States Begin 2022 With Flurry of Privacy Bills
State privacy bills are surfacing quickly as legislatures return for 2022 sessions. Washington state Sen. Reuven Carlyle (D) will try for the fourth straight year to pass a privacy bill, and many other state legislators introduced bills this and last week. Experts are also watching California Privacy Rights Act (CPRA) implementation this year.
Oklahoma Rep. Collin Walke (D) wouldn’t “be upset if every state had 50 different patchwork pieces of legislation,” he said in an interview Wednesday: Tech companies may disagree, but “if that’s not what you want, then go lobby Congress for what you do want.”
Expect at least 16 states to try to pass comprehensive laws this year, said attorney David Stauss, whose law firm Husch Blackwell tracks state privacy bills. Expect debate over enforcement, particularly on including a private right of action (PRA), to be a continued hurdle, he said. Consumer Reports Senior Policy Analyst Maureen Mahoney predicted two or more states will pass laws this year. California, Virginia and Colorado enacted legislation.
Carlyle introduced a fresh Washington bill Tuesday. Last year’s SB-5062, supported by Microsoft but opposed by American Civil Liberties Union, was reintroduced.
"The newest iteration of the bill" is SB-5813, and it "will be heard in Sen. Carlyle’s committee,” emailed legislative assistant Josh Peck. That and previous Carlyle bills stalled amid disagreement about their lack of a PRA, though the proposal influenced other states like Virginia. In the Washington House, Rep. Shelley Kloba (D) will push last year's HB-1433 and is working on an amendment, legislative assistant Brian Haifley emailed Wednesday. It was backed by ACLU and included a PRA. Rep. Vandana Slatter (D) filed HB-1850 Friday.
Carlyle's bill has a narrower scope than last year's version, with three parts to make rules for children, data brokers and a do-not-track mechanism, shows a summary. SB-5813 would allow civil actions for violations of the right to access, delete or correct personal data, with limits on remedies. Other than such violations, it “provides sole Attorney General enforcement under the [Washington] Consumer Protection Act” and a 30-day cure period.
Carlyle plans the first hearing on SB-5813 next week, he told us Wednesday. That bill is his primary focus, though the legislature can still choose to pass his older and still-alive bill SB-5062, he said. The senator rewrote the bill as SB-5813 to try to gain more support, and is optimistic it can pass, he said.
“Most people generally like children” and “don’t necessarily like data brokers,” said Carlyle. It reflects the need to treat kids’ data as sensitive and to require a “higher standard of obligation” for data brokers whose “entire business is designed to customize and profile the financial value of an individual as a consumer.” SB-5813 includes a "limited ability to seek redress if there is actual harm and if there is a violation of rights,” said Carlyle. “I’m not interested in blanket, generic lawsuits.”
'Getting Everyone On Board'
Florida Rep. Fiona McFarland (R) resurrected her privacy measure Tuesday. HB-9 again includes a PRA that caused disagreement last year. McFarland’s office “will begin meeting with everyone involved this week and working through concerns to try and reach the best bill possible,” McFarland’s legislative aide Clay Gunter emailed Monday. Florida Sen. Jennifer Bradley (R) is back this year with S-1864, an update of her bill last year with no PRA. One change would add a dedicated consumer data privacy unit to the attorney general’s office. Expect another “big fight” over the PRA this year, Shook Hardy attorney Al Saikali blogged Sunday.
Connecticut Democratic Sens. James Maroney and Bob Duff plan to introduce a revised version of their 2021 bill SB-893 next month when the legislature returns Feb. 9, Maroney said Tuesday. Duff said he has “dedicated myself to getting everyone on board with a consumer data bill of rights which guarantees companies to make a commitment to consumers.”
Connecticut’s bill has a shot, said Husch’s Stauss. Maroney convened a work group that has met monthly since August to work out differences, he said. The lawyer participated in those talks, which also included the state attorney general’s office, business interests and public advocates, the lawyer said. It helps that Maroney seeks to conform his bill with Colorado’s law, Stauss added. Stauss said he’s also watching Oklahoma and Minnesota.
Oklahoma Democrat Walke hopes to pass last year’s HB-1602, which remains alive this year in the Senate after passing the House in the red state with bipartisan support last March. While introducing an alternative bill (HB-2969) Friday, Walke told us he prefers and is optimistic about passing HB-1602 because the committee where it stalled has a new chair. HB-1602 would require opt-in consent, a big difference with other state laws, which caused industry resistance, said Walke. Alternative HB-2969 would allow opting out for first-party targeted advertising but bars selling data altogether, he said. “There is no opting in, there is no opting out. You just can’t sell it, period.” Walke chose not to have a PRA. “You want to have enough teeth but … you don’t want to open the floodgates to all kinds of fruitless junk.”
New York state Assemblymember Linda Rosenthal (D) and Sen. Kevin Thomas (D) filed revised versions of privacy bills A-680 and S-6701 last week. The amended bills include a delayed PRA: businesses would have to comply two years after enactment, but a private right of action would take effect after three years. Indiana Rep. Carey Hamilton (D) filed HB-1261 Monday. Ohio and Massachusetts legislators still have time to pass last year’s bills (see 2112080057 and 2111100063).
Calif. Timeline 'Pretty Ambitious'
Lawyers are watching progress on the many proposals. Stauss is less optimistic about Washington finally passing a bill in its fourth year trying, he said: Carlyle’s new bill is more limited in scope and application than his previous bill, but the state looks “further away than ever in passing a bill.” Stauss is watching Florida, but thinks it could be challenging to pass a bill in the legislature’s short 60-day session. Ohio’s bill was moving but seemed to run into “headwinds” last year, he said: The lawyer hasn’t yet seen much momentum for New York bills.
Mahoney is watching Washington and Florida, where previous bills got close to the finish line, she said. Consumer Reports supported New York’s legislation but is still studying this year’s amendment, she said. Mahoney participated in Connecticut’s working group, which sought to find consensus after last year’s bill stalled, she said.
Bryan Cave's Amy de La Lama is watching New York due to the large state’s possible impact, and Washington because it was “on the cusp” last year, she said. The attorney expects “two to three [to] pass per year … if and until we see federal legislation.”
The California Privacy Protection Agency (CPPA) opened a rulemaking in September to implement CPRA, the 2020 sequel to the California Consumer Privacy Act (CCPA) that will take effect Jan. 1, 2023. The agency posted comments Dec. 18 that were due Nov. 8.
CPPA could adopt CPRA rules this summer, though that timeline “seems pretty ambitious,” said Mahoney: Before then, the CPPA might release proposed rules and seek comment. “A lot of folks are going to be watching that, particularly with respect to the browser privacy signal language,” she said: Consumer advocates want a clear rule requiring companies to honor browser opt-outs.
“Companies really need to start getting ready,” for state law compliance, said de La Lama. Don’t forget that Virginia’s law will also take effect Jan. 1, while Colorado’s is effective July 1, 2023, she said. The attorney highlighted the hundreds of pages of comments filed on CPRA. “The level of interest speaks to how hard people have found the CCPA to implement and to interpret, and how concerned people are about really understanding and being able to implement these obligations.”