Most states are still in session, although they have narrowed their focus and are now concentrating on the bills that are likely to garner serious consideration. This report covers those select few of greatest interest – or threat – to the nonprofit sector.
Arizona HCR 2013, sponsored by Rep. Shawna Bolick, R-Phoenix, passed the House Technology Committee on February 19. The resolution would express the support of the legislature for a single federal privacy standard rather than a state-by-state approach.
Illinois SB 3299, sponsored by Sen. Laura Fine, D-Glenview, was referred to the Senate Assignments Committee on February 11. The bill, to be known as the Consumer Privacy Act, is similar to the California Consumer Privacy Act and would grant the consumer a right to request that a business disclose to that consumer the categories and specific pieces of personal information the business has collected. The bill would also allow the consumer the right to opt out of having their data sold to third parties. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request.
Maryland HB 784, sponsored by Del. Ned Carey, D-Brooklyn Park, was referred to the House Economic Matters Committee on February 3. The broad privacy bill, to be known as the Online Consumer Protection Act, would provide that every consumer has the right to request that a company disclose the categories and specific pieces of personal information that the business has collected about the consumer. A business that collects a consumer’s personal information would be required to inform the consumer at or before the point of collection regarding the categories of personal information to be collected and the purpose for which each category will be used. If a business receives a verifiable consumer request to access personal information, it would be required to promptly take steps to disclose and deliver the requested information free of charge.
The bill would also provide that a consumer has the right to request the deletion of their personal information. The consumer would also have the right to require a business that sells or discloses personal information to disclose the categories of personal information that the business collects and the categories of information that were sold or disclosed. A third party would be prohibited from selling the personal information it has been sold unless the consumer has been notified and been given the opportunity to opt-out. A consumer would also have the right, at any time, to opt-out of having their information sold. A business that is required to comply with this section would have to set up a link on their homepage to allow consumers to opt-out.
The bill contains a broad definition of personal information including, but not limited to, real name, internet or other electronic network activity information, commercial information, and geolocation information, but would not include publicly available information. The bill contains a private right of action, but only for the provisions relating to data breach. Prior to initiating any action against a business, a consumer would be required to provide a business 30 days written notice identifying the specific provisions of the law that are alleged to have been violated.
Nebraska LB 746 was heard in the Senate Transportation and Telecommunications Committee on February 4. The bill, to be known as the “Nebraska Consumer Privacy Act,” is similar to the California Consumer Privacy Act and would grant the consumer a right to request that a business disclose to that consumer the categories and specific pieces of personal information the business has collected. The bill would also allow the consumer the right to opt out of having their data sold to third parties. The bill would grant a consumer the right to request deletion of personal information and would require the business to delete upon receipt of a verified request.
New Hampshire HB 1680 would grant consumers the right to:
- Know what personal information is being collected about them.
- Know whether their personal information is sold or disclosed and to whom the information is being sold.
- Decline or opt-out of the sale of their personal information.
- Access the personal information that has been collected.
The consumer would have the right to request that the business disclose specified information, including the categories of personal information collected, the business or commercial purpose for collecting the information and the specific pieces of information collected. A consumer would also be able to request that a business delete any personal information collected about the consumer with certain specified exemptions, including to detect security incidents or to comply with a legal obligation. The business would be required to provide a clear and conspicuous link to a page entitled “Do Not Sell My Personal Information” that contains the business’ privacy policies and a description of the consumer’s rights. The bill would take effect January 1, 2021.
New Jersey AB 1257, sponsored by Rep. Troy Singleton, D-Delran, was referred to the Senate Commerce Committee on February 3. The bill would require commercial internet websites and online service operators to notify consumers of the collection and disclosure of personally identifiable information to third parties. An operator would be required to create a webpage that, by verified request, allows a consumer to opt out of the sale of their personally identifiable information.
Oklahoma Rep. Logan Phillips, R-Mounds, has filed several placeholder data privacy bills that were referred to the House Rules Committee, including:
- HB 3728, which would enact the “Technology Consumer Right to Know Act.”
- HB 3768, which would enact the “Data Selling Regulatory Policy Act of 2020.”
- HB 3778, which would enact the “Oklahoma Digital Public Forums Act of 2020.”
- HB 3799, which would enact the “Digital Data Collection Oversight Act of 2020.”
