State Privacy News - 11/15

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement from across the U.S. states.

1. Blockbuster CPPA Board Meeting

The California Privacy Protection Agency (CPPA) held a significant board meeting on November 8. Here’s what you need to know (and possibly a little extra):

The board voted 4-1 to initiate formal rulemaking on draft regulations involving automated decisionmaking technology (ADMT), risk assessments, cybersecurity audits, and more. Normally, this vote would set in motion a 45-day public comment process; however, Chairperson Urban requested that Agency staff be flexible with the comment period given upcoming holidays. Additional procedural steps are required before the comment period formally opens, so we do not yet know what the due date for comments will be.

While the entire regulatory package is significant, provisions governing ADMT provoked the most discussion and generated substantial business group pushback during public comments. Numerous industry speakers balked at the estimated $3.5 billion year-one costs of the proposed regulations (see analysis from the California Chamber of Commerce contesting that figure here) and suggested that the Agency was overstepping its statutory authority. Husch Blackwell’s David Stauss has a great webinar overview of the ADMT provisions here.

Board Member Mactaggart (the sole vote against advancing the regulatory package) raised numerous specific concerns with the ADMT provisions and argued that overall the rules could undermine privacy rather than protect it. Mactaggart objected to the breadth of in-scope systems, questioned whether ADMT opt-outs (or, alternatively, rights to appeal) could be operationalizable at scale, and contested both the focus on systems impacting “access to” life opportunities rather than their provision or denial and the use of ADMT as a standalone trigger for conducting a risk assessment.

In contrast, Chairperson Urban emphasized that process-wise, entering formal rulemaking is what will actually allow the Agency to make additional changes to the current regulatory package. In response to industry calls for a further delay, she reminded stakeholders that the Agency is under a statutory obligation to write these rules and that in fact, the CPPA has previously been sued by industry for not writing regulations in accordance with statutorily envisioned deadlines (aside: that litigation appears to be wrapping up). Board Member Le appeared responsive to certain industry concerns and noted that ‘we will likely have to narrow the scope’ of the proposed rules, but emphasized changes should happen during the formal rulemaking process on the basis of feedback from all stakeholder groups, not just the largely industry participants who spoke during public comments.

The Board voted 5-0 to finalize Delete Act Registration Rules: The new rules could significantly expand the number of businesses required to register as ‘data brokers’ (and to ultimately be subject to bulk deletion requests) in California. In particular, the rules provide that any “sale” of personal information that is not collected directly from a consumer can make a business a data broker, regardless of any other connection between the business and consumer.

The Board voted 5-0 to increase annual data broker registration fees from $400 to $6,600: The increase was calculated by dividing the estimated cost of building the “Delete Request and Opt-Out Platform” (“DROP”) bulk deletion system by the current number of registered data brokers (527 registered entities). This is noteworthy because, again, the number of registered “data brokers” will likely spike given the Agency's new interpretation of registration requirements. Board members recognized that this was a significant increase, but emphasized that the law requires that regulated industry pays for building the DROP mechanism, not taxpayers, so really there is no other option. Related, on February 14 the Agency announced two settlements with brokers that failed to register, with fines of $35,400 and $34,400 (those $200/day penalties for non-registration can really add up).

Executive Director Soltani to depart Agency in early 2025: Executive Director Soltani (who became the Agency’s first employee in 2021) announced that he will stand down in early 2025. Board members reflected on how far the CPPA has come under Soltani's leadership - from overcoming California's administrative hurdles to purchase printers to emerging as a 45+ employee, globally-recognized regulatory and enforcement authority.

AB 3048 veto response: Board Member Mactaggart strongly criticized what he perceived as an industry campaign of fear, uncertainty, and doubt that led Governor Newsom to veto AB 3048 (which would have required native opt-out preference signal settings in browsers and mobile OS and has been endorsed by the Agency). Mactaggart called for the enactment of similar legislation next session.

Future Rules(?): Neither the Agency board nor staff appeared in any great hurry to initiate additional rulemaking processes, but possible future regulatory topics were discussed. These included respect for consumer rights exercised by authorized agents, the CCPA's application to employee data, and financial incentives / loyalty programs. Chairperson Urban also raised the idea of the Agency releasing examples of required notices and risk assessments required under the CPPA. 

2. Virginia JCOTS Lays Out Legislative Agenda for 2025

The Virginia legislature’s influential Joint Commission on Technology and Science (JCOTS) met on November 6 to establish an online and data protections workplan for 2025. The Commission recommended two bills with qualifications:

  • SB 252: A Virginia Consumer Data Protection Act (VCDPA) amendment that (paradoxically) would create both opt-in and opt-out requirements - that must be exercised through a privacy notice - for use of all non-strictly necessary browser cookies. Despite recommending the bill for further work, JCOTS appeared to suggest that a different approach (such as creating a global opt-out mechanism) might be a preferable way to address the topic.
  • SB 359: A VCDPA amendment to require social media platforms to conduct age verification and obtain parental consent in order to offer so-called “addictive feeds” to children under 18. This proposal contains clear similarities with the New York SAFE for Kids Act enacted this year. 

