As we noted last month, Washington’s efforts to follow California’s lead in passing its own GDPR-like law have stalled after the bill failed to make its way through the state’s House of Representatives—despite overwhelming approval in the Senate (where it passed 46-1).  That bill’s sponsor has promised to revisit the issue during the 2020 legislative session.

Despite this roadblock on the consumer privacy front, Washington governor Jay Inslee signed a bill on May 7 (HB 1071) significantly expanding the state’s data breach notification law, RCW 19.255.01, et seq.  There was little doubt that Governor Inslee would sign the bill into law, as it passed unanimously in both state legislative bodies.

Below is a summary of major changes to the state’s data breach notification law, and key takeaways for employers subject to Washington law.  For a detailed explanation of the law’s new provisions—which will become effective March 1, 2020—please refer to this post.

Deadline to provide notice of breach shortened to thirty (30) days following discovery.

Under the current law (and until HB 1071’s amendments become effective on March 1, 2020), notice of a breach must be provided within 45 days of discovery. With the amendments, notice must be provided no more than thirty days after the organization discovers the breach. This applies to notices sent to affected consumers as well as to the state’s Attorney General. The threshold requirement for notice to the Attorney General remains the same—it is only required if 500 or more Washington residents were affected by the breach.

Thirty days may still sound like plenty of time, but it can often take several days, or even weeks, for an entity to determine the scope of a breach and compile a list of potentially affected consumers. And if the breach affected residents of more than one state, each state’s laws must be examined to ensure that the notices sent to each individual comport with the breach notification laws of that individual’s state of residence.

Definition of “personal information” significantly expanded.

The previous definition tracked the language used by the majority of states, and only covered breaches that included an individual’s first name (or initial) and last name, plus any one or more of the three “bare minimum” data elements: Social Security number, driver’s license or state ID number, and/or financial account or card number (with an access code or password that would permit access thereto).

With the amendment, Washington adds the following six additional data elements that will be considered “personal information” if combined with an individual’s first name or initial and last name:

  • Full date of birth;
  • Unique private key used to authenticate or sign an electronic record;
  • Passport, military, or student ID number;
  • Health insurance policy or identification number;
  • Information about a consumer’s medical history, physical or mental health condition, or diagnosis or treatment by a health care professional; and,
  • Biometric data (such as fingerprint or retina scans, voiceprints, or other unique biological patterns used to identify an individual).

Significantly, Washington law now considers an individual’s username (or email address) and password (or security questions sufficient to permit access to an account) to be “personal information” regardless of whether the individual’s name is included. Notice to affected consumers of a breach of this type may be provided electronically or by email (unless the affected account was the individual’s email account).

In addition, the new law provides that even without an individual’s first name or initial and last name, any one or more of the other data elements will be considered “personal information” if the element, or combination of elements, would permit a person to commit identity theft against the individual, and the data element(s) were not rendered unusable through encryption, redaction or other methods.

Finally, as discussed more thoroughly in this post, HB 1071 also added notice requirements for affected consumers and the Attorney General—though notice to the Attorney General is still not required unless 500 or more Washington residents were affected by the breach.

There are several takeaways for employers here:

  • First, employers must be aware of the types of data elements the organization maintains on its employees (or other individuals, such as customers or clients), how that data is maintained, and what happens to that data when it is no longer needed.
  • Employers should also examine the necessity of maintaining certain types of data, and consider narrowing the scope of data elements that the organization maintains by ceasing to collect and maintain unnecessary data—even if not currently listed in the state’s definition of “personal information.”
  • Until now, Washington employers may not have been overly concerned with securing certain types of data, such as an employee’s date of birth or health insurance policy number. But once HB 1071’s amendments take effect, that information could trigger breach notification duties if subject to unauthorized access or disclosure.
  • Finally, employers should ensure the organization has sound policies in place specifically to deal with sensitive data (i.e., “personal information”) deemed necessary to maintain.

Texans like the adage “Everything is Bigger in Texas”. So, as the Lone Star State follows its counterparts and the federal government in discussing broad sweeping privacy protections, legislators introduced two (competing) privacy bills this session: the Texas Consumer Privacy Act and the Texas Privacy Protection Act.

Readers should note that the 2019 Texas Legislative Session is set to end on May 27, 2019, although a special session may be called to address items not resolved during the regular session. If privacy legislation is not passed, state lawmakers would not consider it again until 2021, as the legislature only meets every other year, for 140 days. If either of the bills were to pass this session, the effective date could be as early as September 2020.