Washington SB 6281 passed the Senate and is now pending in the House Innovation, Technology and Economic Development Committee. The bill, to be known as the Washington Privacy Act, would grant a consumer the right to:
- Confirm whether a controller is processing their personal data and access that data.
- Correct inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of that data.
- Delete their personal data.
- Obtain their personal data from a controller in a way that allows the consumer to transmit the data to another controller.
- Opt-out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal effects concerning a consumer.
Controllers would be required to:
- Provide consumers with a meaningful privacy notice.
- Limit collection of personal data to what is required or relevant for a specified purpose.
- Establish and implement data security practices.
- Prohibit processing that violates state or federal law.
- Obtain consumer consent in order to process sensitive data.
- Respond to consumer requests within 45 days.
The bill would require controllers to provide consumers with a secure and reliable way to submit a request to exercise a consumer right. The committee substitute would specify that the bill applies to nonprofit corporations and higher education institutions but would include a delayed effective date of July 31, 2024 for those entities. The bill does not contain a private right of action.
House companion HB 2742 is pending in the House Appropriations Committee and looks quite a bit different from the Senate bill.
- The House version does include a private right of action, with penalties up to $50,000 per violation, and $100,000 per intentional violation.
- Unlike the Senate’s narrow opt-outs, the House bill allows for opt-outs of data processing for any reason.
- Controllers under the House bill would be accountable for transmitting consumer requests to third parties with which they have shared consumer data, and would have to respond to requests within 21 days.
- The House bill has a lower threshold for compliance requirements (e.g., businesses deriving 5% of revenue from sale of data, versus the Senate bill’s 50% threshold).
Wisconsin Asm. Shannon Zimmerman, R-River Falls, has introduced several bills relating to data privacy, modeled after the European Union’s General Data Protection Regulation, which were heard in the Assembly Science and Technology Committee on February 12, including:
- AB 870, which would require controllers of consumers’ personal data to provide a consumer with the information that the controller has on that consumer as well as make other specified disclosures.
- AB 871, which would allow consumers to request controllers stop collecting their personal data and delete what they already have.
- AB 872, which would prohibit companies from collecting or selling any personal data that is not public record.
Federal – Senator Kirsten Gillibrand (D-NY) introduced a data privacy bill yesterday. It does not yet have a bill number, nor is actual legislative language available. Based on press reports, the bill would create a new federal agency, the Data Protection Agency. The legislation apparently does not include federal preemption of existing or future state privacy statutes.
It is unclear at this time how much momentum will be behind enactment of this bill.
The House passed H.R. 2382, the USPS Fairness Act, by an overwhelming vote of 309-106. This legislation would repeal the requirement that the postal service prepay future retiree healthcare benefits, placing it on a footing similar to most other government agencies and reducing pressure on raising postal rates. Identical legislation, S. 2965, sponsored by Senator Steve Daines (R-MT), has been introduced in the Senate.
Although the House passed this legislation by a wide margin, it is uncertain at this time whether the Senate will act on this measure.
Nonprofits submitted upwards of 150 comment letters to the Postal Regulatory Commission by the February 3 deadline for comment on the proposed rate increase. We’ve received quite a few questions about the timeline from here, and in particular how soon a rate increase could take effect. While an official timeline has not been released, the following is a possible schedule based on a combination of law and past experience:
1. There is a 30-day “reply-to-comments” period that follows the Feb. 3 comment due date. That takes us to Mar. 4.
2. Assume 30 additional days for the PRC to consider comments and deliberate. Now it’s April 3.
3. In early April, PRC could post a “final rule” in the Federal Register that would be effective 30 days from posting. So, new ratemaking could be law on May 3. Assuming PRC – and USPS – are anticipating the new regime and ready with new, higher rates, they might be proposed by USPS to PRC as soon as May 3. But there’s a 45-day wait period by law. That takes us to June 17.
4. It takes USPS – and customers – time to prepare. Add 45 days for rate-increase prep (it’s usually 90). That takes us to August 2 as the “as soon as it could possibly happen” date.
For now, this is a best guess of the worst case. The outpouring from our sector may give some PRC commissioners second thoughts, or external political pressure could make the PRC reverse course, either of which would postpone rate changes and increase the likelihood of more reasonable increases when they do occur.