While all eyes are on California following the implementation of the California Consumer Privacy Act (“CCPA”) earlier this month and the start of enforcement later this year, other states are off to the privacy races already. On Monday, Washington State became the latest entrant with the introduction of a revised Washington Privacy Act.
From the proposals introduced so far this year in Washington, Virginia, New Hampshire, Illinois, and Nebraska, it is clear that states will continue to follow last year’s trend of varied approaches to state privacy legislation. While there are variations in state proposals, many of the bills seem to fall into three molds.
The first category of proposals closely tracks the CCPA. Some of these bills, like last year’s Mississippi Consumer Privacy Act, are essentially identical to the CCPA or have minor changes. These bills may lack changes made by the September amendments to the CCPA. For example, the CCPA originally regulated as personal information all information “capable” of being associated with a consumer or household, whereas California’s definition is now tied to information “reasonably capable” of being associated with a consumer or household. The September amendments also eliminated limitations on the scope of publicly available information and added exceptions for employment or business-to-business related data. These differences were notable in the New Hampshire legislation recently introduced, which was otherwise in line with the CCPA.
Inspired by the CCPA
The second category includes those bills inspired by the CCPA but with substantive differences. Most of these bills expand consumer rights beyond the limits of the CCPA. The newest of these bills is the latest iteration of the Illinois Data Transparency and Privacy Act (“DTPA”), which has undergone revisions since passing the House but failing in the Senate last year. It joins last year’s bills from Maryland and Massachusetts in seeking to allow consumers to opt out of the disclosure of their information to third parties, whether or not the disclosure was for monetary or other valuable consideration.
Another grouping of states has elected to pursue laws that are closer to the European Union’s General Data Protection Regulation (“GDPR”). The most high-profile may be last year’s Washington Privacy Act, which failed in the House after passing the Senate 46-1. As noted above, the bill is back this year with sponsor Senator Reuven Carlyle claiming to have “95% agreement in principle on the core elements of the bill” during a press conference on Monday. The newly introduced Virginia Privacy Act also takes its cues from the GDPR, incorporating the language of controllers and processors, allowing consumers to object to the processing of their personal information, and following a 30-day timeline to respond to requests. A key difference between the Virginia and Washington Privacy Acts is that Virginia includes a private right of action through the Virginia Consumer Protection Act.
The final group of states is not easily defined and incorporates more novel provisions. Most notable from last year is the New York Privacy Act. While this bill had GDPR-like provisions and language, it added the concept of a “data fiduciary,” which would require data controllers to exercise duties of care, loyalty and confidentiality. This would require controllers to “act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker, in a manner expected by a reasonable consumer under the circumstances.” Furthermore, controllers would be required to contractually pass along those duties of care, loyalty, and confidentiality to any downstream recipients of personal data.