State Privacy Law Update
In the wake of the California Consumer Privacy Act of 2018 (“CCPA”) and an updated Nevada privacy law that took effect in October 2019, states wasted no time in introducing consumer privacy bills as the 2020 legislative sessions began. Yet, as state legislatures closed (either as scheduled or because of COVID-19), it appears unlikely that any state will join California in enacting consumer privacy legislation in 2020.
All eyes will once again be on California for the remainder of the year as we wait for final CCPA regulations, the fate of the CCPA 2.0 ballot measure, and other privacy bills being considered by the California legislature. Three states, Nebraska, Washington, and California highlight the different angles states are pursuing in their privacy legislation.
Nebraska
On the first day of the 2020 Unicameral session, the Nebraska Consumer Privacy Act (LB 746) was introduced. It was referred to the Transportation and Telecommunications Committee and a hearing was held on February 4, 2020. After the hearing, there was no additional movement on the bill. With the current session indefinitely suspended, it does not appear as if LB 746 will pass this year.
Washington
Although Washington lawmakers failed to pass the Washington Privacy Act, they did pass a bill on the use of facial recognition technology, which the Governor signed into law on March 31, 2020. The new law, which will take effect in June 2021, regulates state and local government agencies’ use of facial recognition technology. The law can only be used by local and state government agencies if the company providing the facial recognition technology uses an application programming interface (API). Use of an API will allow independent, third-party testing for accuracy or unfair performance differences across certain subpopulations. If the testing detects such materially unfair performance differences, the provider must be required to develop and implement a mitigation strategy within 90 days. The law does allow other technologies to be used if the technology can enable “legitimate, independent and reasonable tests” for “accuracy and unfair performance differences across distinct subpopulations.”
The new law also requires government agencies to file regular reports regarding the use of facial recognition technology. Law enforcement needs to obtain a warrant before using it in investigations, unless something is considered an emergency.
California
CCPA Regulations
On March 11, 2020, the California Attorney General published its second round of modified regulations. The written comment period for those regulations ended on Friday, March 27, 2020.
The Attorney General’s office has, to date, refused requests to delay the CCPA’s July 1 enforcement deadline. Therefore, as it stands, businesses will have only a short time frame to shore up compliance with the final regulations before the enforcement deadline. For the CCPA regulations to become effective on July 1st, the final regulation text must be filed with the Secretary of State by May 29th.
CCPA Implementation
With the CCPA having been in effect for almost four full months, some compliance trends have emerged in how businesses are tackling CCPA compliance efforts.
Cookie Consent Tools – although CCPA, unlike the GDPR, does not require upfront consent for the collection of data via cookies, many companies are choosing to collect consent. Cookie consent tools are readily available, inexpensive, and efficiently allow for implementation of opt-out rights where the use of cookies would be considered a sale.
Confusion About Whether Cookie Collection is a Sale – some organizations are treating such collections as sales across the board, while others are not. Some organizations have gone so far as to state in their privacy policy that they are uncertain of the meaning of “sale” under the CCPA.
Updating Service Provider Contracts – for many businesses, this process is still ongoing. The effort is also affected by confusion about what uses of data by a service provider are permissible under the definition of “business purpose.” In particular, there is confusion as to where to draw the line between “undertaking internal research for technological development and demonstration” and using data for a “commercial purpose.”
CCPA 2.0
While businesses are still trying to interpret and comply with the CCPA, real estate developer and CCPA co-creator, Alastair Mactaggart, has been gathering votes to get a new privacy initiative, the California Privacy Rights and Enforcement Act of 2020, on the November ballot.
The new initiative, known as CCPA 2.0, would amend the CCPA by imposing limitations on businesses’ use of “sensitive personal information” (such as sexual orientation, biometric, health and financial information, and precise geolocation), adding the right to correction, tripling the maximum penalties for privacy violations of children under 16, and establishing a government agency to implement and enforce the act, among other potential revisions.
Mactaggart had until April 21st to submit the requisite 623,212 verified signatures (which, as of the date of publication, have not yet been confirmed). Assuming enough signatures are gathered, the deadline by which the California Secretary of State must certify initiatives for the November ballot, and by which Mactaggart may withdraw the initiative, is June 25.