USA: 2020 privacy legislation - Part 1: New York and California
In this two-part Insight series, James Snell, Marina Gatto, Zachary Watterson, Nathan Duletzke and Kayla Lindgren, of Perkins Coie LLP, provide an overview of the evolution of consumer privacy legislation in the US in 2020, including a recap of the bills that failed, and an overview of the privacy-related bills that remain pending. In this first part, they outline and analyse state consumer protection and contact tracing bills in New York and California, whilst Part 2 focuses on the same categories of legislation in other US states.
With the passage of the California Consumer Privacy Act of 2018 ('CCPA'), many speculated that the advent of broad privacy legislation would be imminent. At the start of this year over a dozen states had introduced omnibus consumer privacy bills and more than half of all states had introduced at least one sector-specific privacy bill. More recently, however, many of those bills failed to pass and the number of pending privacy bills across the US has drastically declined. The unexpected global pandemic has certainly contributed to the decline in pending privacy legislation. In response to COVID-19, legislatures adjourned sessions, tabled bills, and shifted priorities away from privacy legislation. Global pandemic aside, it appears that privacy legislation is nevertheless relatively hard to pass. Despite changes to many legislative agendas, however, consumer privacy legislation remains pending in a handful of states, and at least one state—California—will have a comprehensive consumer privacy initiative on the November 2020 ballot.
Despite the push by many states at the beginning of this year to enact privacy legislation, California currently stands out as the only state that will likely pass a comprehensive privacy bill to appear on the ballot this November—the California Privacy Rights Act ('CPRA'). Currently, only four states maintain any form of pending omnibus privacy legislation: California, Illinois, New Jersey, and New York. The following is a summary of New York and California's pending consumer protection legislation, whilst Illinois and New Jersey's bills are analysed in Part 2.
California's omnibus consumer privacy statute, the CCPA, took effect 1 January 2020, and the California Attorney General began enforcing the statute on 1 July 2020. Even though there is still much uncertainty surrounding this statute, and the implementing regulations were approved only recently on 14 August 2020 by the Office of Administrative Law, California will have another omnibus consumer privacy initiative on the November 2020 ballot—the CPRA. There is also pending legislation which seeks to amend certain provisions of the CCPA.
The CPRA is an omnibus consumer privacy initiative that, if enacted by the State's voters, would amend the CCPA in significant ways, some of which are discussed below.
The CPRA would go beyond the CCPA and extend additional rights to consumers, including the right to correct inaccurate information and the right to limit use and disclosure of sensitive personal information. The CPRA could also require businesses to place two clear and conspicuous links on their website homepage: a 'Do Not Sell or Share My Personal Information' link and a 'Limit the Use of My Sensitive Personal Information' link, where applicable.
In addition to the right to opt-out of sales, the CPRA would also grant consumers the right to opt-out of 'sharing' of their personal information. Such 'sharing' would encompass the transfer of a consumer's personal information by the business to a third party for cross-context behavioural advertising, regardless of whether the transfer was made for valuable consideration. Thus, under the CPRA, California consumers would have broader rights to opt-out of transfers of their data than they currently have under the CCPA.
If enacted, the CPRA would be enforced by the California Privacy Protection Agency, a wholly new administrative agency created by the CPRA. Violations of the statute would result in administrative fines of up to $2,500 per violation or up to $7,500 per intentional violation or violations involving minors under the age of 16. The CPRA would also allow a private right of action for security breaches and would extend liability to include unauthorised access or disclosure of an email address in combination with a password or an email-access security question.
There are also two privacy bills currently pending in California which would amend certain provisions of the CCPA: AB 1281 and AB 713.
AB 1281 was passed by the legislature on 31 August 2020 and would extend the business-to-business and employee exemptions currently in the CCPA from 1 January 2021 to 1 January 2022. However, the enactment of AB 1281 is contingent upon the failure of the CPRA (which would extend the business-to-business and employee exemptions to 1 January 2023).
AB 713 was passed by the California legislature on 1 September 2020 and is soon to arrive at Governor Gavin Newsom's desk to be signed. AB 713, if enacted, would exempt from the CCPA information that is derived from medical information; information that is collected for, used in, or disclosed in research; and information that is used and disclosed only for public health activities. Additionally, AB 713 would prohibit reidentifying information that was deidentified, unless an exception applies. AB 713 would also require any contract for the sale or license of deidentified information to detail the prohibition of reidentification.
Both AB 1281 and AB 713 are expected to be signed into law as Governor Newsom has not indicated he will veto either piece of legislation.
New York has four pending consumer privacy bills: S5642/A8526, S244/A3739A, AB 6351/SB 4411, and A7736. Notably, the New York legislature has not acted on these bills since early 2020. Moreover, these bills were reintroduced after failing to advance in 2019. Most of the New York bills are very comprehensive and contain substantial consumer privacy protections. Thus, regardless of whether any action is taken on these bills this year, New York's privacy bills are trending toward more robust consumer protection.
