Public Policy Alert
May.10.2019
In the wake of the passage of the EU's General Data Protection Rule (GDPR) and the California Consumer Privacy Act (CCPA), state policymakers throughout the U.S. are focusing their attention on consumer privacy in the digital age. Orrick's State Attorney General team is pleased to provide regular analysis of legislative and regulatory developments around the country – in addition to insights into associated compliance challenges – as these policy proposals become law.
Federal Legislation: Though privacy proposals abound in both houses of Congress, the effort garnering the most attention as a viable legislative vehicle is a proposal under development by Senators Blumenthal (D-CT), Cantwell (D-WA), Moran (R-KS), Wicker (R-MS), Schatz (D-HI) and Thune (R-SD). Their proposal, with a hoped-for release date before the end of May, is expected to see a codification of the substantive rights provided to consumers in the CCPA, like the right to access or delete one's data and "opt-out" from its disclosure to third parties, in exchange for no private right of action being provided and, potentially, some level of federal preemption of state law. There is also general agreement that the FTC, as the de facto federal regulator of consumer privacy to date, should have its role in addressing such concerns affirmed and codified. The exact scope of the FTC's enforcement authority under this new law remains an open question, with some calling for personal liability for executives and others seeking civil penalty authority even in the case of first-time offenses.
Yesterday, Wednesday, a high-profile hearing in the House Energy & Commerce committee took place in which all five FTC commissioners appeared. That hearing, entitled "Oversight of the Federal Trade Commission: Strengthening Protections for Americans' Privacy and Data Security," involved the commissioners providing – explicitly – their visions for what a national U.S. digital privacy framework should entail.
Federal Trade Commission: Even in the absence of specifically granted congressional authority, the FTC's attention to consumer privacy is shaping its enforcement priorities and approach. The FTC's Enforcement Division last week signaled that, at the behest of Commissioner Chopra, long a champion of personal liability for corporate executives, the Commission would consciously begin looking into the conduct of employees as it undertakes actions against business entities. The Enforcement Division also confirmed last week that it would entertain actions against firms for Section 5 "unfairness" violations for poor data security even in the absence of a breach.
Based on testimony heard during last week's meeting, the FTC staff overseeing the event later suggested that there was consensus on a number of fronts regarding necessary developments in the context of privacy policy. Specifically, they include:
California: The Golden State's Assembly and Senate have divergent visions for the future of the CCPA. The Assembly has moved to curb CCPA's scope, while the Senate has moved to expand it. Each chamber recently moved legislation to advance its vision, with all bills now progressing to the appropriations committees of each chamber (where many are to be heard this week).
Specifically, the Assembly Committee on Privacy and Consumer Protection passed a battery of bills designed to make the CCPA more practicable, if not weaker. Of note are three bills – AB 873 (Irwin), which narrows the definition of "personal information" by removing an impractical de-identification standard; AB 846 (Burke), allowing for the continuation of customer loyalty programs; and AB 25 (Chau), permitting employers to retain information about employees that would otherwise be prohibited by the CCPA. Further, the committee's chairman, Asm. Chau, who was the sponsor of the legislative vehicle that became the CCPA, used recently granted authority (Rule 56.1) to scuttle AB 1760 (Wicks) – a bill that would have substantially expanded the scope of the CCPA by moving the Act to an "opt-in" framework and adding a private right of action.
By contrast, the Senate Judiciary Committee passed Sen. Hannah-Beth Jackson's SB 561. This bill, backed by Attorney General Becerra, would remove a firm's ability to remediate reported CCPA violations and create a broader private right of action. It would, in short, significantly expand the CCPA's enforcement scheme by providing any California consumer, whose "rights under this title are violated," a private right of action.
Based on the conflicting visions of local legislators, those following the process should expect pushback from opposite chambers once the bills "cross over" from their house of origin. The prospect of limited legislative relief makes it even more important for firms with a stake in the as-applied posture of the CCPA to actively engage in the Attorney General's rulemaking process to ensure that industry-specific concerns are considered and addressed before the law is enforced.
Other States: While the majority of state legislative sessions are wrapping up, active bills that seek to replicate the CCPA remain in play around the nation (see Figure 1: States with Comprehensive Privacy Laws and Bills). Though to date none of these bills has become law, their existence is a meaningful indicator of the salience of the issue of consumer privacy. What's more, conspicuously, not all of the CCPA-esque legislation moving in state legislatures is failing because it is too onerous for businesses. For instance, in Washington, after passing the Senate 46-1, died in the House after amendment as some consumer groups decried the bill as insufficiently onerous.
Also of note, Maine last week held a hearing on LD 946 – to enact data privacy requirements for broadband internet providers. While not as broad in scope as the CCPA, the legislation includes a troubling "opt-in" provision whereby broadband providers must actively solicit consumer consent before engaging with certain types of information. Such legislation is particularly problematic when considered in the context of an environment in which CCPA clones and similar – but not identical – laws are passed nationwide. This situation would not so much create a "patchwork" of requirements, but rather a "layer cake" in which affected firms would be subject to inconsistent and, perhaps, mutually exclusive general and sector/industry-specific requirements.
Civil Society Activity: As federal and state attention has turned to consumer privacy policy, so too have third-party commentary and advocacy efforts. Last week, "Fight for the Future" announced the creation of a coalition to oppose federal privacy preemption (here). This is the first coalition that is actively soliciting grassroots engagement around the issue and should not be taken lightly. In 2012, "Fight for the Future" organized an internet-changing strike against SOPA and PIPA.
State | Statute/Bill |
California (Passed law) | Ca. Civ. Code §§ 1798.100 - .199 “California Consumer Privacy Act” |
Connecticut | RB 1108 |
Hawaii | SB 418 |
Illinois | HB 3358 “Data Transparency and Privacy Act” |
Maine | LD 946 |
Maryland | SB 613 “Online Consumer Protection Act” |
Massachusetts | SD 341/S 120 |
Nevada (Passed law) | Chapter 603A |
Nevada | SB 220 |
New Jersey | S2834 |
New Mexico | SB 176 “Consumer Information Privacy Act” |
New York | S224 “Right to Know Act of 2019” |
New York | SB S8641 |
North Dakota | HB 1485 |
Rhode Island | S0234 “Consumer Privacy Protection Act” |
Texas | HB 4518 “Texas Consumer Privacy Act” |
Texas | HB 4390 “Texas Privacy Protection Act” |
Washington | SB 5376 “Washington Privacy Act” |