Private Right of Action Roils Industry in State Privacy Bills
Industry won’t support comprehensive state privacy bills that allow consumers to sue businesses for possible violations, trade groups told legislators this week. Maryland senators weighed a bill (SB-698) with a private right of action (PRA) at a livestreamed hearing Wednesday. Oregon Attorney General Ellen Rosenblum (D) endorsed her state’s bill (SB-619), which also includes a PRA and gathered support from consumer privacy advocates, at a webcast hearing Tuesday.
Iowa senators voted 47-0 Monday to pass another state privacy bill (SF-262), which would include enforcement exclusively by the state AG and would grant businesses a right to cure. Illinois lawmakers plan to consider privacy and social media bills at a House Cybersecurity Committee hearing scheduled for Thursday.
Industry opposed a private right of action (PRA) in Maryland’s SB-698, which is much like Connecticut’s law, at Wednesday’s Senate Finance Committee hearing. The Connecticut law lacks a PRA and has different biometric rules. Last month at a House Economic Matters Committee hearing on House version HB-807, some delegates said they didn’t think the legislature could pass a privacy bill containing a PRA (see 2302220055).
"Nobody wants to see frivolous lawsuits,” but the PRA would give Marylanders more opportunity to protect rights, said SB-698 sponsor Sen. Malcolm Augustine (D). The bill doesn’t contain a right to cure, also sought by industry, because nothing like that exists in Maryland law, he said. The bill is based on a Connecticut law that found “middle ground” between California’s consumer-focused and Virginia’s business-focused laws, said the state senator.
The PRA in SB-698 is “very limited to the sale of biometric information,” said Steve Sakamoto-Wengel, Maryland AG office’s deputy chief-Consumer Protection Division. Maryland has a higher standard for private suits than many other states, he added, because litigants must prove actual damages.
Sen. Dawn Gile (D) asked why not cut the PRA and have AG enforcement only. She also challenged the idea that it’s hard to bring a lawsuit because one needs only to state that there were actual damages. Sakamoto said the AG office’s resources are limited and likely would be able to bring only one or two cases a year.
CTIA has “problems” with allowing private lawsuits, said Director-State Legislative Affairs Jake Lestock. TechNet members would rather focus time and money on consumer privacy and securing data than deal with “frivolous lawsuits,” said TechNet Mid-Atlantic Executive Director Margaret Durkin. Like other industry witnesses, Lestock and Durkin urged Maryland to more closely mirror Connecticut's law.
Sen. Ben Kramer (D) is skeptical of Connecticut’s law because industry likes it, he said. “That for me is an immediate red flag. When industry is supporting a state law, chances are it’s because the industry had their fingerprints all over that state law and probably rendered the bill meaningless.” If industry merely seeks to avoid a state patchwork, he asked why it wouldn’t ask Maryland to model California.
AG Backs Ore. Bill
Oregon’s proposed law is “finally ready for prime time” after the AG office worked on it for years in a task force convened in 2019, Rosenblum told the Senate Judiciary Committee at a hearing on SB-619. The bill reflects consumers’ increasing concern about companies collecting large amounts of customer data, she said. "There are strong feelings on all sides of this issue,” said the AG: Many consumers “feel exploited” but the federal government “has failed to act.”
SB-619 would give consumers a right to know what data is processed and to whom data is disclosed, said Oregon DOJ Legislative Director Kimberly McCullough: Consumers would also gain rights to correct, delete and port data. Consumers would be able to opt out of targeted advertising, data selling and profiling. They would have to opt in to processing sensitive data including on racial background, religious beliefs, sexual orientation, genetic or biometric data, and precise geolocation data, she said.
Stakeholders continue to debate several aspects, including on how to define biometric data and the bill’s inclusion of devices in the definition of personal data, said McCullough. She said other “hot topics” include pseudonymous data, applicability to nonprofits, right to know third parties’ data has been shared and the scope of children’s data protections. On enforcement, some disagree with the bill including a PRA, liability for a company directors, members, officers, employees and agents, and a right to cure with a one-year sunset, she said.
