State Privacy Updates - 11/9
Welcome to The Patchwork Dispatch, a (sometimes) fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states. Here are the major developments since our last issue:
1. California Sets Date for Next Rulemaking Hearing
The California Privacy Protection Agency (CPPA) has announced that its next board meeting will be held on December 8. According to the agenda, staff will present proposed California Consumer Privacy Act (CCPA) regulations on risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT). The public has already seen proposed regulations from the Agency on risk assessments and cybersecurity audits, but the regulations on ADMT will be new. Significantly, the Agency's approach to regulating Artificial Intelligence is likely to diverge considerably from comparable U.S. laws, based on the Agency's public statements and previously released "conceptual language" for rulemaking. We understand that per California's Bagley-Keene Open Meeting Act, all materials must be posted 10 days prior to a meeting being held, so make sure you save room for a sizeable helping of Artificial Intelligence policy during your Thanksgiving festivities.
The Agency has already posted proposed revisions to its draft cybersecurity audit regulations. The revisions appear to be largely focused on closing areas of possible ambiguity, but they do confirm that the Agency intends to establish thresholds for conducting audits that are based on the volume and sensitivity of personal data that a business processes, rather than on a business's revenue or number of employees.
Please note that the agenda does not include an item for "possible action" on any of these three issues (risk assessments, cybersecurity audits, ADMT). Therefore, Dispatch staff do not currently expect formal rulemaking procedures (which would kick off a 45-day public comment period) to be initiated at the December 8 Board meeting, despite earlier comments from Board members that this was a goal.
Separately, the agenda includes a staff presentation on "proposed updates to existing regulations" which we will be following closely. Recall that back in May, the CPPA published a chart of 21 potential future rulemaking topics (some of which would involve revisions to existing rules and some of which would break new ground) in addition to an assessment of how difficult each possible rulemaking topic would be.
Finally, the meeting will end with a closed session where board members will discuss Cal. Chamber v CPPA, ongoing litigation in which the Agency has appealed a court holding that the CPPA cannot enforce CCPA regulations until one year after they are finalized.
2. Wisconsin Privacy Proposal Clears Committee
Last edition we covered AB466, a comprehensive privacy proposal recently introduced in Wisconsin. On November 2, the bill was amended and passed out of the Assembly Committee on Consumer Protection. The changes largely move the bill from a Virginia-style framework to a Connecticut-style framework. However, the proposal does retain certain distinct elements, such as rulemaking authority and a larger-than-average $10,000 upper limit for penalties.
On November 7, an apparent Senate companion bill was introduced (SB462), but at present it lacks the strengthening amendments that the House bill received in the Consumer Protection Committee.
3. Pennsylvania Sets up a Committee Vote
Originally introduced back in May, the Pennsylvania Consumer Data Privacy Act (HB1201) has been scheduled for a House Commerce Committee "Voting meeting" on November 15. HB1201 is largely a Connecticut-style bill, but contains several notable distinctions, including: (1) a standalone applicability threshold of $10 million in annual gross revenue, (2) a largely California-style definition of "personal data", which includes household-level information and categories such as "olfactory" information, (3) a definition of exempt "publicly available information" that does not include data used for a purpose incompatible with the purpose for which it was made available in government records, (4) Attorney General rulemaking authority, and (5) an effective date immediately upon enactment.
Following the November 15 meeting, Pennsylvania's legislature is only scheduled to meet for three additional days this year, so realistically this bill will not make it over the finish line this session. However, it is never too early (and now is actually precisely the ideal time) to be looking ahead to 2024.
4. New Hampshire Continues on Dual Privacy Track
On November 8, the House Judiciary Committee amended and passed SB255, a Connecticut-style comprehensive privacy bill, by a 17-3 vote. The amendments lowered the primary applicability threshold to cover businesses that process the personal data of 35,000 or more New Hampshire residents and, more importantly, charge the Secretary of State with developing uniform procedural requirements for the exercise of data subject rights. SB255 passed the New Hampshire Senate back in March.
Next week, the Committee intends to amend and vote on another commercial privacy bill, HB314, which would strictly regulate data disclosures by “third party providers of information and services.” One Committee member shared that the more stringent requirements would apply in cases of conflict between HB314 and SB255 should both be enacted.
Unfortunately, our ability to provide analysis at this time is limited as the current versions of SB255 and HB314 do not appear to be publicly available.
5. Maine Continues Privacy Hearings
On November 8, Maine's Joint Judiciary Committee held a work session that covered numerous consumer privacy bills, including three proposals from Representative O'Neil: LD 1977 (HP 1270) (ADPPA-style); LD 1705 (BIPA-style); LD 1902 (Washington MHMD-style); and a comprehensive privacy bill from Senator Keim: LD 1973 (SP 807). LD 1973 is a largely Connecticut-style proposal that would require opt-in (not opt-out) consent for targeted advertising, sale, and significant profiling decisions, and would supersede the Maine ISP Privacy Law. Significantly, during the work session Senator Keim shared that she is considering amendments that would add a limited private right of action, narrow the exceptions, and expand applicability to small businesses.
At the end of the 4+ hour work session, the Chair suggested the Committee move forward with a focus on comprehensive privacy (rather than health or biometrics) which was generally favorably received. Additional Committee hearings on consumer privacy are scheduled for November 29 and December 11.
As always, thanks for stopping by.
Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum
Managing Director, IAPP D.C.
1y: Neither snow nor rain nor heat nor gloom of night stays the Patchwork Dispatch from the swift completion of its appointed mission
Principal and Associate General Counsel, Privacy and Data Security at Deloitte
1y: Thanks as always for the great analysis. Have you heard of any progress by Texas adopting the rules for their new data broker law?
Privacy Law and Cybersecurity | Practical Privacy Professional | Project Manager
1y: Do you foresee any of the upcoming states adding in more private rights of action?