State Privacy News - 8/9


The Patchwork Dispatch staff spent the latter half of this fortnight in Louisville, Kentucky for the National Conference of State Legislatures annual summit. It was a pleasure speaking with so many policymakers and staffers who are hard at work addressing some of the thorniest challenges emerging from advancements in data-intensive technologies. However, there is no rest for the weary, so please enjoy the following legislative, regulatory, and enforcement state privacy law updates:

1. Texas Enters Biometrics Settlement with Meta

On July 30 the Texas Attorney General's Office announced that it has entered a $1.4 billion settlement with Meta for alleged violations of the Texas Capture or Use of Biometric Identifier ("CUBI") Act and the Texas Deceptive Trade Practices Act.

Originally passed in 2009, CUBI requires informed consent in order to capture an individual's biometric identifier for a commercial purpose. The settlement emerges from a February 2022 lawsuit alleging that the Facebook social media platform's practice (running from 2011 to 2021) of using facial recognition technology on user-uploaded photos to make "tag suggestions" violated the law. This is the first public settlement under the CUBI statute though the Texas Attorney General initiated a separate CUBI suit against Google in October, 2022 based on "face group" practices for Google Photos and Nest voice matching.

Our sources tell us that one point four billion dollars is a lot of money. Meta already holds the record for the largest ever global privacy regulatory fine (a $5 billion settlement with the Federal Trade Commission in 2019 regarding multiple alleged violations of an existing consent decree), but the Texas settlement may take the second spot on that list. The AG's press release notes that this settlement 'dwarfs' the previous state record, a 40-state Attorneys General $390 million settlement with Google from late 2020. Meanwhile, the largest GDPR fines have tallied in at €1.2 billion and €746 million. Our Texan readers should not expect a big payday, however: up to $225 million of the Meta fine shall go to the state's outside counsel while the bulk of the remaining penalties will be paid over 4 years into the state's general revenue fund.

Looking beyond the numbers, the final order also establishes a potentially significant 'safe harbor'-style program for Meta that may provide valuable legal clarity to the company. It provides that Meta may seek and receive (within 30 days) information from the Attorney General's office regarding the potential application of the state's biometrics laws to Meta's conduct, including the "anticipated or ongoing training of models, algorithms, or programs by processing images, video, audio, or other content of individuals." If the AG's office does not raise an objection to a practice that Meta brings before it, the ability for the state to subsequently take an enforcement action regarding disclosed conduct will be significantly curtailed.

This was a big month for the ancient (in state privacy terms) biometric privacy laws as Illinois Governor Pritzker signed SB 2979 into law. This amendment to the Biometric Information Privacy Act (BIPA) of 2008 fixes the White Castle holding which found that statutory damages under BIPA's private right of action accrue on a ‘per-scan’ basis. It also modernizes the law by explicitly providing for obtaining informed consent through electronic signature. The amendment takes effect immediately.

2. CCIA Sues Texas over Broad Social Media Law

July 30 was clearly a big day for privacy in Texas as the Computer & Communications Industry Association (CCIA) and NetChoice filed suit seeking to enjoin the provisions of Texas House Bill 18 that regulate social media companies, raising First Amendment and Section 230 preemption grounds. HB 18 was enacted in 2023 and is scheduled to take effect on September 1, 2024.

HB 18 is broader than many of the red state social media age verification laws that were previously sued (typically successfully) by NetChoice. Instead of explicitly covering social media companies it applies to "digital service providers" that allow users to 'socially connect' and share content with each other. The law contains a number of controversial provisions including that users must "register" their age with digital service providers; limits on the collection and use of the information of minors (under age 18); a 'duty of care' to prevent the exposure of minors to "harmful material" through specific (potentially ineffective) technological means; requirements for services to create parental tools to allow supervision of a minor's use of a digital service; and a private right of action.

CCIA highlights the inherent tension between many online safety proposals and free speech rights. For example, the complaint lays out works of popular media that social media companies would plausibly be required to (and likely be chilled into) suppressing per the law's vague and broad definition of "harmful content," such as "The Weeknd’s Kids’-Choice Award-nominated Can’t Feel My Face (2016), and multiple Emmy-Award-winning series such as Euphoria (2019-present)."

3. New York Initiates Child Privacy Rulemaking

On August 1 the Office of the New York Attorney General issued two Advanced Notices of Proposed Rulemakings (ANPRM) for the state's new child online privacy and safety laws, the Stop Addictive Feeds Exploitation for Kids Act (SAFE for Kids) and the New York Child Data Protection Act (NYCDPA).

These two laws were covered in the June 14 edition of the Dispatch but in short, the SAFE for Kids Act requires social media platforms to conduct age verification of users and obtain verifiable parental consent in order to algorithmically curate the presentation of content to minors under the age of 18. In contrast, the NYCDPA is primarily a data minimization law that restricts processing of the personal information of minors to what is "strictly necessary" for a permissible purpose (e.g. providing or maintaining a requested product or service; conducting internal business operations; complying with legal obligations; preventing security threats) or with informed consent (which can be from teens themselves). The NYCDPA also provides for the creation of a novel class of "age-flag" device signals intended to communicate whether a user is a covered minor.

