With No Unifying U.S. Federal Privacy Law, States Are Implementing Their Own
Pending Privacy Bills Will Have Critics and Face Lobbying From Vested Interests
With Europe’s GDPR and the California Consumer Privacy Act (CCPA) as templates, and almost all large companies having to conform to one or both, it is little wonder that the U.S. is being forced to consider a unifying federal law on consumer privacy. But progress is slow — and even with the potential for a federal law to supersede state laws, the states are not waiting to implement their own.
Many of the new local privacy bills tend to focus on narrow aspects of privacy rather than attempt the wide-ranging privacy control of GDPR and CCPA. Eight are worth considering: New York City, New York State, North Carolina, Oregon, Utah, Virginia, Washington, and Wyoming.
New York City
New York City is focusing on biometric identification. It is described as ‘A Local Law to amend the administrative code of the city of New York, in relation to requiring businesses to notify customers of the use of biometric identifier technology”, and was introduced in October 2018.
Official enforcement involves a fine of $500 for each day an organization is in violation. Private action is allowed, with damages of up to $1000 for negligent violation, and $5,000 for intentional or reckless violation — plus reasonable legal costs.
Noticeably, there is no restriction on organizations collecting and using biometric identification, nor any insistence that user consent is required. The theory is that if anybody objects, they can walk away.
New York State
On January 9, 2019, Sen. Brad Hoylman introduced ‘The Right to Know of 2019‘. Its purpose is described as amending “the general business law, in relation to restricting the disclosure of personal information by businesses. The purpose is to give consumers greater clarity over the collection and use of their personal data.
It would require businesses that retain personal user information to make details of what is held available on demand, together with details of any third-party with which the data is shared. Personal data is widely defined, including identity; address; phone; account name; SSN and other government-issued numbers; DoB, physical characteristics; sexual characteristics; racial, religious, political, professional, educational, medical, and commercial information; internet history; and content provided by the customer.
The bill is more limited in scope than the CCPA, but like the CCPA seems to be relevant to any company that does business within the state — regardless of their physical location.
North Carolina has not yet unveiled specific privacy legislation, but Attorney General Josh Stein and N.C. House Rep. Jason Saine have indicated an intention to do so. This is likely to focus on identity theft protection by strengthening existing breach notifications, and will potentially be called the “Strengthen North Carolina Identity Theft Protection Act”.
It will redefine what constitutes a ‘breach’ to include a ransomware attack. It will require companies to maintain “reasonable security procedures and practices”., and adds medical, genetic and health insurance details to the definition of protected information.
Most of the new proposals relate to a post-breach situation. Notification is to be as soon as possible, but no later than 30 days. People can place or lift a credit freeze on their credit report at any time to prevent stolen information being used to open any fraudulent credit lines. Victims must be given 2 years free credit monitoring (4 years if the breached company is a consumer reporting agency like Equifax).
Furthermore, companies seeking to obtain or use a person’s credit score will need to disclose the purpose of the request and gain the person’s permission. North Carolina citizens will be able to request all data held on them by a consumer reporting agency, details on how the data was obtained, and a list of any person or entity to which it was disclosed.
More than 40 state legislators introduced the Health Information Property Act (PDF) in Oregon at the end of January. The purpose is to give citizens greater control over the use of their personal medical information by increasing the current protections afforded by HIPAA.
It states, ” A covered entity, business associate, subcontractor or other third party doing business in this state may not engage in the commercial sale of protected health information, health information or de-identified data without first obtaining a signed authorization from the individual.” It further states that no consumer may be penalized for refusing to sign an authorization, nor for accepting — if offered — payment to sign.
One of the chief sponsors, Rep. David Gomberg, commented, “Consumers are now realizing how little privacy we have and how often we sign it away. By treating personal data as property, legislators can empower individuals to better control information about themselves and how it is used by others.”
It is worth noting that all the pending privacy bills will have critics and face lobbying from vested interests. Adam Greene of the law firm David Wright Tremaine, has commented on this proposal that it “would reduce any of the useful research, public health and other benefits that are provided by de-identified information today, and would at the same time create privacy and security risks for individuals by forcing companies to retain a link between the de-identified data and an identifiable individual.”
Rep. Craig Hall introduced a new privacy bill (HB 57) at the beginning of the year. The purpose is to provide digital content privacy for digital communications — such as emails and instant messages. The creator of the content would be the presumed owner, and any third-party — such as government — that wanted access would require a warrant from a judge. “I want to make clear that the protections that we now have in the paper world are also in place for the electronic world,” said Hall.
Such a bill would undoubtedly attract the attention of the big tech giants. Google, for example, scans all emails sent via Gmail. Any provider of messaging services that do not provide end-to-end encryption would also be wary of the detail.
For the moment, they don’t need to worry. The other vested interest — government — has voiced its own concerns; and the bill has been paused. On January 31, it was decided to hold the bill following opposition from state and local prosecutors. Their view is that the bill would interfere with criminal investigations, possibly disrupt consumer-protection probes, and potentially cripple online child pornography investigations.
On 18 January, Democrat Hala Ayala introduced HB 2793 requiring ‘care and disposal of customer records’. “A business,” it states, “shall take all reasonable steps to dispose of, or arrange for the disposal of, customer records within its custody or control containing personal information when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.”
The bill also imposes requirements on the manufacturers of ‘connected devices’. They must be equipped with reasonable security features designed to protect the device and any information it contains from unauthorized access, use or modification; and be in compliance with the best practices of OWASP and IoT Security Foundation guidelines for IoT devices.
If a manufacturer becomes aware of a vulnerability that puts more than 500 users at risk, it must be reported to the chief information officer of the Commonwealth of Virginia and remediation steps provided to consumers without unreasonable delay.
The Washington Privacy Act was introduced on January 18, 2019 (Senate Bill 5376) (PDF). This is more wide-ranging than the other pending state privacy bills, and bears similarities with both the CCPA and the GDPR. Like CCPA, it applies to organizations that conduct business within the state, or produce services targeted at residents of the state.
From GDPR it borrows the concept of data controller and data processor in order to delineate the different responsibilities toward personal data.
Consumers will have the right to access personal data being held, can demand its deletion if it is no longer required for the purpose it was collected, restrict its use for direct marketing, and know and object to it being sold to third parties.
It also addresses the use of facial recognition technologies. Consumer consent must be obtained by organizations that deploy facial recognition services. State and local government agencies are prohibited from using facial recognition for the surveillance of specific individuals in public places.
Although there is no right of private action under the bill, the Washington State Attorney General would enforce the bill with fines of up to $2,500 for each violation, or up to $7,500 for each intentional violation.
Finally, we have something a little different from Wyoming. SF0125 — Digital assets-existing law — was presented on 18 January 2019, has already been adopted, and is due to come into effect on 1 March. It ensures that cryptocurrencies can be recognized as real money.
The bill is for “classifying digital assets within existing laws; specifying that digital assets are property within the Uniform Commercial Code; authorizing security interests in digital assets; establishing an opt-in framework for banks to provide custodial services for digital asset property as directed custodians; specifying standards and procedures for custodial services under this act; clarifying the jurisdiction of Wyoming courts relating to digital assets; specifying applicability; authorizing the promulgation of rules.”
While this is not a privacy bill per se, it gives the citizens of Wyoming privacy over financial transactions to the extent provided by their cryptocurrency of choice.