With less than two months until it goes into effect, many practitioners are focused on bringing their programs into compliance with the California Consumer Protection Act (“CCPA”) by January 1, 2020.  But the rapid pace of privacy legal developments could continue next year.  This past year, five states established studies or task forces to study privacy laws and report back to the legislature before their next session begins. Bills in Washington and Illinois passed one legislative chamber before failing, and their proponents have promised a renewed effort in 2020.

This is the first of a series of blog posts on what states other than California were considering to help you anticipate and prepare for 2020.  In total, at least eighteen states considered comprehensive privacy bills this year.  This initial blog post — on the heels of Halloween last week — focuses on some of those that are the scariest: bills in New York, Massachusetts, and Maryland.

New York Privacy Act (S. 5642)

Even Patrick Bateman would have a tough time slashing through the New York Privacy Act. The bill would create a “data fiduciary” concept that requires data controllers to exercise duties of care, loyalty and confidentiality.  This would require controllers to “act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.”  On its face, this seems to go beyond even frameworks like GDPR that expressly contemplate that processing activities may be justified where a company’s legitimate business interests are not outweighed by individuals’ privacy interests.

Controllers would be required to contractually pass along those duties of care, loyalty and confidentiality to any downstream recipients of personal data.

Consistent with this framework, this bill is an “opt in” and not “opt out” framework.  Controllers generally would be obligated to provide consumers the opportunity to opt in or opt out of any processing of their personal data – not just a sale, but all processing. Any person injured by a violation of the New York Privacy Act would be able to bring a private right of action in their own name “to enjoin such unlawful act, or to recover [their] actual damages, or both such actions.”  If the plaintiff prevails, a court may award attorney’s fees.

Massachusetts SD 341 and Maryland’s Online Consumer Protection Act (SB 613)

Massachusetts SD 341 and Maryland’s Online Consumer Protection Act depart from the CCPA by allowing consumers to opt out of any disclosures to third parties – not just sales, but all disclosures, subject to limited exceptions.  In addition, Massachusetts and Maryland would provide for a narrower set of exceptions than the CCPA for businesses regarding data subject rights to delete data. The Massachusetts legislature is still in session and held a hearing on its bill last month, and trade press suggests hearing participants identified these issues as concerns.

The Massachusetts bill also is notable for its robust private right of action. It would permit any consumer alleging a violation to bring a suit without showing any loss of money or property and entitle a successful plaintiff to attorney’s fees.  As currently drafted, the bill would nullify any waiver relating to the private right of action, including arbitration provisions or class action waivers.  Maryland only provides for enforcement by the Attorney General.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients engage strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence, the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.