State Privacy News - 3/8

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states. Here's everything you need to know since our last issue:

1. California Issues Revised Draft Regulations on AI and Risk Assessments

On Friday, February 23 the California Privacy Protection Agency released revisions and an explainer for their draft implementing regulations concerning opt-out rights with respect to automated decisionmaking technologies (ADMT) and risk assessments. The new text of these proposed regulations will be discussed at an Agency Board meeting today, March 8.

The original version of the draft ADMT regulations from last November prompted widespread concern (including from the Agency's own Board) for lacking limiting principles on the scope of either the technologies at issue or the circumstances in which consumers could exercise opt-out rights. In response, the proposed revisions narrow the draft in various ways including:

  • Defining ADMT to include technologies that "substantially facilitate" human decisionmaking, which is further defined as using the output of the technology as a "key factor" in decisionmaking. The prior version of the regulations included technologies used to merely "facilitate" human decisionmaking.
  • Explicitly excluding certain technologies from the scope of ADMT, such as web-site loading, firewalls, spellchecking, calculators, databases, spreadsheets, "or similar technologies."
  • Excluding businesses from the requirement to offer an opt-out for the use of ADMT for significant decisions where they, in the alternative, provide an opportunity to appeal the outcome to a qualified human decisionmaker with authority to overturn the decision.
  • Excluding businesses from offering an opt-out of ADMT in certain educational and employment contexts where the system has been evaluated and includes accuracy and nondiscrimination safeguards.

Certain aspects of the regulations were also broadened. For example, the definition of "profiling" was amended to include analysis of or making predictions concerning an individual's "intelligence, ability, aptitude" as well as their "predispositions." Furthermore, the proposed definition of "significant decision" was expanded beyond comparable state laws by providing examples of essential goods and services encompassing "groceries, medicine, hygiene products, or fuel." The revised draft regulations also now propose a definition of "behavioral advertising" which clarifies that the Agency intends to use its rulemaking on ADMT to expand the CCPA's opt-out rights with respect to targeted advertising to first party ads.

The Agency will also discuss proposed revisions to its existing regulations that should not be overlooked. The revisions appear focused on clarifications and instructions for providing notices and consumer controls. However, several proposed modifications are substantive, including (1) updating the definition of sensitive personal data to include the information of consumers that a business has actual knowledge are under 16 years of age (which would be a first for state privacy law); (2) tying the CCPA's coverage thresholds and penalties to the Consumer Price Index; (3) seemingly expanding the CCPA's comparatively narrow statutory right to delete to encompass information obtained about a consumer from third party sources; and (4) requiring businesses to display whether an opt-out request has been honored.

2. Privacy Bills on the March in the South East this March

Three southeastern states are in position to advance Virginia-style privacy proposals in the coming weeks.

  • Georgia: The Georgia Consumer Privacy Protection Act (SB 473) passed the State Senate by a 37-15 vote on February 27th and is currently pending in the House Technology and Infrastructure Innovation Committee. This is a Tennessee-style bill containing its characteristic high coverage thresholds and an affirmative defense for businesses that reasonably conform to the NIST privacy risk management framework. Critically, as currently drafted this proposal lacks common exceptions for data and entities subject to existing federal privacy laws. Georgia's legislative session concludes on March 28.
  • Kentucky: The Kentucky Consumer Data Privacy Act (HB 15) passed the House by a 92-0 vote in February and has now passed the Senate Economic Development, Tourism, & Labor Committee. It is essentially a VCDPA copycat with a somewhat broader definition of biometric data. Two minor Floor Amendments are currently pending on the bill in the Senate, which may vote on the proposal as soon as Monday. Kentucky's legislative session concludes on April 15.
  • West Virginia: The West Virginia Consumer Data Protection Act (HB 5698) has passed the State House by an 86-7 vote and is currently pending in Senate Judiciary. This is essentially a VCDPA-copycat but would require the Attorney General to "establish a process whereby a consumer may seek to utilize" any of their personal data rights through the agency of the AG's office. This proposal was originally packaged with a bill to create an Ohio-style affirmative defense in data breach litigation for complying with an industry recognized cybersecurity framework, but these proposals have been split into separate bills. West Virginia's legislative session is scheduled to conclude on March 9 so time is very much of the essence for HB 5698.

Assuming Georgia's bill is modified to include common carveouts for federally regulated entities, none of these proposals promise to raise the bar for privacy protections within the United States. However, they would collectively extend baseline privacy rights to a further 17 million Americans.

3. Virginia Adds New Child Protections to the VCDPA

Virginia's legislative session opened this year with nearly a dozen proposals to amend the landmark Virginia Consumer Data Protection Act of 2021. However, with the dust settling the only reform to cross the finish line will be HB 707 / SB 361 from Delegate Maldonado and Senator VanValkenburg that will add new protections for children to the VCDPA.

HB 707 is a more modest proposal than other recently enacted child focused laws (in a literal-sense, not a Jonathan Swift-sense). It does not seek to regulate teen data, does not stray into content moderation, does not seek to impose a duty of care, and does not require platforms to estimate the age of their users. Such attributes have led to a series of lawsuits and injunctions against other recent child online privacy laws that HB 707 will likely be better positioned to avoid.

Instead, HB 707 is primarily a data minimization bill that will restrict controllers from processing the data of a "known child" unless "reasonably necessary" to provide an online service, product or feature. This standard appears to exceed existing (and proposed) COPPA requirements which focus on requiring that data collection be "reasonably necessary." It will further expand the VCDPA's data protection impact assessment requirements to require that businesses review online services, products or features directed towards known children. Notably, a late Senate Republican amendment that would have raised the bill's age threshold to individuals under 18 was narrowly defeated in a 20-19 vote.

Should Governor Youngkin enact this proposal, it will take effect on January 1, 2025.

4. Minnesota Comprehensive Proposal Moves in Both Chambers

Long time state privacy watchers will already be familiar with the "Minnesota Consumer Data Privacy Act" which has been introduced over successive sessions in the Gopher State.

This year's iteration of the proposal (HF 2309 / SF 2915) has gained traction in recent weeks as the House version advanced from the Commerce and Judiciary Committees while the Senate version advanced from the Commerce Committee. Recent amendments have brought the proposal into greater alignment with existing state privacy laws, but there are still various unique elements including:

  • A definition of "specific geolocation data" that eschews the standard (inherently arbitrary) 1,750 foot radius and instead focuses on lat/long coordinates or data with sufficient specificity to identify a street address.
  • More detailed requirements for conducting "data privacy and protection" assessments that must also include the name of the organization's "chief privacy officer or other officer with primary responsibility for" complying with the Act.
  • A consumer right to challenge the result of significant profiling decisions, beyond the right to opt-out of being subject to such processing.

5. ...And New Hampshire Makes Fourteen

Governor Sununu has signed SB 255 into law, making New Hampshire the fourteenth state to enact a comprehensive consumer privacy law. Overall, this bill is largely aligned with existing Connecticut-style laws, but it will provide the Secretary of State with authority to establish standards for privacy notices and for the "secure and reliable" exercise of consumer privacy rights. The Act will take effect on January 1, 2025. Our state privacy patchwork quilt has been updated accordingly.

As always, thanks for stopping by.


Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum

Navigating the evolving landscape of privacy laws is like sailing the vast ocean - adaptability and foresight are key. As Marcus Aurelius once philosophized about the nature of change, we too embrace shifts in legislation to better protect our digital footprints #AdaptAndOvercome #PrivacyMatters
