With less than two months until it goes into effect, many practitioners are focused on bringing their programs into compliance with the California Consumer Protection Act (“CCPA”) by January 1, 2020.  But the rapid pace of privacy legal developments could continue next year.  This past year, five states established studies or task forces to study privacy laws and report back to the legislature before their next session begins. Bills in Washington and Illinois passed one legislative chamber before failing, and their proponents have promised a renewed effort in 2020.

This is the first of a series of blog posts on what states other than California were considering to help you anticipate and prepare for 2020.  In total, at least eighteen states considered comprehensive privacy bills this year.  This initial blog post — on the heels of Halloween last week — focuses on some of those that are the scariest: bills in New York, Massachusetts, and Maryland.

New York Privacy Act (S. 5642)

Even Patrick Bateman would have a tough time slashing through the New York Privacy Act. The bill would create a “data fiduciary” concept that requires data controllers to exercise duties of care, loyalty and confidentiality.  This would require controllers to “act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”  On its face, this seems to go beyond even frameworks like GDPR that expressly contemplate that processing activities may be justified where a company’s legitimate business interests are not outweighed by individuals’ privacy interests.

Controllers would be required to contractually pass along those duties of care, loyalty and confidentiality to any downstream recipients of personal data.

Consistent with this framework, the bill takes an “opt in” rather than an “opt out” approach.  Controllers generally would be obligated to provide consumers the opportunity to opt in or opt out of any processing of their personal data – not just a sale, but all processing. Any person injured by a violation of the New York Privacy Act would be able to bring a private right of action in their own name “to enjoin such unlawful act, or to recover [their] actual damages, or both such actions.”  If the plaintiff prevails, a court may award attorney’s fees.

Massachusetts SD 341 and Maryland’s Online Consumer Protection Act (SB 613)

Massachusetts SD 341 and Maryland’s Online Consumer Protection Act depart from the CCPA by allowing consumers to opt out of any disclosures to third parties – not just sales, but all disclosures, subject to limited exceptions.  In addition, Massachusetts and Maryland would provide for a narrower set of exceptions than the CCPA for businesses regarding data subject rights to delete data. The Massachusetts legislature is still in session and held a hearing on its bill last month, and trade press suggests hearing participants identified these issues as concerns.

The Massachusetts bill also is notable for its robust private right of action. It would permit any consumer alleging a violation to bring a suit without showing any loss of money or property and entitle a successful plaintiff to attorney’s fees.  As currently drafted, the bill would nullify any waiver relating to the private right of action, including arbitration provisions or class action waivers.  Maryland only provides for enforcement by the Attorney General.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.