Even if neither bill passes this session, which is likely the case given the legislative hurdles that must be cleared within the limited timeframe, privacy as an issue is not going away in Texas (or anywhere else for that matter). And, given that Texas is the second largest economy in the U.S., any privacy legislation will have a big impact. The current prediction is that Texas will take a back seat to watch how California enacts the CCPA, and (hopefully) learn from some of its pain points in order to adopt legislation in 2020.

Nevertheless, below is an overview of the two pending bills in their current form.

Texas Consumer Privacy Act (“TXCPA”)

The TXCPA is similar to the California Consumer Privacy Act (“CCPA”). It provides Texas consumers with rights to:

  • Know what information is being collected, distributed and sold about them;
  • Opt-out of sales of their information, including a requirement that businesses include a “Do Not Sell My Information” link on their website; and
  • Request that their information be deleted.

The TXCPA would also require businesses subject to the act to:

  • Provide notification of categories of personal information collected and how each category would be used;
  • Provide an online privacy policy or notice; and
  • Provide methods for consumers to submit data requests and disclose certain information in response to such requests.

It also borrows concepts from the EU GDPR around transparency and notice.

Similar to the CCPA, there are questions about how the bill would define a consumer and whether it would be applied to employees. Like the CCPA, the TXCPA also provides rights to households, but this is currently not well defined. The TXCPA does not establish a business duty to implement and maintain security procedures, nor does it allow a private cause of action for consumers in the event of a breach. The Texas Attorney General would enforce violations, set at an amount up to $2,500 per violation (and $7,500 for intentional violations).

In its current form, the TXCPA would only apply to certain businesses, including those that collect consumer personal information. These types of businesses would also have to meet certain thresholds.

Texas Privacy Protection Act (HB 4390)

The TXPPA distinguishes itself from the TXCPA in its applicability and its level of detail. It also does not provide the same consumer rights as the TXCPA. For the TXPPA to apply, a business must:

  • Do business in Texas;
  • Have more than 50 employees;
  • Collect personally identifiable information (“PII”) of more than 5,000 individuals, households or devices (or have this information collected on its behalf); this only applies to the collection of PII over the Internet or a digital network, or through a computing device that is associated with a specific end user. This requirement is not limited to “Texas residents,” meaning an Internet business with only a handful of customers in Texas, but numerous customers elsewhere, may be subject to the law; and
  • Either:
    • Have an annual gross revenue of more than $25 million; or
    • Derive 50% or more of its annual revenue from the processing of PII.

The traditional PII categories, like social security number, driver’s license number, credit card or financial account information, etc. are expanded under the TXPPA to include biometric information, religious affiliation, racial or ethnic origin information, unique genetic information, physical or mental health information, precise geolocation data and the private communications or other user-created content of an individual that is not publicly available.

The TXPPA requires the explicit permission of the individual to whom the information pertains, unless processing is required by law. A business may only process PII if it is relevant to accomplish the purpose for which it is to be processed, and this purpose must be specified by notice prior to the collection. Processing also may not violate state or federal law or infringe on an individual’s constitutional rights or privileges. The TXPPA also gives individuals the right to access their PII and the right to be forgotten.

The TXPPA requires impacted businesses to establish and maintain a comprehensive security program that contains safeguards for PII, although there is not a lot of guidance in the current bill on this. Like the TXCPA, there is no private cause of action for a breach of the duty to protect PII. Businesses would also be liable when a service provider mishandles their data.

Also like the TXCPA, the Texas Attorney General may bring an action and recover civil penalties, but they are higher under the TXPPA – up to $10,000 per violation, not to exceed a total of $1 million.

Either bill, if passed into law, would keep Texas in line with other states currently enhancing their privacy and security laws to keep up with the California Consumer Privacy Act set to take effect January 1, 2020.  Organizations across the United States should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs (WISPs).


It was looking like Washington state would be the first state to follow the California Consumer Privacy Act (CCPA), with a GDPR-like law of its own. That effort has stalled, perhaps temporarily. However, both Washington’s House and Senate voted unanimously to send HB 1071 to Gov. Jay Inslee, which would substantially expand the state’s current data breach notification obligations.

