Data the 'New Oil' in Privacy's 'Wild West,' Says Pa. State Legislator

"This is a topic I've been interested in for quite some time relative to how it affects the consumer,” said Pennsylvania House Consumer Affairs Committee’s Democratic Chair Robert Matzie. The panel’s minority leader looks forward to "getting into the meat" of HB-2202 if it advances, he said. The committee, which didn’t vote Wednesday, "will take the time to digest the information we had today,” Chair Jim Marshall (R) said as the meeting concluded.

Current data protection laws “are designed for a pre-digital era,” said HB-2202 sponsor Rep. Robert Mercuri (R): For Pennsylvania’s digital economy, privacy is “the Wild West” and data is "the new oil.” Data is “extracted for its value” and “sold to advertisers at large benefit to Big Tech companies," he said. Mercuri’s bill would require larger companies and personal information aggregators to share more information with consumers about what data is gathered, tracked and sold, said the Republican: Consumers would get rights to know what data is collected, to delete that data and to opt out, while companies could still negotiate with consumers about their data’s value, said Mercuri, adding he seeks to minimize business impact.

Pennsylvania’s bill is a “thoughtful and important step forward,” said Microsoft Senior Director-Public Policy Ryan Harkins. The company has wanted a federal law since 2005 but is now "supporting efforts in states to step into that leadership void.” Colorado and Connecticut have the best state laws, he said. Rep. Nick Pisciottano (D) asked if Microsoft already applies such privacy standards to its own company. Harkins replied: "Efforts to self-regulate our industry clearly have not worked in this space. The industry has lost the trust of the public to a large extent."

Harkins praised the Pennsylvania bill definitions for personal information and deidentified data, which he said would ensure the bill covers targeted ad profiles or other datasets associated with consumers not by their names but with cookies, IP addresses or other persistent unique identifiers. “Unfortunately, we’ve seen efforts by other industry players -- most recently in the state of Utah -- to chip away at those definitions or use concepts like pseudonymous data … in an apparent effort to argue that modern online datasets … would somehow not be subject to a privacy law’s provisions.” Pennsylvania lawmakers should avoid calls to narrow rights to delete, correct and opt out, added Harkins.

Pennsylvania should strive to make a law that is interoperable with other state laws so as not to increase business compliance costs, said TechNet Executive Director-Northeast Chris Gilrein. The tech group is “heartened” that HB-2202 mostly tracks Virginia’s law, including enforcement solely by the attorney general and a right to cure for businesses found in violation. But the bill deviates from Virginia in some ways, including a requirement to honor web browser global opt-out signals, said Gilrein, saying “open questions” remain about how those would operate.

Carve out entities already regulated by other state and federal laws like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act, the Fair Credit Reporting Act and the Driver Privacy Protections Act, said Insurance Federation of Pennsylvania President Jonathan Greer. Nonprofits like the National Insurance Crime Bureau (NICB) should also get an exemption, he said.

Louisiana’s privacy bill earlier cleared two House committees despite calls for changes (see 2205170056 and 2205110049). House members Wednesday postponed voting on HB-987 until May 31 in response to a request by sponsor Rep. Daryl Deshotel (R), who earlier said he wouldn’t run the bill until he found more agreement. The House was originally scheduled to take up the bill on Monday this week but delayed it 24 hours on that day and Tuesday. If passed by the House, HB-987 would still need Senate approval. Louisiana legislators are set to adjourn June 6.