Privacy Law Update: March 7, 2022
Stay up to date with this weekly release covering key developments on data privacy laws, technology, and other hot privacy topics!
Utah On The Cusp Of US’s Latest Comprehensive State Privacy Law
Senate Bill 227, the Utah Consumer Privacy Act, cleared the Senate Feb. 25 on a 28-0 vote and the House followed suit with 71-0 approval March 2. There are a few formalities left in the legislative process. The bill will require concurrence with the Senate and signatures from leaders of both legislative chambers prior to 2022 session adjournment March 4. The bill will then head to Gov. Spencer Cox, R-Utah, who can sign the bill within 20 days after receipt, let it become law at the end of 20 days with no signature or veto the bill.
The Florida House Passes Data Privacy Legislation (Again)
The Florida House of Representatives today passed HB 9 by a vote of 103 to 8. The bill would be Florida’s first “comprehensive” data privacy law.
Biden’s Endorsement Could Be A Game-Changer For Kids’ Privacy Legislation
President Biden called on Congress to boost data privacy protections for children and ban digital advertising targeting them during his State of the Union address Tuesday night — a prominent endorsement that could jolt lawmakers into action after years of stagnation.
Why You Shouldn’t Wait to Build Out Your Company’s Data Privacy Function
Waiting even a year or two to start building out a compliant data privacy and management program will cost more, take longer, and be more disruptive to business operations.
Connecticut: The General Law Committee heard Senator Maroney (D)’s SB 6 an act “Concerning Personal Data Privacy and Online Monitoring” on Thursday March 3 but did not take further action. The bill follows a VCDPA-style framework but includes various distinctions. Elements of note include a narrower GLBA exception, no rulemaking, mandatory recognition of opt-out preference signals, a narrow right to cure that sunsets, and a requirement to provide an easy mechanism for revoking consent.
Florida: Representative McFarland introduced a third strike-all for HB 9 that is intended to strengthen the exceptions for warranties and recalls, permit certain advertising measurements, increase the deadline to implement opt-out requests to 4 days, and allow businesses to collect attorney fees when a consumer lawsuit is in bad faith. On Wednesday March 2, the Act passed the State House by a vote of 103-8. The House further rejected a series of amendments offered by Rep Learner (D) aimed at minimizing small business impacts, extending the 3-year deletion schedule, and creating an opportunity to cure in private litigation. The Florida Legislature adjourns on March 11.
The “Florida Privacy Protection Act” (SB 1864), a VCDPA/CPA style bill filed on January 7 by Sen. Bradley (R) has remained idle.
Nebraska: LB1188, a version of the ULC’s “Uniform Personal Data Protection Act” introduced by Sen. Flood (R) was heard on Monday, February 28 by the Committee on Banking, Commerce and Insurance but no action was taken. In announcing the bill, Senator Flood noted that he does not expect the Committee to pass it this year.
Utah: The Utah Consumer Privacy Act (SB 277) has passed the State House and Senate by unanimous votes and will soon be transmitted to the Governor for signature. This is a VCDPA-framework bill but contains notable divergences in the scope of consumer rights and business obligations. If signed, the Act will go into effect on December 31, 2021. A full FPF analysis memo is available in our membership portal.
Virginia: This was yet another busy week for the proposed amendments to the VCDPA. Amendments from Sen. Marsden and Del. Hayes, the original sponsors of the VCDPA (HB 714) (SB 534) that would add “political organizations” to the nonprofit exemption and replace the “Consumer Privacy Fund” with the existing “Revolving Trust Fund” have passed the House and Senate.
An amendment (HB 1259) narrowing the definition of “sensitive data” under the VCDPA that had passed the House by a 96-4 vote on February 15 failed in the Virginia Senate General Law and Technology Committee following testimony in opposition from the Virginia Poverty Law Center and the Future of Privacy Forum.
Amendments to allow controllers that collect consumer data indirectly to treat deletion requests as opt-out of processing for all non-exempt purposes (HB 381) (SB 393) have passed the House and Senate.
Washington State: On Monday February 28, the House Appropriations Committee adopted a second substitute to HB 1850 that appears to drop most of the bill except for the enforcement provisions. The Committee also favorably referred the bill by a 17-16 vote, sending the bill to the House Rules Committee. On Thursday March 3, House rules was “relieved of further consideration” and the Act was placed on second reading. The Act is currently scheduled for the agenda in the *Senate* Ways & Means meetings on March 5 and March 7. The Washington State legislature adjourns on March 10.
There has been no further movement on SB 5062, Senator Carlyle’s 2021 Washington Privacy Act, since it moved to the “Rules White Sheet” on Thursday 2/24.