Last summer we told you that California had passed a new digital privacy law, similar to parts of GDPR. Last month we told you that Vermont had just passed a similar law. Now there is a groundswell of privacy legislation in several states, with bills to protect the privacy of online personal information and data being introduced in Washington, Massachusetts, Maryland, New York, Rhode Island and Hawaii. New Mexico and Mississippi also had pending Internet data privacy legislation, but it was killed in both states. North Dakota this month passed a law saying that they would look into data privacy protection management.
(You can read about California’s law here, and about Vermont’s law here. You can read about GDPR here.)
Much of this recently introduced legislation closely resembles California’s new law, which isn’t surprising as California is known as a legal trend-setter. Some of the bills also contain language which closely follows the GDPR equivalent.
The Pending Internet Personal Data Privacy Laws in Washington, Massachusetts, New York, Maryland, Rhode Island, and Hawaii
Washington’s ‘An act relating to the management and oversight of personal data’ Bill SB 5376
The Washington bill, SB 5376, specifically references GDPR, and in fact emulates it with definitions for and references to data “controllers” and data “processors”. Section 6 of SB 5376 spells out the rights of consumers with respect to their personal data, and very much like GDPR, those rights include the right to know what personal data is being held by the entity, the right to access that personal data, the right to have errors in that personal information corrected, and the right ‘to be forgotten’ (to have their personal data deleted). The proposed Washington law applies to companies that do business in Washington and/or that intentionally (which undoubtedly will be construed as ‘knowingly’) target Washington residents, where the company either derives at least half of its revenue from the sale of personal data, or processes data for at least 100,000 consumers.
Massachusetts’ ‘An Act relative to consumer data privacy’ S.120
Massachusetts’ pending privacy legislation, S.120, is not dissimilar to the others, except for a couple of added features: a right to specifically opt out of having the holder of their information share it with third parties (the Section 6 Right to Opt-out of Third Party Disclosure), and a private right of action, meaning that “A consumer who has suffered a violation of this chapter may bring a lawsuit against the business or service provider that violated this chapter.”
Maryland’s ‘Online Consumer Protection Act’ SB0613
Many of the proposed Internet personal data privacy laws include biometric data as one of the protected types of data, as all of the bills are about protecting data with which an individual can be identified. The proposed Maryland law, SB0613, is notable as it explicitly includes keystroke patterns (yes, that’s exactly what it sounds like) in its definition of biometric data.
New York’s ‘Right to Know Act’ HB 224
New York’s effort is an amendment to existing law, and is known as the ‘Right to Know Act’. This amendment to New York’s general business law statute would change the section currently known as ‘NOTIFICATION OF UNAUTHORIZED ACQUISITION’ to, instead, ‘ACQUISITION AND USE OF PRIVATE INFORMATION.’
As the prefatory language to New York HB 224 explains: “Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some web sites are installing up to one hundred tracking tools when consumers visit web pages and sending very personal information such as age, gender, race, income, health concerns, and recent purchases to third-party advertising and marketing companies. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies.
Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies. Consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.”
Rhode Island’s ‘Consumer Privacy Protection’ Act SB234
Rhode Island’s SB234 also calls out keystroke data specifically, and applies to any business that does business in the state of Rhode Island and meets one or more of the following criteria:
(A) Has annual gross revenues in excess of five million dollars
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of fifty thousand or more consumers, households, or devices
(C) Derives fifty percent (50%) or more of its annual revenues from selling consumers’ personal information
Note that Rhode Island also includes ‘devices’, as does the new California law, which states that “Device means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.” The Rhode Island bill says that device “means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.” Hrrrm… word for word California’s definition (see, such a trend-setter!)
Hawaii’s ‘Bill for an Act Relating to Privacy’ SB418
Hawaii’s SB418 also includes devices, and also defines them as “any physical object that is capable of electronic communication through connecting to the Internet, directly or indirectly, or to another device.”
All of this is to protect data that can uniquely be tied to an individual (or individual device), meaning that a consumer or device can be identified from that data. Hawaii elaborates that a “‘Unique identifier’ means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including but not limited to a device identifier; Internet protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone number; or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device,” adding that “‘Identifying information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including but not limited to the following categories:
(1) Identifiers such as a real name, alias, postal address, unique identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, signature, or other similar identifier;
(2) Characteristics of protected classifications under Hawaii or federal law;
(3) Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming history or tendencies;
(4) Biometric information;
(5) Internet and other electronic network activity information including but not limited to browsing history, search history, and information regarding a consumer’s interaction with an internet web site, application, or advertisement;
(6) Geolocation data;
(7) Audio, electronic, visual, thermal, olfactory, or similar recordings;
(8) Professional or employment-related information;
(9) Education records, as defined in title 20 United States Code section 1232g(a)(4);
(10) Medical data;
(11) Insurance information;
(12) Financial information; or
(13) Profiles about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes that are created from inferences from any other information collected from a consumer.”
However, note that, in the Hawaii bill, they specifically state that “‘Identifying information’ does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.” This means that if your personal information is made available to the general public via government records, it may not be covered by some of the protections otherwise afforded to identifying personal information by Hawaii’s SB418.
North Dakota’s ‘Act to provide for a legislative management study of consumer personal data disclosures’ HB 1485
North Dakota’s HB 1485 has the longest name, but the shortest text:
During the 2019-20 interim, the legislative management shall study protections, enforcement, and remedies regarding the disclosure of consumers’ personal data. The study must include a review of privacy laws of other states and applicable federal law. The legislative management shall report its findings and recommendations, together with any legislation required to implement the recommendations, to the sixty-seventh legislative assembly.
North Dakota’s HB 1485 was signed into law at the beginning of this month (April 2019).
New Mexico and Mississippi
Unfortunately, New Mexico’s SB 176, and Mississippi’s HB 1253, were both killed. But we give both states credit for trying to do the right thing!