State Privacy Updates - 3/31
Welcome to The Patchwork Dispatch, a fortnightly (yet again!) newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states. Some folks have asked whether I will be attending next week's IAPP Global Privacy Summit in DC; the answer is "No." However, I will be skulking around the hallways of the convention center like a spectre haunting Europe - so feel free to drop me a line if you'd like to grab coffee and chat U.S. privacy law. On to the updates!
1. California Privacy Rulemaking Updates
On March 30th, the California Privacy Protection Agency (CPPA) announced that the Office of Administrative Law (OAL) approved the initial set of California Consumer Privacy Act (CCPA) implementing regulations in their entirety - a major victory for the nascent agency. While the formal enforcement date for the California Privacy Rights Act (CPRA) amendments to the CCPA remains July 1st, the approved regulations take effect immediately.
Of course, there is no rest for the weary and the Agency is already getting started on a second round of rules. On March 27th, the public comment period on the Agency's preliminary rulemaking questionnaire on the topics of cybersecurity audits, risk assessments, and automated decisionmaking closed. The Agency has yet to formally publish the comments it received, but the good folks at Alliance for Automotive Innovation, BSA, CCIA, CDT, CIPL, Consumer Reports, Consumer Watchdog, FPF and NAI have independently posted their submissions.
The OAL's blanket approval of the initial draft regulations (which in some cases significantly expand privacy rights and obligations beyond the plain text of the statute) suggests that the Agency will enjoy broad latitude in choosing how to craft further CCPA implementing regulations. There are early indications that the Agency is planning to take full advantage of this authority. For example, a recent tweet from the IAPP's DC Bureau Chief signals that the Agency is considering applying CCPA opt-out rights with respect to automated decisionmaking to certain algorithmic recommendation systems for online content.
2. Progress on the Tennessee Information Protection Act
For the first time this year, we cover the Tennessee Information Protection Act (TIPA) (SB 73 / HB 1181). Admittedly, this proposal did not start off high on our watchlist, largely because a prior version of TIPA became one of the few comprehensive privacy proposals to actually fail a vote in 2022 when it was rejected in the Senate Labor & Commerce Committee by a 6-3 margin. However, TIPA is back, revised, and appears in position to make a push for the finish line before Tennessee's May 4th end-of-session date.
The proposal's apparent viability this year is likely due in large part to a set of amendments made to the Senate bill on March 21st. Eric Reagan has a good rundown of how the bill has evolved this year on the Data v. Privacy blog.
At a high level, though, the amended TIPA is predominantly a Virginia-style proposal with a few notable wrinkles:
- To be in scope, companies must exceed $25 million in revenue and process the personal data of 175,000+ Tennessee residents.
- Exceptions for pseudonymized data apply to consumer opt-out rights.
- Businesses will have an affirmative defense in an AG enforcement action if they 'reasonably conform' to the NIST Privacy Framework or "other documented policies, standards, and procedures designed to safeguard consumer privacy..."
It is hard to predict when the next action on TIPA will occur as there have been postponements in both chambers; however, the bill is currently scheduled for Senate floor time on April 6 and a hearing in the House Commerce Committee on April 4.
3. Age Appropriate Design Codes on the March
Advocates of the Age Appropriate Design Code approach to regulating the privacy, design, and content practices of online products, services, and features that are likely to be accessed by children have scored big wins in recent weeks. First, in Maryland an AADC bill (HB 901) passed the State House by a 110-26 vote. Second, in Minnesota, an AADC bill has been added to the House Commerce Committee's 195-page omnibus finance bill. Both bills have received minor amendments during their legislative journeys that appear partly due to the fact that neither state has an underlying comprehensive privacy statute that their Design Code would plug into, as was the case for the adoption of California's AADC.