Here are some of the highlights:

Definition of personal information. Following many other states, the new law would add to the data elements that if breached could trigger a notification obligation. Currently, personal information includes an individual’s first initial or first name and last name, together with one or more of the following – (i) Social Security number, (ii) Driver’s license number or Washington identification card number; or (iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The following elements would be added to the list:

  • Full date of birth;
  • Private key unique to an individual and that is used to authenticate or sign an electronic record;
  • Student, military, or passport identification number;
  • Health insurance policy number or health insurance identification number;
  • Any information about a consumer’s medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment of the consumer;
  • Biometric data generated by automatic measurements of an individual’s biological characteristics such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual; or
  • Username or email address in combination with a password or security questions and answers that would permit access to an online account.

In addition, these elements (other than online account credentials) could be considered personal information even without the consumer’s first name or first initial and last name. That would be the case if encryption, redaction, or other methods have not been applied to render the element(s) unusable and the element(s) would enable a person to commit identity theft against a consumer.

Special Rule for Online Accounts. To combat the practice of many who use the same username and password for different accounts (note to reader, if this is you, stop reading this post and go change your account credentials), the new law would require notifications to provide some direction on this point. Specifically, when a breach involves a username or password, notice may be provided electronically or by email, and must inform affected persons to promptly change their password and security question or answer, as applicable. The notice should inform affected persons to take other appropriate steps to protect the online account and all other online accounts for which the affected person uses the same username or email address and password or security question or answer.

The new law goes a step further when the person or business providing the notice also furnished the email account to the affected person. In that case, notification must be provided using a permissible method other than email to that account, and must also include the information noted above for changing passwords for at risk accounts.

Notice Timing and Content. Like other state breach notification laws, Washington’s law requires notification be provided in the most expedient time possible and without unreasonable delay. Current law provides, however, that notice may not be provided later than forty-five calendar days following discovery. The new law reduces that period to thirty calendar days both for notice to individuals as well as to the Attorney General.

Importantly, the new law retains the exceptions to the notification period – notice may be delayed at the request of law enforcement or if due to measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. It is not clear if these exceptions also apply for notifying the Attorney General.

When notification is required, the new law adds to existing content requirements by mandating that notifications include, if known, the time frame of exposure – the date of the breach and the date of the discovery of the breach. Additional information also must be provided under the new law to the Attorney General, but under existing law that notice is required only if more than 500 persons are affected by the breach.

If enacted, the law changes in HB 1071 provide good examples of the need for organizations to continue to monitor these developments and revisit their incident response plans (IRPs). For example, some organizations may get caught off guard by the expanding definition of personal information under these laws. Date of birth typically is not included as an element of personal information in most other states (North Dakota is one exception). Having out-of-date template letters also can minimize the effectiveness of the organization’s IRP.

As we reported, in late February, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, legislation intended to strengthen and clarify the California Consumer Privacy Act (CCPA). This week, the Senate Judiciary Committee referred the bill to the Senate Appropriations Committee by a vote of 6-2. This move came despite concerns raised about the scope of the amendment’s expanded private right of action. It is worth noting that a restricted private right of action is believed to have been fundamental to the compromise that led to the CCPA becoming law.

If SB 561 becomes law, it would make a number of significant changes to the current law. In particular, SB 561 would significantly expand the scope of the private right of action presently written into the CCPA. In its current form, the CCPA provides consumers a private right of action if their nonencrypted or nonredacted personal information is subject to an unauthorized access, exfiltration, theft, or disclosure because the covered business did not meet its duty to implement and maintain reasonable safeguards to protect that information. The amendment proposed under SB 561 broadens this provision to grant consumers a private right of action if their rights under the CCPA are violated.

This could become very costly for businesses subject to the CCPA. A plaintiff suing under the CCPA can recover statutory damages in an amount not less than $100 and not greater than $750 per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. With the change under SB 561, violations of rights under the statute, such as rights to certain notifications or the right to have certain information deleted upon request, potentially could trigger statutory damages.

A similar cause of action exists under an Illinois privacy law that you might have heard about, the Illinois Biometric Information Privacy Act or “BIPA.” That provision has resulted in a flood of litigation, including putative class actions, seeking to recover statutory damages for plaintiffs who allege their biometric information has been collected and/or disclosed in violation of the statute.

