The Less Than Graceful Art of Tracking State Privacy Legislation
New privacy legislation is appearing, disappearing, mutating and reappearing at a rate that boggles the mind. As soon as you wrap your arms around one proposal, it gets dumped and a new proposal or state commission on privacy law appears in its place. Trying to keep tabs on what is happening across the country results in a fair amount of flailing of the hands, sweatiness and panicky faces. Or is that just me?
A Snap-Shot of the Current State of Play
To help credit unions stay on top of privacy legislation that might be important to them, here is a brief snap-shot of what the state of play is as of today.
Florida’s S1670 /HB 963: These companion bills do not go as far as the California Consumer Privacy Act (CCPA), but would still be the state’s first omnibus privacy laws. The legislation does contain an exemption for institutions that must comply with the Gramm-Leach-Bliley Act (GLBA). It does not contain a private right of action. The bills have been introduced and are currently in committee.
Illinois’s Data Transparency Privacy Act (SB2330): This bill is very similar to the CCPA, but contains important definitions and exemptions that the CCPA does not. It does contain a private right of action and an exemption for GLBA-covered data, but not GLBA-covered institutions. The bill was introduced January 8, 2020 and is currently in committee. Multiple privacy bills have been passed by the Illinois legislature, but they have been consistently vetoed by the governor.
Massachusetts’ Consumer Data Privacy Act (S.120): This bill was modeled after the initial drafts of the CCPA. Just last week, a Joint Committee in the Massachusetts Legislature issued an order to further study this proposed Act. This makes passage of an omnibus data privacy law in Massachusetts unlikely in 2020.
The Nebraska Consumer Data Privacy Act (LB746): This bill tracks the CCPA, with some important tweaks. It includes a GLBA exemption that only applies to data rather than the organization, but there is not currently a private right of action attached to the bill. It is currently in committee where a hearing was scheduled earlier this month.
The New York Privacy Act (S5642): Last year, the New York legislature proposed the New York Privacy Act, which was called “groundbreaking” and was widely recognized as going further than the CCPA. The proposal would create a duty of care, loyalty and confidentiality with regard to consumer data, which is an extremely high legal standard of obligation. It did not make it out of committee in 2019, but it has been reintroduced in 2020 and is currently in committee. There are approximately twenty additional privacy bills floating around committees, such as the It’s Your Data Act (A7736), the Right to Know Act (S224) and the less enigmatically named A6351 and S4411.
The Virginia Privacy Act (HB 473): Virginia moves quickly. This bill is a mashup of CCPA and the European Union’s General Data Protection Regulation (GDPR) elements and does include a private right of action. There is a data-level exemption for GLBA-covered information. It was proposed in January and all indications are that consideration of the bill will be delayed until 2021 while it is studied by the Joint Committee on Technology and Science.
The Washington Privacy Act (SB 6281): This did not pass in 2019, but it may well pass in 2020. Last week, the legislation was passed by the state senate with bipartisan support. It will move on to the house where a hearing is scheduled for today. The proposal is quite comprehensive, similar to the CCPA and the GDPR. The good news is that many are calling the Washington Privacy Act a much better model than the CCPA, and reportedly the process of drafting the law involved more stakeholders than the process for the CCPA.
Tracking Privacy Laws
These laws can represent significant operational, compliance and litigation risk for credit unions. Credit unions who want to participate in the lawmaking process should contact their state legislators and make sure they fully understand the impact of these laws on credit unions. NAFCU’s Principles for a Federal Data Privacy Standard can be a useful tool for educating lawmakers on what credit unions are already obligated to do.
If there is a particular law you are keeping an eye on, many state legislatures offer “Status Alert” emails for when there is a change in the status of a particular piece of legislation. A well-drafted google news alert can also be a useful tool for tracking state privacy laws.
The IAPP has a State Comprehensive-Privacy Law Comparison chart that is easy to read and updated every few months, which can be a useful way to quickly check on multiple bills and jurisdictions. For a more thorough description of the fate of past and present state privacy laws, the National Conference of State Legislatures has a list of Consumer Data Privacy Legislation by state.
Ultimately, NAFCU believes that a federal privacy standard is necessary to resolve the risk that arises from having so many, different privacy laws out of so many different jurisdictions. If all these different proposals and uncertainty makes you queasy, consider contacting your federal legislators to tell them so. NAFCU’s Principles for a Federal Data Privacy Standard one-sheet can be a useful tool for that conversation.