S5642/A8526: New York Privacy Act
S5642/A8526, the New York Privacy Act, is a comprehensive consumer privacy bill that, if enacted, would amend the general business law[1] in New York, as it relates to the management and oversight of personal data. The New York Privacy Act would apply to legal entities that conduct business in New York or intentionally direct services or products to residents of New York.
The New York Privacy Act would grant consumers the rights to correct, delete, access, and to opt-in or opt-out of the processing of their data, as well as the right to be free from a decision based solely on profiling (such as for employment opportunities or health care services). The New York Privacy Act is the only Act discussed in this article that would explicitly grant a consumer a right to opt-in or opt-out, meaning that the consumer must either affirmatively consent or deny consent to the processing of their data.
The New York Privacy Act would impose transparency obligations on controllers, such as to include a clear privacy notice to consumers detailing consumer rights and the purpose for each category of information collected. Controllers would also be required to disclose any profiling practices to consumers at or before the point of collection. Unique to the New York Privacy Act is the classification of entities subject to the Act as fiduciaries to New York residents, which imposes the fiduciary duties of care, loyalty, and confidentiality to consumers.
The New York Privacy Act would grant consumers the right to bring a private right of action for any violation of its provisions. The New York Privacy Act would also be enforced by the New York Attorney General ('NY AG') and preempts enforcement by a local government.
The New York Privacy Act failed to advance in 2019, when it was originally introduced, and has remained stagnant in both the House and the Senate since January 8, 2020. Thus, although this bill threatens to impose substantial obligations on businesses, whether it will progress remains to be seen.
S244/A3739A: Right to Know Act
Like the New York Privacy Act, S244/A3739A, the Right to Know Act, is an omnibus consumer privacy bill that, if enacted, would amend the general business law in New York. The Right to Know Act declares that the right to privacy is a fundamental right protected by the United States Constitution. Notably, the Right to Know Act does not provide as many enumerated rights as do other omnibus consumer privacy bills. Instead, the Right to Know Act focuses on consumer privacy protections and disclosure obligations from businesses to consumers.
The Right to Know Act contains a broad enforcement provision: a customer, the NY AG, a district attorney, a city attorney, or a city prosecutor may bring a civil action against any business that violates its provisions. The Right to Know Act was introduced on 9 January 2019, but was not acted on until it was re-referred to the Consumer Protection Committee on 8 January 2020. The New York legislature has not acted on this bill since.
AB 6351/SB 4411
Like the other omnibus consumer privacy bills in New York, AB 6351/SB 4411 (AB 6351), if enacted, would amend the general business law in New York. AB 6351 would apply to any for-profit legal entities that collect consumer personal information, do business in New York, and meet at least one of three specific thresholds pertaining to revenue or sale of consumer information. AB 6351 would only grant rights to consumers that are residents of New York.
If enacted, AB 6351 would grant consumers the right to opt-out of the sale of personal information, the right to access and know the details of the personal information collected and the categories of third parties to whom it has been shared, and the right to non-discrimination for exercising these rights. AB 6351 does not currently provide consumers the right to delete.
AB 6351 would also place disclosure obligations on businesses, such as providing notice of consumer rights, disclosing any personal information sold in the preceding twelve months, and including a 'Do Not Sell My Personal Information' link on the website homepage. AB 6351 would impose many more disclosure requirements with an emphasis on providing clear and conspicuous information to consumers concerning their rights.
AB 6351 would grant consumers the right to bring a private action for any violations of its provisions and allows statutory damages for the greater of $1,000 or actual damages, per violation. Additionally, AB 6351 would be enforced through a civil penalty brought by the NY AG or a private citizen who becomes aware of a potential violation through non-public information, subject to making a prior request to the NY AG to commence the action. If the NY AG does not file suit within ninety days from the individual's request then the individual would be able to file a civil action against the business.
AB 6351 is a comprehensive privacy bill that provides for substantial consumer protections. That said, like the other New York bills, AB 6351 was referred to a committee in early 2019, re-referred to the same committee in January 2020, and the New York legislature has not acted on the bill since. Thus, although noteworthy in substance, it appears unlikely that AB 6351 will advance this session.
A7736: It's Your Data Act
A7736, the It's Your Data Act, is the fourth pending omnibus privacy bill in New York. If enacted, the It's Your Data Act would amend the civil rights law[2] and the general business law in New York. The It's Your Data Act is the only pending omnibus privacy bill that creates both criminal and civil liabilities for violations.
The amendment to the civil rights law would apply to individuals, firms, and corporations. If enacted, the It's Your Data Act would make it a criminal misdemeanor for a person, firm, or corporation to collect, store, or use for commercial purposes the personal data of any living person without their consent. Even with consent, one could be guilty of a misdemeanor under this Act if they failed to exercise reasonable care with personal data. The It's Your Data Act appears to borrow heavily from established Right of Publicity laws, which prohibit the commercial use of one's name, image, likeness, or person (in other words, one's individual identity). The It's Your Data Act would extend the categories of one's individual identity to include biometric information and location data.
