State Law Developments in Consumer Privacy
The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is considered the most expansive state privacy law in the United States. Organizations familiar with the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018, certainly will understand CCPA’s implications. Perhaps the best known comprehensive privacy and security regime globally, GDPR solidified and expanded a prior set of guidelines/directives and granted individuals certain rights with respect to their personal data. The CCPA seems to have spurred a flood of similar legislative proposals on the state level.
Since the start of 2019, at least six state legislatures have already introduced privacy laws mirrored largely on the CCPA. Below are some of the highlights of each state legislative proposal:
- Hawaii – SB 418, introduced on January 24 by two Democrat senators, the Hawaiian bills contains similar consumer rights and requirements for businesses as the CCPA. The current bill text does not include a definition for “business”. Although this will likely be remedied, if left as is, the Hawaiian bill would have a broader reach than the CCPA, which only applies to entities that do business in the state of California.
- Maryland – SB0613, introduced on February 4 by Senator Susan Lee (D), includes similar consumer rights as those in the CCPA, but its right of deletion (popularly known as the “right to be forgotten”) is more extensive as it limits the circumstances under which an organization can deny such a request. Also notable, the bill prohibits discrimination against a consumer for exercising his/her rights and financial incentives for processing personal information.
- Massachusetts – SD.341, presented by Senator Cynthia Creem in early February, this proposal combines key aspects of the CCPA together with aspects of Illinois’s Biometric Information Privacy Act (BIPA). This bill would allow Massachusetts consumers a private right of action if their personal information or biometric information (referred to separately in the bill) is improperly collected. Moreover, similar to the Illinois Supreme Court’s recent holding regarding the BIPA, under the proposed bill, Massachusetts consumers may not have to demonstrate actual harm to seek damages.
- Mississippi – HB 2153, a house bill that was quickly squashed, was the closest in structure to the CCPA, pulling direct language from the California law. Although the Mississippi bill did not succeed, it still signifies how state legislators across the U.S. are considering consumer privacy.
- New Mexico – SB176, introduced on January 19 by Senator Michael Padilla (D), attempts to balance consumer privacy without stifling “innovation and creativity” of companies. Although language differs, key components of the CCPA are present in the New Mexico bill (g. right of access, right of deletion, right to opt out, private right of action).
In addition to the CCPA…