All eyes are on the California Consumer Privacy Act (CCPA), which went into effect on Jan. 1. But get ready for new privacy bills across the country as state legislatures come back into session throughout January and early February.
On Monday, the first day of Washington state’s 2020 legislative session, state House Rep. Norma Smith, R-Clinton, introduced a package of five online data privacy bills that range from biometric data protection to a consumer bill of rights for personal data.
Smith serves as the ranking Republican on Washington state’s House innovation, technology and economic development committee.
This isn’t the state’s first stab at passing a privacy law. The Washington Privacy Act (WPA) of 2019, inspired by CCPA and Europe’s General Data Protection Regulation, easily passed the Senate but later died in appropriations without making it to the House for a vote after questions arose as to whether it was protective enough and its loose approach to facial recognition technology.
It’s still far too early to say whether these new bills will have more success than WPA, but there’s a good chance something will be enacted, said Gary Kibel, a partner at Davis & Gilbert LLP.
“Washington tried to pass something previously, so you could say they’ve been through a dry run, and I think they’re ready for showtime,” Kibel said.
And so are many other states. They see California getting heaps of attention for its privacy law, which is being considered by some as the de facto national standard in the absence of federal privacy legislation – and they want some.
“The business community might get upset about it, but you’re elected by constituents, and lawmakers know it looks good when they fight for consumer privacy,” Kibel said. “We’re not going to get anything at the federal level with any teeth for a while, and states feel like there’s no point waiting around.”
By the same token, it’s not a foregone conclusion that a state-based groundswell will motivate federal action. Although state-level anti-spam laws in the ’90s, for example, culminated in the CAN-SPAM Act, data security laws, such as those passed in Nevada and Massachusetts in the mid-2000s, didn’t “catch fire” across the country, said David Keating, a partner at Alston & Bird.
Even so, it makes sense to monitor what’s going on at the state level. New York is particularly interesting, Kibel said, because it’s a populous state and home base to the advertising industry.
The New York Privacy Act (Senate Bill S5642), which was reintroduced in the New York State Senate last week, would go further than the CCPA by requiring express and documented consent – aka, a clear opt-in – before using, processing, selling, sharing or transferring consumer data.
In the meantime, here’s what’s on the table in Washington state:
House Bill 2364 would create a “Charter of Personal Data Rights” that includes the right to access data, know what data a business has about a consumer, data portability and the right to correct data, delete info and opt out of data sales.
The bill defines personal data as any information that is linked or “reasonably linkable” to an individual, and includes a private right of action, meaning that consumers would be able to sue a business for violations of their data rights. Under CCPA, there’s only a limited private right of action in the case of a data breach.
“A private right of action is the scariest thing for people in the industry,” Kibel said. “Regulators get a bad rap sometimes but, ultimately, they don’t want to punish businesses, just protect consumers and ensure compliance with their laws. The motivation of the class-action folks is radically different.”
House Bill 2363 would ensure that individuals own and have control over their biometric identifiers, such as their face and voice.
House Bill 1503 would require data brokers in Washington state to register annually with the state and provide info about how they collect, store and sell personal data and disclose their opt-out procedures.
House Bill 2366 would make the state’s chief privacy officer into a four-year statewide elected position.
House Bill 2365 would require that consumer devices sold in Washington state have a simple-to-recognize sticker that says whether the device gathers consumer data and transmits it to third parties.
Updated, Jan. 15: Sen. Reuven Carlyle, D-Seattle, reintroduced a new version of the WPA on Monday along with a bipartisan group of Washington state senators. A second bill, also introduced on Monday and sponsored by Sen. Joe Nguyen (D-White Center), aims to put imitations on how government and law enforcement are able to use facial recognition tech.