Legislation

Heading into the new year, California Consumer Privacy Act (“CCPA”) readiness remains top of mind for many businesses, especially as continued developments, such as the California Attorney General’s forthcoming implementing regulations, may implicate compliance efforts.  State legislation will likely move forward in 2020.  At the same time, however, companies should not lose sight of legislative proposals at the federal level, which have the potential to reshape the privacy landscape in the United States and even preempt state laws such as the CCPA.  The question of whether a federal privacy bill can pass in 2020 remains an open one.  But regardless of whether a bill will actually pass, the legislative proposals that are emerging this year likely will shape the contours of federal legislation that could move toward becoming law.

Although the issues of preemption and a private right of action dominated the federal privacy conversation last year, four legislative trends emerged in 2019 that also may become key components of a federal privacy framework:
Continue Reading Four Federal Privacy Trends to Watch in 2020

On December 18, 2019, staffers on the House Energy and Commerce Committee circulated a draft of a bipartisan privacy bill.  The draft is currently unnamed and unfinished, but it lays out a comprehensive framework that expands both individuals’ rights to their data and the FTC’s enforcement role over digital privacy.  Rep. Cathy McMorris-Rodgers (R-Wash.) and Rep. Jan Schakowsky (D-Ill.) have been particularly involved in working on the bill.

“We welcome input from all interested stakeholders and look forward to working with them going forward,” an Energy and Commerce spokesperson told The Hill.  “This draft seeks to protect consumers while also giving data collectors clear rules of the road.  It reflects many months of hard work and close collaboration between Democratic and Republican Committee staff.”

The draft bill echoes many of the provisions in the Consumer Online Privacy Rights Act (COPRA) introduced last month by Democratic senators.  However, unlike COPRA, the bill is silent on two notable issues: whether individuals have a private right of action to assert violations and whether the bill would preempt state laws. 
Continue Reading House Energy and Commerce Committee Circulates Draft Privacy Bill Expanding FTC Authority

On November 26, 2019, a group of Democratic senators introduced the Consumer Online Privacy Rights Act (COPRA).  This comprehensive privacy bill—sponsored by Senators Maria Cantwell (D-WA), Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Ed Markey (D-MA)—would grant individuals broad control over their data, impose new obligations on data processing, and expand the FTC’s enforcement role over digital privacy.

“In the growing online world, consumers deserve two things: privacy rights and a strong law to enforce them,” Senator Cantwell explained. “They should be like your Miranda rights—clear as a bell as to what they are and what constitutes a violation.”

Here are some key elements of the bill:
Continue Reading Democratic Senators Introduce the Consumer Online Privacy Rights Act

With less than two months until it goes into effect, many practitioners are focused on bringing their programs into compliance with the California Consumer Protection Act (“CCPA”) by January 1, 2020.  But the rapid pace of privacy legal developments could continue next year.  This past year, five states established studies or task forces to study privacy laws and report back to the legislature before their next session begins. Bills in Washington and Illinois passed one legislative chamber before failing, and their proponents have promised a renewed effort in 2020.

This is the first of a series of blog posts on what states other than California were considering to help you anticipate and prepare for 2020.  In total, at least eighteen states considered comprehensive privacy bills this year.  This initial blog post — on the heels of Halloween last week — focuses on some of those that are the scariest: bills in New York, Massachusetts, and Maryland.
Continue Reading State Privacy Laws Have the Potential to Haunt Industry

On October 17, Senator Ron Wyden introduced in the Senate a privacy bill that would expand the FTC’s authority to regulate data collection and use, allow consumers to opt out of data sharing, and create civil and criminal penalties for certain violations of the Act.

The Mind Your Own Business Act of 2019 is the latest iteration of Wyden’s discussion draft that he released last November. (We provided an overview of the draft bill here.) Although the two Wyden measures are largely similar, the new bill provides for additional enforcement mechanisms and levies taxes on companies whose executives violate reporting requirements.
Continue Reading Wyden Introduces Mind Your Own Business Act of 2019

Last week, after months of negotiation and speculation, the California legislature passed bills amending the California Consumer Privacy Act (“CCPA”).  This marked the last round of CCPA amendments before the legislature adjourned for the year—and before the CCPA takes effect on January 1, 2020.  California Governor Gavin Newsom has until October 13 to sign the bills into law.  Separately, the Attorney General’s office is expected to release a draft of proposed CCPA regulations for public input later this Fall.

