Washington State Privacy Bill Hits 'Impasse'; Maryland Reconsiders Its Bills

Washington state lawmakers couldn’t agree on a privacy bill for the second straight year, appearing to run out of time on the session's last day, amid a growing public health crisis. A related facial recognition bill was still alive Thursday afternoon. Maryland legislators punted privacy and net neutrality proposals until next year, legislators told us Thursday. California Attorney General Xavier Becerra (D) sought comments Wednesday on a second set of revisions to proposed regulations to implement the California Consumer Privacy Act.

“The impasse remains a question of enforcement,” said Washington state Sen. Reuven Carlyle (D), sponsor of SB-6281. “I continue to believe that strong attorney general enforcement to identify patterns of abuse among companies and industries is the most responsible policy and a more effective model than the House proposal to allow direct individual legal action against companies.” Carlyle is “deeply disappointed” after two near unanimous votes in the Senate this year and last on the bill.

Washington's facial recognition bill (SB-6280) was headed back to conference committee Thursday afternoon. A House-Senate conference committee appeared to agree Wednesday on that measure. But senators Thursday didn't adopt the SB-6280 committee’s report, which followed the House’s preference of including the private usage section that the Senate originally put in the main privacy bill, as expected (see 2003090051).

One complication was the novel coronavirus taking legislators’ attention. The COVID-19 outbreak in Washington state “demanded a lot more attention in the final hours from pretty much everyone on the legislative campus,” emailed a House Democrats spokesperson.

Maryland lawmakers plan to consider comprehensive privacy legislation next year rather than act now on the proposed Maryland Consumer Protection Act by Del. Ned Carey (D). HB-784, based on CCPA, “will be amended to provide that the Joint Cyber Security Committee form a workgroup to study the issue for the purpose of developing legislation for next year,” House Economic Matters Vice Chair Kathleen Dumais (D) emailed us Thursday. Carey didn’t comment.

A separate Maryland bill to create net neutrality and ISP privacy rules like those repealed at the federal level is dead for the third straight year, said Dumais and sponsor Del. Kirill Reznik (D). HB-957 “was definitely up for a vote and going to get voted down,” Reznik said. “The advocates asked me to withdraw the bill so it didn't get a negative vote. We will try again next year.” Dumais opposed the measure (see 2003060037).

Economic Matters voted unanimously against a location privacy bill to require opt-in consent and disclosure before businesses can collect, use, store or disclose geolocation information from a location-based app. Comcast urged lawmakers last month to wait on HB-1389 until a Maryland working group looks at privacy issues over the summer (see 2002260057).

The California AG’s latest edits to CCPA rules respond to about 100 comments on a first set of edits released last month (see 2002070054), the AG office said Wednesday. Comments are due by March 27 on the modifications. CCPA took effect Jan. 1 and the AG expects to start enforcing the law July 1.

The additional comment period “delays publication of final regulations and further shortens the time businesses will have to drive compliance before the July 1, 2020, enforcement date,” Husch Blackwell attorneys blogged Thursday. “Given that final regulations will not be published until April (at the earliest), businesses will only have three months to comply with the final regulations.” Kelley Drye lawyers blogged, “The limited number of changes signals that the rulemaking process is reaching an end.”

“A business that does not collect personal information directly from a consumer does not need to provide a notice at collection to the consumer if it does not sell the consumer’s personal information,” said one proposed addition. Privacy policies should identify categories of sources from which personal information is collected and the business or commercial purpose for collecting or selling that information, said another change. Upon receiving a consumer request, businesses should “inform the consumer with sufficient particularity” that it collected sensitive information without actually disclosing that information.

The AG fleshed out an exemption for when it’s OK for service providers to retain, use or disclose personal information obtained while providing service. It was to “perform the services specified in the written contract with the business that provided the personal information.” Now, it reads: “To process or maintain personal information on behalf of the business that provided the personal information, or that directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA.” Information maintained for record-keeping purposes shouldn’t be shared with third parties “except as necessary to comply with a legal obligation,” said another change.

The AG scrapped a suggested opt-out button and guidance on how to interpret if information is personal. Employee notices no longer must provide a link to any privacy policies.