A surprise legislative storm ripped through Olympia, Washington last week, and the proposed Washington Privacy Act (SB-5376) took the brunt of the damage. The bill sailed through the Democrat-controlled Washington State Senate on a vote of 46-1, but encountered surprise headwinds in the Democrat-controlled State House.  The House failed to vote on the bill before the April 17th deadline for taking action on non-budget legislation.

Although there is still a chance that SB-5376 can be kept alive until the Legislature adjourns on April 28, the bill’s failure to pass the House is a significant blow for some privacy advocates who saw Washington State building upon the California and European Union privacy laws. State Senator Guy Palumbo, a co-sponsor of SB-5376 lamented the impasse as a “case of the perfect being the enemy of the good.”

The impasse apparently centered on facial recognition technology and the fact legislators invited technology companies to participate in reconciling the Senate and proposed House language, but did not invite consumer advocacy groups.

Ironically, this development could be considered bad news for the companies who would be regulated by privacy regulation, because the forecast demise of this legislation weakens the argument that Congress needs to pass federal legislation to eliminate a patchwork of state laws affecting interstate commerce.

data privacyAlthough there certainly will be more bills proposed to amend the California Consumer Privacy Act (CCPA), there already are a significant number of bills that have been working their way through the legislative process. One of these bills – SB561, which would expand the CCPA’s private right of action – received widespread attention when it was introduced in February. However, SB561 is one of only 18 bills that would amend or supplement the CCPA. Many of these bills deal with important amendments to the CCPA that privacy law experts have been requesting since it was first enacted last summer.

In the below post, we identify and analyze these bills. In doing so, we first provide a summary of the most significant proposed changes and takeaways. We then provide a table linking to each bill, identifying the issue to which it is directed, and providing an analysis of the bill’s proposed changes.

Over the next few months, Husch Blackwell’s privacy and data security blog will periodically update our work as new bills are proposed. Register here to stay up-to-date on these changes.

Summary

No Reason to Delay Compliance Efforts:  Entities that are delaying compliance efforts in the expectation of widespread changes to the CCPA will be disappointed. None of the proposed bills seeks to remove the CCPA’s core privacy rights (i.e., right to access, right to be forgotten, right to opt-out) or make a change to the CCPA’s terms that would justify taking a “wait-and-see” approach.

Fixing the Deidentification Exemption: A number of the bills seek to fix the CCPA’s treatment of deidentified and aggregate data by fixing a typo in the last sentence of the CCPA’s definition of “personal information.” The statute incorrectly states that “publicly available” does not include deidentified or aggregate consumer information when it should state that “personal information” does not include such information. One of the bills also would modify the definition of “deidentified.” That change is presumably in response to criticism from privacy experts that the CCPA’s definition is out of alignment with other privacy laws.

Employment Information: AB25 would modify the definition of “consumer” to exclude certain employment-related information. Those who have closely-monitored the CCPA have anticipated that the legislature would likely remove employment-related information from its coverage. Notably, however, the current draft of the bill does not remove professional or employment-related information from the definition of “personal information.”

Removal of Household: AB873 would delete the word “household” and the phrase “is capable of being associated with” from the definition of “personal information.” The CCPA does not define “household,” which has added to the ambiguity of the definition of personal information. Notably, the bill does not remove the term “household” from other places in the CCPA, such as the definition of “business.”

Private Right of Action: As noted, SB561, which is backed by the Attorney General’s office, would expand the private right of action to cover the CCPA’s privacy-related rights.

Tag Along Bills: A number of bills seek to add new statutory provisions that would supplement the CCPA. This includes bills on data brokers, facial recognition technology, social networking services, and providing disclosures regarding the monetary value of consumer data.

Analysis

Bill Topic
 Analysis
AB25 Exclusion of Certain Employment Information from Definition of Consumer The bill would exclude from the definition of “consumer” “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”
AB288 Social Networking Service The bill would require a social networking service to provide users that close their accounts the option of having their personally identifiable information permanently removed from the company’s database and records. Users also would be able to prohibit the service from selling that information to, or exchanging that information with, a third party in the future, subject to certain exceptions. The bill would authorize a consumer to sue the service for a violation. The bill would supplement the CCPA by adding §§ 1798.90.7 and .75 to the Civil Code.
AB846 Non-discrimination Provision The bill would amend § 1798.125, which currently prohibits a business from discriminating against a consumer if the consumer exercises any of their CCPA rights. The current version of the amendment would provide that businesses could offer gift cards, discounts, payments, or other benefits associated with a loyalty or rewards program as compensation for the collection, sale, or retention of personal information. A business would be required to provide a notice that clearly describes the material terms of the incentive program, the consumer would have to give opt-in consent prior to entering into the incentive program, and the consent could be revoked at any time.
AB873 Deidentification / Removal of Household from Definition of Personal Information

The bill would amend the CCPA’s much-criticized definition of “deidentified” to be “information that does not reasonably identify or link, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to: (1) Ensure that the data is deidentified. (2) Publicly commit to maintain and use the data in a deidentified form. (3) Contractually prohibit recipients of the data from trying to reidentify the data.”