JCOTS also declined to recommend three additional bills that were on the agenda: SB 684 (a modified Age Appropriate Design Code), SB 432 (which would require verifiable parental consent for any child or teen to register to use an online service), and SB 532 (which would seek to limit minors’ access to social media accounts between midnight and 6am).

Virginia has a notoriously short and fast moving legislative session, which is scheduled to run from January 8th through February 22nd in 2025. Consequently, this pre-session work and priority setting is a very important part of the Old Dominion’s lawmaking process. 

We thank The Patchwork Dispatch's Richmond Bureau Chief Daniel Hales for his contributions to this update.

3. Reproductive Health Privacy on the Agenda in Michigan ‘Lame Duck’ Session?

Republicans have won a modest majority in the Michigan State House, flipping control of the chamber and breaking up the Democratic trifecta government in Lansing. However, Michigan’s 2024 legislative session does not close until late December, creating a ‘lame duck’ period where Democrats may seek to advance policy priorities likely to be opposed by their future Republican colleagues. While state Democrats could seek to advance legislation on a number of topics, Governor Whitmer has identified the protection of reproductive health data as a priority for her administration. 

It is therefore notable that on November 7th (almost immediately after the election), 19 Michigan state senators introduced SB 1082, “The Reproductive Health Data Privacy Act.” This bill has already received a Committee on Housing and Human Services hearing and a House companion (HB 6077). 

The Reproductive Health Data Privacy Act appears modeled on the highly restrictive Washington State My Health, My Data Act (MHMDA), but instead of sweeping in any information that identifies past, present or future physical or mental health status, the bill is more narrowly focused on “reproductive health status.” However, for covered data, SB 1082 is arguably even more restrictive than the MHMDA as collection and processing of such information requires both (1) “clear consent” and (2) adherence to one of only four permissible purposes (to provide a requested product or service; to complete a financial transaction; complying with legal obligations; or protecting public health and safety). Unlike the MHMDA, the Michigan proposal would create standalone limitations on the disclosure of reproductive health data to the government. SB 1082 further models the MHMDA by creating a heightened tier of consent (“valid consent”) for sales of covered data, though it is not obvious how this provision would interact with (and potentially override) the permissible purposes restriction. Finally, SB 1082 would provide for enforcement by a private right of action and provide for Attorney General rulemaking.

4. Montana Bill Request Season

It is bill request season in Montana, a period where lawmakers can ask professional staff to draft a bill on a particular topic. While this is just the beginning of a long legislative process, we note several interesting requests including: LC 844 / LC 845 (to establish artificial intelligence law); and LC 343 / LC 344 (regarding ownership of biometric data). At present, just the titles of these bill requests are available - tantalizing!

5. CFPB Throws Shade at State Privacy Laws

The Consumer Financial Protection Bureau (CFPB) has issued a report on “State Consumer Privacy Laws and the Monetization of Consumer Financial Data”. The report provides a handy overview of the comprehensive state privacy landscape (except for Tennessee, which the authors appear to have overlooked), the federal Gramm-Leach-Bliley Act (GLBA) and Fair Credit Reporting Act (FCRA), and raises concerns about the typical state privacy law approach of broadly excluding financial entities and data subject to these federal laws from new privacy rights and protections. The November 12 release date for the report was timed to coincide with the twenty-five year anniversary of the passage of the Gramm-Leach-Bliley Act (GLBA) and, presumably, to underscore how old - some might even argue outdated - that framework is. 

The report concludes by noting that: “The GLBA and the FCRA give States latitude to offer consumers greater protections than what those federal laws provide for consumers. Absent action to enhance federal privacy protections, States may need to amend privacy laws to adequately protect consumers’ personal financial data.”

Of course, this is not a new issue to state lawmakers. Recently enacted comprehensive privacy laws in Oregon and Minnesota have taken steps to limit the range of entities that can take advantage of GLBA carveouts under their laws, responding to concerns that organizations like payday lenders and car dealerships could exclude themselves from regulation under the typical approach. A February 2024 report from the Connecticut Attorney General also recommended that the state legislature scale back entity-level exceptions in the Nutmeg State’s data privacy law.

As always, thanks for stopping by.


Keir Lamont is Senior Director for U.S. Legislation at the Future of Privacy Forum

Josh Fuqua

J.D. Candidate | CIPP/US

Such a good read, as always. Thank you!

Thank you for highlighting the CFPB report. Many financial firms protect consumer privacy rights, even if they could technically argue they have GLBA exemption from state privacy laws. But some financial firms push the limits of data collection and sharing. Then they state in their privacy notices they don’t sell or share data because of the exemption. This can give consumers a false sense of security. Good to see the report from the CFPB, and the steps being taken by Oregon, Minnesota, and Connecticut.
