Update: June 10, 2019: The original version of this introduction letter mistakenly stated that Maine’s newly passed Act to Protect the Privacy of Online Customer Information will go into effect July 1, 2019. Rather, it will go into effect July 1, 2020.
Greetings from Portsmouth, New Hampshire!
It was a significant week for privacy law at the state level. Continuing on my notes from last week, Maine Democratic Gov. Janet Mills signed the Act to Protect the Privacy of Online Customer Information into law Thursday. The APPOCI (it doesn't really roll off the tongue, does it?) prohibits internet service providers from using, selling or distributing consumer data without user consent. The law will go into effect July 1, 2020. Mills described the law as "common sense" and noted that Maine residents (like me!) "value their privacy, online and off." It's also worth pointing out that this law garnered unanimous approval in the Maine Senate. The bill was sponsored by State Sen. Shenna Bellows, D-Maine, and by the looks of it, she won't stop here. Bellows plans in the next legislative session to introduce what appears to be a more comprehensive internet privacy bill. Something to keep an eye on, no doubt.
Maine wasn't alone this week. Nevada passed Senate Bill 220, which prohibits website operators and online services from selling "certain collected consumer information in Nevada if directed by the consumer." In a Privacy Tracker post this week, Hawah Ahmad analyzed the law, which she notes is "one step of a multi-step approach to Nevada's privacy legislation." This one goes into effect Oct. 1. New York also held hearings this week on a privacy law of its own.
Not all state bills passed, however. The Illinois Data Transparency and Privacy Act did not make it through this week, after an amendment to provide class-action enforcement was added at the last minute. In a Privacy Perspectives post, DLA Piper's Jim Halpert discussed some of the bill's recent history and likened some of its scope to the California Consumer Privacy Act. He also argued that adding the class-action amendment and the inclusion of "several exemptions not found in the CCPA" is what led to the bill's demise. He went further, suggesting that a lesson can be derived from the Illinois bill — namely, "that outlier requirements beyond the CCPA and private rights of action to enforce the highly operational CCPA rights both make omnibus state privacy bills more difficult to pass, even in deep blue states such as Illinois. By this measure, pending privacy bills in New York and Puerto Rico look like long shots to pass this year."
Speaking of the CCPA, we released a "CCPA Amendments Tracker" this week to help members visualize all the pending amendments in one easy-to-read location. That said, we weren't the only ones constructing such an effort. Future of Privacy Forum Fellows Michelle Bae and Jeremy Greenberg have also written about and included a summary of the 12 bills that made it through the assembly and an analysis of two bills that failed in the Senate.
And what about the national stage? According to a report from Politico, and in line with some of Jim Halpert's concerns about a private right of action in state bills, federal lawmakers involved in drafting a national privacy bill so far have not been able to agree on the inclusion of a private right of action. Unsurprisingly, Democrats, such as Sen. Richard Blumenthal, D-Conn., back the idea, but Republicans fear it will lead to a cacophony of private litigation. "I don't want to end up creating a platform that looks a lot like patent trolls," said Rep. Greg Walden, R-Ore.
If you're looking for a good read this weekend on all the state and federal action right now, be sure to check out this Brookings Institution post by Cameron Kerry and Daniel Weitzner.