Since the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, “copycat” legislation has been introduced at a dizzying pace by state legislatures across the country. Taking their cues from CCPA, at last count 16 states have borrowed language from California’s watershed law regarding consumer notices, data subject rights requests, and the definitions of “personal information,” “sale” of data and other key terms. The likely intent is to provide equal (or, in some cases, greater) protections to the residents of those states.
As a practical matter, however, none of the proposed laws is identical to CCPA (or to each other); some also look to the EU General Data Protection Regulation (GDPR), and each takes a complex approach that requires careful reading. The proposed Washington Privacy Act (SB 6281) has been touted as the most comprehensive data protection law in the United States. It combines elements of CCPA and GDPR and adds specific protections for biometric information. Late last week, a Washington House committee added significant enforcement “teeth” by approving an amendment that would provide a private right of action under the Washington Consumer Protection Act for any violation of the Privacy Act.
Despite the lack of uniformity among the recently proposed bills across the country, three key trends are emerging:
Trend #1 – Increased Push for a Private Right of Action
In Washington, pending legislation would extend the private right of action beyond harm allegedly arising from data breaches to any violation of the proposed Washington Privacy Act. Prior versions of the bill vested exclusive enforcement authority in the Washington Attorney General, with penalties of up to $7,500 per violation. Late last week, however, the Innovation, Technology and Economic Development Committee in the Washington House approved an amendment to SB 6281 under which any violation of the Privacy Act would be deemed a per se violation of Washington’s Consumer Protection Act. Exactly how damages would be calculated remains unclear, but a broad private right of action is a significant enforcement mechanism for Washington consumers. Supporters of the amendment argued that without it companies would have little incentive to comply, because the Attorney General’s office lacks the resources to bring many enforcement actions.
Other recent bills closely track the CCPA’s private right of action for individuals who allege that they were harmed by a data breach caused by a business’s failure to implement “reasonable security” measures. Both the Illinois Data Transparency and Privacy Act (SB 2330) and New Hampshire’s proposed privacy law, HB 1680, give consumers a private right of action where personal information is (i) unencrypted and unredacted; and (ii) subject to exfiltration, theft or disclosure due to a failure to implement reasonable data security procedures. Consumers may seek the greater of statutory damages of $100 to $750 per consumer, per incident, or actual damages. Note that both conditions must be met: the right of action attaches only to data that was neither encrypted nor redacted, so encrypting stored personal data directly narrows a business’s exposure under these provisions.
If Washington or other states enact data privacy laws with such provisions, the potential liability for organizations that suffer data breaches or fail to comply with sweeping new privacy obligations could rapidly become substantial, if not staggering. The private rights of action in the proposed state laws make it imperative for businesses to inventory the personal data they hold, practice data minimization, invest in reasonable cybersecurity measures to limit exposure in the event of a breach, and implement comprehensive compliance programs.
Trend #2 – Data Controllers to Undertake Risk Assessments
Recently proposed legislation reflects not only provisions drawn from the CCPA but also provisions based on the GDPR, most notably the definition of data controller and data processor roles and responsibilities. In addition, at least three states would require data controllers to perform risk assessments of their data processing. A data controller is an entity that, alone or jointly with others, determines the purposes and means of processing personal data. For example, under the Washington Privacy Act, data controllers must conduct and document data protection assessments for:
- Targeted advertising data processing;
- The sale of personal data;
- Profiling that creates a foreseeable risk of injury (financial, physical or reputational), unfair impact, or intrusion on the private affairs of consumers;
- The processing of sensitive data; and
- Any other processing activity that presents a heightened risk of harm to consumers.
In each case, the assessment must weigh the benefits of the processing against its risks to consumers.
Similarly, both the Virginia Privacy Act (HB 473) and the Illinois Data Transparency and Privacy Act require controllers to perform a risk assessment for each processing activity involving personal information, and an additional risk assessment each time a change in processing “materially increases the risk to consumers.” The proposed Virginia and Illinois laws provide that if the privacy risks to consumers outweigh the interests of the controller, business or other stakeholders, consumer consent is required for the processing. Where a controller seeks such consent, it should be as easy for the consumer to withdraw as to give.
Of note, all three states provide that the risk assessments must be made available to the state’s Attorney General upon written request, but that the assessments remain confidential and exempt from public disclosure. Businesses subject to GDPR will likely have already performed data protection impact assessments (DPIAs), which are a demanding exercise, and should be able to adapt that work. For organizations without EU-facing operations, the compliance burden is likely to increase should these laws pass in their current form.
Trend #3 – Increased Protection for Biometric Data
Likely as a result of the publicity surrounding litigation under the Illinois Biometric Information Privacy Act (BIPA), and of recent media attention to the growing prevalence of biometric technologies, a number of the newly proposed data privacy laws focus on strengthening protections for biometric data. Several states with recent proposals (Illinois, Nebraska, New Hampshire, Virginia and Washington) include biometric identifiers in the definition of either personal information or sensitive data.
Notably, the Washington Privacy Act would require controllers to obtain opt-in consent from consumers to process biometric data and would include a section devoted exclusively to the requirements for data controllers with respect to Facial Recognition Technology (FRT). Examples of such requirements include:
- Obtaining consent from consumers prior to enrolling a consumer’s image in FRT;
- Separating FRT databases from other databases and reviewing FRT databases annually;
- Ensuring that any FRT that may have a legal effect is subject to human review; and
- Requiring periodic training of those who operate an FRT service.
Given the increased focus on these technologies, companies should carefully and thoroughly evaluate the privacy implications of any biometric or FRT product or service before launch. For example, facial recognition technology has reportedly been deployed in certain countries to identify people with elevated temperatures in an effort to slow the spread of COVID-19. How these new U.S. laws would apply to biometric technologies in the event of a public health crisis remains to be seen.
Time will tell whether the 2020 crop of CCPA-like proposals will become law (many similar copycat proposals failed in 2019), but there is clearly a strong movement to enact stricter data privacy legislation. As Washington’s legislature approaches the end of its session early this month, there is keen interest in the outcome of the Washington Privacy Act, which has a proposed effective date of July 31, 2021. A similar measure failed in Washington last year, but now that CCPA is in effect, the landscape has changed.
Businesses should closely monitor the developments in Washington and other states, particularly with respect to the trend of increased private rights of action and the resulting liability. While these state legislative proposals share a common goal, the lack of standardization among federal, state and international data privacy regimes is cause for significant concern in the business community, which bears the brunt of complying with competing and sometimes conflicting legal and regulatory obligations. These trends show no signs of abating, so stay tuned.