Business groups weakening, defeating state privacy bills

Business groups have managed to defeat or significantly weaken a flurry of comprehensive consumer privacy bills in states across the US this year.

At least 16 states introduced privacy proposals modeled, to varying degrees, after California’s sweeping new privacy law, which gives consumers the right to know what information businesses collect about them, and to opt out of sharing or selling that data.

A coalition of industry groups, however, has convinced state legislators to either not take up the bills or water them down, arguing that Congress should enact comprehensive privacy legislation to avoid a patchwork of overlapping, confusing regulations. And the California Consumer Privacy Act, while well intentioned, is a flawed work in progress, they claimed.

But some state legislators said they’re not giving up yet and will introduce privacy legislation again. Congress could fail to enact privacy legislation anytime soon, they said, which could give their proposals added momentum in the next legislative session.

So far this year, Nevada has been the only state to enact a new comprehensive privacy law. Nevada consumers can now opt out of the sale of their personal information to third parties, but the law is weaker than originally intended.

Governor Steve Sisolak signed SB 220 into law on May 28, only after legislators removed a provision that would have allowed consumers to sue companies under the law. They also introduced several business-friendly exemptions and narrowed the definition of “sale” to “monetary consideration." Under the CCPA, a sale can be for money, or “other valuable consideration.”

Giving consumers the right to sue has been a tough sell in state legislatures, and even led to the demise of some proposals. Business opposition to private rights of action helped kill privacy bills in Washington state and Illinois this year. Privacy bills in both states sailed through one chamber of their state legislature, but stalled and died in the second chamber after legislators tried to introduce a private right of action.

California legislators, backed by the state attorney general, also tried to pass a bill adding a private right of action to the CCPA this year, and failed.

Meanwhile, state legislators in Texas, North Dakota and Connecticut have significantly scaled back their respective privacy proposals to instead create task forces that will study the need for privacy legislation and present recommendations.

On May 27, Texas legislators passed a bill creating a “Texas Privacy Protection Advisory Council” and sent it to the governor for his signature. The bill also stiffens Texas’ data breach notification requirements. Texas Governor Greg Abbott has until June 16 to veto it.

The bill was originally a comprehensive privacy proposal that would have provided notice to Texas residents about what information businesses collect about them and included an opt out provision, said the bill’s sponsor, Representative Giovanni Capriglione, a Republican. It also included safe harbor provisions for companies and excluded small businesses, to make it more business-friendly and less strict than the CCPA, he said.

Representative Trey Martinez Fischer, a Democrat, also proposed a stricter consumer privacy bill more closely resembling the CCPA that also included an opt out provision. Neither proposal contained a private right of action.

“I thought we were going to get somewhere and be able to do it,” Capriglione said.

After the first committee hearing on the bills, however, a wide range of industry groups made their opposition to the proposed legislation loud and clear, he said.

“They tried to do everything possible to kill our bill,” Capriglione said. “It was just mounting, mounting opposition.”

Although Capriglione’s bill survived after being turned into a study, Fischer’s bill was left pending in committee.

Capriglione, however, said Texas legislators are not giving up on trying to pass privacy legislation. The council’s recommendations will likely form the basis for a privacy bill when the Texas legislature reconvenes in January 2021, he said.

“Everyone is now on notice,” he said. “We’re going to work on this.”

Privacy bills in Hawaii, Maryland, New Mexico, and Mississippi also stalled in committees or were never taken up by state legislators at all.

There’s still a chance other states could enact privacy legislation this year. Comprehensive CCPA-style privacy bills are still in play in New York and New Jersey.

New York’s privacy bill is similar to the CCPA, but arguably tougher. Like the CCPA, it would allow residents to know what data companies collect from them, who they share it with, request that it be corrected or deleted, and opt out of having their data shared with third-parties altogether.

It also contains a private right of action, and would require businesses to act as “data fiduciaries,” which would prevent them from using data in a way that benefits the companies over their users.

Not surprisingly, the proposal hasn't gone over well with businesses. At a hearing in Albany this week, business and industry groups were vocal in their opposition, again arguing that the federal government, not states, should be enacting privacy legislation and that the CCPA is a poor model for any proposed law.

New York state Senator John Liu, a Democrat, pointed out that Congress is often slow to act, and that this proposal could spur federal lawmakers to act. If the same provisions in New York’s bill were enacted at the federal level, would business groups support it, he asked?

“We would oppose it at the federal level as well,” said Ted Potrikus, president and chief executive officer of the Retail Council of New York State.

Perhaps the bill just needs a few “tweaks” to make it more workable at the federal level, Liu said.

“With all due respect,” said John Olsen with industry lobbying group Internet Association, “this bill is unworkable.”