Technology & Privacy
Another State Has Passed a Comprehensive Privacy Bill — Will Others Follow Suit?
February 24, 2021 | Max Rieper
With Congressional action on a comprehensive privacy bill still slow to materialize, states have continued to lead by taking up legislation to address how businesses handle consumer information. California’s landmark legislation went into effect in January, and lawmakers in many other states have sought to emulate that legislation. Other new technologies such as connected devices, facial recognition technology, biometrics, and algorithms have prompted state legislators to propose additional policies to protect consumers.
Just two months into the year, lawmakers have already introduced hundreds of privacy bills in state legislatures. Here’s a look at the trending privacy issues in states so far in 2020.
The new California privacy law that went into effect this year takes ideas from the European Union General Data Protection Regulations (GDPR) to create new rights for consumers in regard to personal information collected from them by businesses. California lawmakers sought to tweak the law in 2019, and will still have to resolve temporary one-year exemptions for business-to-business communications and an exemption for information collected by employees and job applicants. California lawmakers will also seek to clarify whether customer loyalty programs violate provisions that prohibit discriminating against consumers that exercise their rights. California Attorney General Xavier Becerra has also released a draft of regulations to advise businesses on how to comply with the law, with enforcement set to begin on July 1, 2020.
An additional wrinkle: A California privacy activist, whose threat of a consumer privacy ballot measure initially convinced lawmakers to pass the CCPA, is now pushing a new privacy ballot measure that would create new rights around the use and sale of sensitive personal information, limit location tracking for target advertising, require transparency for algorithms, triple fines for violations of children’s privacy laws, allow a private right of action if online access passwords are stolen due to negligence, and establishes a California Privacy Protection Agency.
Other states have tried to emulate aspects of the CCPA, particularly as some companies treat the new California law as a de facto national standard. The Washington Senate passed a major privacy bill last year, only to have the bill killed in a House Committee. Consumer groups and the ACLU were concerned the bill was too business-friendly and a provision allowed controversial facial recognition technology. A new package of bills has been introduced this year by state Senator Rueben Carlyle (D), who introduced last year’s legislation.
Other states have also introduced comprehensive privacy legislation modeled after the California law that would give consumers some rights over personal information collected by businesses. The rights provided in these bills include:
The right to have notice on what categories of information is being collected and who it is being shared with;
The right to access any personal information collected by a business in a usable form;
The right to correct any personal information the consumer feels is incorrect;
The right to delete any personal information;
The right to opt out of any collection of information or any sharing of personal information with third parties; and
The right not to be discriminated against by any business for exercising any rights.
Some, though not all, of these bills give the consumer a private right of action to sue a business that either allows a breach of their personal information or violates provisions of these privacy laws.
Vermont became the first state to require data brokers to register with the government, with enforcement beginning in 2019. This year, Hawaii, New York, Rhode Island, and Washington are considering bills that would require data brokers to register and provide information to consumers on how to opt out of the collection of information.
California Governor Gavin Newsom has proposed a “data dividend” that would allow consumers to profit off the sale of their personal information, although he has yet to offer a concrete proposal. A proposed bill in New York (NY AB 9112) would levy a five percent tax on businesses that “derive income from the data individuals of this state share with corporations.”
Growing concerns about the ability to detect consumers through facial recognition technology has led to a flurry of bills. Many of these relate to the ability of law enforcement to use facial recognition technology, an issue we analyzed in detail last month, but bills in Arizona, Maryland, South Dakota, and Washington, among others, would limit or prohibit businesses from using the technology without consumer consent.
Biometric information, which includes unique human body or characteristic identifiers, has been added to the definition of protected personal information in many new proposed privacy bills. Illinois has already passed a landmark Biometric Privacy Law and many other states could follow. Finally, lawmakers in Florida, Illinois, and Tennessee are debating bills that would protect genetic information collected by certain “direct-to-consumer” genetic testing companies.
Many applications on ubiquitous smartphones use location tracking to provide navigation information or direct us to the closest coffee shop. The downside to these beneficial features is that this geo-location data could allow consumer locations to be identified. Bills in California, Hawaii, Illinois, Maryland, New Hampshire, New Jersey, and New York would prohibit cell phone providers and app developers from sharing location tracking information with third parties without first obtaining consent.
The popularity of connected devices that range from everything from personal assistants to thermostats, known broadly as internet of things (IoT), has created convenience in many homes. However, security concerns have led many state lawmakers (e.g., Kentucky) to introduce legislation that would require such devices to implement security measures that meet industry standards. Other legislation would limit when a microphone for voice recognition can be turned on (e.g., Illinois).
Concerns about how algorithms are used have led some states (e.g., New Jersey) to prohibit the use of algorithms to make certain decisions in credit, insurance coverage, and health care. As children use more technology, lawmakers have sought to protect them from targeted advertising and obscene content. Cybersecurity has continued to be a pressing issue, with some proposed bills giving an affirmative defense for businesses that comply with cybersecurity standards, with some states proposing the creation of a task force to study the issue.
February 24, 2021 | Max Rieper
January 25, 2021 | Max Rieper
February 19, 2020 | Kim Miller