The amendment to the general business law would apply to for-profit legal entities that collect consumers' personal information, do business in New York, and meet at least one of three thresholds pertaining to revenue or the commercial use of personal information. The It's Your Data Act would only extend rights and protections to consumers that are residents of New York.
If enacted, the It's Your Data Act would grant consumers the rights to delete, access, port, and affirmatively opt-in to the collection and disclosure of their personal information, and the right to non-discrimination for exercising these rights. The It's Your Data Act would impose disclosure and transparency obligations on businesses and require businesses to implement and maintain reasonable security measures to protect consumer personal information.
The It's Your Data Act could be enforced through a private right of action for any violation of its provisions and by the NY AG, county district attorney, or a city corporation counsel. The bill declares that a violation of this Act would constitute an injury in fact, sufficient to satisfy standing.
As with the other New York bills, the It's Your Data Act contains substantial consumer protections, going as far as making it a crime to collect, store, or use personal information without consent and declaring any violation an injury in fact. A7736 was first referred to the Consumer Affairs and Protection Committee in May 2019 but was not acted on until 8 January 2020, when it was re-referred to the Committee. The legislature has not acted on the bill since.
There has recently been an uptick in contact tracing legislation in several states, most likely in response to COVID-19. Contact tracing may take place through verbal interviews (traditional) or through digital contact tracing methods, which can utilise Bluetooth or GPS to assist in collecting the relevant data. Many of the bills incorporate elements of either traditional or digital methods of contact tracing. Below is an overview of the bills proposed in California and New York. A further selection of contact tracing bills from other US states is looked at in Part 2.
California debated two contact tracing bills this legislative session: AB 1782 and AB 660. California refers to digital contact tracing as 'Technology-Assisted Contact Tracing,' or TACT. AB 1782 and AB 660 were both placed on the suspense file by the California Senate's Appropriations Committee and were not taken off of the suspense file before the legislative session concluded on 1 September 2020. Thus, AB 1782 and AB 660 did not pass and will not be enacted into law. The following summaries of AB 1782 and AB 660 provide insights into what the potential scope of California's contact tracing efforts would have been had the bills been passed and enacted into law.
AB 1782: TACT-PACT
AB 1782, the Technology-Assisted Contact Tracing Public Accountability and Consent Terms Act ('TACT-PACT'), applied to both businesses and public health entities. TACT-PACT would have required affirmative consent to conduct digital contact tracing. It would have required businesses and entities to offer a 'simple mechanism' for the user to revoke their consent. Businesses and public health entities would have been required to disclose the categories of data to be collected, used, or disclosed, as well as the public health purposes for each category of collection, use, or disclosure. TACT-PACT would have granted consumers the right to access, correct, and delete their personal information; the right to not participate in TACT; and the right to non-discrimination for participating, or not participating, in TACT.
TACT-PACT would have also imposed restrictions on TACT contracts. Public entities, excluding public health entities, would have been prohibited from entering into TACT contracts. And certain limitations, along with security and data breach disclosure requirements, would have been imposed on TACT contracts. These contracts would have been governed under existing contract law.
Overall, TACT-PACT focuses on disclosure and consumer-protective TACT procedures. TACT-PACT was placed on the Senate Appropriations Committee's suspense file by a unanimous vote by the committee on 18 August 2020 and remained there as the 2020 legislative session came to a close.
AB 660 pertained to the data collected, received, and prepared for contact tracing. AB 660 would have prohibited such data from being shared with any entity other than a public health entity and prohibited law enforcement from engaging in contact tracing. No other rights or obligations would have been created under AB 660 and the bill did not contain an enforcement provision.
Like AB 1782, AB 660 was placed on the Senate Appropriations Committee's suspense file by a unanimous vote by the committee on 18 August 2020 and was not taken off of suspense before the legislature finished their work for the year.
There is currently at least one contact tracing bill pending in New York, A10500A, which would regulate the confidentiality of contact tracing information.
A10500A was introduced on 11 May 2020, as a bill to keep confidential any contact tracing information collected by contact tracers and contact tracing entities. A10500A has passed both the Senate and the Assembly and, on 23 July 2020, returned to the Assembly. Relative to the other bills discussed in this article, A10500A is advancing quite quickly, and may be enacted this year.
If enacted, A10500A would make all contact tracing information confidential and give individuals the right to waive confidentiality in a written, informed, and voluntary manner. Entities that possess or use contact tracing information would be subject to certain confidentiality safeguards, policies, and procedures. A10500A would prohibit law enforcement agents and entities, as well as immigration authorities, from engaging in contact tracing. A10500A would also prohibit contact tracing entities from disclosing information to law enforcement or immigration authorities. As it currently stands, A10500A does not include an enforcement provision.
James Snell, Partner
Marina Gatto, Associate
Zachary Watterson, Associate
Nathan Duletzke, Associate
Kayla Lindgren, Summer Associate
Perkins Coie LLP
1. General Business, N.Y. St. Senate, https://www.nysenate.gov/legislation/laws/GBS
2. Civil Rights, N.Y. St. Senate, https://www.nysenate.gov/legislation/laws/CVR