  • Exemption for employees and job applicants: AB 25 (Chau) generally exempts from the CCPA—for one year—personal information collected from job applicants, employees, owners, directors, officers, medical staff members, or contractors, as well as their emergency contacts and their beneficiaries.  However, employers must provide these individuals with general notice of the types of personal information collected about them and the purposes for which the information is used.  Employers may be liable if certain types of unredacted or unencrypted personal information are breached due to unreasonable data security.
  • Exemption for business customers and other technical corrections: AB 1355 (Chau) exempts from the CCPA—also for one year—personal information reflecting a communication or transaction with a natural person who is acting as an employee, owner, director, officer or contractor of another company or legal entity in most circumstances.  This language generally creates an exemption for personal information about business customers.  The bill clarifies that the CCPA’s private right of action does not apply if personal information is either encrypted or redacted.  The bill also makes certain technical corrections, including revising the exemption for activities involving consumer reports that are regulated under the Fair Credit Reporting Act and clarifying that de-identified or aggregate consumer information is excluded from the definition of “personal information.”
  • Definitions of “personal information” and “publicly available information:” AB 874 (Irwin) includes several helpful clarifications with respect to the scope of “personal information” regulated under the statute.  Previously, “personal information” was defined to include all information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  The amended definition of “personal information” clarifies that information must be “reasonably capable of being associated with” a particular consumer or household.  Separately, the bill clarifies that “publicly available information” means information that is lawfully made available from federal, state, or local records, regardless of whether the data is used for a purpose that is compatible with the purpose for which the data was made publicly available.  Further, the bill revises the definition of “personal information” to clarify that it does not include de-identified or aggregate information.
  • Required methods for receiving consumer requests: The CCPA provides that a covered business is required to make available to consumers two or more reasonably accessible methods for submitting requests under the CCPA, including, at a minimum, a toll-free telephone number, and, if the business maintains an internet website, a website address.  AB 1564 (Berman) would amend this requirement to provide that a business which (1) operates exclusively online and (2) has a direct relationship with the customer from whom it collects personal information needs to provide only an email address.  If the business also maintains a website, the bill requires the business to make the website available to consumers to submit requests.  Finally, the bill expressly permits a business to require a consumer who maintains an account with the business to submit a request through the account.
  • Exemption for vehicle warranty/recall purposes: AB 1146 (Berman) exempts, from the CCPA’s right to opt out and right to delete, vehicle or owner information retained or shared between a new motor vehicle dealer and the vehicle’s manufacturer for the purposes of vehicle repair covered by a warranty or recall.

Continue Reading California Legislature Passes CCPA Amendments and Privacy Bills

On September 10, 2019, 51 members of the Business Roundtable sent a letter to congressional leaders advocating principles for a national consumer data privacy law. The Business Roundtable’s Framework for Consumer Privacy Legislation offers a guide for potential federal legislation that would harmonize existing privacy regulations and preempt existing state and local data privacy laws. The Framework seeks to balance enhanced consumer protections with innovation and competition.
Continue Reading Business Roundtable Proposes Framework for Consumer Privacy Legislation

Over the past several months, many states, including Illinois, New York, Texas, and Washington, have passed significant amendments to their state data breach notification laws.  Currently, most state data breach notification laws only require notification of residents (and possibly state regulators or others) following a “breach” of personally identifiable information (“PII”), which is often defined as a resident’s name along with a Social Security number, driver’s license or state identification card number, or a financial account, debit, or credit card number with any required security code, access code, or password to access a financial account.  Among other changes, these amendments have expanded the categories of PII that may trigger notification obligations if breached, imposed new requirements to notify regulators (in addition to affected individuals) in the event of a breach, and implemented specific timing requirements for how soon after a breach individuals and regulators must be notified.  These changes are summarized in additional detail below.
Continue Reading Round-Up of Recent Changes to U.S. State Data Breach Notification Laws