Privacy Law Update: May 2, 2022
The Connecticut Senate voted 35-0 to advance Senate Bill 6, an act concerning personal data privacy and online monitoring, to the House. The bill features provisions for “dark patterns,” recognition of global opt-out mechanisms, explicit children’s privacy measures, a right to cure that sunsets, and a July 1, 2023, effective date. A strike-all amendment adopted in the final Senate vote moved the coverage threshold up to companies holding data on more than 100,000 users and clarified the definition of biometric data. The House will move right to floor consideration once the bill is transmitted.
The Wall Street Journal reports on a bipartisan appetite within the U.S. Congress to take action on federal privacy legislation. Talks among key U.S. Senate and House committees are reportedly finding more areas of compromise toward guardrails for collection, storage and use of consumers’ personal information. Discussions around preemption are fluid and include perspectives from TechNet, a Big Tech lobby group working with Congressional leaders and previously lobbying at the state level for laws modeled after Utah and Virginia’s privacy laws. “The engines are revving on this in a way they haven’t in a long time,” TechNet Senior Vice President Carl Holshouser said.
EU institutions announced a political agreement on the final text for the Digital Services Act. The legislation includes various prohibitions on targeted advertising, specifically the targeting of minors and ads based on sensitive personal data. European Commissioner for the Internal Market Thierry Breton said the DSA shows “the time of big online platforms behaving like they are ‘too big to care’ is coming to an end,” while European Commission President Ursula von der Leyen said the regulation “will upgrade the ground-rules for all online services in the EU.” The DSA will immediately take force once adopted but applies to platforms 15 months after its entry into force.
One of the benefits of GDPR and similar U.S. state privacy laws is that many companies are forced, cajoled, or encouraged to ask permission before capturing, analyzing, repackaging and selling the information they gather about you. Apps delivered under the new laws call attention to behind-the-scenes data activities, when past versions would have quietly hidden the evidence. So now we are more likely to see when a website grabs our personal information and to decide whether we like it. Score one for transparency.
Transborder data flows are among the most significant and complex issues in the privacy profession at the moment. As the U.S. and EU work to finalize the highly anticipated Trans-Atlantic Data Privacy Framework, an announcement involving the other side of the North American continent aims to help mitigate some global complexity and promote data flows with privacy protections.
Calling it “a historic moment for international cooperation in the digital sector,” U.S. Department of Commerce Secretary Gina Raimondo announced Thursday the creation of the Global Cross-Border Privacy Rules Forum along with Canada, Japan, the Republic of Korea, the Philippines, Singapore and Chinese Taipei.
Consumers are burnt and disenchanted with privacy in the 21st-century digital world that has seen endless data breaches, spats about cookies and walled approaches, the pandemic and nonstop disinformation. They’re fed up with tech companies, advertisers and marketers that use their data however and wherever they like. It’s a tenuous relationship at best and their inaction only fuels consumers’ demands for accountability, transparency and change.
The Internet has been revolutionary. It provides unprecedented opportunities for people around the world to connect and to express themselves, and continues to transform the global economy, enabling economic opportunities for billions of people. Yet it has also created serious policy challenges. Globally, we are witnessing a trend of rising digital authoritarianism where some states act to repress freedom of expression, censor independent news sites, interfere with elections, promote disinformation, and deny their citizens other human rights. At the same time, millions of people still face barriers to access, and cybersecurity risks and threats undermine the trust and reliability of networks.
California: The California Privacy Protection Agency’s pre-rulemaking public stakeholder sessions have been scheduled for May 4-6 via Zoom. The CPPA reports that 140 stakeholders have registered and will have 7 minutes each to speak. FPF team members will present on consumer opt-out rights; automated decisionmaking; and data minimization.
We continue to track a series of privacy bills in California, some of which would amend the CPRA directly and others that would create new obligations for regulated entities. A non-comprehensive list of recent legislative activity on significant bills follows:
- AB 2273 filed by Reps Wicks (D) and Cunningham (R) would establish an ‘Age-Appropriate Design Code’ requiring services likely to be accessed by children (under 18 years old) to establish the age of consumers with a level of certainty appropriate to risks and to implement default limits on profiling, collection & use, ‘dark patterns,’ etc. This week the bill was significantly amended, including removal of the “best interests of the child” standard from its operative text (covered in detail by Amelia Vance here). The bill previously passed the Privacy & Consumer Protection Committee by a 9-0 vote on April 19.
- SB 1189 filed by Senator Wieckowski (D) would impose new BIPA-style requirements on biometric data (with a 1-year retention schedule and statutory damages capped at $1,000 per day). On April 5 the bill passed the Senate Judiciary Committee by a 7-2 vote. On April 25 it was heard in the Senate Appropriations Committee and advanced to the Suspense File.
- SB 1276 filed by Sen. Durazo (D) would provide that “shared mobility service data” is not covered by CalECPA and would authorize government agencies to require that providers of shared mobility services turn over vehicle and trip data. The bill sponsor removed the bill from the agenda of a committee hearing scheduled for Tuesday, April 26.
Connecticut: On Thursday 4/28, SB 6, an Act Concerning Personal Data Privacy and Online Monitoring, passed the Connecticut State House by a 144-5 vote. The bill will now travel to Governor Lamont for his signature, which would make Connecticut the fifth U.S. state to enact comprehensive privacy legislation. The bill is closely based on the Colorado Privacy Act.
Florida: There are increasing indications that Florida may take up privacy legislation in a special session, though no formal announcement has yet occurred. It is unclear what legislative approach to privacy a special session may take, though as a reminder, HB 9 passed the state House in early March (CCPA-style + limited PRA).
Pennsylvania: HB 2202, originally introduced in December 2021 by Rep. Mercuri (R) with 23 Republican and 7 Democratic cosponsors, has been scheduled for a hearing in the House Consumer Affairs Committee on May 25. This is a fairly unique bill containing elements of both the CCPA and VCDPA; it lacks a definition of “sensitive data” and would require recognition of opt-out signals.