State Privacy Updates - 8/18

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states. Here's everything you need to know since our last issue:

1. California Regulators Challenge Court Holding on Timeline for CCPA Enforcement

On August 4 the California Privacy Protection Agency (CPPA) and Attorney General's Office filed a petition with the California 3rd District Court of Appeal seeking to overturn the Sacramento Superior Court’s June 30 holding that California Consumer Privacy Act (CCPA) implementing regulations cannot be enforced until a year after they are finalized (March, 2024 for the CPPA's first set of regulations).

The regulators' brief (1) emphasizes that the overall point of the CPRA ballot initiative was to strengthen and provide for vigorous enforcement of California privacy law, (2) asserts that the CCPA's direction that the “timeline for adopting final regulations... shall be July 1, 2022” is not expressly connected to the originally envisioned July 1, 2023 enforcement date, and (3) argues that the Sacramento Court's order is "unworkable in many respects," creating uncertainty around privacy rights and obligations in California (recall that the Superior Court delayed enforcement of the CPPA's regulations, but not the underling text of the CCPA as amended by the CPRA or the AG's original CCPA regulations - confusing indeed!)

Whether or not this issue can be fully resolved prior to the new March 2024 enforcement date, the real stakes of this litigation may be the enforcement timeline for future regulations that are currently in the pre-rulemaking process (the Dispatch previously covered the CPPA’s far-reaching “conceptual language” on automated decisionmaking technology, risk assessments, and cybersecurity audits). On this point, the regulators argue that the Superior Court order creates perverse incentives for businesses to try to "manipulate and delay" the rulemaking process and for the CPPA itself to promulgate regulations as quickly as possible by forgoing voluntary pre-rulemaking steps.

The CPPA's press release on the petition states that the Agency expects the Court of Appeal to decide whether to take up the petition "in the coming weeks, if not sooner."

2. California Data Broker Bill Sent to "Suspense File"

California is the second U.S. state after Vermont to establish a data broker registry (browse the 500+ data brokers that are registered in California here). The Delete Act (SB362) seeks to transfer management of the registry from the California Attorney General's Office to the California Privacy Protection Agency and charge the CPPA with developing an "accessible deletion mechanism" to allow individuals to transmit a single request to every registered data broker requiring the deletion of their personal data. The Delete Act represents a facially simply and potentially promising approach to easing the burdens of privacy self-management, especially in the context of often opaque third-party data markets.

SB362 has been widely framed as seeking to create a simpler way for individuals to exercise their CCPA right to delete personal information. However as drafted, SB362 would actually create a novel deletion standard under U.S. privacy law as the proposal lacks many of the safeguards, exceptions, and procedural requirements that characterize the CCPA. This raises obvious questions about how businesses and consumers would manage two distinct (potentially conflicting) data deletion standards. Politico's Alfred Ng covered some of the recent advocacy efforts surrounding SB362, here.

SB362 previously cleared the California Senate on a 32-8 vote. On August 16, the House Appropriations Committee placed SB362 on the 'Suspense File' - a procedural step taken for any bill that is determined to have an annual cost of more than $150,000. Note also that a similar bill (SB 1059) from the same sponsor failed to pass the State Senate's Suspense File back in 2022.

3. DIFC Makes California First State to Receive an "Adequacy" Determination

On August 9 the Data Protection Commission of the Dubai International Financial Centre (DIFC) - a special economic zone within the United Arab Emirates - issued an adequacy decision for California. The decision finds California privacy law have equivalence with the DFIC's Data Protection Law of 2020 and will ease the process of transferring personal information from within the DIFC to California-based entities. The press release does not state when this decision takes effect, but teases the possibility of “building similar relationships with various US states” in the future.

While California is still in the process of finalizing its privacy rights and protections and is currently under a court order preventing some enforcement (discussed above), we speculate that the CCPA's establishment of an independent, internationally active privacy enforcement authority played a key role in making California the first U.S. state to receive an adequacy decision.

4. Wisconsin Social Media Bill Gives Us an 'Age Estimation' Standard

A primarily Republican set of lawmakers in Madison have introduced AB373 / SB385 which would establish broad restrictions and parental access rights for youth social media accounts (non-emancipated minors under the age of 18). The bill would require social media companies to restrict youth accounts from messing with users that they have not previously connected with, remove youth accounts from search results, prevent "targeted or suggested" content being delivered to youth accounts, prevent user access to a youth account from 10pm to 7am, and give the youth's parent or guardian access to the account.

Wisconsin's proposal most closely resembles Utah's recently enacted Social Media Law. However, although the Wisconsin bill would still require age verification of social media account holders through process(es) established by rulemaking, it uniquely provides that covered platforms may remove account restrictions if they estimate “that the account holder is not a minor through employment of a process or program that provides a 95 percent accuracy rate of estimating age within 24 months of actual age.” Age estimation is a common feature (as a requirement) under Age-Appropriate Design Code proposals, but this is the first time that Dispatch staff have seen an explicit accuracy standard for age estimation in any legislative context.

It is unclear whether the intent for Wisconsin's age estimation range is within 24 months on either side of a user's actual age (a four year span), or one year on either side with a total range of 24 months. Nevertheless, should this relatively exacting standard become a template for "age estimation" accuracy across the states, it may shape which age estimation methods are acceptably, potentially requiring the collection of additional data from all users in order to satisfy the 95 percent accuracy threshold.

5. Privacy on the Agenda as State Lawmakers Gather in Indy

The National Conference of State Legislatures (NCSL) convened in Indianapolis this week for its annual legislative summit. Panel discussions included important privacy issues such as "Protecting Kids on Social Media," "Artificial Intelligence", and "State Privacy Laws." I was fortunate to be invited to present on a panel with Connecticut Senator Duff, Texas Representative Capriglione, and Husch Blackwell's David Stauss.

The conference coincided with the release of new report on "Approaches to Regulating Artificial Intelligence" from the NCSL's Executive Task Force on Cybersecurity and Privacy. The report gives an overview of technology, existing frameworks, the benefits and risks of AI, and offers various considerations for policymakers, including:

• "While no definition is perfect, lawmakers will need to coalesce on an acceptance of concepts and potential impacts before being able to effectively intervene and create meaningful policy." (The report positive notes the definitions used by CA AB331.)
• A section on practical options that policymakers can take in approaching regulation, exploring "sector-specific scoping," "regulatory refinement," and "cross-cutting or data-focused interventions."

Separately, Indiana enacted a comprehensive privacy law (SB5) this year which is unique in excluding licensed riverboat casino facial recognition programs from its obligations. I took a break from the conference to stroll over to the White River to see if I could spot any of these riverboats, but no dice!

As always, thanks for stopping by.

Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum.