State Privacy Updates - 2/10

Welcome to The Patchwork Dispatch, a fortnightly (maybe) newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states.?We are pleased to report that thanks to California, we actually have some regulatory and enforcement items to cover in this installment of the Dispatch. You know the drill by now, on to the updates!

1. Utah Storms Ahead With Social Media Bills

The Utah Consumer Privacy Act is widely considered to be the most business-friendly of the five comprehensive state privacy laws, so it may have taken some observers by surprise as the restrictive Utah Social Media Regulation Act (SB 152 / HB 311) rapidly gained traction in recent weeks. As initially drafted, these proposals sought to establish a flat prohibition on anyone under the age of 16 holding a social media account (House), require social media companies to verify the age of all users, create parental consent requirements, mandate that social media platforms build monitoring systems to allow parents to view all messages sent and received through their child's accounts (Senate), and establish a private right of action for violations.

These proposals are a prime example of how privacy interests can intersect with other important societal values such as online safety, free expression, and individual autonomy in complex ways. In an era of increasing calls to ban or force the divestiture of certain foreign-owned apps and websites such as TikTok due to privacy and security concerns, there is an obvious tension with proposals like the Utah Social Media Regulation Act that would likely require TikTok to collect sensitive personal information such as biometric data and government-issued identification from users in order to verify their age and identity.

While both bills quickly cleared their committee processes, late Thursday the full Utah House threw us a curveball by significantly revising HB 311 before passing it on a 68-6 vote. The provisions requiring age verification were removed and the proposal now creates a rebuttable presumption that individuals under the age of 16 are harmed by the use of social media with a private right of action for "any addiction, financial, physical, or emotional harm suffered" as a consequences of a minor using social media. Practically speaking, these revisions may move the bill even closer to a de facto ban on the operation of social media in Utah (which may be the intent), though it is also not fully clear which companies and services would qualify as "social media platforms" as drafted. The next big question for these proposals is whether the Senate version of the bill will be similarly rewritten.

2. California Privacy Regulatory Updates and an Enforcement Sweep

On February 3, the California Privacy Protection Agency (CPPA) board voted 4-0 to submit its initial California Privacy Rights Act (CPRA) rulemaking package to California’s Office of Administrative Law (OAL) for approval. Despite the unanimous vote, board member de la Torre noted that her preference would have been to withhold Section 7002 from the draft regulations at this time, this provision seeks to create a novel "reasonable expectations" standard for data minimization. She noted that as drafted, the standard lacks common carve outs for journalistic, research, archiving, and statistical uses of data and that “I don’t think we want to be more restrictive than Europe.” We understand that once submitted, the OAL has 30 working days to review the proposed regulations. A reminder that back in 2020, the OAL required only relatively minor revisions to the California AG’s regulations to implement the underlying California Consumer Privacy Act (CCPA).

The CPPA also voted to initiate a 45-day public comment period on preliminary rulemaking questions to gather information on three important CPRA topics that were not addressed in the initial set of implementing regulations: cybersecurity audits, risk assessments, and automated decisionmaking (ADM). Two key points of note here: first, the CPRA is unique among U.S. privacy laws in requiring companies to affirmatively submit risk assessments to regulators (rather than making them available upon request). The questionnaire suggests that the Agency is considering slightly backing off from this approach by only requiring businesses to affirmatively submit "a summary risk assessment" on a regular basis.

Second, while the CPRA provides a vague direction for rulemaking on ADM and does not clearly contemplate an independent consumer right to opt-out of ADM, members of the CPPA routinely elevated this provision as a core part of their argument that the CPRA is a stronger privacy framework than the American Data Privacy and Protection Act (ADPPA) that the House Energy & Commerce Committee advanced last Congress. The pre-rulemaking questions provide additional evidence that the Agency is contemplating a broad range of rights and restrictions with respect ADM and will not necessarily follow the lead of the states that have directly created consumer rights over ADM through legislation.

