State Legislators Joining the Consumer Privacy Protection Party: Introduced CCPA-Like Bills

March.19.2019

In 2018, the California legislature made headlines with its game-changing data protection law: the California Consumer Privacy Act of 2018. Other state legislators across the country appear to be hot on its heels as a flurry of CCPA-like bills have been introduced across the United States. While it is too early to predict which of these bills, if any, will be enacted, this increased focus on privacy in the state legislatures is clearly a sign that the privacy landscape—and consequent compliance challenges for companies—is going to get more complicated.

Overview of the California Consumer Privacy Act

The California Consumer Privacy Act of 2018 (the “CCPA”), as amended by California Senate Bill SB 1121, regulates the collection, use, sale and disclosure of California residents’ personal information by qualifying businesses. This newly enacted legislation, set to become effective on January 1, 2020, introduces significant legal risks and considerations for companies across the United States due to its expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, non-insignificant statutory fines and its creation of a private right of action for consumers in relation to certain data breaches. You can read more about the CCPA and its amendment here (discussing the law itself) and here (discussing the amendment), as well as its impact on breach litigation here. The CCPA is far from finalized. Last month, California Attorney General Becerra and State Senator Jackson introduced SB 561 proposing further amendments which, among other things, expands the consumers’ right to bring a private action for violations of the statute. Additionally, the Office of the Attorney General is expected to release a draft of implementing rules in the fall of 2019 and is in the process of holding public forums and receiving comments.

Summary of Introduced CCPA-Like Bills

The 2019 state legislative sessions saw several privacy and data security bills (some like the CCPA) being introduced in no fewer than ten states across the United States. Those most like the CCPA in breadth and potential impact are summarized briefly below. Please see the attached chart here for a summary of the key provisions of these state initiatives in comparison to the CCPA.

1) Hawaii SB 418 (Status: In Senate)

Hawaii’s proposed law would provide similar rights to Hawaii consumers and impose similar, though more limited, disclosure obligations on businesses as those found in the CCPA. However, the proposed law could potentially have even broader impact than the CCPA because it likely applies to any business entity, regardless of size, that collects identifying information about an individual who interacts with a business within the state of Hawaii. The proposed law does not include a private right of action for consumers and does not enumerate the penalties that may be imposed by the Hawaii Office of Consumer Protection.

2) Maryland SB 613 (Status: In Senate)

Maryland’s proposed law would provide similar rights to Maryland consumers and impose similar, though more limited, disclosure obligations on businesses as those found in the CCPA. However, the right to opt out may be more expansive under the proposed law because it applies to any disclosure of personal information to third parties, rather than just data sales. In addition, the proposed law contains a complete prohibition on the “knowing” disclosure of children’s personal information (under the age of 18) without exception. The proposed law does not include a private right of action for consumers.

3) Massachusetts SD 341 (In Senate)

Massachusetts’s proposed law would provide similar rights to Massachusetts consumers and impose similar, though more limited, disclosure obligations on businesses as those found in the CCPA. However, the right to opt out may be more expansive under the proposed law because it applies to any disclosure of personal information to third parties, rather than just data sales. In addition, the proposed law contains a complete prohibition on the knowing disclosure of children’s personal information (under the age of 18) without exception. The proposed law provides a private right of action for consumers who have suffered any violation of the proposed law. Except for the private right of action, Massachusetts’s proposed law is very similar to Maryland’s proposed law.

4) Mississippi HS 1253 (Dead)

Mississippi’s proposed law nearly mirrors the consumer rights and personal information obligations found in the CCPA. However, the proposed law failed to pass committee review and is no longer being considered by the state legislature.

5) Nevada SB 220 (In Senate)

Nevada’s proposed law amends the state’s existing requirement for any person who owns or operates an Internet website or online service for a commercial purpose with a sufficient nexus to Nevada to provide notice to consumers regarding covered information collected by the operator. The amendment borrows the CCPA’s right to opt out by permitting a consumer to submit a notice to an operator directing the operator not to sell his or her covered information. However, it does not expand the notice obligation to include all the components required under the CCPA, such as notice relating to the sale of information, and does not provide the other consumer rights granted under the CCPA, such as the right to deletion. The proposed law provides a private right of action for any person injured by a violation of the new right to opt out or the existing obligations to provide notice.

