Privacy Law Developments Thus Far In 2024
2024 marks a significant year for consumer privacy legislation in the United States, with new laws set to take effect in Florida, Oregon, Montana, and Texas, alongside stringent measures in New York, Massachusetts, and California. Notably, California’s Age-Appropriate Design Code Act expands online privacy protections for minors, Massachusetts is considering comprehensive privacy bills, and New York is advancing significant data privacy legislation, highlighting a growing trend towards stronger consumer privacy protections in the absence of comprehensive federal privacy legislation.
California Age-Appropriate Design Code Act
The California Age-Appropriate Design Code Act (CAADCA), signed into law on September 15, 2022, represents a significant shift in online privacy protections for minors under 18 in California. Set to take effect on July 1, 2024, the CAADCA extends beyond the scope of the federal Children’s Online Privacy Protection Act (COPPA), which only covers children under 13. The CAADCA applies to businesses that meet the California Consumer Privacy Act (CCPA) definition of a business and provide online services, products, or features likely to be accessed by children. Whether a service is likely to be accessed by children is determined by factors such as:
- Being directed to children as defined by COPPA
- Routinely accessed by a significant number of children, based on audience composition evidence
- Marketing advertisements to children
- Utilizing design elements appealing to children (e.g., games, cartoons, celebrities)
- Internal company research indicating a significant child audience
Key requirements of the CAADCA include:
- Data Protection Impact Assessments (DPIAs): Businesses must conduct DPIAs before offering services likely to be accessed by children and review them biennially.
- Privacy by Default: Automatically configure the highest level of privacy settings for children users.
- Age Estimation: Implement methods to estimate user age with reasonable certainty.
- Transparent Communication: Provide privacy information, terms of service, and policies in clear, concise language suitable for the identified age groups.
- Monitoring Signals: Give children obvious signals when they are being monitored or tracked.
- Accessibility: Provide easily accessible tools for children to exercise privacy rights and report concerns.
- Data Minimization: Prohibit collection and use of personal information not necessary for the service.
- Geolocation and Profiling Restrictions: Ban collection of precise geolocation and profiling unless there is a compelling reason.
Enforcement of the CAADCA will be overseen by the California Privacy Protection Agency (CPPA), which must publish regulations and guidelines by April 1, 2024. Violations can result in civil penalties of up to $2,500 per affected child for negligent violations and $7,500 for intentional violations. It’s worth noting that on September 18, 2023, a preliminary injunction was issued by the District Court for the Northern District of California, preventing the enforcement of the CAADCA due to potential First Amendment violations. This legal challenge highlights the complex balance between child protection and constitutional rights in the digital age. Despite this setback, the CAADCA has already inspired similar legislation in other states, including Connecticut, Maryland, Minnesota, Oregon, New Jersey, New Mexico, and Nevada. This trend suggests a growing recognition of the need for enhanced online protections for minors across the United States.
Massachusetts Privacy Act Overview
Massachusetts is actively working towards establishing comprehensive data privacy legislation, with two key bills currently under consideration: the Massachusetts Information Privacy and Security Act (H. 60) and the Massachusetts Data Privacy Protection Act (S. 25). These proposed laws aim to position Massachusetts at the forefront of U.S. state privacy regulations. Both bills would apply broadly to organizations in Massachusetts, from small nonprofits to large multinational corporations, with varying compliance requirements based on the size and activities of the organization. Key features of these proposed laws include:
- Data Minimization: The Massachusetts Data Privacy Protection Act would impose a data minimization principle, limiting data collection, use, and disclosure to what is “necessary and proportionate” for specific enumerated purposes.
- Private Right of Action: Unlike most other state privacy laws, the Massachusetts Data Privacy Protection Act would create a private right of action for violations of any provision, potentially changing the landscape of privacy law enforcement in the U.S.
- Workplace Monitoring Restrictions: The Massachusetts Data Privacy Protection Act would impose restrictions on workplace monitoring and electronic surveillance, limiting such activities to specific enumerated purposes and requiring the least invasive methods.
- Data Broker Registry: Both bills propose establishing a data broker registry, similar to those already implemented in California and Vermont.
- Broad Applicability: The laws would apply to all organizations dealing with personal information of Massachusetts residents, not just those located in or conducting business in the state.
- Comprehensive Personal Information Definition: The laws define personal information to include first and last names, Social Security numbers, driver’s license or state-issued identification numbers, and financial account numbers.
- Written Information Security Program (WISP): Organizations would be required to implement a WISP, considering factors such as the scale, scope, nature, and quantity of data collected or stored.
- Specific Security Standards: The laws would establish minimum security standards for computer systems, including secure user authentication, data encryption, and firewall defenses.
- Third-Party Service Provider Requirements: The laws would require third-party service providers to maintain adequate security measures to protect personal information.
Enforcement of these proposed laws would likely be the responsibility of the Massachusetts Attorney General, with potential civil penalties of up to $5,000 per violation. It’s important to note that these bills are still pending before the Massachusetts Joint Committee on Advanced Information Technology, the Internet and Cybersecurity, which must finalize the proposed legislation before consideration by the General Court. The committee has indicated that it will mark up a bill based on testimony from a hearing held in October 2023, suggesting that the final legislation may incorporate elements from both proposed bills. As these bills progress through the legislative process, organizations operating in Massachusetts should closely monitor developments and begin preparing for potential compliance requirements. The proposed legislation represents a significant step towards comprehensive privacy protection in the state, potentially surpassing the strictness of existing laws in other jurisdictions.
New York Data Privacy Legislation Developments
New York is making significant strides in data privacy legislation with two key bills currently under consideration: the New York Privacy Act (S365B) and the New York Data Protection Act (S4201). These proposed laws aim to strengthen consumer privacy rights and impose new obligations on businesses handling personal data. The New York Privacy Act (S365B) is the more comprehensive of the two bills, having passed the Senate on June 3, 2024, with a vote of 41-19. Key features of S365B include:
- Applicability: The act applies to businesses that conduct operations in New York or produce products/services targeted at New York residents, and meet one of the following criteria:
- Data Controller Categories: The act defines three distinct categories of entities handling consumer data:
- Consumer Rights: The act grants New York consumers several rights regarding their personal data, including:
- Sensitive Data: The act establishes a category of “sensitive data” requiring higher protections, including health information, racial/ethnic origin, precise geolocation, and government-issued identifiers.
- Transparency Obligations: Businesses must provide clear disclosures about their data collection and processing practices.
The New York Data Protection Act (S4201), while less comprehensive, focuses on government entities and contractors. Key provisions include:
- Disclosure Requirements: Government entities and contractors must disclose certain personal information collected about individuals.
- Individual Rights: The act grants individuals the right to request disclosure and deletion of their personal information held by government entities and contractors.
- Shared Information Regulations: The act outlines rules for sharing personal information between government entities or contractors.
- Non-shareable Information: Certain types of personal information are designated as non-shareable.
Both bills are still in the legislative process. S365B has passed the Senate and is currently in the Assembly Consumer Affairs and Protection Committee. S4201 is in the Senate Investigations and Government Operations Committee. These proposed laws represent a significant shift in New York’s approach to data privacy, aligning the state more closely with other jurisdictions that have enacted comprehensive privacy legislation. If passed, these laws would require businesses and government entities operating in New York to substantially revise their data handling practices and privacy policies. It’s worth noting that the potential enactment of federal privacy legislation, such as the proposed American Privacy Rights Act (APRA), could preempt these state laws. However, until such federal legislation is passed, New York’s efforts to strengthen data privacy protections continue to progress through the state legislature.