
InfoBytes Blog

Financial Services Law Insights and Observations


  • Virginia legislature advances privacy bill

    State Issues

    Recently, the Virginia Senate and House advanced identical bills (see SB 1392 and HB 2307), which would establish a framework for controlling and processing consumers’ personal data in the Commonwealth. Highlights of the bill include:

    • Applicability. The bill will apply to “persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that (i) during a calendar year, control or process personal data of at least 100,000 consumers or (ii) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.” Notably, financial institutions, data governed by federal regulations, nonprofit organizations, and certain protected health information are exempt from coverage.
    • Consumers’ rights. Under the bill, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; and opt out of targeted advertising, sale of their data, or “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
    • Controllers’ responsibilities. Data controllers under the bill will be responsible for (i) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (ii) not processing data for reasons incompatible with the specified purpose; (iii) securing personal data from unauthorized access; (iv) not processing data in violation of state or federal anti-discrimination laws; (v) obtaining consumer consent in order to process sensitive data; (vi) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (vii) providing clear and meaningful privacy notices.
    • Data processing agreements/data protection assessments. The bill requires controllers to enter into data processing agreements with data processors that outline instructions for processing personal data and require the deletion or return of personal data once a service is concluded. Controllers must also conduct data protection assessments for all processing activities that involve targeted advertising, the sale of personal data, certain profiling activities, sensitive data, and any processing activities that present a heightened risk of harm to consumers.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law and seek penalties of no more than $7,500 per violation. The attorney general may also recover reasonable expenses, including attorney fees, for any initiated action.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general must give the data controller written notice. The data controller then has 30 days to cure the alleged violation before the attorney general can file suit.

    The two bills next move to a reconciliation process, and if passed and signed into law, the bill will take effect January 1, 2023.

  • New York introduces biometric privacy act

    State Issues

    On January 6, New York Assembly Bill A 27 was prefiled in the 2021-22 state legislative session, which would establish the Biometric Privacy Act and establish provisions regarding the retention, collection, disclosure and destruction of biometric identifiers or biometric information. Highlights of the bill include:

    • Private entities in possession of biometric identifiers or information will be required to develop a written public policy “establishing a retention schedule and guidelines for permanently destroying biometric identifiers and information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.” Further, unless a private entity possesses a valid warrant or court subpoena, it must comply with its established retention schedule and destruction guidelines.
    • Prior to obtaining a person’s biometric identifier or information, a private entity must inform the subject (or a subject’s legally authorized representative) in writing that the identifier or information is being collected or stored, the specific purpose and length of term for which it is being collected, stored, and used, and must receive a written release from the subject or legally authorized representative.
    • Private entities may not sell, lease, trade, or otherwise profit from a person’s biometric identifier or information.
    • Private entities may not disclose, redisclose, or otherwise disseminate such information unless (i) the subject provides consent; (ii) “the disclosure or redisclosure completes a financial transaction requested or authorized by the subject” or the subject’s legally authorized representative; or (iii) the information is required by a valid warrant or court subpoena.
    • Private entities must take measures to store, transmit, and protect all biometric identifiers and information from disclosure “using the reasonable standard of care within the private entity’s industry” and “in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.”
    • The bill provides a private right of action for any person aggrieved by the bill’s provisions, including damages of $5,000 or actual damages (whichever is greater), reasonable attorneys’ fees and costs, and other relief including injunctive relief as deemed appropriate.

    Notably, the New York Biometric Privacy Act is a close parallel to the Illinois Biometric Information Privacy Act, which was enacted in 2008.

