In the wake of the passage of the EU's General Data Protection Rule (GDPR) and the California Consumer Privacy Act (CCPA), state policymakers throughout the U.S. are focusing their attention on consumer privacy in the digital age. Orrick's State Attorney General team is pleased to provide regular analysis of legislative and regulatory developments around the country – in addition to insights into associated compliance challenges – as these policy proposals become law.
- Federal Legislation: Though privacy proposals abound in both houses of Congress, the effort garnering the most attention as a viable legislative vehicle is a proposal under development by Senators Blumenthal (D-CT), Cantwell (D-WA), Moran (R-KS), Wicker (R-MS), Schatz (D-HI) and Thune (R-SD). Their proposal, with a hoped-for release date before the end of May, is expected to codify the substantive rights provided to consumers in the CCPA, like the right to access or delete one's data and "opt-out" from its disclosure to third parties, in exchange for no private right of action being provided and, potentially, some level of federal preemption of state law. There is also general agreement that the FTC, as the de facto federal regulator of consumer privacy to date, should have its role in addressing such concerns affirmed and codified. The exact scope of the FTC's enforcement authority under this new law remains an open question, with some calling for personal liability for executives and others seeking civil penalty authority even in the case of first-time offenses.
Yesterday (Wednesday), the House Energy & Commerce Committee held a high-profile hearing at which all five FTC commissioners appeared. That hearing, entitled "Oversight of the Federal Trade Commission: Strengthening Protections for Americans' Privacy and Data Security," involved the commissioners explicitly providing their visions for what a national U.S. digital privacy framework should entail.
- Federal Trade Commission: Even in the absence of specifically granted congressional authority, the FTC's attention to consumer privacy is shaping its enforcement priorities and approach. The FTC's Enforcement Division last week signaled that, at the behest of Commissioner Chopra, long a champion of personal liability for corporate executives, the Commission would consciously begin looking into the conduct of employees as it undertakes actions against business entities. The Enforcement Division also confirmed last week that it would entertain actions against firms for Section 5 "unfairness" violations for poor data security even in the absence of a breach.
Based on testimony heard during last week's meeting, the FTC staff overseeing the event later suggested that there was consensus on a number of fronts regarding necessary developments in the context of privacy policy. Specifically, they include:
- That policy should endeavor to insulate consumers from harm;
- That consumers require greater transparency about, and control over, data in which they are implicated;
- That privacy controls and data practices should align with consumer expectations; and
- That policy should promote competition and pro-privacy innovation.
- California: The Golden State's Assembly and Senate have divergent visions for the future of the CCPA. The Assembly has moved to curb CCPA's scope, while the Senate has moved to expand it. Each chamber recently moved legislation to advance its vision, with all bills now progressing to the appropriations committees of each chamber (where many are to be heard this week).
Specifically, the Assembly Committee on Privacy and Consumer Protection passed a battery of bills designed to make the CCPA more practicable, if not weaker. Of note are three bills – AB 873 (Irwin), which narrows the definition of "personal information" by removing an impractical de-identification standard; AB 846 (Burke), allowing for the continuation of customer loyalty programs; and AB 25 (Chau), permitting employers to retain information about employees that would otherwise be prohibited by the CCPA. Further, the committee's chairman, Asm. Chau, who was the sponsor of the legislative vehicle that became the CCPA, used recently granted authority (Rule 56.1) to scuttle AB 1760 (Wicks) – a bill that would have substantially expanded the scope of the CCPA by moving the Act to an "opt-in" framework and adding a private right of action.
By contrast, the Senate Judiciary Committee passed Sen. Hannah-Beth Jackson's SB 561. This bill, backed by Attorney General Becerra, would remove a firm's ability to remediate reported CCPA violations and create a broader private right of action. It would, in short, significantly expand the CCPA's enforcement scheme by providing any California consumer, whose "rights under this title are violated," a private right of action.
Based on the conflicting visions of local legislators, those following the process should expect pushback from opposite chambers once the bills "cross over" from their house of origin. The prospect of limited legislative relief makes it even more important for firms with a stake in the as-applied posture of the CCPA to actively engage in the Attorney General's rulemaking process to ensure that industry-specific concerns are considered and addressed before the law is enforced.
- Other States: While the majority of state legislative sessions are wrapping up, active bills that seek to replicate the CCPA remain in play around the nation (see Figure 1: States with Comprehensive Privacy Laws and Bills). Though to date none of these bills has become law, their existence is a meaningful indicator of the salience of the issue of consumer privacy. What's more, conspicuously, not all of the CCPA-esque legislation moving in state legislatures is failing because it is too onerous for businesses. For instance, in Washington, SB 5376, after passing the Senate 46-1, died in the House after amendment as some consumer groups decried the bill as insufficiently onerous.
Also of note, Maine last week held a hearing on LD 946 – to enact data privacy requirements for broadband internet providers. While not as broad in scope as the CCPA, the legislation includes a troubling "opt-in" provision whereby broadband providers must actively solicit consumer consent before engaging with certain types of information. Such legislation is particularly problematic when considered in the context of an environment in which CCPA clones and similar – but not identical – laws are passed nationwide. This situation would not so much create a "patchwork" of requirements, but rather a "layer cake" in which affected firms would be subject to inconsistent and, perhaps, mutually exclusive general and sector/industry-specific requirements.
- Civil Society Activity: As federal and state attention has turned to consumer privacy policy, so too have third-party commentary and advocacy efforts. Last week, "Fight for the Future" announced the creation of a coalition to oppose federal privacy preemption. This is the first coalition that is actively soliciting grassroots engagement around the issue and should not be taken lightly. In 2012, "Fight for the Future" organized an internet-changing strike against SOPA and PIPA.
Figure 1: States with Comprehensive Privacy Laws and Bills
Figure 2: U.S. State Privacy Laws, Passed and Proposed (2019)
State | Statute/Bill |
California (Passed law) | Ca. Civ. Code §§ 1798.100 - .199 "California Consumer Privacy Act" |
Connecticut | RB 1108 |
Hawaii | SB 418 |
Illinois | HB 3358 "Data Transparency and Privacy Act" |
Maine | LD 946 |
Maryland | SB 613 "Online Consumer Protection Act" |
Massachusetts | SD 341/S 120 |
Nevada (Passed law) | Chapter 603A |
Nevada | SB 220 |
New Jersey | S2834 |
New Mexico | SB 176 "Consumer Information Privacy Act" |
New York | S224 "Right to Know Act of 2019" |
New York | SB S8641 |
North Dakota | HB 1485 |
Rhode Island | S0234 "Consumer Privacy Protection Act" |
Texas | HB 4518 "Texas Consumer Privacy Act" |
Texas | HB 4390 "Texas Privacy Protection Act" |
Washington | SB 5376 "Washington Privacy Act" |