Privacy Law Update: May 10, 2021
Private right of action proving problematic for state privacy laws
Ten states are currently considering data privacy legislation: Alabama, Alaska, Colorado, Connecticut, Illinois, Massachusetts, Minnesota, New Jersey, New York, and Texas, according to a tracker from the International Association of Privacy Professionals (IAPP). Legislation in several states where a privacy law had strong support—Florida, Oklahoma, and Washington—failed to pass because lawmakers disagreed on enforcement.
Does The Alphabet Soup Of Data Legislation Actually Protect Your Data?
As demonstrated by the recently launched Apple iOS update, which allows consumers to choose whether their apps track them or not, one thing is clear: people are becoming more conscious about the “how” and “who” when it comes to the sharing of their data. However, keeping up with the explosive growth in new state privacy and data security regulations can be confusing to professionals and consumers alike. Adding to the legislative fog is that many of the state-level laws apply extraterritorially, reaching businesses outside the borders of those states. For example, CCPA applies to businesses outside California if the business meets certain thresholds. So, a business in New York may be subject to certain CCPA obligations in relation to its website. The bramble of domestic and global data laws impacts your everyday web surfing, even if you do not realize it.
China is moving to address the issue of data privacy
On Monday of this week, draft rules on the protection of personal data were submitted to the National People’s Congress (NPC) Standing Committee, China’s top legislature, for a second reading. The People’s Republic is preparing to reinforce regulation of today’s Internet giants, which are particularly hungry for large quantities of data. The initiative may also provide Beijing with an opportunity to tighten its grip on Internet-related industries. Has the concern over data privacy prevalent elsewhere in the world finally arrived in China? According to the state press agency Xinhua, the Standing Committee of the National People’s Congress is currently deliberating on regulations to enhance the protection of data privacy.
Pending Privacy Legislation
Proposed Federal Consumer Data Privacy and Security Act
On April 29, 2021, Senator Jerry Moran of Kansas reintroduced a comprehensive federal privacy bill entitled the Consumer Data Privacy and Security Act (the Act). The Act integrates themes from the CCPA and GDPR and provides similar rights and protections, but is more favorable to small and midsize businesses. If signed into law, the Act would create a single federal standard for consumer data privacy and preempt all state consumer data privacy laws.
To whom would it apply?
The Act aims to protect the personal data of all individuals residing in the U.S. and would apply to all businesses under the purview of the Federal Trade Commission as well as non-profits and common carriers. Small businesses are exempt from complying with an individual’s right to access and rights to accuracy and correction. To qualify for the exemption, the business must:
- Have no more than 500 employees;
- Maintain less than $50,000,000 in average gross receipts for the previous three years; and
- Collect and process the personal data of no more than 1,000,000 individuals.
Service providers (i.e., a business that operates under a contract with the business from which it receives personal information) are exempt. However, at the end of the contract or service, the service provider must delete, de-identify, or return the personal data to the business with which it contracted.
What types of information would it cover?
The Act broadly defines personal data to mean information that “identifies or is linked or reasonably linkable to a specific person.” This would include, but is not limited to, a consumer’s real name, postal address, account name, email address, social security number, driver’s license number, or passport number.
What rights would it create?
The Act would provide individuals with the right to:
- Know what categories of personal data are being collected and the reason why they are being collected;
- Access the categories of personal data collected and the categories of personal data disclosed to third parties;
- Ensure that the personal data collected is accurate, and if not, correct it;
- Erase or delete the personal data collected; and
- Export the personal data generated in a machine-readable format and transmit that information to another entity.
What obligations would it impose?
The Act would require a business that collects personal data to:
- Provide notice, in a prominent and easy-to-understand format, of the types of personal data the business collects and the purpose for its collection;
- Obtain either explicit or implicit consent prior to collecting personal data. Consent will be implied where the individual did not decline the collection request and a reasonable amount of time has passed;
- Make publicly available its past and present privacy policies in a clear and prominent location;
- Provide each individual whose personal data has been collected with a clear and easy-to-use means to exercise their rights under the Act;
- Maintain a comprehensive data security program that contains safeguards to protect the security, confidentiality, and integrity of the personal data collected;
- Ensure that service providers have established appropriate privacy and security procedures and controls; and
- Designate a privacy officer whose job it is to oversee its policies and practices related to the collection of personal data.