6) North Dakota HB 1485 (Replaced by a Legislative Management Study)

North Dakota’s proposed law represents the furthest departure from the CCPA. Unlike the CCPA, it does not contain general notice obligations other than in response to a consumer request. However, it generally prohibits the disclosure of personal information to a third party without the express written consent of the consumer. Moreover, it provides for large fines in the event a covered entity violates a cease and desist order issued by the attorney general (up to $100,000 per violation or $250,000 per intentional violation of the cease and desist order). The proposed law also includes a private right of action for consumers whose personal information is purchased, received, sold or shared in violation of the bill. However, the proposed law has been replaced in its entirety with a bill authorizing a legislative management study of consumer personal data disclosures (see here for the revised bill).

7) New Mexico SB 176 (In Senate)

New Mexico’s proposed law would provide similar rights to New Mexico consumers and impose similar, though more limited, disclosure obligations as those found in the CCPA. However, the proposed law does not narrowly define the term “business, “consumer” or “minor,” and could thus be broader in scope than the CCPA, potentially applying to any business entity that collects personal information of a New Mexico consumer. The proposed law does not identify the limit for penalties per violation that the attorney general may impose but does cap penalties for intentional violations at $10,000 per violation.

8) New York SB S224 (In Senate)

New York’s proposed law focuses on the transparency of the disclosure of personal information without granting the other significant consumer rights (including the right to deletion) found in the CCPA. A business is required to make available to the customer the categories of personal information disclosed to third parties and the names and contact information of all the third parties that received the customer’s personal information from the business. This proposed law is drafted broader than the CCPA because it applies to any person or entity that does business in New York. In addition, the proposed law permits a “customer” of a business, the New York attorney general, a district attorney, a city attorney, or a city prosecutor to bring a civil action to recover “penalties” for violations of the bill.

9) Rhode Island SB 234 (In Senate)

Rhode Island’s proposed law would provide similar rights to Rhode Island consumers and impose similar, though more limited, disclosure obligations as those found in the CCPA. Despite adopting the CCPA’s private right of action for certain breaches, the proposed law does not specify whether the RI attorney general has authority to enforce the proposed law and any fines that may be imposed.

10) Washington SB 5376 (Passed Senate, In House)

Washington’s proposed law incorporates several concepts from the European Union’s General Data Protection Regulation (“GDPR”) into the general framework of the CCPA (e.g., controller vs. processor obligations, risk assessment obligations). The proposed law applies to entities that conduct business in Washington or produce products or services that are intentionally targeted to Washington residents and that meet one of two thresholds like those contained in the CCPA. The proposed law requires a business to make available a privacy notice disclosing the categories of personal data collected, the purposes for which personal data are used, and information relating to the sharing and sale of personal data. The rights provided to consumers more nearly reflect the rights made available under the GDPR: the right to knowledge and access to personal data, the right to the correction of personal data, the right to the deletion of personal data, the right to restrict or object to the processing of personal data and the prohibition against certain decisions based solely on profiling from facial recognition.

The law grants the Washington attorney general the ability to use its enforcement authority under Washington’s consumer protection act for violations of the law, as well as to seek injunction or civil penalty up to $2,500 per violation or $7,500 per intentional violation. However, it does not grant any private right of action for consumers. The proposed law passed the Senate on March 6, 2019. There is now less than two months left in the 2019 Regular Session, so it is likely that additional news about this proposed law will be announced in the coming weeks.

Takeaways

Although it is too early to predict whether these laws will be enacted, there are a few key takeaways from this flurry of legislative activity:

The CCPA is unlikely to be the only state-specific general consumer privacy protection law that will be enacted in the United States. State legislatures are keenly interested in data protection and privacy regulation, which has bipartisan support in many state houses. A common denominator across the various state proposals is the provision of GDPR- and CCPA-style consumer rights of access, opt-out and deletion, though there are some differences in the breadth of application and impact of such rights. In addition, the applicability of these state proposals varies, including the available exemptions that may bring a business outside the scope of the proposed law. As just one example, while the CCPA provides a broad exemption for data covered by the Gramm-Leach-Bliley Act, only three of the eight proposed bills still under consideration have a similar exemption as currently drafted.
The increased state-level privacy regulation activity has led to a renewed push for federal legislation. Businesses should keep an eye out for initiatives at the federal level aimed at preempting, harmonizing or standardizing certain aspects of state consumer privacy laws.
Businesses that are currently subject to the GDPR and/or will be subject to the CCPA when it becomes effective in 2020 should consider whether their current or proposed privacy and data security compliance programs are flexible enough to adapt to new laws that are likely to join the privacy landscape in the near future.
Businesses that are not subject to the GDPR and will likely not be subject to the CCPA should consider whether they have in place an appropriate privacy and data security governance structure to anticipate the impact that any new laws may have on their business operations and to chart a path to credible compliance in the event they become subject to such a law.

