State Privacy Updates - 5/26

Welcome to The Patchwork Dispatch, a fortnightly (maybe) newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states. The year is dragging on and a majority of U.S. states are now out of session, but there is no sign of slowdown in privacy developments. Here's what you need to know:

1. New York State on the Move

In the waning weeks of New York's legislative session there has been a flurry of activity involving Senator Thomas' 'New York Privacy Act' (S 365). On May 18, Senator Thomas introduced a set of amendments to the NYPA which removed the bill's private right of action and standardized requirements around risk assessments and automated decisionmaking systems. The NYPA subsequently advanced from the Senate Committee on Information and Technology to the Finance Committee. Over in the Assembly, on May 19 a companion bill (A 7423) was introduced by Rep. Rozic and on May 23 that bill advanced from the Committee on Consumer Affairs and Protection to the Standing Committee on Codes.

Compared to past versions of the New York Privacy Act, which leaned very heavily into concepts like duties of "loyalty" and "care" with respect to consumer data, this iteration is significantly closer to dominant trends in state privacy law. Nevertheless, as presently drafted it contains numerous unique provisions that stakeholders should be aware of.

  • Broad Applicability: The NYPA would arguably have the broadest applicability of any comprehensive state privacy law. Companies doing business in New York would be subject to the law if they have $25 million or more in gross annual revenue or process the personal data of at least 50,000 New York residents.
  • Targeted Advertising: Unlike all other state privacy laws, the NYPA defines targeted advertising as "advertising based upon profiling", which would likely extend opt-out rights to a broad range of advertising based on first-party data. Furthermore, the NYPA lacks the common carveout for data processed for the purposes of measuring advertising frequency, performance, or reach.
  • Opt-Out Preference Signals: The NYPA appears to require companies to respond to opt-out requests sent through user-enabled device signals. Unlike other state laws, which provide for the use of such signals in opting out of targeted advertising and data sales, the NYPA would also require businesses to treat these signals as valid requests to opt out of profiling with legal or similarly significant effects.
  • Prescriptive consumer rights: The NYPA contains numerous familiar consumer rights but with some unusually prescriptive requirements. For example, privacy notices would have to be written at an eighth grade reading level or lower and be provided in at least twelve point font.
  • Data Broker Registry: The NYPA would require “data brokers”, defined as controllers that collect and sell personal data of consumers with whom they do not have a direct relationship (exempting FCRA and GLBA covered entities), to annually pay a fee and register with the attorney general. Businesses would further be required not to sell personal data to organizations reasonably believed to be ‘data brokers’ that have failed to register.

New York's legislative session is scheduled to adjourn on June 8th with only a handful of work days left on the calendar. However, if we have learned anything from Florida's Digital Bill of Rights, it's that where there's a (political) will, there's a way.

2. Nevada Health Data Bill Has Traction

As the Dispatch has (exhaustively) covered throughout the year, the biggest story in U.S. Privacyland for 2023 is likely the enactment of the Washington State 'My Health, My Data' Act. Now, we are approaching the first major test for whether the MHMD approach can serve as a template for other states. Nevada's SB 370 is a MHMD-style health privacy proposal that passed the State Senate by a 13-8 vote in late April and was favorably reported out of the Assembly Commerce and Labor Committee on May 19th.

However, in its current form SB 370 is far from a carbon-copy of MHMD. For example:

  • Scope of Covered Data: While MHMD broadly applies to information that identifies physical or mental health status, SB 370 is more narrowly focused on information "that a regulated entity uses to identify" consumer health status.
  • Regulated Entities: Neither MHMD nor SB 370 include small business carveouts; however, SB 370 does exempt HIPAA and GLBA regulated entities while also excluding "information that is used to provide access to or enable gameplay by a person on a video game platform."
  • Consumer Rights: Unlike MHMD, SB 370 provides greater leeway (a 2-year window) to organizations for complying with deletion requests involving information stored in archival or backup systems.
  • Biometric Identifiers: MHMD treats all biometric information as covered health data. In contrast, SB 370 would create a separate privacy framework governing the collection and use of a distinct category of "biometric identifiers".
  • Enforcement: Unlike MHMD, SB 370 would not provide for enforcement through a private right of action.

