April 16, 2019
To learn more about Lathrop GPM, click here ›
The California Consumer Privacy Act Part 3: Data Privacy Legislation in Other States
The California legislature continues to look at amendments to the CCPA. The California Senate should soon begin consideration of a large expansion of the CCPA’s narrow private right of action, currently limited to certain data security breaches, so it would include any violation of the CCPA whatsoever. Proposed changes would also eliminate the requirement that private litigants seek state AG review before filing suit.
We look at the legislative developments in three states that have reacted favorably to the CCPA: Washington, Texas and Massachusetts.
On March 11, 2019, the State Senate passed the Washington Privacy Act (WPA) by a 46-1 margin, after discussions with both business and consumer groups. The WPA borrows heavily from the CCPA, but it also lifts language directly from the EU’s GDPR regulation. The legislation has hit a snag in the State House of Representatives, however, and passage this session is uncertain.
As State Senate Bill 5376, the WPA would apply to legal entities that conduct business in Washington and either (1) control or process the data of 100,000 Washington consumers, or (2) derive 50% of their gross revenues from the sale of personal information and process or control the personal information of 25,000 or more consumers.
SB 5376 would give Washington consumers the protections found in the GDPR (access, deletion, correction, no to certain uses, profiling, etc.). It also employs GDPR terms like “controllers” (who dictate the collection and use of personal information) and “processors” (who do as told by controllers). Like the GDPR, it will require periodic risk assessments of businesses that process such information.
SB 5376 contained no private right of action. The State Attorney General could seek $2,500 per innocent violation and $7,500 per intentional violation.
Prospects are dimming, as the bill must pass the House before hitting the Governor’s desk. The House Innovation, Technology & Economic Development Committee recently amended the bill to include a private cause of action and enhanced consumer protections with respect to facial recognition and other privacy concerns.
On April 9, 2019, the State’s House Appropriations Committee stripped SB 5376 of all content, leaving its title only, as a procedural vehicle to keep it alive and hopefully resolve these differences. If no consensus is reached by April 28, 2019, the WPA will likely have to wait another year for consideration.
Texas has filed two consumer data protection bills in 2019. The proposed Texas Consumer Privacy Act (“Texas CPA”) is nearly a clone of the CCPA. The other, called the Texas Privacy Protection Act, focuses on business regulation rather than consumer rights.
The Texas Legislature regularly meets in odd-numbered years only, so if neither proposed Act passes this year, it will not be considered again until 2021, absent special action by the Governor.
Like the CCPA, the Texas CPA will cover a company that does business in Texas, collects Texas resident personal information and either (a) has annual gross revenues of more than $25 million, (b) buys, sells, receives, or shares for commercial purposes the personal information of more than 50,000 Texas residents, households or devices, or (c) derives 50% or more of its annual revenue from selling Texas resident personal information.
The Texas CPA mirrors the CCPA’s consumer protections for notice, opt-out of sales, deletion, etc., nor would it apply to information collected pursuant to HIPAA, GLBA, FCRA, or clinical trials. In addition, it excludes from coverage information wholly collected or purchased outside of Texas.
The proposed Texas CPA does NOT allow for a private right of action. Attorney General actions brought under the statute may seek penalties from $2,500 per incident (innocent) to $7,500 per incident (intentional). The Texas CPA will allow businesses 30 days to cure an alleged violation and avoid further action.
In contrast, the Texas Privacy Protection Act has fewer definitions and consumer protections, but it still allows for hefty fines of $10,000 per violation, to a maximum of $1 million.
The proposed Massachusetts Consumer Privacy Act (MCPA) also follows the CCPA’s example in terms of consumer notices and protections.
The MCPA will lower the CCPA coverage criteria to those for-profit businesses with gross revenues of just $10 million or more, or those who derive 50% or more of their annual revenues from the disclosure of Massachusetts consumers’ personal information.
The MCPA takes an extremely aggressive approach to enforcement. Not only does it allow for consumer private actions, it expressly states that a consumer bringing a private suit for an MCPA violation need not have suffered any actual harm. Violation of the MCPA is harm enough to bring suit under the MCPA. Such private rights of action, like the CCPA, would allow those bringing suit to sue for up to $750 in statutory damages per violation in addition to attorneys’ fees.
In conclusion, the laboratories of the states are hard at work in drafting new data privacy laws. Congress also continues to plow forward, taking into account these measures and contemplating whether federal legislation should preempt. Stay tuned.
© 2020 LATHROP GPM, ALL RIGHTS RESERVEDCLICK HERE TO UNSUBSCRIBE | POWERED BY FIRMSEEK
The information contained in this document is provided to alert you to legal developments and should not be considered legal advice. It is not intended to and does not create an attorney-client relationship. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop GPM shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.
If you do not wish to receive any further communication from Lathrop GPM LLP, please send an email to firstname.lastname@example.org with the subject UNSUBSCRIBE.