On the first anniversary of the European Union’s General Data Protection Regulation (GDPR), the United States is seeing a wave of state legislatures similarly considering laws to regulate the use of personal data. This installment of The eData Guide to GDPR recaps the current legislative activity across the United States.
The proposed Washington state data privacy law failed to pass the state’s House of Representatives Appropriations Committee before the end of the legislative session and therefore will not go into effect as planned.
Senate Bill 5376, titled the “Washington Privacy Act,” had been compared to California’s Consumer Privacy Act (CCPA) and Europe’s GDPR in both its identification of privacy rights and requirement for protection of those rights. The Washington bill had passed the State Senate with a nearly unanimous vote in March, but was met with opposition in the House by privacy advocacy groups and technology companies resident in the state. Advocacy groups, including the American Civil Liberties Union (ACLU), WashPIRG, and the Center for Democracy & Technology opposed the proposed law, suggesting that it did not go far enough to protect private information, such as facial recognition technology, and did not provide sufficient deterrence for violation of those rights.
As written when it passed the State Senate, the privacy law would have applied to legal entities that conducted business in Washington that
Data controllers would have been obligated to confirm and provide access to personal data, correct any inaccurate consumer personal data, and delete the data if certain grounds applied. Controllers would have also been required to restrict processing under certain conditions, such as if the consumer contested the accuracy of the personal data. The law called for civil penalties of not more than $2,500 for each violation or $7,500 for each intentional violation.
In relation to facial recognition, the original bill contained language meant to “weed out programs which have high error rates” and would have required law enforcement agencies to obtain a court order or warrant before using the technology.
After the bill failed to come to a vote before the deadline, Democratic Senator Reuven Carlyle (the bill’s sponsor) said he remained committed to the passing of the law and would try again in the 2020 legislative session.
Although Washington’s law has stalled, companies that handle personal data in the United States should be aware that many other states have data privacy bills in various stages of the legislative process. Many of these proposed laws use the GDPR and the CCPA as templates for privacy protection.
Hawaii has a bill pending in its Senate that would require certain businesses to disclose the categories of data they have collected about consumers, and to delete certain personal identifying information upon request (although, as currently written, the bill does not contain any penalties for noncompliance). Similar bills are also up for votes in Massachusetts and Rhode Island.
New Jersey’s State Assembly is also considering a bill that would require commercial websites and online services to notify customers of collection and disclosure of personally identifiable information and would allow customers to opt out of collection. New York’s State Assembly is considering a bill that would restrict the disclosure of personal information by businesses.
Maryland has a bill pending in its Senate that would require certain businesses to provide notices to consumers when collecting their data, and would allow consumers to request information about the type of personal information collected.
Similar data protection bills have not been as successful in becoming law. Mississippi introduced a comprehensive data protection bill earlier this year that was very similar to California’s CCPA, but that bill quickly died in committee. A data protection bill that would have granted citizens “right-to-know” and “right-to-be-forgotten” type protections was introduced earlier this year in New Mexico’s State Senate, but has since been postponed indefinitely.
With the failure of Washington’s privacy law, California still leads the way in data protection in the United States. Although the US Congress is reviewing several proposals for a federated data protection regulation, it is unclear if there will be any agreed-upon law anytime soon. In the meantime, businesses operating in the United States will likely have to comply with a patchwork of data privacy laws among various states that have taken the initiative to provide their constituents with privacy rights.
If you have any questions or would like more information on the issues discussed in this installment of, please contact any of the following Morgan Lewis lawyers: