Two State Privacy Bills Advance
OK and WA could join CA and VA in enacting privacy bills, possibly adding to the motivation in Washington to enact a national privacy statute.
In two state legislatures, one chamber sent a comprehensive privacy bill to the other, signaling the possibility the United States (U.S.) may soon have four state privacy laws companies will have to obey. Whether this possibility forces the hand of Congressional stakeholders is not clear as few of the major privacy bills unveiled in the last Congress have been reintroduced yet. Moreover, just because a bill makes it out of one chamber and into another is no guarantee enactment is certain, for privacy bills have died annually in one chamber of Washington state’s legislature over the last few years.
In Washington, D.C., there has been silence from most of the Congressional stakeholders and the White House on privacy legislation, suggesting at least two possibilities. First, there are higher priorities occupying the legislators, officials, and staff that would normally be focused on privacy legislation, such as the “American Rescue Plan Act of 2021” (H.R.1319), the $1.9 trillion package Democrats are poised to send to President Joe Biden. Second, silence means stakeholders are working behind the scenes, possibly productively, on a compromise bill. However, there are some factors that do not lend themselves to this hypothesis, especially that talks are productive. First, the chair and ranking member of the Senate Commerce, Science, and Transportation Committee were close in the last Congress, with the two unresolved issues being whether people would be able to sue and whether a federal bill would replace all state bills. Aside from these two issues, their bills tracked closely in terms of the rights people would receive, the responsibilities covered entities would need to meet, and how the bill would be enforced (the Federal Trade Commission and state attorneys general). Undoubtedly, lines of communication are open, but there are no indications that compromises are close. Second, other technology issues have come to the fore, notably online misinformation and extremism, whether and how 47 U.S.C. 230 (Section 230) should be reformed, and how to reform antitrust laws to address competition issues in online and digital markets. And there are other issues splintering attention on privacy. For example, Congress has before it the massive SolarWinds and Microsoft Exchange hacks. There is bipartisan talk of enacting a new information sharing regime with expanded liability protection.
Finally, Congress has unfinished business from last year, a reauthorization of what have been termed key provisions in the “Foreign Intelligence Surveillance Act” (FISA): the Section 215 business records exception, roving wiretaps, and the “lone wolf” surveillance language, to say nothing of how Congress chooses to deal with the now shut down bulk metadata collection program. And it bears note the Biden Administration is still staffing the White House and agencies that would weigh in on privacy legislation, limiting its ability to engage.
Recently, the Oklahoma House of Representatives sent the “Oklahoma Computer Data Privacy Act” (HB 1602) (see here for more details and analysis on the bill as reported out of committee) to the State Senate after modifying the privacy bill, most notably through stripping the private right of action. As I noted about the initial version of the bill, it was one of the strongest reported out of committee in the U.S. over the last few years.
Two definitions were tweaked. First, “business purpose” now includes “retention of employment date” as personal information a business or service provider may collect or process. Second, the definition of “publicly available information” was widened to include “information received from widely distributed media or by the consumer in the public domain,” and, of course, this class of information is outside the bill and businesses may use this information as they like.
The entities subject to the bill were expanded to include those businesses “that share the same or substantially similar brand name and/or common database for consumers’ personal information,” according to a bill summary.
The substitute amendment adopted on the House floor expands the universe of information not subject to the bill:
The original bill exempted “[p]rotected health information governed by state [and federal] health privacy laws;” it was amended to include “[m]edical information,” a broader category.
Business associates of health care entities are exempted.
Personal information that was de-identified and then subsequently re-identified would no longer be exempted unless a specified event is occurring (e.g., “[t]reatment, payment or health care operations”).
The bill explicitly makes re-identified data subject to federal and state privacy laws.
“Pursuant to a contract where the lawful holder of the de-identified information expressly engages a person or entity to attempt to re-identify the de-identified information in order to conduct testing, analysis, or validation of de-identification, or related statistical techniques, if the contract bans any other use or disclosure of the re-identified information and requires the return or destruction of the information that was re-identified upon completion of the contract.”
“Beginning January 1, 2023, any contract for the sale or license of de-identified information” must meet certain requirements.
Additionally, there is now a definition for "re-identify" which means “the process of reversal of de-identification techniques, including, but not limited to, the addition of specific pieces of information or data elements that can, individually or in combination, be used to uniquely identify an individual or usage.”
The bill adds another carve-out for business by specifying that the act does not restrict a business from “detect[ing] a security incident; protect[ing] against malicious, deceptive, fraudulent or illegal activity; or prosecut[ing] those responsible for any illegal activity.”
The Oklahoma House of Representatives added language making clear comprehensive privacy legislation would preempt its bill: “should the federal government pass comprehensive data privacy regulations that conflict with the provisions herein, federal law shall prevail.”
In another significant change, the Oklahoma Corporation Commission (OCC) would no longer enforce the bill; rather, the state attorney general would get the job. However, accompanying this change in the state entity charged with enforcement is the striking of the language directing the OCC to promulgate regulations. Consequently, the definition of “personal information” that contributed to the bill’s strength has been weakened, for the OCC had been empowered to change this definition through regulation as technology and times change. Additionally, under the original bill, the OCC was required to promulgate regulations to implement, administer, and enforce the Oklahoma Computer Data Privacy Act on the following:
Procedures related to verifying requests
Opting in or opting out of the sale of one’s personal data
A universal opt-in button for people to consent to the sale of their personal information
Intelligible and easily understood notices and information
The OCC was granted discretion on whether to implement other regulations, including:
Expanding the definition of personal information to keep it current and relevant
Revising the definition of identifier, which the bill defines as “data elements or other information that alone or in conjunction with other information can be used to identify a particular consumer, household or device that is linked to a particular consumer or household”
Updating the methods by which one may submit a request to exercise a right; and
Establishing exceptions for businesses to comply with federal or state law.
The attorney general is not given any authority to draft regulations, which considerably weakens the overall bill. Moreover, any points of contention would ultimately be resolved through the attorney general’s enforcement actions with judges construing the bill.
On the point about the attorney general enforcing the bill: the bill does not provide additional resources for enforcement and specifies that any monetary damages or restitution would not be kept by the attorney general. Therefore, it is likely the attorney general will be limited in which alleged violations he or she may try to punish, with the majority of violations going unpunished, a situation the office of California’s attorney general predicted in testimony to the legislature regarding enforcement of the “California Consumer Privacy Act” (AB 375).
Finally, the bill’s effective date is pushed back from 1 November 2021 to 1 January 2023.
The Washington State Senate also recently passed the “Washington Privacy Act” (SB 5062) by a 48-1 vote. SB 5062 tracks closely with the two bills produced by the Washington Senate and House last year that lawmakers could not ultimately reconcile. However, there are no provisions on facial recognition technology, which was largely responsible for sinking a privacy bill in Washington State two years ago (see here for analysis). However, there is a rival bill in the House, perhaps the first among others: the “People’s Privacy Act” (HB 1433), which is among the strongest privacy bills introduced in the United States (U.S.) (see here for more analysis). Getting to agreement on privacy legislation in Washington will likely not prove easy.
Nonetheless, the bill as passed differs in a few ways from the legislation introduced. First, the passed bill carves out the state’s judicial branch and airlines. Second, it is made clear that controllers and processors are responsible only for the responsibilities the bill assigns them, suggesting there was concern that some ambiguities may have made controllers responsible for obligations processors are to meet and/or vice versa. Third, the language barring the sale of personal information to third parties under loyalty and rewards programs was weakened. Previously, these sales could not occur unless three conditions were met; in the revised bill, controllers still cannot sell a person’s information unless the three conditions are met and the person has exercised her right to opt out of the selling of her information. Fourth, the Joint Legislative Audit and Review Committee (a body consisting of four Representatives and four Senators) “must review the efficacy of the attorney general providing controllers and processors with warning letters and 30 days to cure alleged violations in the warning letters…and report its findings to the governor and the appropriate committees of the legislature” by 1 December 2025.