Are you ready for the CCPA? Take Orrick’s CCPA Readiness Assessment.

Assess your company against CCPA provisions.
Receive a complimentary report summarizing the likely key impacts.
Use the report to development to develop your CCPA project plan.

Authors

Emily S. Tabatabai Partner, Cyber, Privacy & Data Innovation, Technology Companies Group

Washington, D.C.; Houston

See my bio

D:+1 202 339 8698
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Companies Group
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Emily S. Tabatabai Partner

Washington, D.C.; Houston

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Children’s Online Privacy Protection Act (COPPA)
Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
Family Educational Rights and Privacy Act (FERPA)
California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Washington My Health My Data Act and other state health privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Telephone Consumer Protection Act (TCPA)
Telemarketing Sales Rule (TSR)
Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Nicholas Farnsworth Senior Associate, Cyber, Privacy & Data Innovation, Artificial Intelligence & Machine Learning

Boston

See my bio

M:+1 978 430 8003
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Artificial Intelligence & Machine Learning
Technology Transactions
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Nicholas Farnsworth Senior Associate

Boston

Nick provides compliance guidance on both proposed and effective laws on a federal and state level in the U.S., including:

Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Children’s Online Privacy Protection Act (COPPA)
Illinois Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Section 5 of the Federal Trade Commission Act (FTC) Act
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

He also counsels clients on the impact of international laws from a U.S. perspective, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive. In addition, Nick devotes a portion of his practice to innovative client solutions and community engagement. His pro bono practice has included representing clients in immigration and innocence matters and assisting small businesses with their legal needs. To make the CCPA more accessible, Nick was a member of the team that developed Orrick’s CCPA Readiness Assessment Tool, which provides companies an opportunity to test their preparedness for compliance with the CCPA as a first step to constructing their strategic compliance roadmap.

Nick has obtained the Certified Information Privacy Professional - United States (CIPP/US), Certified Information Privacy Technologist (CIPT) and Privacy Law Specialist (PLS) designations from the International Association of Privacy Professionals.

Sulina Gabale Partner, Cyber, Privacy & Data Innovation, Internet of Things

Washington, D.C.

See my bio

D:+1 202 339 8420
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Internet of Things
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Sulina Gabale Partner

Washington, D.C.

As innovation pushes the limits of technology, those ideas challenge the boundaries of what is considered “personally identifiable information.” Sulina answers the question - how can we create tomorrow’s technology with yesterday’s privacy and consumer protection laws? Sulina works closely with innovators at all levels of a business – executives, engineers, marketing and product, HR and customer service teams – to gain a true understanding of their goals and the data they’re collecting, using and sharing. She places herself in her client’s shoes as well as in consumers’ mindset to devise creative privacy-by-design solutions, ensuring her client’s business and data innovation strategies withstand multi-national rules, government regulations, industry standards and consumer scrutiny.

With experience in both data privacy and consumer protection, Sulina utilizes a comprehensive approach to counsel clients on a myriad of issues affecting consumers and businesses. She routinely guides companies of all sizes through the existing patchwork of laws, self-regulatory standards and industry practice impacting data privacy and security. She advises clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws, including:

California Online Privacy Protection Act (CalOPPA)
Children’s Online Privacy Protection Act (COPPA)
Family Educational Rights and Privacy Act (FERPA) and related state student data privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Section 5 of the Federal Trade Commission Act (FTC Act)
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Sulina advises companies of all sizes on the development and deployment of cutting-edge technologies and services, including ad-tech, AI and machine learning, biometric tools, social media, robotics and IoT devices, marketing and promotions and more. Sulina began her legal career focusing on consumer protection. She continues to counsel clients on marketing and promotional issues, including interest-based ads; sweepstakes and promotions; automatic renewal and subscriptions; advertising substantiation; influencer programs and social media; SMS text messaging and telemarketing (including matters involving the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA)); and other state and federal consumer protection laws.

Sulina’s practice is industry-agnostic. She has represented clients ranging from start-ups to Fortune 500s, non-profits, academic institutions and city governments across a range of industries from fashion and ecommerce, financial services, retail, food and beverage and technology services. Prior to law school, Sulina worked in the highly interactive fields of journalism, entertainment and digital media. This well-rounded background helps her connect with clients on a personal level, and ensure her advice integrates legal solutions with business practicality.

Before joining Orrick, Sulina was a member of the Privacy & Data Security Group; Entertainment & Media Group; and IP, Information & Innovation Group at Reed Smith, LLP in New York and Washington, D.C.