As it did last year, the Washington state senate has overwhelmingly passed comprehensive consumer privacy legislation. The legislation, entitled the Washington Privacy Act (WPA), passed the state senate on February 14, 2020, by a vote of 46-1. The legislation will now move to the state house of representatives where it failed last year. A copy of the WPA, as it passed the senate, is available here.
Webinar: Analyzing the AG’s Modified Proposed CCPA Regulations
On Friday, February 7, 2020, the California Attorney General’s office published modified proposed CCPA regulations. Members of Husch Blackwell’s privacy and data security practice group will host a webinar on Wednesday, February 12, from 12:00-1:00 p.m. CT, to analyze the modified proposed regulations. Click here to register.
CCPA Update: AG’s Office Publishes Modified Proposed Regulations
Keypoint: The modified proposed regulations make substantial changes to the proposed regulations, including modifying how consumer notices must be drafted and changing some of the requirements for receiving and responding to consumer requests.
On Friday, February 7, 2020, the California Attorney General’s office published a notice of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The AG’s office also published redline and clean versions of the modified regulations.
The changes modify the proposed regulations published by the Attorney General’s office on October 11, 2019. The changes are the result of four public hearings held in December 2019 and the submission of over 1,700 pages of written comments. The Attorney General’s notice states that the department will accept written comments on the proposed changes until 5:00 p.m. on February 24, 2020.
Based on guidance previously published by the Attorney General’s office, this abbreviated comment period reflects the Attorney General’s determination that the changes are “substantial and sufficiently related,” but not “major,” which would require a new 45-day comment period. Following review of written comments, the Attorney General’s office will publish an updated informative digest and final statement of reasons (with summary and response comments) in addition to the final text of the regulations.
Members of Husch Blackwell’s privacy and data security practice group will host a webinar on Wednesday, February 12 at noon CST to review and discuss the modified regulations. To register, click here.
Below is our analysis of the modified regulations.
Continue Reading CCPA Update: AG’s Office Publishes Modified Proposed Regulations
Analyzing the 2020 Maryland Right to Opt Out of Third-Party Disclosures Act
Keypoint: Maryland lawmakers have introduced a bill that would allow Maryland residents to opt-out of certain types of personal information transfers but that would stop far short of creating CCPA-like rights for Maryland residents.
On January 17, 2020, Maryland House Delegates Courtney Watson and Ned Carey introduced HB0249. If enacted in its current form, the bill would allow Maryland residents to opt-out of certain types of transfers of their personal information to third parties. However, it would not create other CCPA-like privacy rights such as the right to deletion and would not require businesses to make disclosures regarding their privacy practices.
Maryland joins a growing list of states considering consumer privacy legislation, including Florida, Illinois, Virginia, Washington state, Nebraska, New Jersey, New Hampshire, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA. To register, click here.
Below is our analysis of the Maryland legislation (as introduced).
Continue Reading Analyzing the 2020 Maryland Right to Opt Out of Third-Party Disclosures Act
Analyzing the 2020 Virginia Privacy Act and Sale of Personal Data Act
Keypoint: The Virginia Privacy Act would create CCPA-like rights for Virginia residents while the Sale of Personal Data Act would create rights vis-à-vis “data sellers.”
Lawmakers in Virginia have proposed two bills that, if enacted, would create a number of privacy rights for Virginia residents and compliance burdens for covered entities.
The first bill – the Virginia Privacy Act (HB 473) – was prefiled on January 3, 2020, and offered on January 8, 2020. It would create CCPA-like rights for Virginia residents and new obligations on businesses such as a requirement to conduct risk assessments.
The second bill – which is unnamed but for our purposes will be referred to as the Sale of Personal Data Act (SB 641) – was prefiled on January 7, 2020, and offered on January 8, 2020. Among other things, it would require data sellers to implement reasonable security measures to protect personal data, respond to certain types of privacy requests, and notify Virginia residents of data breaches.
In addition to Virginia, lawmakers have proposed consumer privacy legislation in Florida, Illinois, Washington state, Nebraska, New Jersey, New Hampshire, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA. To register, click here.
