5 Data Privacy Reforms Making Headlines in State Legislatures
August 22, 2023
Article courtesy MIRS News for SBAM’s Lansing Watchdog e-newsletter
Director Keir Lamont of the Future of Privacy Forum’s American legislation team and David Stauss, a partner for Husch Blackwell, were the expert voices Wednesday during a forum at the National Conference of State Legislatures’ 2023 summit in Indiana, spotlighting what various states are doing with regard to internet privacy.
“What is the intersection between privacy issues and issues around competition? Privacy and content moderation?” Lamont said. “I think we see privacy and online safety and autonomy intersecting, and sometimes conflicting (in) really interesting ways.”
According to Stauss specifically, the current status on the “comprehensive” privacy front seems calm. But as state legislatures begin diving into certain variations of privacy – such as health data proposals following the U.S. Supreme Court’s overturning of Roe v. Wade, calls for child privacy regulations and ideas to outlaw “algorithmic discrimination” – “chaos” ensues.
In a 2019 report by the Pew Research Center, which was not discussed Wednesday, 62% of surveyed Americans – or approximately six-in-ten adults – believed it wasn’t possible to go through daily life without companies gathering data on them. Additionally, 81% of respondents believed the potential risks of having data about them collected outweighed the benefits.
It’s against this backdrop that states are looking into variations of privacy legislation. Here are five highlights:
Washington State’s ‘My Health My Data Act’
Democratic Washington Gov. Jay Inslee signed in April legislation requiring that data collection be based on necessity or consent, with a consumer needing to provide “special written and signed authorization” before their data can be sold.
According to a breakdown from the International Association of Privacy Professionals, a consumer must consent to having their health data processed or shared. They can withdraw their consent, opening up a 45-day window for an entity to respond to their request. The entity can be granted an additional 45 days in certain circumstances, as well.
The context of the law is related to reproductive (including abortion) or sexual health information, a consumer’s interest in gender-affirming care services, genetic data, and other health-related data.
However, the Act’s broad scope has been most criticized for applying to any entity, including small businesses and nonprofits that conduct business in Washington or produce or provide goods and services targeted toward the state’s residents, according to the Sidley Austin law firm.
Oregon’s ‘Bill Relating To Registration of Business Entities that Qualify as Data Brokers’
Following Vermont, California, and Texas, Democratic Oregon Gov. Tina Kotek signed legislation on July 27 requiring business entities that stockpile, sell, or license “brokered personal data” of the state’s residents to register annually with the Oregon Department of Consumer and Business Services.
Failure to file with the department can result in a $500-per-violation civil penalty, according to the JD Supra intelligence publication, with each day that a violation continues resulting in an extra $500 fine – although “the total amount of penalties against a data broker cannot exceed $10,000 in a calendar year.”
A data broker does not need to disclose information about its employees, customers, donors, or investors while filing with the department under Oregon’s new law.
The California Age-Appropriate Design Code Act (CAADCA)
Starting on July 1, 2024, for-profit organizations performing business in California – with an annual gross revenue of $25 million or more, using the personal data of more than 50,000 users for commercial reasons or generating 50% or more of their revenue from personal data sales – will be subject to new regulations related to minor users.
If an organization’s services or products are likely to be utilized by youths, it must conduct a Data Protection Impact Assessment to recognize and minimize the risks of its personal data processing.
An organization must also choose between developing an appropriate method for age estimations or subjecting all consumers to the new level of heightened security standards.
If possible, an organization is also obligated to inform a parent or guardian if the young user is being tracked.
The Utah Social Media Regulations Act
In March of this year, Utah made headlines by approving legislation requiring any individual to verify their age ahead of using a social media platform, and requiring youths under 18 to have parental consent. Between 10:30 p.m. and 6:30 a.m., minors are blocked from accessing social media.
“There has not been a lawsuit filed against the Utah bill, yet,” Stauss said during Wednesday’s session. “But by all accounts, we expect that there will be…”
The Updated Connecticut Data Privacy Act
On Jun. 26, legislation updating the Connecticut Data Privacy Act – in a manner described by Wednesday’s panelists as being less restrictive than Washington’s My Health My Data Act – was signed into law.
It requires opt-in consent before a consumer’s health data, including a potential mental health condition or sexual health concern, can be sold or offered up for sale. Additionally, a consumer cannot be geographically tracked within 1,750 feet of a mental health or sexual health facility.
With certain exceptions, an online service operating in Connecticut would generally be banned from collecting a minor’s exact geolocation, as well as processing a minor’s personal data for targeted advertising or specific kinds of profiling. It also could not deploy a system designed to notably increase or prolong a minor’s use of the online platform or feature at hand.