Multiple industry sectors are in “regretful opposition” to the Oregon bill, said State Privacy and Security Coalition General Counsel Andrew Kingman. The group might remove its opposition if legislators scrap the PRA and reconsider putting a sunset on the bill’s right to cure, he said. Oregon Business and Industry will oppose SB-619 as long as it contains a PRA and liability for directors and others, said outside lobbyist Kelsey Wilson. Witnesses from TechNet, the Computer & Communications Industry Association (CCIA) and Technology Association of Oregon also opposed the bill because of the PRA.
Consumer privacy groups mostly praised the Oregon proposal. Oregon Public Interest Research Group prefers opt-in for everyone but is glad there's a strong opt-out provision and opt-in for sensitive data, said State Director Charlie Fisher. Including a PRA is a must for effective enforcement, he said. The bill has strong definitions for biometric data and personal data, which should include devices, said American Civil Liberties Union Oregon staff attorney Rachel Dallal. Without an expiration date, the right to cure “runs the risk of operating as a carte blanche for data processors who violate consumer rights.” ACLU knows a PRA is “controversial, but we believe that it’s because it provides the bill with real bite and consumers with real power.”
The Electronic Frontier Foundation generally sees rights to cure as “get out of jail free cards,” but thinks including a one-year sunset is a good compromise, said Hayley Tsukayama, EFF senior legislative activist: "This bill is not perfect, but it is pretty good."
"This is a great bill" that "gets a lot of things right," said Microsoft's Ryan Harkins, senior director-public policy. However, he classified Microsoft's testimony as "neutral." World Privacy Forum Executive Director Pam Dixon said nobody is “completely happy" or "unhappy.” SB-619 isn’t perfect but "does a lot of things very well,” she said.
The Maryland Senate panel also heard testimony on a bill (SB-844) based on California’s Age-Appropriate Design Code Act, which was challenged in court by industry (see 2303060047). A House panel considered that chamber’s version (HB-901) last week (see 2303010062).
The bill protects kids up to age 18 from spying apps and smart toys, unlike the outdated Children’s Online Privacy Protection Act, which covers only children under 13, said Senate sponsor Kramer. “Because trading in our children’s personal information nets tens of millions of dollars in profits every year for Big Tech, they are very much opposed” to SB-844. The senator said he doesn’t trust industry to protect kids and urged colleagues not to be intimidated by legal threats.
Addressing privacy risks at the design phase “is much more economical” than liability risks that come after harm occurs, said 5Rights Head-U.S. Affairs Nichole Rocha: This technology-neutral model worked in the U.K. Common Sense Media can make design choices that put kids and teens first, as the bill would require, said Policy Counsel Irene Ly.
Sen. Pamela Beidle (D) raised concerns that proposed requirements are too broadly written. Rocha replied that telling companies exactly how to protect kids’ privacy would be “too prescriptive” and hinder innovation.
SB-844 “does the exact opposite” of protecting privacy because it will require websites to treat everyone as children and collect more data to verify their age, said NetChoice General Counsel Carl Szabo. He said he has concerns as a parent because the bill would “really harm my family” and kids’ ability to be online. Challenged by Kramer to identify his employer, Szabo described NetChoice as a “small business” that fights for “free expression and free enterprise online. ... I don’t work for Big Tech.” NetChoice is an association that includes Amazon, Google, eBay and Twitter. TechNet, CCIA and other industry witnesses also opposed the bill.
“With a few critical amendments to this bill, Maryland can establish itself as a national leader in online safety for minors,” said Camille Fesche, a Maryland lobbyist for Google. The company met with 5Rights and the House version’s sponsor, Del. Jared Solomon (D), and plans to propose amendments. Fesche didn’t specify what changes Google seeks.
Exempt news media, said Rebecca Snyder, executive director of the Maryland- Delaware-District of Columbia Press Association. Otherwise, the bill could prevent teens from accessing news that shouldn’t be age-restricted, she said.