  • Updated Washington State Privacy Act re-introduced

    State Issues

    On January 5, the Washington State Privacy Act, SB 5062, (referred to as “2021 WPA” or “bill”) was re-introduced for the 2021-22 state legislative session with some notable changes from the 2020 version. (InfoBytes coverage of the 2020 Washington Privacy Act, SB 6281, available here.) Highlights of the 2021 WPA include:

    • Applicability. The bill will apply to legal entities that conduct business or produce products or services that are targeted to Washington consumers that also (i) control or process personal data for at least 100,000 consumers; or (ii) derive more than 25 percent of gross revenue from the sale of personal data, in addition to processing or controlling the personal data of at least 25,000 consumers (the 2020 version included a 50 percent gross revenue threshold). State and local governments, municipal corporations, certain protected health information, personal data governed by state and federal regulations, and employment records continue to be exempt from coverage. Additionally, the bill adds nonprofit corporations, air carriers, and institutions of higher education to the exemption list.
    • Consumer rights. Consumers will be able to exercise the following rights concerning their personal data: access; correction; deletion; access in a portable format; and opt-out rights, including the right to opt out of the processing of personal data for targeted advertising and the sale of personal data.
    • Controller responsibilities. Controllers required to comply with the bill will be responsible for (i) transparency in a privacy notice; (ii) limiting the collection of data to what is required and relevant for a specified purpose; (iii) ensuring data is not processed for reasons incompatible with a specified purpose; (iv) securing personal data from unauthorized access; (v) prohibiting processing that violates state or federal laws prohibiting unlawful discrimination against consumers; (vi) obtaining consumer consent in order to process sensitive data; and (vii) ensuring contracts and agreements do not contain provisions that waive or limit a consumer’s rights. Controllers must also conduct data protection assessments for all processing activities that involve personal data. Notably, the 2021 WPA removes the requirement from the 2020 legislation that controllers conduct additional assessments each time a processing change occurs that materially increases the risk to consumers.
    • State attorney general. The bill explicitly precludes a private right of action but permits the state attorney general to bring actions and impose penalties of no more than $7,500 per violation. The bill removes the 2020 requirement that the AG submit a report evaluating the liability and enforcement provisions by 2022, but requires the AG to work in concert with the state’s office of privacy and data protection on a technology review report to be submitted to the governor by December 2022.
    • Right to cure. The bill includes a new 30-day right to cure any alleged violation after a warning letter is sent by the AG identifying the specific provisions believed to have been violated.
    • Preemption. Similar to the 2020 WPA, the bill would preempt local laws, ordinances, and regulations, but includes an exception for any laws, ordinances or regulations “regarding the processing of personal data by controllers or processors” that were adopted prior to July 1, 2020.

  • Court grants preliminary approval of CCPA class action settlement

    Courts

    On December 29, the U.S. District Court for the Northern District of California granted preliminary approval of a proposed settlement in a class action alleging a children’s clothing company and cloud technology service provider (collectively, “defendants”) violated, among other things, the California Consumer Privacy Act (CCPA) after suffering a data breach and potentially exposing customers’ personal information (PII) used to purchase products from the company’s website. After the company issued a notice of the security incident in January 2020, the plaintiffs filed the class action alleging the company failed to (i) “adequately protect its users’ PII”; (ii) “warn users of its inadequate information security practices”; and (iii) “effectively monitor [the company]’s website and ecommerce platform for security vulnerabilities and incidents.”

    After mediation, the plaintiffs filed an unopposed motion for preliminary approval of class action settlement, which provides for a $400,000 settlement fund to cover approximately 200,000 class members who made purchases through the company’s website from September 16, 2019 to November 11, 2019. Class members have the option of claiming a cash payment of up to $500 for a Basic Award or of up to $5,000 for a Reimbursement Award, with amounts increasing or decreasing pro rata based on the number of claimants. Additionally, the company agreed to certain business practice changes, including conducting a risk assessment of its data assets and environment and enabling multi-factor authentication for all cloud services accounts. When granting preliminary approval, the court concluded that the agreement does “not improperly grant preferential treatment to any individual or segment of the Settlement Class and fall[s] within the range of possible approval as fair, reasonable, and adequate.”

  • Certain business and employment CCPA exemptions extended to 2022

    State Issues

    On September 29, the California governor signed AB 1281, which extends certain exemptions under the California Consumer Privacy Act (CCPA) from January 1, 2021 to January 1, 2022. As previously covered by InfoBytes, the CCPA—enacted in June 2018 (covered by a Buckley Special Alert) and amended several times—became effective January 1, and provides consumers several rights regarding their personal information that is held by a business. Specifically, the exemptions at issue in AB 1281 apply to “information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified.” The exemptions also apply to certain personal information used in communications or transactions between a business and a consumer if the “consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit, or government agency.” However, the act will only take effect if a ballot proposition does not pass during the November statewide general election.

