US data privacy rights cometh: multiple states contemplating passage of significant data rights legislation
The year 2020 witnessed significant developments in U.S. data privacy law, not the least of which were the effective and enforceability dates of the California Consumer Privacy Act (CCPA), the enforceability of data security requirements under the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), and passage of the California Consumer Privacy Rights Act (CPRA). Less than two months have passed in 2021, and the year already suggests bigger changes to come as the privacy rights pendulum continues to swing.
Legislatures in multiple states currently are considering varying degrees of privacy legislation, some of which closely copy CCPA, and would bring a significant number of jurisdictions closer to privacy rights recognized under the EU’s General Data Protection Regulation (GDPR). Such laws, in turn, would create greater exposure for companies processing U.S. personal data, as well as their insurance carriers. To give a flavor of things to come, below is a synopsis of some of the more prevalent state bills introduced in early 2021, and a brief discussion regarding the potential enactment of the legislation.
S2505/A3005, the New York Data Accountability and Transparency Act (NYDAT Act), would require the New York Secretary of State, in consultation with the New York Department of Financial Services (DFS), to create a consumer data privacy bill of rights, including data rights of access, correction, deletion, control, opting out of sale, and data protection. The legislation also would create a new data privacy agency, the Consumer Data Privacy Advisory Board, and authorize the Secretary of State to promulgate data privacy and security regulations. The bill adopts principles of data minimization and requires New York organizations to (i) “[o]nly collect personal information relevant to the purposes for which they are intended to be used and only to the extent necessary for those purposes,” and (ii) provide notice to the consumer no later than at the time of the data’s collection informing the consumer of the type of personal information collected, and the purpose(s) for the collection. Importantly, the collection of categories of personal information or uses of such information in addition to such notice is prohibited without further advance notice.
A680, the New York Privacy Act (like last year’s version) creates rights of transparency, portability, correction, and deletion, as well as data fiduciary duties. The data fiduciary duty requirements state that “[p]ersonal data of consumers shall not be used, processed or transferred to a third party, unless the consumer provides express and documented consent,” and that persons and organizations that collect, sell or license consumer personal data must “exercise the duty of care, loyalty and confidentiality expected of a fiduciary” for protecting such data and must act “in the best interests” of the consumer “without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.” The bill also would create a private right of action.
S4201/A3586, “It’s Your Data Act,” would criminalize (misdemeanor) the collection, storage or use of a person’s “name, portrait, picture, video, voice, likeness, and all other personal data, biometric data, and location data” for advertising, trade, data-mining, or generating commercial or economic value without the data subject’s consent. It also would criminalize the failure to reasonably protect such data. Like the New York Privacy Act, the bill creates rights of transparency, access, deletion, and data minimization for “personal information,” defined as “information that identifies or could reasonably be linked, directly or indirectly, with a particular consumer, household, or consumer device.” The bill also would create a private right of action.
Outlook – With three prominent bills in a state with a Democratic governor and Democratic majorities in both Houses of the New York State Legislature, there is a very good likelihood that one of these bills – with parts of the others – will be enacted. Given that S2505/A3005, the NYDAT Act, was introduced by Governor Cuomo as part of his 2021 budget, this bill is the current favorite.
SB5062, the Washington Privacy Act, would provide consumers “the right to access, correct, and delete personal data, as well as the rights to obtain data in a portable format and to opt out of the collection and use of personal data for certain purposes.” The bill also would create “affirmative obligations upon companies to safeguard personal data, and provide clear, understandable, and transparent information to consumers about how their personal data is used.” There is no private right of action; instead, enforcement is vested with the Office of Attorney General.
HB 1433, the “People’s Privacy Act,” was written by the Washington State chapter of the ACLU. The bill would provide consumers with rights of disclosure and access/correction, data portability, the right to refuse consent for any processing of personal information that is nonessential to the primary transaction, and deletion. The bill also would prohibit “surreptitious surveillance” of consumers, and require companies to provide both long-form and short-form privacy notices “conspicuously available.”
HB 1433 also would require the Washington State Department of Commerce to promulgate related regulations concerning data rights. The bill also has a data security component, including requiring businesses to “exercise reasonable oversight” over data security “including auditing the data security and processing practices of third parties it provides captured personal information to at least once annually and ensure the third party’s compliance with such contractual provisions.” Further, the company must publish results of the audit publicly on its website.
