Key Point: Although not as far-reaching as the CCPA, the Nevada legislation will require entities subject to the statute to revise their online privacy notices and create an internal process to ensure compliance with the new opt-out right.

As we previously reported, the Nevada legislature has been considering legislation to amend Nevada’s existing online privacy notice statutes, NRS 603A.300 to .360. On May 23, 2019, the Nevada Assembly unanimously passed that legislation. The Senate previously passed it in April. The legislation is now headed to the Governor’s office for signature.

The legislation amends Nevada’s law in two notable ways. First, entities subject to the statute will need to establish a designated request address through which consumers can submit verified requests directing the entity not to make any “sale” of covered information collected about consumers. That provision will be enforceable only by the Nevada Attorney General’s office, which can seek an injunction or $5,000 penalty for “each violation.” Second, the legislation excludes financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities, and certain motor vehicle manufacturers from having to comply with the online privacy notice statute.

Continue Reading Nevada Legislature Passes Bill Allowing Residents to Opt-Out of Sales of Covered Information

Key Point: SB 561, which would have expanded the CCPA’s private right of action, has failed.

According to multiple reports, SB 561 failed to pass the California Senate on Thursday. The failure of SB 561 is a significant victory for businesses as the bill would have expanded the California Consumer Privacy Act’s (“CCPA”) private right of action to allow individual consumers to sue businesses for violations of the CCPA’s privacy-related rights. The current version of the CCPA only allows individual consumers to sue for certain types of data breaches and leaves enforcement of the CCPA’s privacy-related rights to the California Attorney General’s office. SB 561 was backed by the California Attorney General’s office and privacy-rights organizations. It was strongly opposed by business interests. You can read more about SB 561’s failure here and here. 

Continue Reading CCPA: Bill to Expand Private Right of Action Fails

On June 5, Husch Blackwell’s privacy and data security practice group will host another webinar on the California Consumer Privacy Act (CCPA). In this webinar, we will:

  • Provide a brief overview of the CCPA and its requirements
  • Analyze the current proposed amendments and how they would modify the CCPA
  • Discuss the proposed amendments that have failed
  • Examine the Attorney General’s anticipated regulations
  • Provide an update on other proposed state privacy laws

Click here for more information and to register.

As we previously reported, the Texas legislature has been considering two bills directed at addressing consumer privacy. Those bills were proposed in the wake of last year’s enactment of the California Consumer Privacy Act.

On May 7, 2019, the Texas House voted overwhelmingly to pass one of those bills, HB 4390. However, the version it passed was significantly amended and will no longer provide any privacy rights to Texas residents.

Continue Reading Texas Looks Unlikely to Pass CCPA-Like Consumer Privacy Legislation

[Update: After publication of the below post, AB 1035 was amended to remove the below-referenced language. The fact that the California legislature considered defining what constitutes “reasonable security procedures and practices” for purposes of the CCPA’s private right of action but, at least as of now, did not proceed with such legislation leaves businesses subject to the CCPA with little to no legislative direction as to how they can demonstrate that they are undertaking reasonable security procedures and practices. It also exposes the CCPA to the argument that the subject language is void for vagueness. Given the substantial penalties businesses are exposed to under the CCPA’s private right of action, the failure of the legislature to address this issue is notable, especially considering that Ohio implemented legislation last year that California could have used as a guide.]

Given the near ubiquitous coverage of proposed CCPA amendments, it may be hard to believe that any bill could fly under the radar, but that appears to be the case with AB 1035, which would amend the CCPA’s private right of action to link “reasonable security procedures and practices” to NIST standards.

Continue Reading CCPA: Proposed Bill Would Link Reasonable Security to NIST Standards

As we first reported in February, the Nevada legislature has been considering legislation that would amend its online privacy notice statutes, NRS 603A.300 to 360. Among other things, Nevada’s existing law requires “operators” to provide a notice to consumers that (1) identifies the types of information the operator collects online, (2) describes the process (if any) for consumers to review or request changes to their information, (3) describes the process by which the operator notifies consumers of changes to the notice, and (4) discloses whether a third party may collect covered information about an individual’s online activities over time and across different Internet websites or online services.

Continue Reading Nevada Senate Passes Watered-Down Online Privacy Bill

Consistent with the cliché that “everything’s bigger in Texas,” the Texas legislature has introduced not one, but two separate bills relating to the privacy of personal information. Although still in their nascent stages, both bills are following California’s lead in creating enhanced and stringent privacy protections for individual consumers.

