As noted in our two prior alerts, CCPA Part 1 and Part 2, the California Consumer Privacy Act (CCPA) is bringing GDPR-like data protection to the United States. Other states are now following suit.
The California legislature continues to look at amendments to the CCPA. The California Senate should soon begin consideration of a large expansion of the CCPA’s narrow private right of action, currently limited to certain data security breaches, so it would include any violation of the CCPA whatsoever. Proposed changes would also eliminate the requirement that private litigants seek state AG review before filing suit.
We look at the legislative developments in three states that have reacted favorably to the CCPA: Washington, Texas and Massachusetts.
State of Washington Privacy Act
On March 11, 2019, the State Senate passed the Washington Privacy Act (WPA) by a 46-1 margin, after discussions with both business and consumer groups. The WPA borrows heavily from the CCPA, but it also lifts language directly from the EU’s GDPR regulation. The legislation has hit a snag in the State House of Representatives, however, and passage this session is uncertain.
As State Senate Bill 5376, the WPA would apply to legal entities that conduct business in Washington and either (1) control or process the data of 100,000 Washington consumers, or (2) derive 50% of their gross revenues from the sale of personal information and process or control the personal information of 25,000 or more consumers.
SB 5376 would give Washington consumers the protections found in the GDPR (access, deletion, correction, no to certain uses, profiling, etc.). It also employs GDPR terms like “controllers” (who dictate the collection and use of personal information) and “processors” (who do as told by controllers). Like the GDPR, it will require periodic risk assessments of businesses that process such information.
SB 5376 contained no private right of action. The State Attorney General could seek $2,500 per innocent violation and $7,500 per intentional violation.
Prospects are dimming, as the bill must pass the House before hitting the Governor’s desk. The House Innovation, Technology & Economic Development Committee recently amended the bill to include a private cause of action and enhanced consumer protections with respect to facial recognition and other privacy concerns.
On April 9, 2019, the State’s House Appropriations Committee stripped SB 5376 of all content, leaving its title only, as a procedural vehicle to keep it alive and hopefully resolve these differences. If no consensus is reached by April 28, 2019, the WPA will likely have to wait another year for consideration.
Texas Consumer Privacy Act and Texas Privacy Protection Act
Texas has filed two consumer data protection bills in 2019. The proposed Texas Consumer Privacy Act (“Texas CPA”) is nearly a clone of the CCPA. The other, called the Texas Privacy Protection Act, focuses on business regulation rather than consumer rights.
The Texas Legislature regularly meets in odd-numbered years only, so if neither proposed Act passes this year, it will not be considered again until 2021, absent special action by the Governor.
Like the CCPA, the Texas CPA will cover a company that does business in Texas, collects Texas resident personal information and either (a) has annual gross revenues of more than $25 million, (b) buys, sells, receives, or shares for commercial purposes the personal information of more than 50,000 Texas residents, households or devices, or (c) derives 50% or more of its annual revenue from selling Texas resident personal information.
The Texas CPA mirrors the CCPA’s consumer protections for notice, opt-out of sales, deletion, etc. It would not apply to information collected pursuant to HIPAA, GLBA, FCRA, or clinical trials. In addition, it excludes from coverage information wholly collected or purchased outside of Texas.
The proposed Texas CPA does NOT allow for a private right of action. Attorney General actions brought under the statute may seek penalties from $2,500 per incident (innocent) to $7,500 per incident (intentional). The Texas CPA will allow businesses 30 days to cure an alleged violation and avoid further action.
In contrast, the Texas Privacy Protection Act has fewer definitions and consumer protections, but it still allows for hefty fines of $10,000 per violation, to a maximum of $1 million.
Massachusetts Consumer Privacy Act
The proposed Massachusetts Consumer Privacy Act (MCPA) also follows the CCPA’s example in terms of consumer notices and protections.
The MCPA will lower the CCPA coverage criteria to those for-profit businesses with gross revenues of just $10 million or more, or those who derive 50% or more of their annual revenues from the disclosure of Massachusetts consumers’ personal information.
The MCPA takes an extremely aggressive approach to enforcement. Not only does it allow for consumer private actions, it expressly states that a consumer bringing a private suit for an MCPA violation need not have suffered any actual harm. Violation of the MCPA is harm enough to bring suit under the MCPA. Such private rights of action, like the CCPA, would allow those bringing suit to sue for up to $750 in statutory damages per violation in addition to attorneys’ fees.
In conclusion, the laboratories of the states are hard at work in drafting new data privacy laws. Congress also continues to plow forward, taking into account these measures and contemplating whether federal legislation should preempt. Stay tuned.