Nevada's legislative session is scheduled to end on June 5th, so keep a close watch on this proposal over the coming weeks.

3. Setbacks for the 'Age Appropriate Design Code' Framework

Last year, California adopted the Age-Appropriate Design Code Act (AB 2273), a sweeping effort to regulate privacy, design, and content for online products, services, and features likely to be accessed by children and adolescents. While AADC-style bills were introduced in numerous states in 2023 with much fanfare, it now appears that no state will succeed in enacting its own design code framework this year. Of the top prospects:

  • New York's unique take on the AADC model (S3281) failed to advance from the Senate Internet and Technology Committee on May 22.
  • Minnesota's AADC legislation almost hitched a ride on a budget bill and separate legislation involving 'deep fakes' (HF 1370), but formally failed on May 15.
  • Nevada's AADC (AB 320) failed without receiving a hearing on April 15.
  • Maryland's AADC (HB 901) passed the State House by a 110-26 vote, but was unable to clear the Senate by the end of session on April 10.
  • New Mexico's AADC (SB 319) passed the Senate Tax, Business, and Transportation Committee, but failed to be adopted before session closed on March 18.

Note, however, that statutory provisions that appear inspired by the Age Appropriate Design Code framework (though lacking many of the more controversial elements such as age assurance) have been enacted as part of the Florida Digital Bill of Rights and are included in Connecticut SB 3 which has passed the State Senate.

Meanwhile, the docket continues to expand in the NetChoice effort to strike down California's Age Appropriate Design Code before it goes into effect. For your awareness, here are the notable amicus filings since the last time we covered this litigation:

  • The Electronic Privacy Information Center filed on April 28 contesting NetChoice's Communications Decency Act Section 230 claims and arguing that the AADC's DPIA requirements do not run afoul of the First Amendment as they "are not directed at specific speech or expressive content."
  • On April 28 a coalition of organizations including Archewell (founded by the Duke and Duchess of Sussex) filed an amicus arguing that the Children's Online Privacy Protection Act (COPPA) does not preempt the AADC.
  • The New York Times filed in support of NetChoice on May 15 describing how the AADC imposes content-based regulation on online publishers, including mainstream news websites.

The first hearing in the NetChoice suit remains scheduled for July 27th.

4. Many Maine Bills

With Maine in a special legislative session, a series of privacy proposals have been filed, many by the same lawmaker. For your awareness:

  • The Maine Consumer Privacy Act (LD 1973) was filed by Senator Keim on May 18 with bipartisan support. The proposal would create opt-in (not opt-out) requirements for targeted advertising, data sales, and significant profiling decisions. It would also override Maine's ISP privacy law.
  • The Data Privacy and Protection Act (LD 1977) was filed by Representative O'Neil on May 25, also with bipartisan support. The proposal is essentially a state-level version of the ADPPA that was considered in Congress last summer.
  • The My Health My Data Act (LD 1902) was filed by Representative O'Neil on May 9. The bill closely matches the Washington State 'My Health, My Data' Act.
  • The Act to Give Consumers Control over Sensitive Personal Data by Requiring Consumer Consent Prior to Collection of Data (LD 1705) was filed by Representative O'Neil on April 18 with bipartisan support. This is an Illinois Biometric Information Privacy Act-style proposal. Last year, Maine came close to enacting a similar effort.

With a special session underway, it is unclear what, if any, momentum these privacy proposals will gain.

5. Montana Consumer Data Privacy Act Enacted

On May 19, Governor Gianforte signed SB 384, the Montana Consumer Data Privacy Act, into law. Montana becomes the ninth state (and fourth this year) to enact comprehensive consumer privacy protections. Montana's new law is closely aligned with the Connecticut Data Privacy Act and stands out for being the most protective privacy framework adopted in a Republican-led state by a wide margin.

Our state privacy patchwork quilt has been updated accordingly:

As always, thanks for stopping by.


Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum.