Continue Reading The Eyes (and Privacy Laws) of Texas Are Upon You…

A surprise legislative storm ripped through Olympia, Washington last week, and the proposed Washington Privacy Act (SB-5376) took the brunt of the damage. The bill sailed through the Democrat-controlled Washington State Senate on a vote of 46-1, but encountered surprise headwinds in the Democrat-controlled State House.  The House failed to vote on the bill before the April 17th deadline for taking action on non-budget legislation.

Continue Reading Washington Privacy Act Runs Aground – a harsh lesson in the risks of excluding stakeholders

Although there certainly will be more bills proposed to amend the California Consumer Privacy Act (CCPA), there already are a significant number of bills that have been working their way through the legislative process. One of these bills – SB561, which would expand the CCPA’s private right of action – received widespread attention when it was introduced in February. However, SB561 is one of only 18 bills that would amend or supplement the CCPA. Many of these bills deal with important amendments to the CCPA that privacy law experts have been requesting since it was first enacted last summer.

In the below post, we identify and analyze these bills. In doing so, we first provide a summary of the most significant proposed changes and takeaways. We then provide a table linking to each bill, identifying the issue to which it is directed, and providing an analysis of the bill’s proposed changes.

Over the next few months, Husch Blackwell’s privacy and data security blog will periodically update our work as new bills are proposed. Register here to stay up-to-date on these changes.

Summary

No Reason to Delay Compliance Efforts:  Entities that are delaying compliance efforts in the expectation of widespread changes to the CCPA will be disappointed. None of the proposed bills seeks to remove the CCPA’s core privacy rights (i.e., right to access, right to be forgotten, right to opt-out) or make a change to the CCPA’s terms that would justify taking a “wait-and-see” approach.

Fixing the Deidentification Exemption: A number of the bills seek to fix the CCPA’s treatment of deidentified and aggregate data by fixing a typo in the last sentence of the CCPA’s definition of “personal information.” The statute incorrectly states that “publicly available” does not include deidentified or aggregate consumer information when it should state that “personal information” does not include such information. One of the bills also would modify the definition of “deidentified.” That change is presumably in response to criticism from privacy experts that the CCPA’s definition is out of alignment with other privacy laws.

Employment Information: AB25 would modify the definition of “consumer” to exclude certain employment-related information. Those who have closely monitored the CCPA have anticipated that the legislature would likely remove employment-related information from its coverage. Notably, however, the current draft of the bill does not remove professional or employment-related information from the definition of “personal information.”

Removal of Household: AB873 would delete the word “household” and the phrase “is capable of being associated with” from the definition of “personal information.” The CCPA does not define “household,” which has added to the ambiguity of the definition of personal information. Notably, the bill does not remove the term “household” from other places in the CCPA, such as the definition of “business.”

Private Right of Action: As noted, SB561, which is backed by the Attorney General’s office, would expand the private right of action to cover the CCPA’s privacy-related rights.

Tag Along Bills: A number of bills seek to add new statutory provisions that would supplement the CCPA. This includes bills on data brokers, facial recognition technology, social networking services, and providing disclosures regarding the monetary value of consumer data.

