Vermont and Washington state will soon introduce comprehensive privacy bills, while Connecticut will have a bill that would add data minimization rules and make other changes to its 2022 law, legislators told Privacy Daily ahead of sessions starting this month. Also, legislators in Oklahoma and South Carolina prefiled bills last month for the 2025 legislative sessions. Additional privacy bills are expected this year in several other states, said privacy lawyers and consumer advocates in other interviews.
New England next year might become the first U.S. region where all states have comprehensive privacy laws, a Computer & Communications Industry Association official said Wednesday as CCIA released a report on state privacy. “Much of the activity around new privacy protections took place in northeastern states this year with New Hampshire and Rhode Island passing privacy bills, while Maine and Vermont failed to get data privacy laws across the finish line,” said Alex Spyropoulos, CCIA Northeast regional policy manager. CCIA will be watching the latter two states and Massachusetts to pass bills next year, he said. “Some of the conflicts within states that didn’t ultimately pass bills were due to disagreements over standards or definitions and trying to match those with Europe’s privacy laws.” CCIA State Policy Manager Jordan Rodell urges states considering comprehensive privacy bills in 2025 to prioritize aligning their policies with other states’ laws. The CCIA report noted that many states have harmonized definitions and business requirements, but Maryland last year diverged from the pack with strict data minimization rules. “This approach could inadvertently stifle innovation and business activity within the state by limiting the flexibility of covered entities to leverage collected data for new and potentially beneficial purposes.”
Tech industry groups urged South Dakota lawmakers to hit the brakes on a possible age-verification bill. The legislature’s Study Committee on Artificial Intelligence and Regulation of Internet Access is weighing three proposals requiring age verification of children when accessing apps from app stores. “If enacted, such proposals would almost assuredly violate South Dakotans’ First Amendment rights, weaken their privacy, and fail to keep kids safe online,” NetChoice wrote Wednesday. Industry is litigating age-verification measures in several other states. “Implementing such a measure in South Dakota would likely meet the same fight and lead to costly legal challenges without providing any real benefits to the state's residents,” NetChoice added. Requiring companies to verify ages and parental consent “raise[s] significant privacy concerns,” the Computer & Communications Industry Association wrote to the study committee earlier this week. “The proposed act suggests imposing a government-mandated requirement that conflicts with data minimization principles ingrained in standard federal and international privacy and data protection compliance practices,” said CCIA. The association added, “Age verification solely at the device operating system or application store level overlooks access to websites via desktop or other devices.”
Two consumer privacy organizations assembled a model privacy bill for states that includes a private right of action, making it unlike legislation in nearly all the 20 states that have comprehensive privacy laws. Basing their model bill on the Connecticut Data Privacy Act, Consumer Reports and the Electronic Privacy Information Center said the aim of the model bill is to fill “loopholes” in that measure. Industry likes -- and many state legislators are familiar with -- the Connecticut law, CR and EPIC said Tuesday. Notably, though the model bill has a private right of action, it's narrow and wouldn’t allow lawsuits against small businesses. Under the model bill, consumers could seek relief, including at least $5,000 in damages per violation, from larger companies. Moreover, the model bill provides enforcement by a state attorney general, district attorney or city corporation counsel, and the AG would have rulemaking authority. Most states with privacy bills allow AG enforcement only. The model bill calls for a 60-day right to cure for a limited time. Also, unlike the Connecticut law, the model bill requires data minimization, which limits the amount of data businesses collect from the start. In addition, the CR and EPIC model adds protections for children and sensitive data and clarifies advertising rules contained in the Connecticut bill. When considering specific industries like healthcare that federal privacy law covers, the model bill makes exemptions based on the type of data, unlike the Connecticut law, which does so based on the type of entity. As in the Connecticut law, the CR/EPIC model supports browser-based, global opt-out mechanisms. “The State Data Privacy Act was developed in an effort to more meaningfully protect user privacy than we’ve seen in many state laws, while also retaining a format more familiar to state policymakers,” said Matt Schwartz, CR policy analyst.
EPIC Deputy Director Catriona Fitzgerald added, “This proposal sets out rules allowing companies to collect and use data in ways consumers expect while putting a stop to the data abuses that happen outside of their view.” Public Knowledge, the Center for Democracy and Technology and the Public Interest Research Group support the model bill, CR and EPIC said. Fitzgerald emailed us Wednesday, "Our next step is to work to get folks [committed] to introduce it."