The bill also would remove “household” and the phrase “is capable of being associated with” from the definition of personal information.

Additionally, the bill would make the following change to 1798.145(i): “This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information. personally identified form.
AB874 Correct Definition of Personal Information The bill would correct the definition of “personal information” to clarify that it does not include deidentified or aggregate consumer information.  The bill would also redefine “publicly available” by removing the following sentence:  “Information is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.”
AB950 Disclosure of Monetary Value of Consumer Data

The bill would require a business that collects a California resident’s consumer data to disclose to the consumer the monetary value to the business of the data. A business also would be required to include that information in its online privacy policy. Further, a business would be required to disclose any use of a consumer’s data that is not directly or exclusively related to the service that the consumer has contracted the business to provide.

The bill would also require a business that collects a California resident’s consumer data, and that sells that data, to disclose to the consumer the average price it is paid for a consumer’s data and to disclose to the consumer the actual price it was paid for a consumer’s data upon receipt of a verifiable request for that information from the consumer.

The bill would supplement the CCPA by adding §§ 1798.91.01 and .02 to the Civil Code.
AB981 Exemption The bill would exempt insurance institutions, agents, and support organizations to which the Insurance Information and Privacy Protection Act applies from the CCPA.
AB1146 Exemption The bill would make the following change in § 1798.145(g): “This title shall not apply to vehicle information, including ownership information, shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, manufacturer branch, distributor, distributor branch, or affiliate, as defined in Section 672 of the Vehicle Code, if the vehicle information is share shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code.”
AB1202 Data Brokers

The bill would require “data brokers” to register with, and disclose certain information to, the California Attorney General. A data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The bill excludes certain entities such as financial institutions subject to the Gramm-Leach-Bliley Act. Data brokers would be required to provide consumers with the right to opt-out of the sale of their personal information and any other rights afforded by the CCPA.

The proposed legislation would supplement the CCPA by adding §§ 1798.99.82 and 84 to the Civil Code.
AB1281 Facial Recognition Technology This bill would add § 1798.300 to the Civil Code and require a business in California that uses facial recognition technology to disclose that usage in a physical sign that is clear and conspicuous at the entrance of every location that uses facial recognition technology. The bill would consider a violation of its provisions to be unfair competition within the meaning of the Unfair Competition Law.
AB1355 Correct Definition of Personal Information The bill would correct the definition of personal information to clarify that deidentified and aggregate data is not personal information. The bill also would make a number of grammatical, non-substantive changes.
AB1416 Exemption The bill would amend § 1798.145(a)(4) to provide that the CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose personal information to (a) exercise, defend, or protect against legal claims, (b) protect against or prevent fraud or unauthorized transactions, (c) protect against or prevent security incidents, or other malicious, deceptive, or illegal activity, or (d) investigate, report, or prosecute those responsible for fraudulent or illegal activity.
AB1564 Methods for Receiving Requests This bill would modify § 1798.130 to provide that a business can make a toll-free number or email address available for submitting requests or a website (if the business has a website).
AB1758 Grammatical Change The bill would make the following grammatical change in § 1798.100(e): “This section shall not require a business to retain any personal information collected for a single, one-time transaction, if such that information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.”
AB1760 Grammatical Change The bill would make the following grammatical change in § 1798.105(a): “A consumer shall have the right to request that a business delete any personal information about the consumer which that the business has collected from the consumer.”
SB561 Private Right of Action The bill would create a private right of action for violations of the CCPA, and eliminate the 30-day cure period. It also would replace the provision allowing businesses or third parties to seek the opinion of the AG’s office with a provision providing that the AG’s office “may publish materials that provide businesses and others with general guidance on how to comply” with the CCPA.
SB752 Grammatical Change The bill would make the following grammatical change in § 1798.125(b)(1): “A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by from the consumer’s data.”
SB753 Grammatical Change The bill would change “Internet” to “internet” and “Internet Web” to “internet web” in § 1798.135(a)(1) and (2).

 

close-up photo of diverse students sitting on bench and study u

Recently, I had the pleasure of being interviewed by Julia Kerrigan, an articulate and insightful young journalist writing for her high school paper, The Dart. In my mind (that’s foreshadowing the challenges caused by my ego-centricity dear reader), the point of the conversation was for me to provide Julia with a primer on information privacy and security issues so that she could weave into her article a few observations from a so-called expert.

Continue Reading Cybersecurity Through a Generation Z Lens: The Privacy and Security Issues that Keep Teens up at Night

data privacyIn our prior blog post, we discussed how the Washington Privacy Act (WPA) had passed the state’s senate and would be taken up by the state’s House of Representatives. On March 22, 2019, the House Innovation, Technology & Economic Development Committee held a public hearing on the legislation. A recording of the almost two-hour hearing is available here.