The ANPRM poses dozens of questions and sub-questions for public input, with particular attention to the topics of: (1) current best-practices in age determination, (2) standards for obtaining verifiable parental consent, (3) what constitutes an "addictive social media platform", and (4) standards for determining whether a service is child-directed. Despite the novelty and both technical and policy challenges raised by the concept of "age-flags", the ANPRM provides little information on the OAG's approach and instead requests high-level input on "factors" and "standards" that the OAG should consider for acceptable device signals.

Members of the public have until September 30 to respond to the ANPRM. The filing page notes that while these questions are "not part of the formal rulemaking" required by the NYS Administrative Procedure Act the submission will become part of the "official record." Information gathered through the process will inform a future Notice of Proposed Rulemaking (NPRM) which will be subject to its own comment period.

Separately, on July 15 the New York Attorney General's Office published detailed cookie banner guidance following an enforcement sweep. As New York does not have a comprehensive consumer privacy law, the AG ties these actions to the state's authority to regulate deceptive practices.

4. New Hampshire Removes (Limited) Rulemaking Authority From Privacy Law

One regulatory process opens, while another closes. On July 19 Governor Sununu signed HB 1220 into law, which makes minor amendments to New Hampshire's comprehensive consumer privacy law (SB 255) which was enacted in March of this year.

SB 255 is largely a bog-standard Connecticut-style privacy law but stood out from the pack by requiring the secretary of state to establish requirements for privacy notices and the means by which consumers may exercise their privacy rights. HB 1220 removes this power and makes the provisions self-executing under the law.

HB 1220 is not a major amendment in the grand scheme of things (not even in the grand scheme of this hyper-specific newsletter); however, it does provide some helpful framing for considering what makes an effective privacy law. Some organizations view any form of rulemaking as an inherent virtue for state privacy laws and credited New Hampshire for this unique authority/obligation. However, as a practical matter HB 1220 will likely be a net positive for New Hampshirites, who will now have legally guaranteed privacy rights when the New Hampshire law takes effect on January 1, 2025 without having to wait for the completion of a regulatory process to duplicate statutory requirements that have already been established by a dozen previously enacted state laws. Presumably, the Secretary of State's office will also be able to use its limited time and resources on other, hopefully more important, matters.

5. A Suspenseful Month In California

The sink or swim moment for most California legislation comes in the Appropriations Committees, where costly bills are sent to the 'Suspense File' - many of which are never to be heard from again. This year's brigade of California privacy and AI bills experienced mixed results in Appropriations hearings this week, with several bills passing while more ended up on the Suspense File. These bills must be voted off the file and through committee by August 16 in order to remain alive for this session. (Ed. note: I think this is correct, but someone more familiar with the CA legislative process please feel free to weigh in in the comments).

The following bills passed through cross-chamber Appropriations:

  • AB 3048, a California Consumer Privacy Act (CCPA) amendment to mandate that browsers and mobile operating systems provide native support for individuals to send 'opt out preference signals' invoking their rights to opt out of sales and sharing of personal data by default.
  • AB 1008, a CCPA amendment providing that personal information ‘can’ ‘exist in’ artificial intelligence systems that are capable of outputting personal information (potentially wading in to an active debate to suggest that LLMs can indeed contain PII and running counter to recent findings of the Hamburg DPA).
  • SB 1233, a CCPA amendment explicitly classifying neural data as "sensitive" under the Act. The CCPA famously does not extend its core opt-out right to sensitive data collected without the purpose of "inferring characteristics about a consumer" so it is interesting to consider what use cases of neural data would fall in or out of this exception.

The bills referred to the Suspense File include:

  • AB 1949, CCPA amendment to raise the law's age threshold to 18 and provide for age-flag device signals.
  • AB 2877, CCPA amendment to bar using youth data to train AI systems unless with consent and such data is both deidentified and aggregated. These restrictions would appear to make the use of youth data to train AI systems functionally impossible (apart from a narrow exception where such training is necessary to protect the data subject from an "imminent" threat to their health or safety).
  • AB 2930, a standalone bill to establish requirements for developers and deployers to limit discriminatory use of Automated Decision Tools.
  • AB 1047, a highly controversial bill to place broad regulations on so-called ‘frontier models’ AI systems.
  • AB 3211, an AI provenance, authenticity, and watermarking bill.
  • SB 942, a bill to establish disclosure and detection requirements concerning AI-generated content.

As always, thanks for stopping by.


Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum

The number of different bills in California makes them the most “suspenseful” state for privacy legislation. But it looks like Texas is going at least for the silver medal.
