State Privacy Updates - 3/10
Welcome to The Patchwork Dispatch, a fortnightly (maybe) newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states. March is upon us and madness is in the air, so be sure to fill out The Dispatch's annual state privacy bracket challenge for your chance to win absolutely nothing; this is just a fun way to represent the current comprehensive legislative landscape:
Enough fun and games, here are the updates you came for:
1. Comprehensive Montana Bill Unanimously Clears Senate
Our top story this issue is number one with a bullet - over the past two weeks, Montana's SB 384 has rocketed through its legislative process, culminating in a 50-0 vote in the Senate. The Montana House has until April 12 to act on the proposal.
The Montana bill is a classic 'Washington Privacy Act' (WPA)-style data protection framework, requiring opt-in consent for processing sensitive data and creating opt-out rights over data "sales" (defined broadly), targeted advertising, and significant profiling decisions. The proposal lacks specific protections for adolescent data and, while it does not specifically address Universal Opt-Out Mechanisms, it does provide for the exercise of opt-out rights through authorized agents.
It is important to note that even as states increasingly coalesce around the 'Washington-style' approach to adopting comprehensive privacy protections, this framework will not necessarily apply evenly in each state if the typical coverage threshold requiring the processing of the personal data of 100,000 in-state individuals is applied. As Husch Blackwell's David Stauss has observed, the small population of Montana means that if SB 384 is enacted, a company would have to process data on approximately 9% of the entire population of Montana in order to be subject to the law.
2. Emerging Amicus Support in NetChoice Lawsuit Against California Age Appropriate Design Code
Last year California enacted the Age Appropriate Design Code Act (AB 2273), a broad children's privacy, product design, and content moderation law that will require businesses to estimate the ages of their users in a manner that is appropriate for the risk of harm in using a service. As previously covered in The Dispatch, the trade association NetChoice rapidly filed suit to block the law from taking effect on a series of constitutional grounds. In recent weeks, the N.D. California's docket has begun to swell with a series of amicus filings supporting NetChoice:
To date, The Dispatch is not aware of any amicus briefs positing that the AADC is constitutional. As for next steps, the California Attorney General's response is due on April 21, 2023 (motion to change time pending) and the NetChoice reply will be due on May 19, 2023.
Meanwhile, observers are wondering how the NetChoice lawsuit will impact the legislative campaign to adopt copycat Age Appropriate Design Codes across the country. AADC-style bills are currently pending in: Connecticut; Illinois; Maryland; Minnesota; New Jersey; New Mexico; New York; and Oregon. Another AADC is expected to be introduced in Nevada. At present, there is little direct evidence that the NetChoice challenge has done anything to chill policymaker enthusiasm. At a recent committee hearing in Maryland, we learned that the state AG's office does not see constitutional weaknesses with the AADC. In contrast, a New Mexico Attorney General report did raise constitutional concerns with the state's Age Appropriate Design Code proposal, but that analysis was subsequently withdrawn.
3. Weak Iowa Proposal Clears State Senate
Iowa could be close to becoming the sixth state to adopt 'comprehensive' privacy legislation (though other jurisdictions like Indiana and Montana are certainly in the running). On Monday, March 6th, the Iowa Senate passed SF 262, an Act relating to consumer data protection, by a 47-0 vote. Companion legislation, HF 346, is currently eligible for a vote in the Iowa House. Furthermore, a similar proposal overwhelmingly cleared the state House, but not the Senate, last year.
As presently drafted, SF 262 would be the least protective of any 'comprehensive' state privacy law. While the proposal appears to be modeled after the Utah Consumer Privacy Act, it has been modified to be weaker in key areas. For example, the Iowa proposal omits a specific right to opt-out of targeted advertising (this may be a drafting error as the bill separately makes reference to such a right) and extends both the right for businesses to "cure" any alleged violations prior to enforcement and the time that businesses have to respond to consumer rights requests.
There is an unfortunate tendency in the privacy community (of which The Dispatch has at times been guilty) to refer to all the non-California state privacy laws in similar terms. The Iowa proposal is a good occasion to remind ourselves that there are significant differences between the various 'Washington-style' bills in terms of consumer rights, business obligations, and enforcement authority. To emphasize this point and help stakeholders assess SF 262, my colleague Mercedes Subhani and I have prepared a chart comparing the proposed Iowa statute to Connecticut's Data Protection Act, available here.
4. Promising Proposals in New Hampshire and Oregon Brought into Greater Alignment with Dominant Trends
Two promising 'Washington-style' bills that The Dispatch has followed closely this year in New Hampshire and Oregon are being brought into greater alignment with the existing state laws.
On March 8th, New Hampshire's bipartisan, bicameral SB 255 cleared the State Judiciary Committee on a 5-0 vote, setting up floor consideration for March 16. While the proposal initially lacked a carve-out for small businesses and exceptions from consumer rights for data held in a 'pseudonymous' format, the Committee amended the proposal to add these typical state privacy law elements.
On March 7th, the Oregon Senate Judiciary Committee heard SB 619, which included supportive testimony from Attorney General Rosenblum. The bill's proponents introduced a set of amendments that would add common exceptions such as processing information necessary to effectuate a product recall; conduct internal research to develop, improve, or repair a product; and to perform internal operations reasonably aligned with a consumer's expectations. The bill also initially contained a "constructive knowledge" standard for children's data protections, but the amendments would adopt the typical "actual knowledge" or "willfully disregards" standard. Despite these anticipated revisions, there is still plenty in SB 619 that would be unique to Oregon. For example, the current proposal includes "devices" in the definition of personal data, requires businesses to share a "specific list" of third parties to whom consumer data has been disclosed, and, of course, provides for a private right of action.
5. Colorado Privacy Act Implementing Regulations (Almost) Finalized
On Friday, February 24, the Colorado Attorney General's Consumer Protection Section submitted its final Colorado Privacy Act implementing regulations for review and approval. David Stauss of Husch Blackwell has posted a redline of changes in this latest version and Sophie Baum of Hogan Lovells has an overview of these changes and further procedural context. While the Colorado Privacy Act only requires the promulgation of rules on the exercise of certain consumer rights through Universal Opt-Out Mechanisms, the final rule package touches on almost every aspect of the Act, running 44 pages in total.
The Attorney General's office deserves credit for this initiative, which was completed an impressive 318 days after the publication of the Agency's rulemaking 'roadmap' and well in advance of the Act's July 1 effective date. The Agency also seriously engaged with stakeholders in iterative review through verbal and written feedback cycles. As the only 'Washington-style' law that currently provides for rulemaking, we are interested to see whether the forthcoming Colorado regulations impact the interpretation and enforcement of similar privacy frameworks in Virginia, Connecticut, and elsewhere.
As always, thanks for stopping by.
Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum
Privacy engineer & Bizdev - DPO - Ethics "expert" - former European Center for Privacy & Cybersecurity (ECPC) board member
1 year ago
What I find stunning, except for the conundrum around defining purpose to make sure opt-out signals are respected within data flows, is that within the Iowa - Connecticut comparison, union membership is not part of sensitive data. It reads a lot like the GDPR's special cat of PD except for that very specific variable. As we are in the midst of a serious digital evolution, I find the lack of protection around this specific variable in the US extremely worrying.