Insight

More US States Explore Privacy Protection Regulation

The eData Guide to GDPR

June 03, 2019

On the first anniversary of the European Union’s General Data Protection Regulation (GDPR), the United States is seeing a wave of state legislatures similarly considering laws to regulate the use of personal data. This installment of The eData Guide to GDPR recaps the current legislative activity across the United States.

Washington

The proposed Washington state data privacy law failed to pass the state’s House of Representatives Appropriations Committee before the end of the legislative session and therefore will not go into effect as planned.

Senate Bill 5376, titled the “Washington Privacy Act,”[1] had been compared to California’s Consumer Privacy Act (CCPA) and Europe’s GDPR[2] in both its identification of privacy rights and requirement for protection of those rights. The Washington bill had passed the State Senate with a nearly unanimous vote in March, but was met with opposition in the House by privacy advocacy groups and technology companies resident in the state. Advocacy groups, including the American Civil Liberties Union (ACLU), WashPIRG, and the Center for Democracy & Technology opposed the proposed law, suggesting that it did not go far enough to protect private information, such as facial recognition technology, and did not provide sufficient deterrence for violation of those rights[3].

As written when it passed the State Senate, the privacy law would have applied to legal entities that conducted business in Washington that

  1. controlled or processed data of 100,000 or more consumers; or
  2. derived 50% of gross revenue from the sale of personal information and process; or
  3. controlled personal information of 25,000 or more consumers.

Data controllers would have been obligated to confirm and provide access to personal data, correct any inaccurate consumer personal data, and delete the data if certain grounds applied. Controllers would have also been required to restrict processing under certain conditions, such as if the consumer contested the accuracy of the personal data. The law called for civil penalties of not more than $2,500 for each violation or $7,500 for each intentional violation[4].

In relation to facial recognition, the original bill contained language meant to “weed out programs which have high error rates” and would have required law enforcement agencies to obtain a court order or warrant before using the technology.[5]

After the bill failed to come to a vote before the deadline, Democratic Senator Reuven Carlyle (the bill’s sponsor) said he remained committed to the passing of the law and would try again in the 2020 legislative session.[6]

Although Washington’s law has stalled, companies that handle personal data in the United States should be aware that many other states have data privacy bills in various stages of the legislative process. Many of these proposed laws use the GDPR and the CCPA as templates for privacy protection.

Hawaii, Massachusetts, and Rhode Island

Hawaii has a bill pending in its Senate that would require certain businesses to disclose the categories of data they have collected about consumers, and to delete certain personal identifying information upon request (although, as currently written, the bill does not contain any penalties for noncompliance)[7]. Similar bills are also up for votes in Massachusetts[8] and Rhode Island.[9]

New Jersey and New York

New Jersey’s State Assembly is also considering a bill that would require commercial websites and online services to notify customers of collection and disclosure of personally identifiable information and would allow customers to opt out of collection.[10] New York’s State Assembly is a considering a bill that would restrict the disclosure of personal information by businesses.[11]

Maryland

Maryland has a bill pending in its Senate that would require certain businesses to provide notices to consumers when collecting their data, and would allow consumers to request information about the type of personal information collected.[12]

Mississippi and New Mexico

Similar data protection bills have not been as successful in becoming law. Mississippi introduced a comprehensive data protection bill earlier this year that was very similar to the California’s CCPA, but that bill quickly died in committee[13]. A data protection bill that would have granted citizens the “right-to-know”– and the “right-to-be-forgotten”–type protections was introduced earlier this year in New Mexico’s State Senate, but has since been postponed indefinitely[14].

With the failure of Washington’s privacy law, California still leads the way in data protection in the United States. Although the US Congress is reviewing several proposals for a federated data protection regulation, it is unclear if there will be any agreed upon law anytime soon. In the meantime, businesses operating in the United States will likely have to comply with a patchwork of data privacy laws among various states that have taken the initiative to provide their constituents with privacy rights.

Contacts

If you have any questions or would like more information on the issues discussed in this installment of The eData Guide to GDPR, please contact any of the following Morgan Lewis lawyers:

Philadelphia
Tess Blair
Vincent M. Catanzaro
Sarah Moran



 

[1] Senate Bill 5376, State of Washington, 66th Legislature, 2019 Regular Session.

[2] Washington State Office of Privacy & Data Protection Chief Privacy Officer Testifies in Senate on Privacy Bill.

[3] Letter to Washington State House Innovation, Technology & Economic Development Committee.

[4] Senate Bill 5376, State of Washington, 66th Legislature, 2019 Regular Session.

[5] Washington State Office of Privacy & Data Protection Chief Privacy Officer Testifies in Senate on Privacy Bill.

[6] @Reuvencarlyle, Twitter (April 17, 2019, 8:23 pm.)

[7] State of Hawaii Senate Bill No. 418, 30th Legislature (Hawaii, 2019)

[8] An Act Relative to Consumer Data Privacy, B S.120, 191st General Court (Massachusetts, 2019)

[9] Consumer Privacy Protection Act, S 0234, (Rhode Island, 2019)

[10] New Jersey State Assembly Bill No. 4902, 218th Legislature (New Jersey, 2019)

[11]New York State Assembly Bill, S00224, 224th Legislature (New York, 2019)

[12] Maryland State Senate Bill, Senate Bill 613 (Maryland, 2019)

[13] Mississippi House Bill 1253, MS HB1253, (Mississippi, 2019)

[14] New Mexico Senate Bill 176, NM SB176, (New Mexico 2019)