4. Florida Stays Weird
The Dispatch has previously covered Governor DeSantis' "Digital Bill of Rights" legislative package. The data privacy element of the 'bill of rights' has now been introduced as HB 1547 / SB 262. Florida has an established history of creative scoping when it comes to technology legislation, and the new proposal is no exception. In fact, in order to be covered under the bill, a business would need to make in excess of $1 billion in gross annual revenue and either (a) make more than half of its revenue from online ad-related business or (b) operate "a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation." Huh. Given these thresholds, should the Florida proposal be enacted in its current form, it would likely apply to only a very small handful of very large companies.
Substantively, the proposal contains many familiar elements such as a California-style right to opt out of the sale or sharing of personal information as well as transparency and data security requirements. In a unique privacy element, the proposal would also require covered entities to adopt a retention schedule that would provide for the deletion of certain personal data two years following the last interaction with a consumer. The proposal also occasionally ranges far afield of traditional privacy topics, such as prohibiting government employees from entering working relationships with social media platforms for the purposes of content moderation and requiring search engines to disclose how their "algorithm prioritizes or deprioritizes political partisanship or political ideology in its search results."
The Senate bill is on the agenda for a Commerce and Tourism Committee hearing on April 4th while the House Bill was reported out of the Regulatory Reform & Economic Development Subcommittee on March 30th. The House Committee threw us another screwball by adopting a sponsor's amendment to incorporate Age Appropriate Design Code-style language into the Act. However, the amendment appears to take the NetChoice litigation against the California AADC seriously and takes steps to avoid similar constitutional challenges. For example, the Florida bill does not require "age estimation", it uses a "predominantly accessed by children" rather than "likely to be accessed" standard for coverage, and would not give regulators the authority to second guess a platform's enforcement of published terms, policies, and community standards.
5. Quick Bites
There's a lot going on in the states right now, so let's close the newsletter out with a series of short updates on legislation covered in previous editions of the Dispatch:
- Iowa: On March 28, Governor Reynolds signed SF 262 into law, making Iowa the sixth state to enact baseline privacy legislation. As I told the Washington Post, SF 262 has a strong argument for being the narrowest of all six state laws.
- Utah: On March 23, Governor Cox signed SB 152 and HB 331 into law, far-reaching social media bills that threaten the privacy, liberty, and safety of Utahns, particularly adolescents.
- Kentucky: On March 30, Kentucky's legislative session closed without adopting the GDPR-inspired SB 15 that previously passed the State Senate by a 32-2 vote.
- Indiana: SB 5 has been scheduled for a House Judiciary Committee hearing on April 5. This Virginia-style proposal previously passed the State Senate by a 49-0 vote.
- Texas: HB 4 is scheduled for floor time on April 4. The Virginia-style proposal has been amended with a novel requirement that small businesses obtain affirmative consent in order to sell sensitive data.
- New Hampshire: The Connecticut-style SB 255 cleared the State Senate on March 16 and is currently pending in the House Judiciary Committee.
- Oregon: The Washington Privacy Act-style SB 619 is scheduled for a Senate Judiciary Work Session on April 3. Proposed amendments have been added to the bill page that would remove the legislation's private right of action.
- Montana: The Virginia-Connecticut hybrid SB 384 has been pending for two weeks in the House Energy, Technology and Federal Relations Committee after passing the State Senate 50-0.
In a moment of weakness earlier this week, I broke my one cardinal rule and made an actual legislative prediction, putting the line of additional states to enact comprehensive privacy legislation in 2023 at over/under 3.5. Let me know down in the comments how you'd wager this.
As always, thanks for stopping by.
Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum.
Head of Global Consumer Protection at Pillsbury
1 year ago: It was good to see you yesterday, Keir! Thanks for the great recap.
Los Angeles based startup and venture attorney. Licensed to practice in CA and NY. Georgetown Law 2015. Go Bills!
1 year ago: Great newsletter as always. And I appreciated the Florida Gator confirming that Florida has stayed weird.
Innovation doesn't happen by itself
1 year ago: I will see you in DC roaming the halls.
Director @ CIPL | Technology and Data Policy
1 year ago: Super helpful update, Keir Lamont - thank you!