InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Wisconsin assembly passes comprehensive data privacy bill
On February 23, the Wisconsin assembly passed AB 957, which establishes requirements for controllers and processors of consumer personal data. An assembly amendment to the bill making various changes was adopted the same day. Highlights of the bill include:
- Applicability. The bill will apply to controllers (defined “as a person that, alone or jointly with others, determines the purpose and means of processing personal data”) that “control or process the personal data of at least 100,000 consumers or that control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data.” Personal data is defined as any information linked or reasonably linkable to an individual minus publicly available information. Certain entities are exempt from the bill’s requirements, including “governmental bodies, financial institutions subject to federal privacy disclosure requirements [including affiliates of financial institutions], certain entities subject to federal health privacy laws, nonprofits, and institutions of higher education.” Data collected, processed, and maintained in compliance with the Children’s Online Privacy Protection Act is also exempt.
- Consumer rights. Under the bill consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) make corrections; (iii) request deletion of their data; (iv) obtain a copy of their previously provided data; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, and certain forms of automated processing of their data. Controllers will be prohibited from taking discriminatory actions against consumers who exercise certain rights.
- Controllers’ responsibilities. Data controllers under the bill will be responsible for responding to consumers’ requests without undue delay, including if a controller declines to take action regarding a consumer’s request. Responses to consumers’ requests must be provided free of charge once annually per consumer, and controllers will be required to establish an appeals process for denied requests, wherein “[w]ithin 60 days of receiving an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for its decisions. If the appeal is denied, the controller must provide the consumer with a method through which the consumer can contact the attorney general to submit a complaint.” The bill will also require controllers to disclose certain information regarding data collection and sharing practices to consumers, as well as how consumers may exercise their rights under the bill. Controllers will also be prohibited from collecting or processing personal data for purposes not relevant to or reasonably necessary for the purposes disclosed in the privacy notice.
- Data processing contracts. The bill requires controllers to enter into data processing contracts with data processors and “requires controllers to conduct data protection assessments related to certain activities, including processing personal data for targeted advertising, selling personal data, processing personal data for profiling purposes, and processing sensitive data, as defined in the bill.” The state attorney general may also request controllers to disclose any data protection assessments relevant to an investigation.
- Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law and seek forfeiture of up to $7,500 per violation. The attorney general may also recover reasonable investigation and litigation expenses. The bill further “prohibits cities, villages, towns, and counties from enacting or enforcing ordinances that regulate the collection, processing, or sale of personal data.”
- Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the controller or processor written notice. The controller or processor then has 30 days to cure the alleged violation before the attorney general can file suit.
If enacted in its current form, the bill would take effect January 1, 2024. The bill still needs to be approved by the state senate and any differences reconciled before the measure can be sent to the governor.
Virginia Consumer Data Protection Act Work Group issues final report
Recently, the Virginia Consumer Data Protection Act Work Group (Work Group) released its final report addressing several privacy topics related to enforcement, definitions and rulemaking authority, and consumer rights and education. The Virginia Consumer Data Protection Act (VCDPA), enacted in March and covered by InfoBytes here, created the Work Group to study findings, best practices, and recommendations before the VCDPA’s January 1, 2023 effective date. The report summarizes information that arose during six Work Group meetings held this year, including the following:
- Establishing an education initiative led by leadership outside of the Office of Attorney General (OAG) to help small to medium-sized businesses comply with the VCDPA.
- Allowing the OAG to pursue actual damages, should they exist, based on consumer harm.
- Employing an “ability to cure” option for violations where a potential cure is possible.
- Authorizing consumers to assert, and requiring companies to honor, a global opt-out setting as a single-step for consumers to opt-out of data collection.
- Sunsetting the “right to cure” provision following the first few years after the VCDPA’s enactment to prevent companies from exploiting the provision.
- Amending “‘the right to delete’ provision to be a ‘right to opt out of sale’ in order to promote compliance and restrict further dissemination of consumer personal data.”
- Studying specific data privacy protections for children.
- Encouraging the development of third-party software and browser extensions to enable users to universally opt out of data collection instead of opting out on each website.
- Recruiting nonprofit consumer and privacy organizations to address concerns related to the VCDPA’s definitions of “sale,” “personal data,” and “publicly available information,” and whether general demographic data used when promoting diversity and outreach to underserved populations should be included in the definition of “sensitive personal information.”
- Creating an education website containing information about consumers’ rights under the VCDPA. Additionally, the website could provide guidance for smaller businesses seeking to comply with the VCDPA, including sample data protection forms.
- Directing an agency to promulgate regulations because the VCDPA does not currently grant the OAG such authority.
The Work Group’s recommendations will be presented during the upcoming legislative session.
