Data PrivacyOver the past few months, there has not been a lack of things to talk about as it relates to U.S. privacy law developments. Between the CCPA, Washington Privacy Act, CCPA 2.0, and numerous privacy bills proposed in state legislatures, practically every day brought a new story. However, a lot has changed in a short period of time.

First, the Washington Privacy Act failed to pass (although Washington did enact a facial recognition bill). Then, the world changed with the coronavirus pandemic.

Yet, there are still developments in U.S. privacy law. Below is an overview of the ones that we have been tracking over the past few weeks.

|

California

CCPA. On March 11, 2020, the California Attorney General published another round of modified regulations. The written comment period for those regulations ended on Friday, March 27, 2020. The Attorney General's office has not yet posted the written comments on its website but should do so soon.

Presumably, the Attorney General will now publish final regulations and a final statement of reasons (instead of another round of modifications). Although it is anyone's guess when the final regulations will be published, the Attorney General's office published its last round of modifications two weeks after the written comment period ended. If that same time frame holds true, the final regulations would be published sometime in mid-April.

The Attorney General's office has – to date – refused requests to delay the CCPA's July 1 enforcement deadline. Therefore, as it stands, businesses will have only a short time frame to drive compliance to the final regulations before the enforcement deadline.

CCPA 2.0. Just weeks ago it seemed like a foregone conclusion that privacy advocates would collect enough signatures for CCPA 2.0 to qualify for the November ballot. Yet, the California Governor's stay-at-home order has no doubt curtailed the signature-collection efforts.

In a recent article, a campaign spokesman reported: "We're in pretty good shape with the numbers that we have, but are adhering to public health requirements and putting public safety first. Like most ballot measure campaigns out there, we'd always love more signatures, but we're dealing with a stark new reality while the state is on lockdown."

According to the California Secretary of State, the deadline for proponents to file petitions with county election officials is April 21st. Advocates must collect 623,212 signatures. On January 30, 2020, Alastair Mactaggart reported to the California Secretary of State that they had collected 25% of the required signatures. On March 3, 2020, Amy Miller from MLex reported that they had gathered 500,000 signatures but needed around 1 million because many signatures would likely be found invalid.

Other California Privacy Legislation. The California legislature is considering two privacy-related bills (unrelated to the CCPA) that are worth discussing.

The first bill – AB-2414 – would amend the California Online Privacy Protection Act (CalOPPA) to require operators of mobile applications to (1) provide clear and conspicuous notices that fully inform a consumer when, how, and why the consumer's recordable information will be collected, used, and shared upon installation of the application, (2) obtain a user's affirmative express consent before collecting or using the user's recordable information, and (3) separately obtain the user's affirmative express consent before disclosing the user's recordable information.

The bill defines "recordable information" as "information that is capable of being recorded by the device on which the mobile application operates, including, but not limited to, audio or visual information collected by a camera or microphone and geolocation information."

The second bill – AB-2261 – would limit the use of facial recognition technology by the private sector along with state and local government. The bill would require processors that provide facial recognition services to:

  • Make "available an application programming interface or other technical capability, chosen by the processor, to enable controllers or third parties to conduct legitimate, independent, and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct subpopulations";
  • Provide documentation that explains the capabilities and limitations of the services in plain language and enables testing of the services; and
  • Prohibit, in the contract by which the controller is permitted to use the facial recognition service, the use of the facial recognition services by a controller to unlawfully discriminate under federal or state law against an individual or groups of individuals.

Among other things, the bill also would create notice, consent, testing, and training requirements around the use of facial recognition technology.

Both bills were introduced in February and referred to the Committee on Privacy and Consumer Protection. The bills are sponsored by Assembly Member Edwin Chau, who was an important figure in the CCPA amendment process. He also chairs the Committee on Privacy and Consumer Protection.

|

Other State Consumer Privacy Legislation

Just a few weeks ago we were tracking numerous consumer privacy bills proposed in Arizona, Connecticut, Florida, Hawaii, Illinois, Maryland, Minnesota, Mississippi, Nebraska, New Hampshire, New Jersey, Rhode Island, Utah, Vermont, Virginia, Washington, and Wisconsin.

Yet, after the Washington Privacy Act failed to pass and state legislatures closed (either as scheduled or because of coronavirus), it appears unlikely that any state will join California in enacting consumer privacy legislation (at least this year).

|

Washington State

Although Washington lawmakers failed to pass the Washington Privacy Act, they did pass a bill on the use of facial recognition technology, which the Governor signed into law on March 31, 2020 (with a partial veto). The law, regulates state and local government agencies' use of facial recognition technology. Among other things, the law will require those entities to:

  • File a notice of intent to develop, procure, or use a facial recognition service with the respective city, county, or other local governmental agency's council, commission, or other body in which legislative powers are vested;
  • Produce an "Accountability Report" prior to developing, procuring, or using a facial recognition service;
  • Allow for a public review and comment period, holding at least 3 community consultation meetings, and considering the issues raised in these meetings prior to finalizing the Accountability Report;
  • Update the final Accountability Report every two years and submit the updated report to the applicable legislative authority;
  • Communicate the final Accountability Report to the public at least 90 days before the agency deploys the facial recognition services;
  • Require that vendors disclose any complaints or reports of bias regarding the facial recognition service; and
  • For any new services not disclosed in the existing Accountability Report, seek public comment and community consultation on the updated Accountability Report

Covered entities also must require a facial recognition service provider to make available an application programming interface or other technical capability, chosen by the provider, to enable legitimate, independent, and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct populations.

David M. Stauss is a partner at Husch Blackwell and co-leader of the firm's privacy and data security practice group. He regularly assists clients in preparing for and responding to data security incidents, including managing multistate b reach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA), and state information security statutes. He can be reached at [email protected].

Malia Rogers is an associate in Husch Blackwell LLP's Denver office and advises clients of all sizes and across industries on data privacy and security compliance. She leverages her prior professional experience in digital marketing to develop and implement privacy programs compliant with emerging and differing privacy frameworks, including the European Union's General Data Protection Regulation and the California Consumer Privacy Act.

Megan Herr is an attorney in the firm's Denver office and assists clients on emerging data privacy issues.