HB 1433 also has requirements taken from the Illinois Biometric Information Privacy Act (BIPA), mandating that businesses may not collect or process biometric information unless they first provide written notice to the data subject detailing the specific purposes and length of term for which biometric information will be processed, and obtain the data subject’s “freely-given, specific, informed, and unambiguous” consent. Like BIPA, companies also must have publicly-available retention and destruction schedules for biometric data.
The bill also would create a private right of action permitting recovery of actual or statutory damages, punitive damages, and attorneys’ fees. A violation of the bill or related regulation would create “a rebuttable presumption of harm to that individual,” thereby effectively shifting the burden of proof in civil proceedings. The Office of Attorney General also may commence an action under the legislation.
Outlook – On February 7, 2020, the Washington Privacy Act passed the Washington Senate Ways & Means Committee with a vote of 12-1. The People’s Privacy Act remains pending before the Washington House Civil Rights and Judiciary Committee. The People’s Privacy Act is far more expansive, so some of its provisions may be added to the Washington Privacy Act by amendment if the latter legislation were to have the clearer path of passing through both houses of the state legislature.
HB2307, the Consumer Data Protection Act, would create rights of transparency, access, correction, deletion, portability, and opt out rights for “the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The bill defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” There is no private right of action; instead, the legislation would be enforced by the Virginia Attorney General.
Outlook – On January 29, 2021, HB2307 passed the House of Delegates with a vote of 89-9. A substitute bill passed the Virginia Senate Committee of Communications, Technology, and Innovation with a vote of 13-8. So, the bill appears well on its way to being enacted as law.
HB 1602, the “Oklahoma Consumer Data Privacy Act,” has been described as effectively CCPA with a private right of action, recognizing that “individuals within Oklahoma have a right to prohibit retention, use, or disclosure of their own personal data.” The bill would provide rights of notice and transparency, access, opting-out, deletion, protection against discrimination, as well as empower the Oklahoma Corporation Commission to promulgate accompanying regulations.
The bill defines “personal information” similarly to CCPA, to mean “information that identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household.” The private right of action allows for injunctive relief, actual damages, and statutory damages, thereby opening the door for class action litigation.
Outlook – Too early to determine.
HB1330 would amend the North Dakota Century Code to prohibit a company from selling “a user’s protected data to another person unless the user opts-in.” Specifically, the bill states a “covered entity may not sell a user’s protected data to another person unless the user opts-in to allow the sale. To opt-in, the covered entity shall provide the user with the opportunity to affirmatively click or select approval of the sale. The user must be given the opportunity to opt-in to the sale of each type of protected data by individual selection. Protected data collected and sold by the covered entity must be described clearly in plain language to the user.”
The bill defines “protected data” broadly to “include”:
a user’s location; screen name; website address; interests; hometown; professional history; friends or followers; shopping habits; test scores; health conditions, insurance, or interests; internet browsing history; purchases or purchase history; the number of friends or followers of the user; socioeconomic status; religious affiliation; alcohol, tobacco, or drug usage; gambling habits; banking relationships; residence details; children’s information or household information; credit; banking and insurance policies; media usage; and relationship status.
Violation of the bill would subject the company to civil liability of “a minimum of” $10,000, and attorneys’ fees. A knowing violation would have a minimum liability of $100,000, plus punitive damages and attorneys’ fees. The bill also authorizes class action lawsuits.
Outlook – Too early to determine.
SB2612, the “Mississippi Consumer Data Privacy Act,” is another CCPA clone, affording consumers the rights: to know what personal information is being collected about them; to know whether their personal information is sold or disclosed and to whom; to opt-out of the sale of their personal information; to access their personal information; and to not be discriminated against for exercising their data rights. The bill broadly defines “personal information” to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Outlook – Too early to determine, but do not underestimate the legislation’s chances. The state has been quick to recognize other cyber-related laws, and was among the first states to enact e-discovery standards among the state courts.
HB216, the “Alabama Consumer Data Privacy Act,” has been described as a clone of CCPA. The legislation would permit “a consumer to request that a business disclose, categorically and specifically, the personal information the business collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling that information, and the categories of any third parties with which the information is shared.” The bill also would require businesses “to make certain disclosures regarding what information it collects and has collected, and the purposes for which that information is used.”
The bill defines “personal information” broadly to include “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Like CCPA, the bill would create a private right of action relating to data breaches, but would not provide a private right of action for other data rights created under the legislation. Such data rights may be enforced by the Office of Attorney General under Alabama’s Deceptive Trade Practices Act. Like CCPA, the bill also would empower the Office of Attorney General to promulgate accompanying regulations.
Outlook – Too early to determine.