Illinois enacts the Protecting Household Privacy Act
Earlier this year, the Illinois governor signed HB 2553 to create the Protecting Household Privacy Act. Among other things, the act specifies when state law enforcement agencies may acquire and use data from household electronic devices. The act defines “household electronic data” as information or input provided by a person to a household electronic device that is capable of facilitating electronic communications. (A “household electronic device” excludes personal computing devices and digital gateway devices.) The act generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.” Exceptions to this prohibition include when a law enforcement agency first obtains a warrant, an emergency situation arises, or the owner of the household electronic device lawfully consents to the acquisition of the data. The act also states that it shall not “be construed to require a person or entity to provide household electronic data to a law enforcement agency,” except as provided under certain provisions outlined in Section 15. The act further requires entities disclosing household electronic data to “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.” Additionally, the act outlines information retention limits, which provide, among other things, that if a law enforcement agency obtains household electronic data and does not file criminal charges, it must destroy the data within 60 days unless subject to certain circumstances. The act is effective January 1, 2022.
California clarifies CPRA rulemaking authority timing
On October 5, the California governor signed AB 694. The bill clarifies that the California Privacy Protection Agency (which was given “full administrative power, authority, and jurisdiction to implement and enforce the [California Consumer Privacy Act]”) would assume responsibility for rulemaking “on or after the later of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking.” A previously covered by InfoBytes, last month the CPPA formally called on stakeholders to provide preliminary comments on proposed Consumer Privacy Rights Act rulemaking. However, the CPPA noted that the invitation for comments is not a proposed rulemaking action and stated that the public will have additional opportunities to provide comments on proposed regulations or modifications when it proceeds with a notice of proposed rulemaking action.
California expands consumer privacy rights to include genetic data
On October 6, the California governor signed SB 41, which requires direct-to-consumer genetic testing companies to provide consumers with information about the collection, use, maintenance, and disclosure of genetic data. Under the Genetic Information Privacy Act (GIPA), companies are required to honor a consumer’s revocation of consent and destroy a consumer’s biological sample within 30 days after the consent has been revoked. Companies must also obtain a consumer’s express consent for collection, use, or disclosure of an individual’s genetic data. GIPA also requires companies to comply with all applicable federal and state laws for disclosing genetic data without a consumer’s express consent, and companies must “implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified.” Violations of the law may result in civil penalties ranging from $1,000 to $10,000. Exempt from GIPA’s provisions is medical information governed by the Confidentiality of Medical Information Act, or medical information collected and used by business associates of a covered entity governed by the privacy, security, and data breach notification rules issued by the U.S. Department of Health and Human Services.
Earlier on October 5, the governor also signed AB 825, which expands the definition of “personal information” to include genetic data, regardless of its format. Under existing law, any agency that owns or licenses computerized data that includes personal information is required to immediately disclose a security breach upon discovery to California residents who may have been impacted. Agencies are also required to implement and maintain reasonable security procedures and practices.
Both bills take effect January 1, 2022.
Special Alert: Colorado enacts comprehensive consumer privacy law
On July 7, the Colorado governor signed SB 21-190 to create the Colorado Privacy Act (CPA) and establish a framework for personal data privacy rights. Colorado now joins Virginia and California as the third state in the nation to enact comprehensive consumer privacy laws. In 2018, California became the first state to put in place significant consumer data privacy measures under the California Consumer Privacy Act (covered by a Buckley Special Alert), and earlier this year in March, Virginia enacted the Consumer Data Protection Act (covered by InfoBytes here).
Highlights of the CPA include:
Connecticut amends data security breach provisions
On June 16, the Connecticut governor signed H.B. 5310 to establish new data breach notification requirements related to state residents. Among other things, the act updates the definition of “personal information” to also include (i) taxpayer identification numbers; (ii) IRS identity protection personal identification numbers; (iii) passport and military identification numbers, as well as other government-issued identification numbers; (iv) medical information; (v) health insurance policy numbers or other identifiers used by health insurers; (vi) biometric information; and (vii) user names or email addresses combined with passwords or security questions and answers used to access an individual’s online account.
The act also requires businesses to notify residents whose personal information was breached or reasonably believed to have been breached within 60 days instead of 90 days after the discovery of the breach. Should a business identify additional affected residents after 60 days, it is required to provide notice as expediently as possible. Additionally, in the event that a resident’s login credentials are breached, a business may provide notice in electronic form (or another form) that directs the individual to take appropriate measures to protect the affected online account and all other online accounts. Businesses that furnish email accounts are also required to either verify that the affected individual received the data breach notice or provide notification through another method. The act also adds provisions related to compliance with privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, and specifies that information provided in response to an investigative demand connected to a data breach will be exempt from public disclosure, but the attorney general may make the information available to third parties in furtherance of the investigation. The act takes effect October 1.
