Louisiana Panel Clears Eleventh-Hour Edits to Privacy Bill
Some bristled at a Louisiana legislator proposing changes to a sweeping privacy bill on the Friday before a Monday legislative hearing. The House Commerce Committee cleared HB-987 by voice with Microsoft-backed amendments. Committee members from both parties listed issues they want addressed as the bill moves to the floor.
Louisiana’s bill initially looked more like Utah’s privacy law, which many state bill watchers consider to be one of the most business-friendly measures. Amendments included adding a section requiring data protection assessments and changing definitions of sale, consent, identifiable individual and biometric data. Sale would now mean exchanging data for not only monetary but also other valuable considerations. Other amendments would give consumers a right to correct inaccurate data and to delete all their personal data, rather than only data they provided to the controller as under the earlier draft.
Amendments weren’t made public until Friday, noted Rep. Thomas Pressly (R) at the livestreamed hearing. “The timeline on that … is a little bit challenging with a 9:30 [a.m.] meeting on Monday.” TechNet supported the original bill but didn’t have time to form a consensus among members about amendments, said its lobbyist Larry Murray of The Capitol Group: "Fair to say people had problems with the amendments." The group is “prepared to continue working” with sponsor Rep. Daryl Deshotel (R), Murray said.
Seeking “total transparency,” sponsor Deshotel said he tried to send a redlined version of the bill Friday to as many people as possible. Deshotel didn’t get some comments back until Monday morning, when it was too late to make more changes at the committee level, he said. However, he promised to work with parties on concerns before the bill goes to the floor. Describing his amended bill as a combo of Utah, Colorado and Virginia laws, Deshotel said he wants to avoid creating a “hodgepodge” of data privacy laws across many states. Louisiana legislators adjourn June 6.
Pressly asked if Microsoft helped draft HB-987. Microsoft reviewed “the amendments and we like them,” said Jadzia Pierce, the company’s director-global privacy policy. She sat next to Deshotel and answered multiple questions for him during the hearing.
"I'm not saying that it's an unworkable bill," said Rep. Edmond Jordan (D), but "it's a bill that needs a lot of work still.” He asked if the bill might be outdated in a few years with the rise of Web 3.0 and blockchain. Deshotel agreed Web 3.0 is the future but thinks his bill sets a framework that can be updated.
Jordan raised concerns about no private right of action, with the bill proposing that penalty revenue, based on actual damages, goes into a fund rather than back to the consumer. “If it's my actual damages, why can't I recover my actual damages?” he asked. "That just doesn't make a lot of sense to me." The current bill would be enforced solely by the Louisiana attorney general.
Jordan sought more limits on to whom companies can sell data, and asked why the bill’s protections for kids don’t define a child as 17 or 18 and younger, rather than at most 13 years old in the bill. Deshotel said he’s open to raising the age and agreed a 14-year-old needs as much protection as a 13-year-old.
Consumers should be able to opt out from many sites at once using their web browser, said Rep. Eric Tarver (R). HB-987 doesn’t currently allow that, though some other states require it, said Pierce.
Other States
Connecticut could soon become the fifth state to pass a comprehensive law after California, Virginia, Colorado and Utah. Its bill passed the legislature but needs gubernatorial approval (see 2204290036). Gov. Ned Lamont (D), who has until May 20 to act on the bill or it automatically becomes law, is expected to sign, Foley & Lardner attorney Steven Millendorf blogged Thursday.
Some trends became clear after Connecticut's bill passed, Holland & Knight attorneys Rachel Marmor and Ashley Shively blogged last week. “California is an outlier in extending rights to workforce members and business-to-business contacts” and “in containing any sort of private right of action,” they said. “The emerging trend is for laws to require notice and certain consumer rights, opt-in consent for processing of sensitive personal information in some circumstances, data minimization and other data management obligations, to require data protection impact assessments, and protection of personal information when shared with vendors.”
“The question remains regarding how many states must pass similar laws” before the federal government acts, Epstein Becker attorneys blogged Monday. A federal law seems unlikely soon, with “privacy legislation fizzling at various stages within Congress,” but “even in these early days of state action on privacy … the writing on the wall appears to be coming into focus.”
The Delaware House voted 27-13 Thursday to pass a data broker transparency bill HB-262. The measure would require companies that collect and sell information of more than 500 Delawareans to register and fill out a questionnaire with the state's DOJ, which then would share information with consumers on a website (see 2204130067). It went to the Senate Banking, Business and Insurance Committee.
A Pennsylvania privacy bill is scheduled for hearing May 25 in the House Consumer Affairs Committee.