Amazon, Meta, Google, TikTok and other companies should change their data “surveillance” practices to improve user privacy, the FTC said Thursday, concluding a probe the Trump administration started. The FTC issued a staff report with recommendations for nine companies that received orders in December 2020 (see 2012140054). Republican commissioners said in statements that some of the recommendations exceed the FTC’s authority. The report details how companies “harvest an enormous amount” of data and monetize it for billions of dollars annually, Chair Lina Khan said. “These surveillance practices can endanger people’s privacy, threaten their freedoms, and expose them to a host of harms.” The agency issued Section 6(b) orders to Amazon, Facebook, YouTube, X, Snap, ByteDance, Discord, Reddit and WhatsApp. Staff recommended data minimization practices, targeted advertising limits and more-stringent restrictions for children. The commission voted 5-0 to issue the report, but Commissioners Andrew Ferguson and Melissa Holyoak dissented in part. Ferguson argued that some of the FTC’s recommended actions for companies exceed agency authority: “We are not moral philosophers, business ethicists, or social commentators. ... [A]s Beltway bureaucrats, our opinion on these matters is probably worth less than the average American’s.” Some of the recommendations are “thinly-veiled threats,” he said. Ferguson cited the recommendation that companies not willfully ignore user age because it won’t “help companies avoid liability under” the Children’s Online Privacy Protection Act. Holyoak said some of the agency’s recommendations could chill online speech. For example, should a company follow recommendations to redesign algorithms for classes the agency deems “protected,” it could undermine the speech rights of certain populations. The report “fails to robustly explore the full consequences of its conclusions and recommendations,” she added. 
Khan in her statement denied the report “somehow endorses or encourages the platforms to disfavor certain viewpoints.” The report directly states that it doesn’t “address or endorse any attempt to censor or moderate content based on political views,” said Khan.
Responding to state budget cuts in the Broadband Loan Loss Reserve Fund Program (BLLRF), the California Public Utilities Commission clarified Thursday during a meeting that it will award just $50 million of the originally planned $750 million. The program was meant to support broadband deployment costs for nonprofits, local and tribal governments. But at the same livestreamed session, commissioners approved about $91 million in grants from the federal funding account (FFA) for 10 last-mile projects.
The FTC should rely more heavily on statutory text when writing rules, given the U.S. Supreme Court’s recent reversal of Chevron, FTC Commissioner Melissa Holyoak told us Wednesday (see 2407090044 and 2406280043). Chevron could significantly affect the FTC, given its aggressive rulemaking approach under Chair Lina Khan, legal experts told us in interviews.
Multiple consumer privacy advocates urged Rhode Island legislators to halt passage of weak privacy protections. The Senate voted 36-1 to pass the comprehensive bill (S-2500) on Wednesday. The “critical bill” is a “marriage” of Connecticut’s privacy law and the work of a Rhode Island commission, said sponsor Sen. Louis DiPalma (D) at the livestreamed floor session. The commission included five legislators, Attorney General Peter Neronha (D) and Verizon, TechNet and the New England Cable and Telecommunications Association. Sen. Samuel Bell (D) voted no. During a committee meeting earlier this week, he said the bill was too weak. The House passed the similar H-7787 earlier. Consumer Reports, which signaled its opposition previously (see 2406110033), joined with the Electronic Privacy Information Center and Restore the Fourth in a Tuesday letter. The proposed comprehensive privacy law “would do little to protect Rhode Island consumers’ personal information, or to rein in major tech companies like Google and Facebook,” they wrote. “The bill needs to be substantially improved before it is enacted; otherwise, it would risk locking in industry-friendly provisions that avoid actual reform.” The groups suggested several changes, including adding data minimization rules and requiring that companies honor browser-based privacy signals as global opt-outs. Also, they said the bill's privacy notice rules should cover all data controllers, not just commercial websites and ISPs. Cut the proposed exemption for pseudonymous data and narrow another carveout for loyalty programs, they said. In addition, adding a private right of action will strengthen enforcement, the groups said.
Another comprehensive state privacy bill is moving quickly toward the finish line. The Rhode Island House voted 70-1 on Monday, approving H-7787 with some floor amendments. Meanwhile, the state's Senate Commerce Committee voted 7-1 to advance the similar S-2500. Tech industry groups supported the measure; however, a state senator and a consumer group said the Rhode Island legislation is too weak.
The tech industry urged Vermont Gov. Phil Scott (R) to veto the state’s privacy bill. Vermont could be the first state to include a broad private right of action. That and other “outlier provisions” have led businesses to lobby Scott to kill the measure, a Wiley lawyer said Wednesday (see 2405290072). In a Thursday letter to Scott, the Computer & Communications Industry Association said it was concerned about differences between Vermont’s bill and other states’ privacy laws, such as “the inclusion of a private right of action, the definition of ‘sale’, the language included around targeted advertising, and data minimization principles.” Allowing consumers to sue businesses, “the measure would open the doors of Vermont’s courthouses to plaintiffs advancing frivolous claims with little evidence of actual injury,” CCIA wrote, adding that other states vest enforcement with their attorneys general. “We encourage you to resist signing legislation that poses significant compliance and constitutional concerns.” The legislature passed the bill (H-121) May 10 but hasn't sent it to Scott yet. Once the governor receives the bill, he will have five days to veto it or it will become law. Scott's office didn’t comment.