Nevada updates consumer privacy framework
On June 2, the Nevada governor signed SB 260, which revises certain provisions under the state’s existing privacy law. Among other things, the act (i) adds “data broker” to the existing privacy framework; (ii) exempts certain persons and information collected about a consumer in the state from requirements imposed on operators, data brokers, and covered information, including consumer reporting agencies, personally identifying information regulated by the FCRA or the federal Driver’s Privacy Protection Act, information collected for the purposes of fraud information, publicly available information, and financial institutions; (iii) prohibits a data broker from selling covered information collected about a consumer in the state if so directed by the consumer, and revises provisions related to the sale of certain covered information about a consumer; (iv) requires data brokers to respond to a consumer’s verified request within 60 days after receipt (a data broker may extend this period by no more than 30 days if an extension is determined to be reasonably necessary); (v) provides data brokers and operators 30 days to remedy violations of the opt-out requirement (provided they have not previously failed to comply with the opt-out requirements); and (vi) updates the definition of “sale” to include “the exchange of covered information for monetary consideration by an operator or data broker to another person.” While existing law already provides the Nevada attorney general with the authority to seek injunctive relief and impose civil penalties of no more than $5,000 per violation, the act extends this authority to cover data brokers. Additionally, the act explicitly does not provide for a private right of action against operators. The act takes effect October 1.
Virginia enacts comprehensive consumer data privacy framework
On March 2, the Virginia governor enacted the Consumer Data Protection Act (VCDPA), which establishes a framework for controlling and processing consumers’ personal data in the Commonwealth. Virginia is now the second state in the nation to enact a comprehensive consumer privacy law. In 2018, California became the first state to put in place significant consumer data privacy measures (covered by a Buckley Special Alert). As previously covered by InfoBytes, under the VCDPA, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” The VCDPA also outlines controller responsibilities, including a requirement that, among other things, controllers must enter into data processing agreements with data processors that outline instructions for processing personal data and require the deletion or return of personal data once a service is concluded. While the VCDPA explicitly prohibits a private right of action, it does grant the state attorney general excusive authority to enforce the law and seek penalties of no more than $7,500 per violation. Additionally, upon discovering a potential violation of the VCDPA, the attorney general must give the data controller written notice and allow the data controller 30 days to cure the alleged violation before the attorney general can file suit. The VCDPA takes effect January 1, 2023.
Florida legislature introduces comprehensive privacy bill
On February 15, the Florida legislature filed HB 969, which would, among other things, regulate the sale and sharing of consumers’ personal data. Highlights of the bill include:
- Applicability. The bill will apply to for profit businesses that do business in the state, collect consumers’ personal information (“or is the entity on behalf of which such information is collected”), and (i) have global annual gross revenues exceeding $25 million; (ii) annually buy, receive, sell, or share for commercial purposes, personal information of at least 50,000 consumers, households, or devices; or (iii) derive 50 percent or more of its gross revenue from the sale of personal information. Notably, data governed by certain federal regulations and specified protected health information are exempt from coverage.
- Consumer rights. Under the bill consumers will be able to, among other things, access their personal data; have available at least two methods for requesting personal information free of charge within a certain timeframe; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of third-party disclosure of their personal information collected by businesses. Businesses will also be prohibited from selling or disclosing the personal information of minor consumers, except in certain circumstances, and will be prohibited from taking certain discriminatory actions against consumers who exercise certain rights. Additionally, the bill will provide that contracts or agreements that waive or limit certain consumer rights are void and unenforceable.
- Disclosures. The bill will require businesses that collect consumers’ personal data to disclose certain information regarding data collection and selling practices to consumers at or before the point of collection. This information “may be provided through a general privacy policy or through a notice informing the consumer that additional specific information will be provided upon a certain request.” Businesses will also be prohibited from collecting or using additional categories of personal information without first notifying consumers.
- Security. Under the bill, businesses will be required “to implement reasonable security procedures and practices” to protect consumers’ personal information. The definition of “personal information” will also be revised “to include additional specified information to data breach reporting requirements.”
- Private cause of action. The bill will provide “a private right of action for consumers whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access,” and will allow consumers to bring a civil action for injunctive or declaratory relief, as well as damages that must be at least $100 but not more than $750 per consumer per incident or actual damages, whichever is greater. The Department of Legal Affairs is also authorized to seek civil penalties of no more than $2,500 for each unintentional violation or $7,500 for each intentional violation. However, fines may be tripled if a violation involves consumers 16 years of age or younger.
- Right to cure. Upon notification of any alleged violation of the law, businesses have 30 days to cure the alleged violation.
If enacted in its current form, the bill would take effect January 1, 2022. Florida is just one of several states that have recently introduced or advanced privacy legislation (continuing InfoBytes coverage available here).