Businesses may collect personal data without consent to the extent reasonably necessary and for a permissible purpose. The Act establishes the following permissible purposes: (1) provision of service or performance of a contract; (2) compliance with laws; (3) to prevent immediate danger to the personal safety of any individual (including to effectuate a product recall); (4) to prevent fraud and protect the security of the covered entity’s, service providers’, or individual’s rights, property, services, or information systems; (5) research performed by the covered entity or service provider (at the direction of the covered entity); and (6) the covered entity’s or service provider’s operational purposes.
How would it be enforced?
The Act designates the Federal Trade Commission as the federal agency responsible for administering the Act and grants it rule-making authority. A business that violates the Act would be subject to civil penalties amounting to the number of individuals affected multiplied by an amount not to exceed $42,530. In considering the penalty, the following factors will be taken into account: (1) the degree of harm; (2) the intent of the business; (3) the size and complexity of the business; (4) the controls put in place by the business; (5) whether the business self-reported; and (6) the mitigation efforts of the business.
State Attorneys General may also commence a civil action in federal court on behalf of the residents of their state to the extent they have reason to believe that a business is engaging in an act or practice in violation of the Act that threatens the interests of those residents.
- Alaska HB 159 was heard April 23 and May 5 in the House Labor and Commerce Committee, but the bill has not yet been scheduled for a committee vote. The legislature is scheduled to adjourn on May 19. The bill would grant consumers the right to know when businesses are collecting personal information, what information is being collected, the right to request collected personal information be deleted and the right to prevent businesses from selling their personal information. The bill would apply to businesses with gross revenues of $25 million or more, those that bought or disclosed personal information of 100,000 or more persons or households or that sold the personal information of a consumer, household or device in the last year. HB 159 would also prevent businesses from disclosing personal information of minors under the age of 13 to a third party and from disclosing or selling the personal information of a minor older than 13 without the consent of a parent or guardian.
- Colorado SB 190 passed the Senate Business, Labor and Technology Committee on May 5 and was referred to the Senate Appropriations Committee on the same day. SB 190 would grant consumers the right to opt-out of the processing of their personal data; access, correct or delete the data or obtain a portable copy of the data. The provisions would apply to legal entities that control or process personal data of more than 100,000 consumers per calendar year or derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. The bill only permits attorney general or district attorney enforcement. Another bill, SB 132, is scheduled for a hearing in the House State, Civic, Military and Veterans Affairs Committee on May 6. As passed by the Senate, the bill would task the Joint Technology Committee, during the 2021 interim, to study whether and how the general assembly could address, through legislation, consumer protection concerns related to digital communication platforms.
- Connecticut SB 893 was reported out of the Legislative Commissioners’ Office on May 3 and is pending on the Senate floor. The bill would only apply to entities in the state that annually control or process personal data of 100,000 or more consumers, or that control or process data of 25,000 or more consumers and derive 50 percent of their gross revenue from the sale of personal data. The bill would grant consumers a variety of privacy rights, including the right to access, right to correct, right to delete, right to opt out and right to non-discrimination. The bill contains an exemption for financial institutions and data subject to the GLBA, businesses and activities covered by the FCRA, and employee information. The bill would also provide guidelines on the usage and handling of personal consumer information.
- Maine LD 1655 is set for a hearing on May 11 in the Joint Innovation, Development, Economic Advancement and Business Committee. The bill would require data brokers, defined as businesses that obtain and sell or license to third parties or allow third parties to access personal information of a consumer with whom the business does not have a direct relationship, to register with the secretary of state. Consumers would also be permitted to opt out of allowing the sale or lease of or access to the consumer’s personal information. This bill was introduced by Joint Agriculture Committee Chair Margaret O’Neil, D-Saco.