Md. Senate Privacy Bill Needs Work, Says Finance Chair

Maryland senators will convene a workgroup to hash out differences with opponents to a state privacy bill, they said at a livestreamed Senate Finance Committee hearing Wednesday. SB-11 sponsor Sen. Susan Lee (D) said Maryland shouldn’t model a bill on Virginia’s law and can’t wait for a national law. TechNet Executive Director-Northeast Chris Gilrein said Virginia’s law is best in the absence of congressional action.

Finance Chair Delores Kelley (D) said Lee made “a good case that there is a real bad problem” but asked how Maryland can take responsibility for international companies. Kelley suggested a “two- or three-week work group” to “look at the alternative that many with expertise think might be better and more reasonable.” Lee agreed. Sens. Ben Kramer (D) and Katherine Klausmeier (D), plus bill opponents from the Maryland Retailers Association and Consumer Data Industry Association, said they would join.

Virginia’s law "does not protect children,” and top consumer advocates say it was passed without their input, Lee said earlier. "We should start with our own standards." The state senator doubted there will be a federal law soon. A Congress "that can't even pass voting rights with a simple majority is certainly not going to move the privacy law," said Lee. "If anything, they will block the gains made in states like California.” Lee added that she’s "not moving to California just to get common-sense privacy protections.”

Based partly on the California Consumer Protection Act, Maryland’s SB-11 would use California’s thresholds for determining to whom the bill applies and let consumers opt out of selling personal data, said Lee: Children under 16 would be automatically opted out. It would amend an existing state consumer protection law that allows enforcement through the attorney general and private lawsuits. Sen. Justin Ready (R) raised concerns that SB-11 puts the onus on businesses that might not be the entity sharing the data. Ready said he isn’t against more disclosure.

Maryland’s AG office supports SB-11, said Maryland Assistant Attorney General Hanna Abrams. Maryland has authority if companies are dealing with state residents, she said. The bill considers some business concerns by choosing an opt-out rather than opt-in model and incorporating some exemptions, and it applies only to companies that already have to comply with California’s law, Abrams said.

Virginia’s law is better for businesses, said TechNet’s Gilrein: SB-11’s private right of action (PRA) “creates massive liabilities for companies.” If TechNet members can all comply with California’s law, "why would the same 80 companies not be able to comply with the exact same law in the state of Maryland?" Kramer asked. Gilrein responded, "They are in compliance. The question is, at what cost?" The “dream scenario” is a federal privacy law, but second best would be state laws that are “as interoperable and clear and explicit as possible,” he said.

Consumer Reports supports SB-11 because it includes a PRA, requires companies to honor browser opt-outs and gives the AG rulemaking authority to keep the measure updated, said Senior Policy Analyst Maureen Mahoney.

The Maryland bill "uses confusing language that will prevent essential data sharing required in an online ecosystem,” said Maya McKenzie, Entertainment Software Association tech policy counsel. Don’t include a PRA, she said. "The plaintiffs’ bar is very likely to go after businesses alleging the smallest of violations, resulting in costly legal expenses."

Maryland’s House Economic Matters Committee plans a hearing Feb. 2 on a biometric privacy bill. Delaware and Washington state legislators held privacy hearings Tuesday (see 2201250060).