, passed the Assembly on May 21, sent to the Senate.
- Maine LD 1714, Maine Consumer Privacy Act, modeled on CCPA; collection and sale of PII; set of data privacy rights for consumers; repeals existing state ISP privacy law; effective January 1, 2022. On May 20, Senate referral to Innovation Committee but House referral to Energy Committee.
- Maine LD 1529 Resolution, Proposing An Amendment To The Constitution Of Maine To Create A Right To Privacy, May 28 work session in Joint Judiciary. This is up for a work session on the 28th.
- Maine LD 1655, data broker privacy bill was voted down on May 20. Innovation, Development, Economic Advancement and Commerce Committee voted ought not to pass. LD 1720 voted down on May 21 by Innovation, Development, Economic Advancement and Commerce Committee voted ought not to pass. This has some elements of CCPA included but they can’t agree on which committee will handle it.