While the CPPA continues its Herculean task of drafting implementing regulations for the CPRA, the California Attorney General's Office remains responsible for enforcing the underlying CCPA. On January 27, the AG's Office announced a new enforcement sweep of "popular apps in the retail, travel, and food service industries." A notable focus of this sweep compared to previous enforcement activities is on allegations of non-compliance with consumer rights requests exercised through "authorized agents", specifically the Permission Slip tool developed by Consumer Reports. We are also watching to see what, if any, impact the expiration of the CCPA's 30-day right to cure will have on this wave of enforcement.

3. Washington State 'My Health My Data' Act Amended and Advanced

As first reported by Felicity Slater, a substitute Washington State My Health My Data Act (HB 1155 / SB 5351) was released on February 2nd. Numerous significant changes have been made to the proposal. For example, the flat prohibition on the "sale" of consumer health data was withdrawn and replaced with a "valid authorization" standard. The definition of "consumer health data" remains broad, but has been modified to more closely track U.S. privacy standards by including personal information that is "linked or reasonably linkable" to a consumer. The revised bill also now restricts geofencing within 2,000 feet of a health care facility, rather than focusing on just the perimeter of such a building.

At a February 3rd Executive Session of the House Civil Rights & Judiciary Committee, the substitute bill was accepted and the proposal was advanced on a 7-4 party line vote. Numerous amendments offered by Rep. Walsh (R) were rejected, such as language to weaken the bill's 'backdoor' private right of action and to remove the restrictions on geofencing. However, the committee did seriously debate a proposal to add a right to cure to the Act.

4. Hawaii Hearings

Two Virginia-style bills titled the "Consumer Data Protection Act" were introduced in Hawaii on January 20th: SB 974 and SB 1110 / HB 1497. While very similar proposals, there are some distinctions: SB 974 would provide for the exercise of consumer rights through global device settings while SB 1110 contains a private right of action. Notably, the bills also share two common sponsors: Senators Keith-Agaran and McKelvey.

Last week, HB 1497 was amended and advanced by the House Committee on Higher Education and Technology on a 9-2 vote. The Committee struck the right of consumer access (while leaving the right of data portability untouched), struck the bill's private right of action, and made the bill's opportunity to cure permanent. Finally, in a fun local-practices twist, the bill's effective date was amended to June 30 in the Year 3000 in order to "encourage further discussion." Later today, SB 974 is scheduled for a hearing in the Committee on Commerce and Consumer Protection.

Separately, two sectoral privacy bills, an Illinois Biometric Information Privacy Act-copycat (SB 1085) and a bill restricting the sale of geolocation and internet browser information without consent (SB 1180) are scheduled for action in the Senate Committee on Labor and Technology later today. This will be the second time the Committee discusses these bills.

5. D.C.'s 'Stop Discrimination by Algorithms Act' Reintroduced

Closing out with an update from close to home, five Washington D.C. City Councilmembers have reintroduced the Stop Discrimination by Algorithms Act (SDAA) as B25-0114. While most comprehensive privacy bills have sought to tackle the threats of discriminatory AI by creating a consumer right to opt out of significant automated profiling decisions, the SDAA potentially represents a new regulatory model.

The SDAA would prohibit businesses from making discriminatory algorithmic eligibility determinations with respect to important life opportunities (involving credit, education, employment, housing, or public accommodation) on the basis of an individual's actual or perceived race, color, religion, national origin, sex, gender identity or expression, sexual orientation, familial status, source of income, or disability. The proposal further includes notice, reporting, and auditing requirements for the use of algorithmic decision-making systems while providing for enforcement by both the Attorney General and through private litigation.

Last year, the SDAA received an almost 7-hour hearing in the Committee on Government Operations and Facilities. However, then-sponsor Robert White ultimately suspended activity on the legislation noting that "[unfortunately,] there is not enough time before the end of the Council period to move this bill forward in a way that effectively bars harmful discrimination without substantially disrupting the central and often positive role that algorithms play in broad swaths of our economy." Could SDAA be better positioned to move this session?

As always, thanks for stopping by.

Keir Lamont is the Director of U.S. Legislation at the Future of Privacy Forum