Recent trends have been developing related to the substance of comprehensive state privacy bills and whether they will pass a given legislature. However, moves and a lack thereof on bills in Connecticut and Tennessee, respectively, prove unpredictability still exists with state-level efforts to legislate on data privacy.

The Connecticut General Assembly's General Law Committee voted 14-4 to advance Senate Bill 6, an act concerning personal data privacy and online monitoring, to the Senate floor for further debate and consideration. SB 6, proposed by state Sen. James Maroney, D-Conn., is an amended version of a retread bill from 2021 that tracks closer to the Colorado Privacy Act than laws passed in Utah and Virginia, which have become the basis for many 2022 state privacy proposals.

Meanwhile, the Tennessee Senate decided the popular frameworks from Utah and Virginia won't work at this time in the Volunteer State. The Tennessee Senate Commerce & Labor Committee voted down Senate Bill 1554 on a 6-3 vote following wide-ranging debate on how burdensome the proposed bill would be to Tennessee businesses.

Connecticut gets greenlight

A year after getting his privacy bill approved by one chamber before it was fleshed out of a larger omnibus budget implementer bill, Maroney is ahead of schedule with Senate Bill 6 this time around.

The most noticeable differences out of the chute between Connecticut's bill and what's been done in Utah and Virginia are the significantly lower coverage thresholds. SB 6 would cover entities that collect data on more than 65,000 consumers or those making 25% of their revenue from selling the data on more than 25,000 consumers. Additional contrasts include provisions for "dark patterns," recognition of global opt-out mechanisms, explicit children's privacy measures and a right to cure that sunsets. The bill's effective date is July 1, 2023.

"Much is made of the cost that comes from compliance, but we don't speak enough about the cost of not doing anything," Maroney said. "The cost of identity theft in 2020 across the country was $720 billion and 6,281 residents in Connecticut had their identity stolen. The cost of a data breach for a company has also increased to $4.21 million. This bill requires data protection assessments, so it's prevention rather than a cure. And we all know prevention is cheaper."

The common refrain during committee debate was the fear that such a low threshold would swallow up small and medium-sized businesses, specifically to Connecticut's restaurant industry that shifted to digital offerings during the COVID-19 pandemic. Maroney said he touched base with one of the leading third-party online dining facilitators used by Connecticut restaurants and was assured that the company's compliance with a potential Connecticut law would not cost restaurants.

"One of the things when they estimated the cost of compliance (for the California Consumer Privacy Act) was California's initial estimates didn't include the infrastructure for compliance there is now," Maroney said. "There are a lot of resources. For instance with restaurants, there's a website that will automate your compliance with California. The services exist."

State Sen. John Kissel, R-Conn., openly indicated he opposed much of the bill and even suggested it should be broken up into separate proposals to make it more digestible. Even still, Kissel voted up on the bill in order to work toward ultimately regulating the egregious monetization of personal information. 

"It's amazing how fast technology moves and so much of our information is up in the cloud and the ether, and there's people making tons of dough off every movement I make," Kissel said. "It's very bothersome to me to learn  ... they're tracking everything I do through my cellphone. That can't be the wild west. I thought I had a right to privacy. They don't care who John Kissel is, but really just what I like as far as products and what can they sell me."

Failure to launch in Tennessee

There was a sense the recent passage of the Utah Consumer Privacy Act and momentum to pass a similar bill in Iowa were signs of things to come in Tennessee. None of that registered in the Commerce & Labor Committee, where the stumbling blocks souring members on SB 1554 weren't clear before or after the down vote.

State Sen. Mike Bell, R-Tenn., was carrying the Senate version of House Bill 1467  for Rep. Johnny Garrett, R-Tenn., who came before the committee to explain the types of companies he was aiming at in this "unregulated space."

"I don't know if you all receive letters in the mail where they're saying they can give you $100,000 worth of term life insurance and you call them right up, but that company is not the life insurance company," Garrett said. "That's a data mining company. They're providing your information (to companies) and trying to connect you to sell a product or target you."

Much of the talk among committee members and witnesses focused on potential increased burdens on covered entities stemming from the proposal, an argument rarely heard to this point with bills in other states that align with Utah and Virginia's laws. The bill applied to companies holding personal data on 100,000 consumers or generating 50% of their revenue from selling the data of more than 25,000 consumers.

NetChoice Vice President and General Counsel Carl Szabo, CIPP/US, didn't specify what the compliance burdens were in his testimony, but said there were "areas where this deviates" from the desired frameworks from Utah and Virginia, adding that "just like in horseshoes and hand grenades, close doesn't always cut it."

Tennessee Chamber of Commerce Vice President of Government Affairs Ryan King raised a January report from the Information Technology & Innovation Foundation that estimated a Tennessee privacy law would come with a $1.1 billion combined compliance price tag for all businesses in the state. He noted the estimation "keeps us uncomfortable" despite it being among the lowest figures in the study. Overall, King would rather see the states with existing laws "sand off the edges" before Tennessee acts.

The perceived burdens were likely tied to SB 1554's requirements to establish a privacy program and carry out data privacy assessments. Working to companies' advantage, however, were the inclusion of 24 exemptions to the law and a 60-day cure period.

Szabo and King each took aim at potential unintended consequences the bill would have on SMEs by the perceived wide net being cast. Committee members responded in a way that did note reflect the final unfavorable vote.

"I think the sponsors point is that a mom-and-pop (business) that puts out a fishbowl to attract people to come into the boutique, this law would not apply to them," state Sen. Bo Watson, R-Tenn., said. "But to a large industry and industrial giant that puts out a fishbowl, all of the sudden their reach is much different. He doesn't want to affect the mom-and-pops. My point is I think your analogy was a little bit of an exaggeration."

Despite the "no" vote, the Senate might see this bill again if Garrett can navigate HB 1467 through the House. It's unclear if HB 1467 would wind up back with the Senate Commerce & Labor Committee or on another committee's agenda.

Photo by John-Mark Smith on Unsplash