According to reports, while Senator Jackson promised to work with stakeholders to address concerns about an expanded private right of action, the lawmaker apparently is intent on maintaining the ability for consumers whose CCPA privacy rights are violated to sue, without having to rely on the Attorney General’s office to enforce the CCPA.

UPDATE: As discussed below, SB2134, as introduced, would have amended BIPA to delete the language that creates a private right of action and provide, instead, that violations resulting from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes would be subject to the enforcement authority of the Department of Labor. But, to survive, SB 2134 needed to be reported out of committee by March 28, 2019. That did not happen. Again, businesses should continue their efforts to comply with the requirements of BIPA.

Many businesses currently are defending a wave of class action lawsuits filed under the Illinois Biometric Information Privacy Act, popularly known as “BIPA.” The floodgates to litigation were opened earlier this year when the Illinois Supreme Court ruled that individuals need not allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act. Potential damages are substantial as the BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. The majority of BIPA suits have been brought as class actions seeking statutory damages on behalf of each individual affected, exposing businesses to potentially crushing damages.

In February, SB2134 was introduced and would amend BIPA to delete the language that creates a private right of action. If enacted, the amendment would provide, instead, that violations resulting from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes would be subject to the enforcement authority of the Department of Labor. The amendment would permit employees and former employees to file a complaint with the DOL, provided the complaint is filed within one year from the date of the violation. Violations of BIPA that constitute a violation of the Consumer Fraud and Deceptive Business Practices Act would be enforced by the Attorney General. If the amendment is enacted, the changes would be effective immediately. Of course, it is unclear what the effect would be for pending litigation.

We expect businesses will be watching developments concerning SB2134 closely, which is currently in committee. However, businesses should continue their efforts to comply with the requirements of BIPA, which do not appear to be included in the changes being proposed in SB2134.

As wearable and analytics technology continues to explode, professional sports leagues, such as the NFL, have aggressively pushed into this field. (See Bloomberg). NFL teams insert tiny chips into players’ shoulder pads to track different metrics of their game. During the 2018-2019 NFL season, data was released that Ezekiel Elliott ran 21.27 miles per hour for a 44-yard run, his fastest of the season. The Dallas Cowboys are not alone, as all 32 teams throughout the league can access this chip data, which is collected via RFID tracking devices. Sports statistics geeks don’t stand a chance as this technology will track completion rates, double-team percentages, catches over expectation, and a myriad of other data points.

There are obvious questions and concerns about the use of this technology, and not just at the professional level. Wearables can be found at all levels of sports and athletic activities, including at colleges and high schools. At the professional level, the NFL is unique in that it allows teams to use the chip data during contract negotiations. However, players do not have full access to this information, unless specifically granted by individual teams. This is important since there is much debate over who truly owns this data. And, for a variety of reasons, players and athletes want to know where their information is stored, how it is stored, whether and how it might be used and disclosed, who has access to it, and what safeguards are in place to protect it. Major League Baseball and the Players Association added Attachment 56 to the 2017-2021 Collective Bargaining Agreement to address some of these concerns. But, again, these and other questions are not unique to professional ball players.

With devices ranging from wearable monitors to clothing and equipment with embedded sensors, professional teams, colleges and universities, local school districts, and other sports and athletic institutions, as well as the companies that provide the wearables, can now collect massive amounts of data such as an athlete’s heart rate, glucose level, breathing, gait, strain, or fatigue. On the surface, this data may relate to an athlete’s performance and overall wellness, which may be somewhat apparent to onlookers without the aid of the device. However, alone or aggregated, the data may reveal more sensitive personal information relating to the athlete’s identity, location, or health status, information that cannot be obtained just by closely observing the individual. When organizations collect, use, share, or store this data, it creates certain privacy and security risks and numerous international, federal, and state data protection laws may apply. Any sports or athletic organization that develops a wearable device program, or has reason to believe that these devices are being used by coaches and others to collect similar data, should be mindful of these risks and regulatory issues.

Below is a non-exhaustive list of some of these laws:

A few weeks back a company’s watch list containing nearly 2.5 million individuals and entities considered “high-risk” for its clients was mistakenly leaked to the public. A “high-risk” entity in this circumstance was one potentially linked to organized crime or terrorism. The leak resulted from an unsecured and incorrectly configured company database.

Typically in the news we hear of data breaches involving a leak of personal information including Social Security numbers, medical information or credit card numbers. Moreover, state data breach notification and reasonable safeguard laws generally create an affirmative obligation to protect against and respond to a data breach involving personal information. For example, under California data security law a business that owns, licenses or maintains personal information must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Similarly, under New Jersey data breach notification law, any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. The definition of personal information under state data breach notification and reasonable safeguard laws commonly includes the following types of data: (i) Social Security number; (ii) driver’s license number or state issued ID card number; or (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. Moreover, some states have broader definitions of personal information which can include other types of data such as biometric data, passport numbers or medical information. Note that this type of data is unlike the information involved in the “watch list” incident mentioned above.

Despite media and legislative focus on data breaches of personal information, there are other types of sensitive data that when breached can have a detrimental impact on an organization. An organization can face a data breach involving leaked confidential business information, trade secrets, organizational strategies or financial information, just to name a few. As a result it is important for an organization to have safeguards in place to protect any data it deems of value, whether personal information or otherwise, even if there is no affirmative obligation under the law to do so. Strong IT safeguards are part of the solution, but not a silver bullet. Administrative and physical safeguards also are needed, such as access management policies, awareness training, equipment inventory, and vendor assessment and management programs. No organization is immune to a data breach, and preparedness can make all the difference in both preventing a breach, and responding if one does occur.

Below are a few of our helpful resources for preventing and responding to a data breach:


Yesterday, the U.S. Supreme Court rejected a petition for a writ of certiorari by Zappos requesting the Court to review a Ninth Circuit Court decision which allowed customers affected by a data breach to proceed with a lawsuit on grounds of vulnerability to fraud and identity theft. The ruling stems from a 2012 breach that affected over 24 million Zappos customers, in which hackers accessed customers’ names, account numbers, passwords, email addresses, billing and shipping addresses, phone numbers, and the last four digits of their credit card numbers.

In March of 2018, the Ninth Circuit Court reversed a decision by the United States District Court for the District of Nevada that tossed claims brought by customers affected by the data breach who claimed that the breach left them in “imminent” risk, because they did not allege having already suffered financial losses. A three-judge Ninth Circuit panel held that sensitivity of the information stolen in the breach — including credit card numbers and other means to commit fraud or theft — led them to conclude the customers had adequately alleged an injury. “Plaintiffs allege that the type of information accessed in the Zappos breach can be used to commit identity theft, including by placing them at higher risk of ‘phishing’ and ‘pharming,’ which are ways for hackers to exploit information they already have to get even more PII,” the panel wrote.

Businesses facing class action litigation following a data breach have long waited for the Supreme Court to weigh in on the issue of whether a demonstration of actual harm is required to have standing to sue. Federal circuit courts over the past few years have struggled with this issue, in large part due to lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury. For example, the 3rd, 6th, 7th, 9th, and D.C. Circuits have generally found standing, while the 1st, 2nd, 4th, and 8th Circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm”.

In its appeal to the Supreme Court, Zappos argued that “the factual scenario this case presents – a database holding customers’ personal information is accessed, but virtually no identity theft or fraud results – is an increasingly common one”. The rejection by the Supreme Court of the Zappos petition is considered a setback for companies facing similar litigation. Moreover, the California Consumer Privacy Act, set to take effect in 2020, authorizes a private cause of action against a covered business for damages resulting from a failure to implement appropriate security safeguards which results in a data breach, and the Illinois Supreme Court recently held that actual harm was not required to sue under the Illinois Biometric Information Privacy Act (“BIPA”). The Supreme Court did not provide a reason for its denial of the Zappos petition; nonetheless, its decision, coupled with these state initiatives, is likely to have a significant impact on data breach class action lawsuits going forward.

Add Washington D.C. Attorney General Karl A. Racine’s recent data security legislative proposal – the Security Breach Protection Amendment Act of 2019 – to the growing list of states and jurisdictions across the country seeking to strengthen privacy and security protections around personal information.

Proposed in response to major data breaches, a frequent catalyst to stronger data privacy and security legislation, AG Racine’s bill would expand legal protections concerning personal information to help prevent and enhance the response to a data breach. Specifically, the bill would:

  1. like legislation being considered in New Jersey, expand the definition of personal information that, if breached, would require notification. However, if passed, the definition of personal information in D.C. would be much broader than in New Jersey and many other states, and would include passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles, and health insurance information;
  2. require businesses that experience a data breach to include specific information in the notifications to affected persons, such as (i) the categories of information that were, or are believed to have been, involved in the breach, (ii) contact information for the person making the notification, as well as for the credit reporting agencies, the FTC, and the D.C. Attorney General, and (iii) the right under federal law to obtain a security freeze at no cost and how to obtain such a freeze; and
  3. require businesses to offer two years of free identity theft protection when a breach involves Social Security numbers. Washington D.C. would join states such as Connecticut, Delaware, and, as of April, Massachusetts, in requiring that such services be provided following certain breaches.

