State(s) of Play — Oct 17, 2023

Welcome to State(s) of Play! Every two weeks, we publish a snapshot on what's moving at the U.S. state level when it comes to privacy bills, to help inform your own privacy project prioritization.

State Privacy Law Updates

California

On October 10, California Governor Gavin Newsom signed into law multiple bills related to data brokers, in-vehicle cameras, and data pertaining to reproductive health and immigration. SB 362, The Delete Act, a measure that will establish a statewide deletion mechanism that allows individuals to submit centralized deletion requests that data brokers must universally honor. Some of the provisions of the law, including the enhanced registry requirements, go into effect as soon as January 31, 2024. 

Additionally, AB 947, a bill amending the definition of sensitive personal information to additionally include personal information that reveals a consumer’s citizenship or immigration status and AB 1194, a bill ensuring that businesses can’t use exemptions under the Consumer Privacy Rights Act (CPRA) to share information about “a consumer accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services.” were also signed into law.

Finally, SB 296, a bill related to in-vehicle cameras was also signed by Newsom. This measure requires that drivers be notified when photographs and video recordings are captured by in-vehicle cameras and would also prohibit companies from selling such data for advertising purposes. 

New York

On October 11, New York Governor Hochul announced a series of bills that would help protect children’s online privacy, including S 3281, the New York Child Data Protection Act. The bill would prohibit all online sites from collecting, using, sharing, or selling personal data of anyone under the age of 18, unless they receive informed consent or unless doing so is strictly necessary for the purpose of the website.

For users under 13, this informed consent must come from a parent. The bill authorizes the NY Attorney General to enforce the law and may enjoin, seek damages, or civil penalties of up to $5,000 per violation. We’ll continue to monitor and provide updates on the bill’s likelihood of passage.

Massachusetts

The state legislature’s Joint Committee on Advanced Information Technology, the Internet and Cybersecurity has scheduled a public hearing for October 19 at 1ET to discuss a number of bills related to data use and data privacy. The bills range from a comprehensive privacy framework to more specific bills relating to biometric and children’s data. We will monitor the hearing and report back on what’s discussed and which bills, if any, are advancing forward.

Maine

State lawmakers are meeting this week to discuss the reintroduction of a statewide privacy bill in 2024. The bill is said to mirror the law that was debated this year, LD 1977, and would seek to prevent companies from collecting unnecessary information, tamp down the use of sensitive data and restrict ads targeted at children. We will report back on what is discussed and what to expect when the legislature reconvenes in January.

Maine's privacy law that prevents voter registration data from being posted online was heard in the First Circuit Court in Boston on October 5. The Public Interest Legal Foundation, which brought the lawsuit, argued federal law allows data to be available for public inspection. 

Federal Privacy Law Updates

Privacy Advocacy Group EPIC Calls on FTC to Investigate Grindr

On October 4, the Electronic Privacy Information Center (EPIC) filed a formal complaint to the FTC on Grindr's potentially unlawful retention and disclosure of users’ sensitive personal data. In its complaint, the group argues Grindr's apparent data practices "expose users to security breaches of highly sensitive data," including health information, sexual preference, age and location data.

FTC, CFPB Announce Settlement Over Fair Credit Reporting Act Violations

On October 12, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) announced a $23 million settlement with credit reporting agency TransUnion over alleged violations of the Fair Credit Reporting Act (FCRA) regarding improper records and report filings.

Advertising Industry Group Pushes Congress on National Privacy Law

The Association of National Advertisers and 4A's kicked off a campaign to influence Congress to pass a national privacy framework. The groups' "Responsible Privacy in Advertising Initiative" builds upon their previously shared self-regulatory code.