Apple CEO Tim Cook’s comments last week criticizing new antirust legislation on privacy grounds suggest he’s “terrified” of competition, and that the company doesn’t want U.S. consumers circumventing the App Store (see 2204120062), said Sens. Marsha Blackburn, R-Tenn., and Richard Blumenthal, D-Conn., in a statement Friday. Cook spoke about privacy concerns about the Open App Markets Act (S-2710), introduced by Blackburn and Blumenthal, leaders of the Senate Consumer Protection Subcommittee. “It misses the mark to say we can’t have both consumer privacy and competition in the app marketplace,” they said. The Senate Judiciary Committee-passed bill “acknowledges this balance. Suggesting otherwise is a scare tactic to justify closing markets off to competition.” They agreed with Cook about the need for comprehensive privacy legislation and said there are active discussions among parties.

The California Privacy Protection Agency scheduled stakeholder sessions starting May 4 on its upcoming California Privacy Rights Act rulemaking, the CPPA said Wednesday. Meetings will be videoconferenced and more dates might be added depending on the number of signups, it said. The CPPA had informational sessions last month (see 2203300064). A Michigan privacy bill surfaced Tuesday. Rep. Sarah Anthony introduced HB-5989 with 14 other Democrats. It was referred to the House Communications and Technology Committee. The bill would give consumers the right to know what data is collected and whether and to whom it was sold, and a right to “say no” to personal data sale, targeted advertising and “profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Also, consumers could access collected personal data and request that businesses delete or correct it. It would prohibit discrimination of customers that exercise privacy rights. It would apply to businesses that control or process personal data of at least 100,000 consumers yearly or that get more than 50% of gross revenue from selling personal data of at least 25,000 consumers yearly. The Michigan attorney general would be sole enforcer of the proposed law, which wouldn’t provide a private right of action.

One comprehensive state privacy bill moved forward while two others died last week. Connecticut privacy bill SB-6 advanced Thursday to the joint Judiciary Committee. The General Law Committee weighed the bill last month (see 2203030059). Meanwhile, Maryland’s House Economic Matters Committee voted 20-0 Friday against SB-11 to set up a privacy study group. The Maryland bill was originally a comprehensive measure, but the Senate scaled it back (see 2203300064). Georgia privacy bill SB-394 died when legislators adjourned last week.

Consumers face common barriers to exercising their right to opt out of selling data under the California Consumer Protection Act (CCPA), said Deputy Attorney General Lisa Kim at a California Privacy Protection Agency (CPPA) virtual meeting Tuesday. It was the first day of informational sessions on the upcoming California Privacy Rights Act (CPRA) rulemaking. “Sometimes businesses are not clear with regard to their representations that they do not sell personal information, when in fact they do,” said Kim, who works for California DOJ, the department that enforces CCPA. CCPA doesn’t require verification to opt out of sale, but “oftentimes, businesses may require some type of verification,” said the deputy AG: Businesses may ask some questions to identify consumers, but “we often see abuses in this area.” Because CCPA requires businesses only to disclose the category of third parties with whom they shared or sold personal information, consumers seeking to opt out frequently don’t know who got their information, she said. “There’s no way to go down the stream and ensure that people that the first-party business sold information to also honors the consumer’s right under the CCPA.” A consumer can try by going through California DOJ’s data broker registry, but with more than 450 brokers registered, it can be difficult to opt out for every business that might have the individual’s personal data, said Kim. CPPA Chairperson Jennifer Urban said this week’s informational sessions are meant to provide background information potentially relevant to the agency’s CPRA rulemaking. CPPA will hold partially virtual pre-rulemaking stakeholder sessions in about a month, but exact dates aren’t set because CPPA hasn’t confirmed an in-person location, she said.

