Free subscription to the Capitol Journal keeps you current on legislative and regulatory news.
States Sue to Block H-1B Visa Fee The attorneys general of 20 states, led by California and Massachusetts, filed a federal lawsuit aimed at blocking the Trump administration’s new $100,000 fee...
Florida House Speaker Daniel Perez (R) unveiled a two-bill healthcare package aimed at aligning the state with President Trump’s new federal framework. HB 693 would tighten eligibility for Medicaid...
President Donald Trump has waded into one of the most pressing and prevalent issues in state capitols these days: regulating artificial intelligence. In early December, the president said on his Truth...
Federal Government’s Penny Pinching Could Spur States to Set New Rounding Rules for Cash Sales Retailers are pushing for national rules to allow businesses to round cash sales to the nearest nickel...
OH Gov Vetoes Bill to Expand Youth Work Hours Ohio Gov. Mike DeWine (R) vetoed a bill ( SB 50 ) that would have allowed 14- and 15-year-olds to work until 9 p.m. year-round. DeWine said in his veto message...
* The views expressed in externally authored materials linked or published on this site do not necessarily reflect the views of LexisNexis Legal & Professional.
With no action at the federal level, over a dozen states have enacted comprehensive consumer privacy legislation since 2018.
Many of these bills, however, have been significantly watered down by the influence of Big Tech. A recent joint report by the Electronic Privacy Information Center (EPIC) and the Public Interest Research Group (PIRG) gave six of the 14 state laws that had been enacted at that time a grade of F for how well they protect consumers’ privacy. Another three received Ds and two got C-minuses.
That’s 11 state comprehensive privacy laws (nearly 80 percent) with fairly poor grades.
“All across the country, tech and other companies are pushing for weak laws,” wrote R.J. Cross, the director of PIRG’s Don’t Sell My Data Campaign. “Of the 14 laws states have passed so far, all but California’s closely follow a model that was initially drafted by industry giants such as Amazon. From tech to telecomms, there’s a lot of companies making a lot of money in data.”
One of PIRG’s biggest concerns is that these weak laws give companies a great deal of latitude to harvest consumers’ personal information.
But change may be on the horizon with recently passed legislation in Maryland and Vermont bucking Big Tech’s wishes.
Most of the comprehensive data privacy laws states have passed since 2018 do a poor job of protecting consumers’ personal information, according to a recent joint report from the Electronic Privacy Information Center (EPIC) and the Public Interest Research Group (PIRG). Only three of the 14 laws enacted as of the end of January received grades of C or better from the two organizations. But Maryland enacted, and Vermont’s legislature passed, strong data privacy laws last month.
<p> </p>
In early May Maryland’s governor, Wes Moore (D), signed companion bills HB 567 and SB 541, known as the Maryland Online Data Privacy Act or MODPA, which limits the scope of information companies can collect about online users “to what is reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer to whom the data pertains”—a legal standard stricter than other state privacy laws.
“MODPA grants Maryland residents a broad range of data protection rights and requires covered businesses to comply with new data privacy and information security requirements,” wrote attorney Steven G. Stransky, co-chair of the law firm Thompson Hine’s Privacy and Security practice. “In addition, MODPA essentially prohibits targeted advertising with respect to minors under the age of 18, unless proper consent is obtained or other limited exceptions apply. This is a significant deviation from other data privacy laws, which often only require opt-in consent for targeted advertising for consumers who are 13 (or in some instances, 16) years of age or younger.”
A few days after Moore signed MODPA into law, the Vermont legislature passed what PIRG has called “one of the strongest privacy bills nationwide,” HB 121, the Vermont Data Privacy Act, which not only limits the amount of personal information companies can collect on consumers, but also establishes a minimum duty of care for minors and a private right of action allowing individuals to sue businesses for violating the law.
Businesses from Microsoft to the Vermont Country Store have pushed back on the legislation.
“While we wholeheartedly support consumer privacy, we are extremely concerned about provisions in the current version of H.121 that would affect the ability of our businesses and other small to mid-size companies that also do business online,” Vermont Country Store President and CEO Jim Hall wrote in an email to legislators, as VTDigger reported.
Hall’s top two requests were raising the bill’s “way too low” 6,500-customer threshold for applicability and eliminating its private right of action provision.
Those concerns spurred changes to the measure in the Senate, including the quadrupling of the business applicability threshold to 25,000 customers. And Sen. Kesha Ram Hinsdale (D), the chair of the Senate Committee on Economic Development, Housing and General Affairs, considered doing away with the private right of action completely to avoid potential class-action lawsuits that could “annihilate a business.”
But the version that was ultimately approved by both chambers retained the private right of action, applicable to companies that collect data on more than 100,000 consumers a year.
The bill’s enactment is not a slam dunk, however. Vermont Public reported that Gov. Phil Scott (R) is considering a veto, largely because of the bill’s inclusion of a private right of action.
Still, the bill’s passage on the heels of Maryland’s law suggests a counter trend may be emerging.
—By SNCJ Correspondent BRIAN JOSEPH
Visit our webpage to connect with a LexisNexis® State Net® representative and learn how the State Net legislative and regulatory tracking service can help you identify, track, analyze and report on relevant legislative and regulatory developments.