The U.S. and EU should forge a "pragmatic" digital alliance for data transfers because fully harmonized policies are unrealistic, the Information Technology and Innovation Foundation said Thursday. ITIF noted the "crisis" in digital relations and a "serious risk" of de facto data localization. It urged policymakers to create a successor to the Privacy Shield, annulled by the European Court of Justice in July 2020 (see 2007160002), as part of a broader framework that also includes new general data protection regulation-compliant personal data transfer mechanisms and better law enforcement cooperation on accessing electronic evidence. Such a cooperative agenda based on shared values would be a "strategic counterweight to authoritarian digital powers" like Russia and China, the group said: An alliance based on "digital realpolitik" is needed "now more than ever." The U.S. and EU are talking about PS (see 2103250023).
A Florida Senate committee rejected an attempt to remove a private right of action from a comprehensive privacy bill (SB-1734). The committee killed that proposed amendment by Sen. Annette Taddeo (D) in a voice vote at a livestreamed Monday hearing. The committee then cleared the bill. Taddeo said the provision is overbroad; sponsor Sen. Jennifer Bradley (R) said it's critical to enforcement. Companies are making money on consumers’ lack of information about how their data is being used, Bradley said. The bill "pulls the curtain back on that industry" and shifts power back to consumers, she said.
California banned the use of “dark patterns” and related deceptive online navigation methods, Attorney General Xavier Becerra (D) announced, with new regulations under the California Consumer Privacy Act. California’s Office of Administrative Law approved the additional regulations, giving “new tools” for protecting data privacy, effective Monday. Regulations include “an eye-catching Privacy Options icon that guides consumers to where they can opt-out of the sale of their personal information,” he said. The dark patterns provision “prohibits companies from burdening consumers with confusing language or unnecessary steps such as forcing them to click through multiple screens or listen to reasons why they shouldn’t opt out.”
California’s privacy law author criticized Virginia’s new statute at a New Jersey legislative hearing Monday. The second major state privacy bill, signed this month by Virginia Gov. Ralph Northam (D), has “many loopholes” that effectively codify existing business practices, Californians for Consumer Privacy’s Alastair Mactaggart told the Assembly Science, Innovation and Technology Committee. Mactaggart, who proposed the California Consumer Privacy Act and the newer California Privacy Rights Act, urged lawmakers to update CCPA-based measures to the CPRA. CTIA, which prefers a national law, warned against basing a New Jersey law on CPRA because it’s “still unsettled,” said Davis Wright attorney Nancy Libin. The Virginia law, while also problematic, is at least less burdensome for businesses, she said. New Jersey should align with Virginia to provide uniform rules for businesses, agreed Internet Association Legal and Policy Counsel Alexandra McLeod. New Jersey lawmakers are returning to privacy after COVID-19 derailed efforts last year, said committee Chair Andrew Zwicker (D). The panel heard testimony but didn’t vote on Zwicker’s A-3283, which would provide an opt-in right and establish a state data protection office; A-3255, to require businesses to notify customers about collection and sale of personal information and give customers an opt-in right; and A-5448, to require websites to notify about collection and disclosure and allow customers to opt out. Harvard Berkman Klein Center affiliate Salome Viljoen supported A-3283 setting up a special office but suggested adding a private right of action and warned not to exclude third parties not covered in the current bill. Electronic Frontier Foundation Legislative Activist Hayley Tsukayama, also urging a private right, cautioned that the proposed office would need adequate funding.
TechNet is optimistic about soon getting a federal law, but if New Jersey goes ahead, attorney general enforcement is better than allowing private suits, said Executive Director-Northeast Chris Gilrein. Opting out is more difficult for consumers than opting in, said Consumer Reports Policy Analyst Maureen Mahoney.
The Washington state House wasn’t expected to have passed its privacy bill by Tuesday’s deadline for bills to clear their origin chamber. Instead, HB-1433 sponsor Rep. Shelley Kloba (D) planned to use the language in a proposed amendment to the Senate-passed SB-5062, said Kloba Legislative Assistant Brian Haifley. The House bill backed by the American Civil Liberties Union “will not be moving forward this session, but we are working to assure that any bill, including SB 5062, incorporates the most important provisions of HB 1433: opt-in consent, a private right of action, no loopholes, and no local preemption,” an ACLU-Washington spokesperson said. “These are the baseline protections needed for meaningful and effective data privacy regulation.” The Senate passed SB-5062 last week, for the third straight year (see 2103040007).
The Oklahoma House passed a comprehensive data privacy bill. Members voted 85-11 Thursday for an amended HB-1602, sending the measure to the Senate. The bill is “best described as a heavily-modified version of the California Consumer Privacy Act,” blogged Husch Blackwell privacy attorney David Stauss. Lawmakers deleted a private right of action from an earlier draft, he noted. It would take effect Jan. 1, 2023, the same date as Virginia’s privacy law, which was signed Tuesday. The Washington Senate passed a privacy bill Wednesday (see 2103040007).
The Washington Senate passed a comprehensive state privacy bill for the third straight year. Wednesday’s 48-1 vote sent SB-5062 to the House, where similar bills died in the previous two sessions due to enforcement and other concerns. “Numerous other states, including Virginia, are moving forward with strong privacy legislation,” said sponsor Sen. Reuven Carlyle (D). The House has rival HB-1433 supported by the American Civil Liberties Union that differs from Carlyle’s bill by including a private right of action and opt-in consent (see 2101290053). Tuesday is the Washington State Legislature’s cutoff to pass bills in their originating chamber. Following California in 2018, Virginia Gov. Ralph Northam (D) signed the nation’s second major privacy bill Tuesday (see 2103030060).
Gov. Ralph Northam (D) should scrap Virginia’s privacy bill that passed the legislature last week (see 2102190041), some said Thursday. The Virginia Citizens Consumer Council (VCCC), Consumer Federation of America, Electronic Frontier Foundation, Privacy Rights Clearinghouse and the U.S. Public Interest Research Group sent Northam a letter urging him to veto the legislation or send it back to the legislature for reconsideration next January. “Virginia has taken a business-first perspective that codifies business-designed obstacles to consumers having meaningful control of their personal information,” said VCCC President Irene Leech. Consumer Reports urged Northam to sign the bill but said legislators should work next session to strengthen it. “This bill has some important privacy provisions, but consumers need more practical options,” said CR Policy Analyst Maureen Mahoney. Northam's office didn’t comment.
Personal data flows to the U.K. should be permitted because its privacy laws are essentially equivalent to the EU's, the European Commission said. It published draft "adequacy" decisions under the general data protection regulation and the law enforcement directive for review by the European Data Protection Board and EU governments. The EU "has shaped the UK's data protection regime for decades," but adequacy findings must be future-proof after Brexit, the EC said. The decisions would be valid for four years and renewable. Data flows between the European economic area and U.K. continue under an interim regime that expires June 30. The decision is good news because the U.K. "remains an important trade partner of the EU," said the Computer & Communications Industry Association.
President Joe Biden should take executive action to impose a federal moratorium on face scanning and other forms of biometric technology, wrote the American Civil Liberties Union and more than 40 organizations Wednesday. He should block states and local governments from using federal funds on the technology and support legislation codifying a federal moratorium, the ACLU wrote with the Electronic Frontier Foundation, Amnesty International and others. The technology “disproportionately misidentifies people of color, women, trans people, and other marginalized groups, but its ability to track our movements across space and time would be dangerous even if it worked perfectly,” said ACLU Senior Legislative Counsel Kate Ruane. The White House didn’t comment.