U.S. Privacy Law Update: Analyzing the Status of the CCPA, CCPA 2.0, and Other Proposed State Privacy Legislation
After an active winter of proposed state privacy laws, it appears that all eyes will once again be on California for the remainder of the year as we wait for final CCPA regulations, the fate of the CCPA 2.0 ballot measure, and other privacy bills being considered by the California legislature.
April 06, 2020 at 02:30 PM
7 minute read
Over the past few months, there has not been a lack of things to talk about as it relates to U.S. privacy law developments. Between the CCPA, Washington Privacy Act, CCPA 2.0, and numerous privacy bills proposed in state legislatures, practically every day brought a new story. However, a lot has changed in a short period of time.
First, the Washington Privacy Act failed to pass (although Washington did enact a facial recognition bill). Then, the world changed with the coronavirus pandemic.
Yet, there are still developments in U.S. privacy law. Below is an overview of the ones that we have been tracking over the past few weeks.
|California
CCPA. On March 11, 2020, the California Attorney General published another round of modified regulations. The written comment period for those regulations ended on Friday, March 27, 2020. The Attorney General's office has not yet posted the written comments on its website but should do so soon.
Presumably, the Attorney General will now publish final regulations and a final statement of reasons (instead of another round of modifications). Although it is anyone's guess when the final regulations will be published, the Attorney General's office published its last round of modifications two weeks after the written comment period ended. If that same time frame holds true, the final regulations would be published sometime in mid-April.
The Attorney General's office has – to date – refused requests to delay the CCPA's July 1 enforcement deadline. Therefore, as it stands, businesses will have only a short time frame to drive compliance to the final regulations before the enforcement deadline.
CCPA 2.0. Just weeks ago it seemed like a foregone conclusion that privacy advocates would collect enough signatures for CCPA 2.0 to qualify for the November ballot. Yet, the California Governor's stay-at-home order has no doubt curtailed the signature-collection efforts.
In a recent article, a campaign spokesman reported: "We're in pretty good shape with the numbers that we have, but are adhering to public health requirements and putting public safety first. Like most ballot measure campaigns out there, we'd always love more signatures, but we're dealing with a stark new reality while the state is on lockdown."
According to the California Secretary of State, the deadline for proponents to file petitions with county election officials is April 21st. Advocates must collect 623,212 signatures. On January 30, 2020, Alastair Mactaggart reported to the California Secretary of State that they had collected 25% of the required signatures. On March 3, 2020, Amy Miller from MLex reported that they had gathered 500,000 signatures but needed around 1 million because many signatures would likely be found invalid.
Other California Privacy Legislation. The California legislature is considering two privacy-related bills (unrelated to the CCPA) that are worth discussing.
The first bill – AB-2414 – would amend the California Online Privacy Protection Act (CalOPPA) to require operators of mobile applications to (1) provide clear and conspicuous notices that fully inform a consumer when, how, and why the consumer's recordable information will be collected, used, and shared upon installation of the application, (2) obtain a user's affirmative express consent before collecting or using the user's recordable information, and (3) separately obtain the user's affirmative express consent before disclosing the user's recordable information.
The bill defines "recordable information" as "information that is capable of being recorded by the device on which the mobile application operates, including, but not limited to, audio or visual information collected by a camera or microphone and geolocation information."
The second bill – AB-2261 – would limit the use of facial recognition technology by the private sector along with state and local government. The bill would require processors that provide facial recognition services to:
- Make "available an application programming interface or other technical capability, chosen by the processor, to enable controllers or third parties to conduct legitimate, independent, and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct subpopulations";
- Provide documentation that explains the capabilities and limitations of the services in plain language and enables testing of the services; and
- Prohibit, in the contract by which the controller is permitted to use the facial recognition service, the use of the facial recognition services by a controller to unlawfully discriminate under federal or state law against an individual or groups of individuals.
Among other things, the bill also would create notice, consent, testing, and training requirements around the use of facial recognition technology.
Both bills were introduced in February and referred to the Committee on Privacy and Consumer Protection. The bills are sponsored by Assembly Member Edwin Chau, who was an important figure in the CCPA amendment process. He also chairs the Committee on Privacy and Consumer Protection.
|Other State Consumer Privacy Legislation
Just a few weeks ago we were tracking numerous consumer privacy bills proposed in Arizona, Connecticut, Florida, Hawaii, Illinois, Maryland, Minnesota, Mississippi, Nebraska, New Hampshire, New Jersey, Rhode Island, Utah, Vermont, Virginia, Washington, and Wisconsin.
Yet, after the Washington Privacy Act failed to pass and state legislatures closed (either as scheduled or because of coronavirus), it appears unlikely that any state will join California in enacting consumer privacy legislation (at least this year).
|Washington State
Although Washington lawmakers failed to pass the Washington Privacy Act, they did pass a bill on the use of facial recognition technology, which the Governor signed into law on March 31, 2020 (with a partial veto). The law, regulates state and local government agencies' use of facial recognition technology. Among other things, the law will require those entities to:
- File a notice of intent to develop, procure, or use a facial recognition service with the respective city, county, or other local governmental agency's council, commission, or other body in which legislative powers are vested;
- Produce an "Accountability Report" prior to developing, procuring, or using a facial recognition service;
- Allow for a public review and comment period, holding at least 3 community consultation meetings, and considering the issues raised in these meetings prior to finalizing the Accountability Report;
- Update the final Accountability Report every two years and submit the updated report to the applicable legislative authority;
- Communicate the final Accountability Report to the public at least 90 days before the agency deploys the facial recognition services;
- Require that vendors disclose any complaints or reports of bias regarding the facial recognition service; and
- For any new services not disclosed in the existing Accountability Report, seek public comment and community consultation on the updated Accountability Report
Covered entities also must require a facial recognition service provider to make available an application programming interface or other technical capability, chosen by the provider, to enable legitimate, independent, and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct populations.
David M. Stauss is a partner at Husch Blackwell and co-leader of the firm's privacy and data security practice group. He regularly assists clients in preparing for and responding to data security incidents, including managing multistate b reach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and state information security statutes. He can be reached at [email protected].
Malia Rogers is an associate in Husch Blackwell LLP's Denver office and advises clients of all sizes and across industries on data privacy and security compliance. She leverages her prior professional experience in digital marketing to develop and implement privacy programs compliant with emerging and differing privacy frameworks, including the European Union's General Data Protection Regulation and the California Consumer Privacy Act.
Megan Herr is an attorney in the firm's Denver office and assists clients on emerging data privacy issues.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllA Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute readThree Legal Technology Trends That Can Maximize Legal Team Efficiency and Productivity
Corporate Confidentiality Unlocked: Leveraging Common Interest Privilege for Effective Collaboration
11 minute readLaw Firms Mentioned
Trending Stories
- 1How I Made Practice Group Chair: 'Think About Why You Want the Role, Because It Is Not an Easy Job,' Says Aaron Rubin of Morrison Foerster
- 2People in the News—Nov. 22, 2024—Marshall Dennehey, Buchanan Ingersoll
- 3$83M Verdict After $100K Demand Rejected in Henry County
- 4Samsung Flooded With Galaxy Product Patent Lawsuits in Texas Federal Court
- 5How Marsh McLennan's Small But Mighty Legal Innovation Team Builds Solutions That Bring Joy
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250