Keypoint: For the second year in a row, the Washington Privacy Act has failed to become law.
Yesterday afternoon, on the final day of the Washington legislative session, Senator Reuven Carlyle issued a statement announcing the failure of the Senate and House to reach a compromise on the Washington Privacy Act (WPA) (SB 6281). Senator Carlyle’s statement identified one insurmountable obstacle – enforcement.
Keypoint: This modified draft of proposed regulations retracts some of the modifications as published on February 10 and adds new revisions. There is an additional comment period, which delays publication of final regulations and further shortens the time businesses will have to drive compliance before the July 1, 2020 enforcement date.
On Wednesday, March 11, 2020, the California Attorney General’s office published a notice of second set of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The Attorney General’s office also published redline and clean versions of the second set of modified regulations.
In the below post, we first provide a brief background of the regulatory process. We then discuss the most significant changes made in this latest round of revisions.
Keypoint: With just two days to go before the close of the Washington legislature, a conference committee will try to resolve conflicts between the House and Senate versions of the WPA.
As we previously reported, on Friday, March 6, the Washington House passed an amended version of the Washington Privacy Act (WPA) that included a private right of action. The bill then moved back to the Senate where, on Monday, March 9, the Senate refused to concur in the amendments and asked the House to recede from them. Predictably, the House refused.
However, the House requested that the Senate agree to a conference committee, which request the Senate quickly granted. The House and Senate thereafter appointed three members each to participate in the conference committee.
Keypoint: The Washington House of Representatives passed an amended version of the WPA containing a private right of action.
On Friday, March 6, the Washington House of Representatives passed an amended version of the Washington Privacy Act (WPA) (SB 6281). Among other changes, the House WPA contains a private right of action that would allow state residents to sue data controllers for technical violations of the bill’s provisions. The House WPA now moves back to the Senate for further consideration. Lawmakers have until Thursday, March 12, to resolve the differences between the House and Senate WPA versions.
Keypoint: The WPA version that passed out of the House committee contains a private right of action along with other changes strengthening the WPA’s privacy provisions.
On Friday, February 28, the Washington House Innovation, Technology & Economic Development Committee (ITED) voted to pass a strengthened version of the Washington Privacy Act (WPA) out of committee. As discussed in our prior post, on February 14, the Washington Senate voted overwhelmingly to pass the WPA. Yet, after moving to the House, the WPA encountered substantial resistance from privacy advocates. At a public hearing on February 21, privacy advocates argued against the WPA’s lack of a private right of action, facial recognition provisions, and preemption of local laws, among other things.
Keypoint: The Wisconsin Data Privacy Act would create CCPA and GDPR-like rights for Wisconsin residents and would strengthen Wisconsin’s data security and breach notification requirements.
Lawmakers in Wisconsin have proposed three bills that, if enacted, would create privacy rights for Wisconsin residents and compliance burdens for entities that process or control consumer data. All three bills were introduced on February 10, 2020 and an initial public hearing was held on February 12, 2020.
As it did last year, the Washington state senate has overwhelmingly passed comprehensive consumer privacy legislation. The legislation, entitled the Washington Privacy Act (WPA), passed the state senate on February 14, 2020, by a vote of 46-1. The legislation will now move to the state house of representatives where it failed last year. A copy
Keypoint: The modified proposed regulations make substantial changes to the proposed regulations, including modifying how consumer notices must be drafted and changing some of the requirements for receiving and responding to consumer requests.
On Friday, February 7, 2020, the California Attorney General’s office published a notice of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The AG’s office also published redline and clean versions of the modified regulations.
The changes modify the proposed regulations published by the Attorney General’s office on October 11, 2019. The changes are the result of four public hearings held in December 2019 and the submission of over 1,700 pages of written comments. The Attorney General’s notice states that the department will accept written comments on the proposed changes until 5:00 p.m. on February 24, 2020.
Based on guidance previously published by the Attorney General’s office, this abbreviated comment period reflects the Attorney General’s determination that the changes are “substantial and sufficiently related,” but not “major,” which would require a new 45-day comment period. Following review of written comments, the Attorney General’s office will publish an updated informative digest and final statement of reasons (with summary and response comments) in addition to the final text of the regulations.
Members of Husch Blackwell’s privacy and data security practice group will host a webinar on Wednesday, February 12 at noon CST to review and discuss the modified regulations. To register, click here.
Below is our analysis of the modified regulations.
Keypoint: Maryland lawmakers have introduced a bill that would allow Maryland residents to opt-out of certain types of personal information transfers but that would stop far short of creating CCPA-like rights for Maryland residents.
On January 17, 2020, Maryland House Delegates Courtney Watson and Ned Carey introduced HB0249. If enacted in its current form, the bill would allow Maryland residents to opt-out of certain types of transfers of their personal information to third parties. However, it would not create other CCPA-like privacy rights such as the right to deletion and would not require businesses to make disclosures regarding their privacy practices.
Maryland joins a growing list of states considering consumer privacy legislation, including Florida, Illinois, Virginia, Washington state, Nebraska, New Jersey, New Hampshire, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA. To register, click here.
Below is our analysis of the Maryland legislation (as introduced).
Keypoint: The Virginia Privacy Act would create CCPA-like rights for Virginia residents while the Sale of Personal Data Act would create rights vis-à-vis “data sellers.”
Lawmakers in Virginia have proposed two bills that, if enacted, would create a number of privacy rights for Virginia residents and compliance burdens for covered entities.
The first bill – the Virginia Privacy Act (HB 473) – was prefiled on January 3, 2020, and offered on January 8, 2020. It would create CCPA-like rights for Virginia residents and new obligations on businesses such as a requirement to conduct risk assessments.
The second bill – which is unnamed but for our purposes will be referred to as the Sale of Personal Data Act (SB 641) – was prefiled on January 7, 2020, and offered on January 8, 2020. Among other things, it would require data sellers to implement reasonable security measures to protect personal data, respond to certain types of privacy requests, and notify Virginia residents of data breaches.
In addition to Virginia, lawmakers have proposed consumer privacy legislation in Florida, Illinois, Washington state, Nebraska, New Jersey, New Hampshire, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA. To register, click here.
Below is our analysis of Virginia’s proposed legislation (as introduced). We will first analyze the Virginia Privacy Act and then separately analyze the Sale of Personal Data Act.