Analysis

| Bill | Topic | Analysis |
| --- | --- | --- |
| AB25 | Exclusion of Certain Employment Information from Definition of Consumer | The bill would exclude from the definition of “consumer” “a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or as an employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of the person’s activities for the business as a job applicant, employee, contractor, or agent of the business.” |
| AB288 | Social Networking Service | The bill would require a social networking service to provide users that close their accounts the option of having their personally identifiable information permanently removed from the company’s database and records. Users also would be able to prohibit the service from selling that information to, or exchanging that information with, a third party in the future, subject to certain exceptions. The bill would authorize a consumer to sue the service for a violation. The bill would supplement the CCPA by adding §§ 1798.90.7 and .75 to the Civil Code. |
| AB846 | Non-discrimination Provision | The bill would amend § 1798.125, which currently prohibits a business from discriminating against a consumer if the consumer exercises any of their CCPA rights. The current version of the amendment would provide that businesses could offer gift cards, discounts, payments, or other benefits associated with a loyalty or rewards program as compensation for the collection, sale, or retention of personal information. A business would be required to provide a notice that clearly describes the material terms of the incentive program, the consumer would have to give opt-in consent prior to entering into the incentive program, and the consent could be revoked at any time. |
| AB873 | Deidentification / Removal of Household from Definition of Personal Information | The bill would amend the CCPA’s much-criticized definition of “deidentified” to be “information that does not reasonably identify or link, directly or indirectly, to a particular consumer, provided that the business makes no attempt to reidentify the information, and takes reasonable technical and administrative measures designed to: (1) Ensure that the data is deidentified. (2) Publicly commit to maintain and use the data in a deidentified form. (3) Contractually prohibit recipients of the data from trying to reidentify the data.” The bill also would remove “household” and the phrase “is capable of being associated with” from the definition of personal information. Additionally, the bill would make the following change to 1798.145(i): “This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information. personally identified form. |
| AB874 | Correct Definition of Personal Information | The bill would correct the definition of “personal information” to clarify that it does not include deidentified or aggregate consumer information. The bill would also redefine “publicly available” by removing the following sentence: “Information is not ‘publicly available’ if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.” |
| AB950 | Disclosure of Monetary Value of Consumer Data | The bill would require a business that collects a California resident’s consumer data to disclose to the consumer the monetary value to the business of the data. A business also would be required to include that information in its online privacy policy. Further, a business would be required to disclose any use of a consumer’s data that is not directly or exclusively related to the service that the consumer has contracted the business to provide. The bill would also require a business that collects a California resident’s consumer data, and that sells that data, to disclose to the consumer the average price it is paid for a consumer’s data and to disclose to the consumer the actual price it was paid for a consumer’s data upon receipt of a verifiable request for that information from the consumer. The bill would supplement the CCPA by adding §§ 1798.91.01 and .02 to the Civil Code. |
| AB981 | Exemption | The bill would exempt insurance institutions, agents, and support organizations to which the Insurance Information and Privacy Protection Act applies from the CCPA. |
| AB1146 | Exemption | The bill would make the following change in § 1798.145(g): “This title shall not apply to vehicle information, including ownership information, shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle’s manufacturer, manufacturer branch, distributor, distributor branch, or affiliate, as defined in Section 672 of the Vehicle Code, if the vehicle information is share shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code.” |
| AB1202 | Data Brokers | The bill would require “data brokers” to register with, and disclose certain information to, the California Attorney General. A data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The bill excludes certain entities such as financial institutions subject to the Gramm-Leach-Bliley Act. Data brokers would be required to provide consumers with the right to opt-out of the sale of their personal information and any other rights afforded by the CCPA. The proposed legislation would supplement the CCPA by adding §§ 1798.99.82 and 84 to the Civil Code. |
| AB1281 | Facial Recognition Technology | This bill would add § 1798.300 to the Civil Code and require a business in California that uses facial recognition technology to disclose that usage in a physical sign that is clear and conspicuous at the entrance of every location that uses facial recognition technology. The bill would consider a violation of its provisions to be unfair competition within the meaning of the Unfair Competition Law. |
| AB1355 | Correct Definition of Personal Information | The bill would correct the definition of personal information to clarify that deidentified and aggregate data is not personal information. The bill also would make a number of grammatical, non-substantive changes. |
| AB1416 | Exemption | The bill would amend § 1798.145(a)(4) to provide that the CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose personal information to (a) exercise, defend, or protect against legal claims, (b) protect against or prevent fraud or unauthorized transactions, (c) protect against or prevent security incidents, or other malicious, deceptive, or illegal activity, or (d) investigate, report, or prosecute those responsible for fraudulent or illegal activity. |
| AB1564 | Methods for Receiving Requests | This bill would modify § 1798.130 to provide that a business can make a toll-free number or email address available for submitting requests or a website (if the business has a website). |
| AB1758 | Grammatical Change | The bill would make the following grammatical change in § 1798.100(e): “This section shall not require a business to retain any personal information collected for a single, one-time transaction, if such that information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.” |
| AB1760 | Grammatical Change | The bill would make the following grammatical change in § 1798.105(a): “A consumer shall have the right to request that a business delete any personal information about the consumer which that the business has collected from the consumer.” |
| SB561 | Private Right of Action | The bill would create a private right of action for violations of the CCPA, and eliminate the 30-day cure period. It also would replace the provision allowing businesses or third parties to seek the opinion of the AG’s office with a provision providing that the AG’s office “may publish materials that provide businesses and others with general guidance on how to comply” with the CCPA. |
| SB752 | Grammatical Change | The bill would make the following grammatical change in § 1798.125(b)(1): “A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by from the consumer’s data.” |
| SB753 | Grammatical Change | The bill would change “Internet” to “internet” and “Internet Web” to “internet web” in § 1798.135(a)(1) and (2). |

Recently, I had the pleasure of being interviewed by Julia Kerrigan, an articulate and insightful young journalist writing for her high school paper, The Dart. In my mind (that’s foreshadowing the challenges caused by my ego-centricity, dear reader), the point of the conversation was for me to provide Julia with a primer on information privacy and security issues so that she could weave into her article a few observations from a so-called expert.

Continue Reading Cybersecurity Through a Generation Z Lens: The Privacy and Security Issues that Keep Teens up at Night