Ind., Wash. Privacy Bills Advance Amid Action Elsewhere
Comprehensive state privacy bills marched forward in Indiana and Washington state. The Indiana Senate passed SB-358 in a unanimous 49-0 vote Tuesday, and a Washington House panel narrowly cleared an amended HB-1850 Wednesday. Elsewhere, a Virginia Senate panel cleared edits to its 2021 law and a Maryland committee heard testimony on a biometrics privacy bill.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Indiana senators sent the House its bill Wednesday, which is modeled after Virginia’s privacy law and cleared the Senate’s Commerce Committee last week (see 2201270066). The House will take up the Senate bill next week, Sen. Liz Brown (R) told us before the vote Tuesday. On criticisms about the bill lacking a private right of action (PRA), she said there shouldn’t be any concerns about Indiana Attorney General Todd Rokita (R) bringing action against Big Tech platforms, citing his recent multistate lawsuit against Google (see 2201240028).
Many states are proposing privacy measures this year (see 2201120021). Brown doesn’t want a state patchwork of laws, but state bills like those in Indiana and Virginia are “a good start,” she said. “You want something you can enforce and something businesses can respond to. They need certainty” if they’re going to be regulated.
Virginia’s privacy law is a “good first step,” but it doesn’t go far enough, U.S. Senate Intelligence Committee Chairman Mark Warner, D-Va., told us: “I give Virginia credit for putting some points on the board. We can’t say the same thing for the federal government.” With a developing patchwork of state laws, Congress continues to cede its authority, said Warner.
Big Tech and the U.S. Chamber of Commerce prefer Virginia’s law because it allows “24/7 surveillance advertising,” said Ed Mierzwinski, U.S. PIRG federal consumer program senior director. “California's privacy law isn't perfect, but it’s a much better starting point."
Indiana’s bill “doesn’t adequately protect consumers’ privacy,” said Consumer Reports Senior Policy Analyst Maureen Mahoney in a statement Tuesday. It was weak before an amendment that made it “even weaker and moving in the wrong direction,” she said. “We urge lawmakers to pause and consider improvements, such as adding a global opt out, eliminating loopholes for targeted advertising, and strengthening enforcement, before advancing further.”
In Washington state, two Democrats joined six Republicans opposing a privacy bill that drew mixed reviews at a hearing last week (see 2201250060). The House Judiciary Committee cleared HB-1850 by 9-8.
Republicans don’t like adding a state privacy commission, and having enforcement by that body, the AG and a private right of action is even more “confusing and confounding” than last year’s bill without a commission, said ranking member Jim Walsh (R). The bill won’t adequately protect consumers because it has “too many exceptions,” but it will “generate a lot of lawsuits,” he said.
The panel adopted a proposed substitute by Chairman Drew Hansen (D). One change delays the proposed effective date by one year to July 31, 2023. The substitute modified the bill’s definitions of “targeted advertising” and “share,” removing from the latter exemptions including for disclosures to processors and personal data transfers as part of takeovers.
The committee adopted three of nine amendments by seven members to the substitute. The committee changed PRA language to say civil actions may be brought under the state’s consumer protection law. Another accepted change modified proposed right-to-cure language so the 30-day shot clock starts after the privacy commission determines reason to believe a violation has occurred, rather than when the complaint is filed. Another edited procedures for enforcement coordination between the AG and the privacy commission. The committee rejected other proposals including to kill the PRA completely, to remove a one-year sunset on the right to cure and to remove exemptions for government entities and nonprofits.
The Virginia Senate Technology Committee voted 15-0 for SB-584 on handling personal data obtained from sources other than the consumer. Also at the livestreamed hearing, the panel voted 14-0 for SB-393 to allow a data controller to treat a consumer request to delete information obtained by a third party as an opt-out for targeted ads, personal data sale and from “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” A similar House bill advanced last week (see 2201280031).
A Maryland bill regulating how private companies collect and use biometric data received support from the AG's office and consumer privacy groups, while raising tech industry concerns, at a livestreamed hearing. Following the example of a similar 2008 Illinois law, Maryland’s HB-259 would include a PRA, said sponsor Del. Sara Love (D) at the livestreamed hearing: "That's what gets companies to change their behavior."
Use of biometric data is a “critical threat to privacy as well as civil liberties,” said Maryland Assistant AG Hanna Abrams. Without such protections, more “dystopian nightmares [will] come true,” said Electronic Privacy Information Center Senior Counsel Jeramie Scott.
Tech groups balked. The Illinois biometric law generated more than a thousand lawsuits in the past five years, said TechNet Executive Director-Northeast Chris Gilrein. Don’t stifle innovative uses of biometric technology, warned NetChoice Policy Counsel Jennifer Huddleston.
In other states, Mississippi privacy bill SB-2330 died in committee Tuesday. Alaska's HB-159 is scheduled for a Judiciary Committee hearing Friday.