Businesses that have just about come to terms with the California Consumer Privacy Act (CCPA) may have more privacy rules and regulations to deal with going forward. Legislators in a number of other states across the country have recently proposed their own privacy bills. In many instances, these bills are similar to the CCPA, but some would impose new and different requirements on businesses and, therefore, would compound their obligations and multiply their compliance difficulties.
The Washington Privacy Act (Senate Bill 6281), which failed to pass last year, was reintroduced in the state senate for the 2020 legislative session. The proposed law would, among other things, grant Washington residents with rights to access, correct, delete, port data and opt-out of sale, profiling and targeted advertising.
In addition, there are five other privacy bills that have been introduced. These five bills would:
- Declare that each person owns and has an exclusive property right in the person’s biometric identifiers (House Bill 2363);
- Enact a “Charter of Personal Data Rights” that would establish rights to know what information a business has about a consumer, access that data and receive a copy in a format that allows for portability of data, correct and delete information, and opt-out of data sales (House Bill 2364);
- Require that connected devices sold in Washington have an easy-to-use “user data transmission” sticker (developed by the state’s Office of Privacy and Data Protection) to notify consumers if the device gathers data about them and transmits that data to the device manufacturer or any third party (House Bill 2365);
- Require that all data brokers in Washington register annually with the state’s Office of Privacy and Data Protection, pay a registration fee, provide the state’s chief privacy officer with information regarding the broker’s policies and procedures relating to opt-outs, purchaser credentialing, as well as information about the broker’s use of minor information, and the number of security breaches experienced and consumers affected (House Bill 1503); and
- Make the position of the state’s chief privacy officer a statewide elected position, serving four-year terms (House Bill 2366).
A bill that is strikingly similar to the CCPA has been introduced in Nebraska. The stated purpose of the Nebraska Consumer Data Privacy Act (Nebraska bill) would be to “enhance the protection of private online data.” It would apply to any for-profit entity doing business in Nebraska that collects consumers’ (defined as Nebraska residents, excluding those acting in a commercial or employment context) personal information and that meets at least one of the following thresholds:
- Has annual gross revenue in excess of $10 million;
- Buys or receives the personal information of 50,000 or more consumers, households or devices; or
- Derives 50 percent or more of its annual revenue from selling Nebraskans’ personal information.
Similar to the CCPA, the Nebraska bill provides consumers with the right to:
- Know, access and have deleted the personal information collected about them;
- Know whether their personal information is sold or disclosed and to whom;
- Opt-out of the sale of their personal information (or opt-in if under 16); and
- Obtain equal services and prices, even if they exercise the rights provided by the bill.
The bill also requires businesses to include a Do Not Sell My Personal Information link on its home page, and provide two or more methods for submitting requests for information, including a toll-free phone number and, if applicable, a website address. Notably, a number of terms such as “sell” and “service provider,” which caused much discussion under the CCPA, are undefined in the Nebraska bill.
House Bill No. 473 (Virginia bill) would amend Virginia law to add the Virginia Privacy Act. The bill applies to any company doing business in Virginia or that produces products or services “intentionally targeted to residents” of Virginia and that:
- Controls or processes personal data of not fewer than 100,000 consumers, or
- Derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.
Combining elements of Europe’s General Data Protection Regulation (GDPR) with the CCPA, the Virginia bill distinguishes between data “controllers” and “processors” and would provide Virginia residents with a bundle of rights including the right to access, correction and deletion, as well as the right to restrict and/or object to processing.
The concept of a “sale” under the Virginia bill is similar to the one found in Nevada’s new privacy law, which became effective October 2019, and is limited to sales of personal data for monetary consideration for purposes of licensing or selling personal data at the third party’s discretion to additional third parties.
Companion bills have been introduced in the Florida Senate (Senate Bill 1670) and the Florida House of Representatives (House Bill 963) relating to “consumer data privacy.”
Among other things, the bills would:
- Prohibit the use of personal data contained in public records for certain marketing, soliciting and contact without the person’s consent;
- Require the operator of a website or online service that collects certain information from consumers in Florida to establish a designated request address and provide specified notice regarding the collection and sale of that information; and
- Prohibit those operators from making any sale of consumer information upon the request of the consumer.
The bills also provide that consumers may direct companies not to sell specified information about them and require that companies notify consumers about a variety of subjects, including the categories of the information that they collect through their websites or online services and whether a third party may collect covered information about consumers’ online activities.
And in New York…
New York has recently seen its own share of privacy laws and regulations proposed. Most notably, the New York Privacy Act (NYPA), which some refer to as “groundbreaking,” was reintroduced in the state senate at the beginning of the year.
If passed, the NYPA would:
- Create a private right of action permitting consumers to sue for violations of the law;
- Require express and documented consent (i.e., opt-in consent) before using or transferring personal data;
- Create a duty of care, loyalty and confidentiality expected of a fiduciary; and
- Require entities that collect personal data to act in the best interest of the consumer (without regard for the entity).
The Bottom Line
CCPA was just the tipping point of comprehensive state privacy laws. Since the law took effect on January 1, 2020, bills have been introduced in Washington, Nebraska, Virginia, Florida and there have been further developments in New York. While it’s difficult to predict which, if any, of the bills may become law, the fact that more and more legislators are introducing privacy bills is a trend that we can expect to continue. In the absence of a federal privacy law, which pre-empts state laws, compliance challenges for business will continue to grow.