Below is our analysis of Virginia’s proposed legislation (as introduced). We will first analyze the Virginia Privacy Act and then separately analyze the Sale of Personal Data Act.
Continue Reading Analyzing the 2020 Virginia Privacy Act and Sale of Personal Data Act
Analyzing the 2020 Florida Consumer Data Privacy Act
Keypoint: Florida lawmakers have proposed legislation that would require certain operators of websites to make online disclosures and accept requests to opt-out of sales of personal data but that would stop far short of creating CCPA-like privacy rights for Florida residents.
Florida lawmakers have introduced companion bills in the Florida House (HB 963) and Senate (SB 1670) that would create limited online privacy rights and obligations in the state. The legislation – which is yet to be named but for our purposes will be referred to as the 2020 Florida Consumer Privacy Act (Act) – appears to be very similar to the Nevada Online Privacy Protection Act, which was amended last year to add a right to opt-out of sales of covered information. The Act is therefore distinguishable from the California Consumer Privacy Act (CCPA) and more akin to the California Online Privacy Protection Act (CalOPPA).
Florida joins a number of other states considering consumer privacy legislation, including Illinois, Washington state, Nebraska, New Jersey, New Hampshire, Virginia, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA. To register, click here.
Below is our analysis of the Florida legislation (as introduced).
Continue Reading Analyzing the 2020 Florida Consumer Data Privacy Act
Analyzing the 2020 Nebraska Consumer Data Privacy Act
Keypoint: Nebraska lawmakers will consider proposed legislation that would create CCPA-like privacy rights for Nebraska residents.
On January 8, 2020 Nebraska state Senator Carol Blood introduced the Nebraska Consumer Data Privacy Act (LB746) (the “Act”).
Below is our analysis of the proposed legislation (as introduced).
Continue Reading Analyzing the 2020 Nebraska Consumer Data Privacy Act
Analyzing the 2020 Illinois Data Transparency and Privacy Act
Keypoint: Illinois lawmakers have proposed legislation that would create CCPA-like privacy rights for Illinois residents.
On January 8, 2020, Illinois state Senator Thomas Cullerton introduced the Illinois Data Transparency and Privacy Act (SB2330). This comes on the heels of last year’s legislative session in which two consumer privacy bills failed to pass.
Below is our analysis of the proposed legislation (as introduced).
Continue Reading Analyzing the 2020 Illinois Data Transparency and Privacy Act
2020 Washington Privacy Act Released
Keypoint: Washington lawmakers will be filing the 2020 version of the Washington Privacy Act on Monday, January 13, 2020.
Those who follow privacy law will remember that last year Washington state came close to becoming the second state (after California) to enact consumer privacy legislation. That legislation – called the Washington Privacy Act (WPA) – overwhelmingly passed the state senate but failed in the house, in part, based on disagreements as to how the statute would be enforced and its facial recognition provisions. (See our prior post here.) The bill’s proponents; however, vowed to push the legislation again in 2020.
On Friday, January 10, 2020, the Washington Senate Democratic Caucus publicly released the 2020 version of the WPA. The release came in advance of the opening of the Washington legislature on Monday, January 13, 2020. The bill’s sponsors also will be holding a press conference on January 13, 2020, to discuss the bill.
Below is our analysis of the 2020 version of the WPA.
The Year to Come in U.S. Privacy & Cybersecurity Law
Keypoint: 2020 promises to be another ground-breaking year in privacy and cybersecurity law in the United States.
2019 was an exciting year in privacy and cybersecurity law. In the United States, the California Consumer Privacy Act (CCPA) was the most significant story, but there also were developments in states such as New York and Nevada. Numerous other states also considered consumer privacy legislation, and federal lawmakers even jumped into the fray, proposing a variety of bills and regulations. Overseas, GDPR garnered the most headlines of course, but other countries, such as Brazil, also made news.
But 2019 was just the start. There is no doubt that privacy and cybersecurity law is undergoing a fundamental change in the United States. If nothing else, the legal landscape of privacy law in the United States promises to look very different by the end of the year.
Below we discuss what we anticipate will be the biggest stories in 2020 and beyond.
Continue Reading The Year to Come in U.S. Privacy & Cybersecurity Law