Utah will be the fourth state with a comprehensive privacy law. Gov. Spencer Cox (R) signed SB-227 Thursday. The bill takes effect Dec. 31, 2023. The state law “establishes important new rights for consumers over the collection and use of their personal information, while simultaneously providing businesses with clarity regarding the responsible processing of data,” said Computer & Communications Industry Association State Policy Director Alyssa Doom. Consumer privacy groups urged Cox to reject Utah’s bill (see 2203030059). The Oklahoma House voted 74-15 to pass a comprehensive privacy bill Wednesday. HB-2969 by Rep. Collin Walke (D) is mostly based on the California Consumer Privacy Act, but would require opt-in consent and set a lower monetary threshold for those to whom it would apply, blogged Husch Blackwell privacy attorney David Stauss. It would be enforceable by the state attorney general and take effect Jan. 1. The bill goes to the Senate, where Walke’s privacy bill last year stalled.

A Rhode Island privacy bill “would provide little useful information to consumers, and could be harmful to consumers by failing to reveal the extent to which their data is collected, used, and shared,” Consumer Reports Senior Policy Analyst Maureen Mahoney said in written testimony Monday. CR opposed H-7400, which was scheduled for a House Innovation, Internet and Technology Committee hearing later Tuesday afternoon. “Limiting the definition of personal information to a limited set of identifiable data would essentially exempt ad tech companies and data brokers from the bill, who typically keep data in pseudonymous form, though such data can be easily reidentified.” Its definition of “disclose” also is too narrow, said Mahoney: it could fail to capture most online data sharing. The American Property Casualty Insurance Association opposed H-7400 as “confusing in terms of what it requires and who needs to be in compliance.”

Voxx’ EyeLock introduced the NanoAccess access control system that uses cellphones and smartwatches as secure credentials vs. access cards or touch-based personal identification number keypads. NanoAccess supports EyeLock's Portable Templates feature, which stores a user's biometric template on a smart card or mobile device instead of on a computer or in a database, the company said Monday. Because it’s web-based, NanoAccess software doesn’t have to be installed or updated in the future; it works with standard web browsers on Windows and MacOS-based computers, the company said. EyeLock customers had been asking for an affordable, biometric-based access control system, said EyeLock Senior Vice President-Global Business Development Chris Jahnke. The combination of NanoAccess with EyeLock's NanoFace facial recognition technology announced last week (see 2203170005) is a “major step in that direction.”

The California Privacy Protection Agency board plans informational sessions later this month before starting its rulemaking to implement the California Privacy Rights Act, the CPPA said Friday. The virtual meetings will be March 29 at 11 a.m. PDT and March 30 at 9 a.m. PDT, said the notice. CPPA plans overviews of the CPRA, personal information, risk assessments and consumer rights regarding automated decision-making. Also, the CPPA expects to hold April sessions to gather stakeholder input, it said. CPRA enforcement starts Jan. 1, but the CPPA rulemaking is delayed (see 2202280040). Also, the CPPA expects to hold April sessions to gather stakeholder input, it said.

Voxx International’s EyeLock segment is diversifying into facial biometrics with its introduction of NanoFace facial recognition, said the company Thursday. “For the past decade, EyeLock has been focused on iris recognition, building a strong portfolio of intellectual property with over 100 patents or patents pending,” it said. Though iris authentication remains EyeLock’s “forte,” it will also offer other biometric applications “as enterprises and consumers continue to gravitate towards multi-modal applications,” it said. EyeLock President Allen Ibaugh said “the expansion into facial authentication is a natural fit.” The EyeLock biometrics segment generated $800,000 for Voxx in the fiscal nine months ended Nov. 30.

Congress should consider approaches that avoid regulating “particular types of content” when legislating online child safety, the Congressional Research Service said in a report released Monday. Laws restricting the “provision of expressive material” could face First Amendment issues, and laws targeting “specific categories of speech based on its content are subject to the demanding strict scrutiny standard of judicial review,” the report said. Congress tried to criminalize the “provision of internet content” for minors, but courts “applying the strict scrutiny standard have struck down these statutes as unconstitutional,” the report said. CRS noted two potential examples of bills seeking to regulate child internet use without banning a particular type of content: the Kids Internet Design and Safety Act and the Protecting the Information of our Vulnerable Children and Youth Act.