Update on 2019 Privacy Legislation

As legislative sessions came to a close around the United States late last month, a number of proposed state laws around privacy currently in flight failed to move out of their house of origination in Nevada, New York, New Mexico and Hawaii. This effectively ends their entry into the 2019 legislative session, with just a miniscule chance for being reintroduced by mechanical measures such as a tack-on budget amendment. A number of other bills, predominantly “copycat” bills emulating the California Consumer Privacy Act (CCPA) in states including Connecticut and Texas, were referred to committee, presumably to pause and watch developments with the CCPA.

Aside from the CCPA copycats, the “main attraction” bills did see some major movement in late April, particularly in light of California’s hearings on all-bills-privacy on Tuesday, April 23. Highlights from those states include:

California – On April 23, the California Assembly addressed several proposed bills to amend the CCPA. One of the successfully proposed amendments (AB 25) would amend the language for “consumer” to exclude employees from the law’s coverage. This bill is currently in the hands of the Committee Chair and will move onto the Senate next. May 3 is the deadline for reporting out to the Senate. Additionally, Assembly Bill 846 proposes to amend §1798.125 to distinguish discrimination in the form of differing rates, prices, and quality of goods or services to allow for a “consumer’s voluntary participation in a loyalty, rewards, premium features, discount, or club card program.” Assembly Bill 874 would add clarity by specifying that “personal information” would not include de-identified or aggregate consumer information. Another amendment most noted for expanding the private right of civil action – essentially deputizing plaintiff’s attorneys to enforce privacy via class action suits – met with stiff corporate opposition and was withdrawn on April 23. While all of these are clarifying developments, the timeline for finalizing any additional changes could stretch into early 2020.

Washington – The Washington Privacy Act (SB 5376), an oft-described “GDPR-lite” bill, did not make it out of the House of Representatives after previously passing the Senate. Having failed to pass by the April 28 deadline for passing out of the House, the bill may still hold a very minute chance of being passed as a budget amendment. Most signs seem to indicate this legislation will not proceed in 2019.

Federal – Many optimists have been hoping for a federal bill to preempt the emerging topography of state privacy laws for some time now. A federal working group convened many weeks ago with no results to show. Among their findings, the watershed questions continue to be a position on preemption of state privacy laws and who would enforce this law (State Attorneys General? FTC? SEC?)It appears unlikely we will see any such bill in the foreseeable future.

Practical Impacts – While a good number of 2019 legislative sessions have come and gone, the U.S. privacy legislative landscape is far from settled. April did bring closure to a number of proposed bills, and further advanced potential clarifications to some key elements of the CCPA. From a practical perspective, what does this mean for your privacy program and compliance planning?

Agility is key: The fate of the above amendments is still uncertain. If one these assembly bills holds particular importance for your organization (Significant reliance on aggregated/deidentified data sets? Many unknowns regarding employee data? Large or popular loyalty program?), it’s important to capture the potential decisions you might have to make related to these developments and plan accordingly. You may not be able to officially cross “employee systems” off your list of CCPA concerns just yet, but you should be capturing the salient questions, likely stakeholders, and anticipated adjustments in approach you’ll have to make if one of these amendments fails to pass.

Consider phases: The fate of a proposed change to the law can represent more than a change to the scope of your compliance work – perhaps it may represent a timing consideration? In a perfect world, privacy data discovery and inventorying would be an exercise with perfectly understood parameters and little rework. If, however, you know that your rewards program or internal employee systems may present a moving target, phase that work appropriately. Account for it in your potential discovery approach and proposed privacy inventory, but take the opportunity to focus on other priority systems first and benefit from lessons learned in other areas wherever possible

Start assessing your privacy posture (“Privacy is here to stay”): While individual laws will come and go and all will continue to evolve, the one clear takeaway from the global emergence of privacy regulations is that a comprehensive privacy program or function will be a core competency for modern enterprises. While it’s impossible to know exactly what will be required of our privacy functions in the future, you should be taking stock of what feels “appropriate” for your organizational privacy posture. As we’re addressing individual regulatory requirements, we should be divining a notion for how privacy should be reflected in organizational risk appetite, data governance, software/product development, security operations, vendor contractual terms, corporate policy, etc.  We may not know what future requirements lie ahead, but we can start uncovering how we as an organization are best equipped to react.

Until we get definitive answers to the above legislative questions and considerations, we will continue to monitor developments in committees and other background action that may impact state or federal privacy legislation throughout the balance of this year as state lawmakers work to adapt the CCPA to meet their states’ unique needs.

Paul Laurent

Associate Director
Technology Consulting – Security and Privacy