  • Privacy initiative makes California ballot

    State Issues

    On June 24, the California Privacy Rights Act of 2020 (CPRA) ballot initiative was submitted to the California County Clerk’s office as an initiative qualified for the November 2020 General Election ballot after receiving more than the 623,212 valid signatures required to qualify. The initiative was drafted by Alastair Mactaggart, the Founder and Chair of the Californians for Consumer Privacy, and would amend the CCPA in several significant ways. Notably, Mactaggart also drafted the initiative that ultimately resulted in the California Consumer Privacy Act (CCPA). The ballot initiative would, among other things:

    • Provide consumers with the right to require a business to correct inaccurate personal information;
    • Revise the definition of “business” to: (i) clarify that the time period for calculating annual gross revenues is based on the prior calendar year; (ii) provide that an entity meets the definition of a “business” if the entity, in relevant part, alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households; (iii) include a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest; and (iv) include a person who does not otherwise qualify as a “business” but voluntarily certifies to the California Privacy Protection Agency (described below) that it is in compliance with, and agrees to be bound by, the CPRA;
    • Create the California Privacy Protection Agency, which would have the authority to implement and enforce the CCPA (powers that are currently vested in the attorney general). The agency would be governed by a five-member board, including a single Chair, with members being appointed by the governor, the attorney general, and the leaders of the senate and assembly; and
    • Expand on the CCPA’s opt-out provisions and prohibit businesses from selling a consumer’s “sensitive personal information”—a new term introduced by the initiative—without affirmative authorization.

    Additional details regarding the proposed changes are available in the September 2019 InfoBytes post announcing the initiative. Since originally filing the initiative in September 2019, Mactaggart has amended the initiative several times, without significant change.

  • D.C. enacts data breach requirements and consumer protections

    State Issues

    On March 26, the mayor of the District of Columbia signed Act 23-268 to expand data privacy and consumer protection measures. Among other things, the “Security Breach Protection Amendment Act of 2020” (i) expands the definition of personal information subject to the Act; (ii) specifies the required contents of a security breach notification and requires that written notice of a breach involving 50 or more District residents be provided to the District’s attorney general; (iii) specifies security requirements for the protection of personal information, including for nonaffiliated third-party service providers; (iv) requires consumers to be provided at least 18 months of no-cost identity theft prevention services for data breaches involving the release of a social security or tax identification number; and (v) stipulates that a violation of these requirements is considered an unfair or deceptive trade practice. The Act takes effect following a 30-day congressional review period and publication in the District of Columbia Register.

  • Vermont enacts data privacy and consumer protections

    State Issues

    On March 5, the Vermont governor signed SB 110 to expand data privacy and consumer protection measures in the state. Among other things, SB 110 (i) expands the definition of personally identifiable information (PII) subject to the Security Breach Notice Act to also include taxpayer identification numbers, passport numbers, military identification card numbers, other government-originated identification numbers “commonly used to verify identity for a commercial transaction,” unique biometric data, and health records; (ii) provides that if a data breach is limited to the unauthorized acquisition of login credentials, data collectors are only required to provide notice to the state attorney general or the Department of Financial Regulation “if the login credentials were acquired directly from the data collector or its agent”; (iii) establishes requirements to ensure consumers are provided notice of a data breach; (iv) adopts online privacy protections for students, including prohibitions on the use of targeted advertising and the sale or rent of student information, as well as responsibilities for operators of online services or mobile applications; and (v) requires that consumer contracts clearly disclose any automatic renewal provisions and allow consumers to easily terminate contracts. SB 110 takes effect July 1.

