With less than two months until it goes into effect, many practitioners are focused on bringing their programs into compliance with the California Consumer Protection Act (“CCPA”) by January 1, 2020.  But the rapid pace of privacy legal developments could continue next year.  This past year, five states established studies or task forces to study privacy laws and report back to the legislature before their next session begins. Bills in Washington and Illinois passed one legislative chamber before failing, and their proponents have promised a renewed effort in 2020.

This is the first in a series of blog posts on what states other than California were considering, to help you anticipate and prepare for 2020.  In total, at least eighteen states considered comprehensive privacy bills this year.  This initial blog post — on the heels of Halloween last week — focuses on some of those that are the scariest: bills in New York, Massachusetts, and Maryland.

New York Privacy Act (S. 5642)

Even Patrick Bateman would have a tough time slashing through the New York Privacy Act. The bill would create a “data fiduciary” concept that requires data controllers to exercise duties of care, loyalty and confidentiality.  This would require controllers to “act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”  On its face, this seems to go beyond even frameworks like GDPR that expressly contemplate that processing activities may be justified where a company’s legitimate business interests are not outweighed by individuals’ privacy interests.

Controllers would be required to contractually pass along those duties of care, loyalty and confidentiality to any downstream recipients of personal data.

Consistent with this framework, the bill takes an “opt in” rather than an “opt out” approach.  Controllers generally would be obligated to provide consumers the opportunity to opt in or opt out of any processing of their personal data – not just a sale, but all processing. Any person injured by a violation of the New York Privacy Act would be able to bring a private right of action in their own name “to enjoin such unlawful act, or to recover [their] actual damages, or both such actions.”  If the plaintiff prevails, a court may award attorney’s fees.

Massachusetts SD 341 and Maryland’s Online Consumer Protection Act (SB 613)

Massachusetts SD 341 and Maryland’s Online Consumer Protection Act depart from the CCPA by allowing consumers to opt out of any disclosures to third parties – not just sales, but all disclosures, subject to limited exceptions.  In addition, Massachusetts and Maryland would provide for a narrower set of exceptions than the CCPA for businesses regarding data subject rights to delete data. The Massachusetts legislature is still in session and held a hearing on its bill last month, and trade press suggests hearing participants identified these issues as concerns.

The Massachusetts bill also is notable for its robust private right of action. It would permit any consumer alleging a violation to bring a suit without showing any loss of money or property and entitle a successful plaintiff to attorney’s fees.  As currently drafted, the bill would nullify any waiver relating to the private right of action, including arbitration provisions or class action waivers.  Maryland only provides for enforcement by the Attorney General.