California banned the use of “dark patterns” and related deceptive online navigation methods, Attorney General Xavier Becerra (D) announced, with new regulations under the California Consumer Privacy Act. California’s Office of Administrative Law approved the additional regulations, giving “new tools” for protecting data privacy, effective Monday. Regulations include “an eye-catching Privacy Options icon that guides consumers to where they can opt-out of the sale of their personal information,” he said. The dark patterns provision “prohibits companies from burdening consumers with confusing language or unnecessary steps such as forcing them to click through multiple screens or listen to reasons why they shouldn’t opt out.”
California’s privacy law author criticized Virginia’s new statute at a New Jersey legislative hearing Monday. The second major state privacy bill, signed this month by Virginia Gov. Ralph Northam (D), has “many loopholes” that effectively codify existing business practices, Californians for Consumer Privacy’s Alastair Mactaggart told the Assembly Science, Innovation and Technology Committee. Mactaggart, who proposed the California Consumer Privacy Act and the newer California Privacy Rights Act, urged lawmakers to update CCPA-based measures to the CPRA. CTIA, which prefers a national law, warned against basing a New Jersey law on CPRA because it’s “still unsettled,” said Davis Wright attorney Nancy Libin. The Virginia law, while also problematic, is at least less burdensome for businesses, she said. New Jersey should align with Virginia to provide uniform rules for businesses, agreed Internet Association Legal and Policy Counsel Alexandra McLeod. New Jersey lawmakers are returning to privacy after COVID-19 derailed efforts last year, said committee Chair Andrew Zwicker (D). The panel heard testimony but didn’t vote on Zwicker’s A-3283, which would provide an opt-in right and establish a state data protection office; A-3255, to require businesses notify customers about collection and sale of personal information and give customers an opt-in right; and A-5448, to require websites notify about collection and disclosure and allows customers to opt out. Harvard Berkman Klein Center affiliate Salome Viljoen supported A-3283 setting up a special office but suggested adding a private right of action and warned not to exclude third parties not covered in the current bill. Electronic Frontier Foundation Legislative Activist Hayley Tsukayama, also urging a private right, cautioned that the proposed office would need adequate funding. TechNet is optimistic about soon getting a federal law, but if New Jersey goes ahead, attorney general enforcement is better than allowing private suits, said Executive Director-Northeast Chris Gilrein. Opting out is more difficult for consumers than opting in, said Consumer Reports Policy Analyst Maureen Mahoney.
Rep. Suzan DelBene, D-Wash., introduced privacy legislation Wednesday, as expected (see 2101220048). The Transparency and Personal Data Control Act would establish a preemptive national law that gives the FTC targeted rulemaking authority and the ability to fine on first offenses.
The Washington state House wasn’t expected to have passed its privacy bill by Tuesday’s deadline for bills to clear their origin chamber. Instead, HB-1433 sponsor Rep. Shelley Kloba (D) planned to use the language in a proposed amendment to the Senate-passed SB-5062, said Kloba Legislative Assistant Brian Haifley. The House bill backed by the American Civil Liberties Union “will not be moving forward this session, but we are working to assure that any bill, including SB 5062, incorporates the most important provisions of HB 1433: opt-in consent, a private right of action, no loopholes, and no local preemption,” an ACLU-Washington spokesperson said. “These are the baseline protections needed for meaningful and effective data privacy regulation.” The Senate passed SB-5062 last week, for the third straight year (see 2103040007).
Utah Gov. Spencer Cox (R) “intends to sign” a bill to require smartphones and tablets to include pre-installed and automatically activated adult content filters, a spokesperson said Monday. The Senate voted 19-6 for HB-72 Thursday after the House passed it 41-30 last month. It could be some time before it takes effect because the requirement is contingent on five other states enacting similar laws. TechNet and CTA opposed the bill in a Feb. 22 letter to Utah Senate Technology Committee Chair Wayne Harper (R). Many free and paid content filtering services exist, completely reliable filters are not technically feasible, and the bill would inappropriately "place device manufacturers in the role of deciding what content is obscene and whether it should be restricted," said the letter emailed to us by CTA.
The Oklahoma House passed a comprehensive data privacy bill. Members voted 85-11 Thursday for an amended HB-1602, sending the measure to the Senate. The bill is “best described as a heavily-modified version of the California Consumer Privacy Act,” blogged Husch Blackwell privacy attorney David Stauss. Lawmakers deleted a private right of action from an earlier draft, he noted. It would take effect Jan. 1, 2023, the same date as Virginia’s privacy law, which was signed Tuesday. The Washington Senate passed a privacy bill Wednesday (see 2103040007).
The Washington Senate passed a comprehensive state privacy bill for the third straight year. Wednesday’s 48-1 vote sent SB-5062 to the House, where similar bills died in the previous two sessions due to enforcement and other concerns. “Numerous other states, including Virginia, are moving forward with strong privacy legislation,” said sponsor Sen. Reuven Carlyle (D). The House has rival HB-1433 supported by the American Civil Liberties Union that differs from Carlyle’s bill by including a private right of action and opt-in consent (see 2101290053). Tuesday is the Washington State Legislature’s cutoff to pass bills in their originating chamber. Following California in 2018, Virginia Gov. Ralph Northam (D) signed the nation’s second major privacy bill Tuesday (see 2103030060).
The FCC proposed updates to the purpose and definitions of the commission's 1974 Privacy Act rules, an NPRM said Thursday. The commission also proposed streamlining rules for publication of a "systems of records notice" and modifying the process for individuals to determine whether the commission is withholding information about them. Comments deadlines will be triggered by Federal Register publication.
Sen. Ed Markey of Massachusetts and four other members of the Democratic caucus pressed Amazon Wednesday about reports of AI-capable surveillance cameras in its delivery vehicles. The cameras reportedly used Driveri software to “constantly record video footage when drivers are on their delivery routes and reportedly also capture footage of the roads and sidewalks,” Markey’s office said. “Although community and automobile safety are of the utmost importance, they must not come at the expense of workers and the publics’ safety, privacy, and wellbeing,” the senators said in a letter to CEO Jeff Bezos. They asked Bezos to detail whether the Driveri cameras also “employ facial recognition technology or other biometric recognition technology” and whether any “driver of Amazon’s vehicles” can opt out. Richard Blumenthal, D-Conn.; Cory Booker, D-N.J.; Markey; Bernie Sanders, I-Vt.; and Elizabeth Warren, D-Mass., asked whether footage will be used for personnel reasons and under what circumstances the e-tailer might share the content with law enforcement. The company didn’t comment.
The Health Insurance Portability and Accountability Act doesn’t apply to all health data collected by apps, reported Consumer Reports Tuesday. Its testers observed apps sharing unique IDs, specific to a smartphone, with companies including Facebook. Apps that provide guided meditations, mood-tracking diaries, therapy chatbots and cognitive behavioral therapy exercises sometimes ask users to complete data about mental health symptoms that might not be treated as confidential, it said. "You should be able to reach out for help without worrying about how that data might be shared or misused,” said Justin Brookman, CR director-privacy and technology policy.