The bill also would require businesses that handle personal information to implement reasonable safeguards to protect that data. Additionally, a business that obtains services from a nonaffiliated third party and discloses a D.C. resident’s personal information to that third party under an agreement must contractually require the third party to safeguard that information. Again, these changes would put D.C. in the company of other states such as California, Colorado, and Massachusetts.

The legislative screws continue to tighten around data privacy and security.

The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, is considered the most expansive state privacy law in the United States. Organizations familiar with the European Union’s General Data Protection Regulation (GDPR), which became effective on May 25, 2018, will certainly understand the CCPA’s implications. Perhaps the best known comprehensive privacy and security regime globally, the GDPR consolidated and expanded the EU’s prior data protection directive and granted individuals certain rights with respect to their personal data. The CCPA appears to have spurred a flood of similar legislative proposals at the state level.

Since the start of 2019, at least six state legislatures have already introduced privacy bills modeled largely on the CCPA.   Below are some of the highlights of each state legislative proposal:

  • Hawaii – SB 418, introduced on January 24 by two Democratic senators, contains consumer rights and business requirements similar to those of the CCPA. The current bill text does not include a definition of “business”. Although this will likely be remedied, if left as is, the Hawaii bill would have a broader reach than the CCPA, which applies only to entities that do business in the state of California.
  • Maryland – SB0613, introduced on February 4 by Senator Susan Lee (D), includes consumer rights similar to those in the CCPA, but its right of deletion (popularly known as the “right to be forgotten”) is more extensive, as it limits the circumstances under which an organization can deny such a request. Also notable, the bill prohibits discrimination against a consumer for exercising his or her rights and prohibits offering financial incentives for the processing of personal information.
  • Massachusetts – SD.341, presented by Senator Cynthia Creem in early February, combines key aspects of the CCPA with aspects of Illinois’s Biometric Information Privacy Act (BIPA). The bill would give Massachusetts consumers a private right of action if their personal information or biometric information (treated separately in the bill) is improperly collected. Moreover, similar to the Illinois Supreme Court’s recent holding regarding BIPA, under the proposed bill Massachusetts consumers may not have to demonstrate actual harm to seek damages.
  • Mississippi – HB 2153, a house bill that was quickly killed, was the closest in structure to the CCPA, pulling language directly from the California law. Although the Mississippi bill did not succeed, it still signals how seriously state legislators across the U.S. are considering consumer privacy.
  • New Mexico – SB176, introduced on January 19 by Senator Michael Padilla (D), attempts to protect consumer privacy without stifling the “innovation and creativity” of companies. Although the language differs, key components of the CCPA are present in the New Mexico bill (e.g., the right of access, right of deletion, right to opt out, and a private right of action).

In addition to the CCPA-like proposals discussed above, other states are also considering their own approaches to enhancing consumer data privacy for their residents. For example, New York legislators recently introduced at least four different consumer privacy bills, including one on biometric privacy (SB 547) and another that would regulate businesses’ collection and disclosure of personal information (S00224).  And in mid-January, several North Dakota legislators introduced a consumer privacy bill, HB 1485, focused exclusively on prohibiting the disclosure of an individual’s personal information without “express written consent”.

Finally, in January a group of senators in Washington State introduced the “Washington Privacy Act,” SB 5376 (WPA). That bill would establish more GDPR-like requirements for businesses that collect personal information about Washington residents. In addition to notice requirements and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on the use of automated profiling and facial recognition.

This state-level activity could prompt Congress to move more quickly on one of its proposed bills, the latest being the Data Care Act, which would hold large tech companies, specifically “online service providers”, responsible for the protection of personal information. Much of the private sector, including the Internet Association, whose members include the leading tech companies, is pushing for a federal approach to consumer privacy to avoid the “patchwork of state laws” that has already arisen in the area of data breach notification.  Not even three months in, 2019 is already shaping up to be a busy year for consumer privacy law.