Although the WPA passed nearly unanimously through the state senate, the house version of the legislation includes significant deviations from the senate bill. A great side-by-side comparison of the two bills prepared by Committee Staff member Yelena Baker is available here. Some of the more notable differences are:

  • Private Right of Action: The house version would allow private litigants to bring actions against controllers for violations of the WPA. The proposed language would require a consumer to first notify the controller of the alleged violation and provide it with 30 days to cure. In the absence of a cure, the consumer would have to notify the Attorney General’s office of the consumer’s intent to bring an action. If the AG’s office did not act in 30 days, the consumer could file suit. However, the consumer would not be able to recover its attorneys’ fees and costs in the lawsuit.
  • Covered Entities: The senate version would apply to legal entities that are doing business in Washington or that produce products or services that are intentionally targeted to Washington residents and that either control or process data of 100,000 or more Washington residents or that derive 50% of their gross revenue from the sale of personal data and that process or control personal data of 25,000 or more Washington residents. The house version would only require that entities be doing business in Washington or produce products or services that are intentionally targeted to Washington residents.
  • Definition of Personal Data:  The house version would not exclude “publicly available information” from the definition of personal data.

Numerous witnesses testified at the committee hearing. The general takeaway was that business advocates felt that the senate version of the WPA was preferable with many witnesses citing the inclusion of the private right of action in the senate version as being problematic. Privacy advocates were of the opinion that both bills were deficient but that the house version was better. There also was significant disagreement over whether the WPA would provide stronger consumer protections than the CCPA.

With CCPA compliance efforts ramping up, Husch Blackwell’s privacy and data security practice group compiled the most frequently asked client questions and answers into one resource – the California Consumer Privacy Act Guidebook. The CCPA Guidebook is a great resource for any entity that is trying to understand the CCPA and what it will require when it goes into effect on January 1, 2020. Among other topics, the CCPA Guidebook discusses:

  • What entities are subject to the CCPA and exceptions;
  • The CCPA’s definition of personal information;
  • What rights the CCPA provides and who holds those rights;
  • What is a verifiable request;
  • How does the right to access personal information work;
  • How does the right to be forgotten work; and
  • Relevant dates

You can download a copy of the CCPA Guidebook by clicking here.

swim rings on pool

Having escaped the bleak midwinter of the Midwest for a few brief days, I find myself sitting poolside in sunny Orlando experiencing a few tantalizing hours of near summer temps. As I watch the inflatables being splashed about gleefully by children (mine included) impervious to the water’s lingering chill, my thoughts naturally turn to privacy and security (which is not a euphemism for my ill-fitting swimsuit by the way).

Continue Reading Husch Blackwell’s Pete Enko asks, “Will State Laws Move the Privacy Ball in 2019?”

On Wednesday, Washington took a major step towards becoming the second state to enact broad privacy legislation when its state senate approved the Washington Privacy Act. The bill passed the senate with overwhelming bipartisan support on a vote of 46-1 (with 2 excused). It now moves to the House where a companion bill has been working its way through that chamber. You can read our analysis of the bill here.

Washington is one of numerous states currently considering privacy legislation in the wake of last year’s enactment of the California Consumer Privacy Act (CCPA). The CCPA’s enactment has even motivated Congress to consider federal privacy legislation. Although it is anyone’s guess how this legislation will play out over the next few months, Washington appears to be well-poised to become the next state to weigh in on how privacy law should develop in this country.

privacy computer

One of the myriad of issues arising from the California Consumer Privacy Act (CCPA) is the extent to which financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) must comply with the CCPA’s requirements in light of Section 1798.145(e), which provides that the CCPA “shall not apply to personal information collected, processed, sold, or disclosed pursuant to [the GLBA], and implementing regulations.” Because the CCPA’s definition of “personal information” is broader than the GLBA’s definition of “nonpublic personal information,” financial institutions have been faced with the daunting task of not only data mapping but also classifying that data based on whether it is subject to the GLBA.  Continue Reading Analyzing How Financial Institutions are Treated in Proposed State Privacy Laws

data privacy

Following the GDPR, the California Consumer Privacy Act (CCPA) and other newly introduced state privacy legislation, the Washington Senate has proposed its own GDPR-like consumer privacy act. Washington Senate Bill 5376, the Washington Privacy Act, as first proposed on January 22, 2019 and substituted February 24, 2019 applies “not only to technologies and products of today but to technologies and products of tomorrow.” If approved, it will go into effect July 31, 2021.

The Act will apply to legal entities that conduct business in Washington or produce products or services that intentionally target Washington residents. These entities must also either (1) control or process data of at least 100,000 consumers or (2) derive 50 percent gross revenue from the sale of personal information and process or control personal information of at least 25,000 consumers. Under the Act, personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person.
Continue Reading Proposed Washington Privacy Act Seeks to Protect Consumer Data Privacy from Current and Future Technology Advancements