  • Four trade groups sue Maine over privacy law

    State Issues

    On February 14, four trade groups filed suit against Maine in the U.S. District Court for the District of Maine, alleging that a recently enacted state privacy law (covered by InfoBytes here) infringes the rights of Internet Service Providers (ISPs). The complaint claims that L.D. 946 “imposes unprecedented and unduly burdensome restrictions on ISPs’, and only ISPs’, protected speech,” and is “not remotely tailored to protecting consumer privacy.” Among other things, the trade groups claim that because the law only stifles the use of consumer data by ISPs and not by other similarly situated companies, it violates their First Amendment protected speech rights. The groups also argue that the Maine law is much stricter on ISPs than other state privacy laws, which “provide opt-out rights for most consumer data and reserve opt-in consent for a narrow subset of sensitive personal information,” whereas L.D. 946 uses an opt-in system. L.D. 946 also restricts the ISPs’ use of non-sensitive information that is not personally identifying and prohibits the ISPs from providing customer discounts or rewards programs to consumers who opt in to sharing information.

  • Maryland, Hawaii, and Virginia are latest states to introduce privacy legislation

    State Issues

    Recently, Maryland, Hawaii, and Virginia introduced privacy legislation designed to strengthen consumer access and control over personal data, joining efforts by Washington and New York to pass privacy bills containing provisions that differ from those in the California Consumer Privacy Act (CCPA), which took effect January 1. (See InfoBytes coverage on Washington here, New York here, and the CCPA here.)

    On January 17, Maryland introduced HB 249 to amend the state’s Commercial Law by adding a section titled “Consumer Personal Information Privacy.” Under the proposed bill, consumers would be provided the right to opt out of the disclosure of their personal information to third parties. HB 249 defines “disclosure” as “a transfer of a consumer’s personal information by a business to a third party, including selling, renting, releasing, disseminating, making available, transferring, or otherwise communicating by any means.” The bill clarifies that disclosure does not include (i) a transfer of personal information to a service provider by a business for an operational purpose; (ii) identification of a consumer who has opted out to alert third parties; and (iii) a transfer of personal information to a third party “as an asset that is part of a transaction in which the third party assumes control of all or part of the business.” The bill also stipulates requirements for businesses related to the consumer opt-out process, and states that a violation of the bill’s provisions would constitute an unfair or deceptive trade practice under Maryland’s Consumer Protection Act.

    The same day, SB 2451 was introduced in the Hawaii Senate to add a new section to Chapter 487J of the Hawaii Revised Statutes, which stipulates that third parties cannot use or sell personal information purchased from a business unless a consumer receives explicit notice, provides express written consent, and chooses not to opt out after being given the opportunity to do so. The proposed bill also provides consumers the opportunity to, at any time, opt out of the sale of their personal information to third parties. Among other things, the bill outlines provisions related to the sale of personal information for consumers less than 16 years of age, as well as specific compliance requirements for businesses when providing notice to consumers. SB 2451 also defines a third party as one that is (i) not a “business that collects personal information from consumers”; or (ii) not a person who receives personal information from a business for a business purpose pursuant to a written contract that restricts further use of the personal information.

    Earlier, on January 3, HB 473, known as the “Virginia Privacy Act,” was introduced. Among other things, the bill requires data controllers to be transparent about their processing activities and be responsible for, upon verified request from the consumer, (i) confirming the uses of personal data; (ii) correcting inaccuracies; (iii) deleting unnecessary personal data or data for which the consumer has withdrawn consent; (iv) limiting the processing of personal data to what is required and relevant for a specified purpose; and (v) obtaining consumer consent in order to process sensitive data. HB 473 also provides consumers the right to object at any time to the processing of personal data, including the sale of data to third parties for targeted advertising, and stipulates that third parties must honor objection requests received from third-party controllers. The bill also requires controllers to conduct risk assessments for all processing activities that involve personal data, and to conduct additional assessments each time a processing change occurs that “materially increases the risk to consumers.” If enacted, violations of HB 473 would “constitute a prohibited practice” pursuant to the Virginia Consumer Protection Act (VCPA) Section 59-1-200, and violators would be subject to any and all of the VCPA’s enforcement provisions.