Federal Laws Related to Privacy.
A sectorial framework protects personal information and privacy interests under various federal laws. Key federal statutes related to privacy include:
Comprehensive Privacy Laws in Other States.
While no single general privacy law exists at the federal level, two states have recently enacted comprehensive data privacy laws that regulate the collection and sharing of personal information.
The California Consumer Privacy Act (CCPA), which took effect in 2020, regulates the collection, use, and sharing of personal information; and provides California residents with certain data rights, such as the right to access or delete collected personal information and to opt out of the sale of personal information to third parties. In November 2020, California residents approved a ballot initiative titled the California Privacy Rights Act (CPRA), which amends and expands the CCPA and establishes a new enforcement agency dedicated to consumer privacy. The CPRA takes effect January 1, 2023.
Signed into law in early March 2021, the Virginia Consumer Data Protection Act (VCDPA) regulates the collection and use of consumer personal data and grants Virginia residents the rights to access, correct, delete, know, and opt out of the sale and processing of their personal data for targeted advertising purposes. The VCDPA goes into effect January 1, 2023.
Privacy Protection in Washington.
The Washington Constitution provides that no person shall be disturbed in their private affairs without authority of law. Similarly to the federal sectorial approach, different state statutes define permitted conduct and specify the requisite level of privacy protections for medical records, financial transactions, student information, and other personal data.
The Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection. The OPDP also serves as a resource to local governments and the public on data privacy and protection concerns.
Contact Tracing and the Use of Digital Technologies in Public Health.
Case investigation and contact tracing are core public health strategies used to reduce the spread of communicable diseases, such as COVID-19. Case investigation is the identification and investigation of patients with a confirmed and probable diagnosis of a disease. Contact tracing is the subsequent identification, monitoring, and support of a patient's contacts who have been exposed to, and possibly infected with, the virus. In Washington, local health departments, with the support of the Department of Health (DOH), are responsible for performing case investigations and contact tracing.
During the COVID-19 pandemic, digital exposure notification apps and other digital health tools have been developed for use in several countries and states in an effort to reduce reliance on human recall and to facilitate a pandemic response without relying on the resource constraints of traditional contact tracing. In December 2020, the DOH launched an exposure notification technology known as WA Notify, which works by exchanging random anonymous codes with the nearby phones that have WA Notify enabled and anonymously notifies a user if he or she has been in close contact with another user who tested positive for COVID-19. The technology does not know or track users' identity or location, and the exposure notifications do not contain any information about who tested positive or where the exposure may have happened.
Consumer Personal Data Privacy.
Part 1 of the Washington Privacy Act establishes consumer personal data rights and identifies responsibilities of controllers and processors of personal data.
Key Definitions and Jurisdictional Scope.
"Consumer" means a natural person who is a Washington resident acting only in an individual or household context. "Consumer" does not include a natural person acting in a commercial or employment context.
"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" includes pseudonymous data but does not include deidentified data or publicly available information.
Controllers and processors are legal entities that conduct business in Washington or produce products or services that are targeted to Washington residents and meet the following thresholds:
For purposes of these thresholds, "consumer" does not include payment-only transactions where no data about consumers are retained.
Consumer personal data provisions do not apply to:
Certain personal data are exempt only to the extent that the collection or processing of that data is in compliance with federal and state laws to which the data are subject and which are specified in the exemptions.
Institutions of higher education and nonprofit corporations are exempt until July 31, 2026.
Consumer Rights Concerning Personal Data.
With regard to the processing of personal data, a consumer has the following rights:
The parent or legal guardian of a known child may exercise consumer personal data rights on the child's behalf. If a controller processes personal data of a consumer subject to guardianship, conservatorship, or other protective arrangement, the guardian or conservator may exercise consumer personal data rights on behalf of the consumer.
Beginning July 31, 2023, a consumer may exercise the rights to opt out of the processing for purposes of targeted advertising or sale of personal data:
Except for the right to opt out, the consumer personal data rights do not apply to pseudonymous data where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information. Additionally, a controller is not required to comply with a consumer personal data right request if the controller is unable to authenticate the request using commercially reasonable efforts. The authentication requirement does not apply to the right to opt out.
A controller must comply with the request to exercise the right to opt out as soon as feasible, but no later than 15 days of receiving the request. A controller must inform the consumer of any action taken on requests to access, correct, delete, or obtain a copy of the consumer's personal data within 45 days of receiving the request. This period may be extended once by 45 additional days where reasonably necessary, provided that the controller informs the consumer of the extension and the reasons for the delay within the first 45-day period.
If a controller does not take action on a request, the controller must inform the consumer within 45 days of receiving the request and provide reasons for not taking action, as well as instructions on how to appeal the decision with the controller.
Controllers must establish an internal process by which a consumer may appeal a refusal to take action on the consumer's personal data right requests. Within 30 days of receiving an appeal, the controller must inform the consumer of action taken or not taken in response to the appeal and provide a supporting written explanation. This period may be extended by 60 additional days, provided that the controller informs the consumer of the extension and the reasons for the delay within the initial 30-day period.
When informing a consumer of any action taken or not taken in response to an appeal, the controller must clearly and prominently provide the consumer with information about how to file a complaint with the Consumer Protection Division of the Office of the Attorney General. In addition, controllers must provide consumers with an electronic mail address or other online mechanism through which the consumers may submit the results of an appeal and supporting documentation to the Attorney General.
A controller must maintain records of all appeals and the controller's responses to appeals for at least 24 months and must compile and provide a copy of appeal records to the Attorney General upon request.
Information provided to a consumer pursuant to a personal data right request must be provided free of charge, up to twice annually. If a request from a consumer is manifestly unfounded or excessive, the controller may charge a reasonable fee or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request.
Responsibilities of Controllers and Processors.
Controllers determine the purposes and means of the processing of personal data. Processors process personal data on behalf of a controller pursuant to a contract that sets out the processing instructions, including the nature, purpose, and duration of the processing. Whether an entity is a processor or a controller with respect to specific processing of personal data is a fact-based determination.
A controller or processor that uses deidentified or pseudonymous data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the deidentified or pseudonymous data are subject.
In addition, controllers must conduct a data protection assessment of each of the following processing activities:
Data protection assessments must identify and weigh the benefits of processing to a controller, consumer, other stakeholders, and the public against the risks to the rights of the consumer. Data protection assessments conducted for the purpose of complying with other laws may qualify if they have a similar scope and effect.
The Attorney General may request that a controller disclose any data protection assessment relevant to an investigation conducted by the Attorney General and evaluate the assessment for compliance with the controller responsibilities under this act and other laws, including the Consumer Protection Act. Data protection assessments disclosed to the Attorney General are confidential and exempt from public inspection.
Controllers may not process:
Additionally, controllers may not retaliate against a consumer for exercising consumer rights, including by charging different prices or rates for goods and services or providing a different quality of goods and services to the consumer. The nonretaliation requirement does not prohibit a controller from offering different prices or rates of service to a consumer who voluntarily participates in a bona fide loyalty or rewards program. If a consumer exercises the right to opt out, personal data collected as part of a loyalty or rewards program may not be sold to a third-party controller unless specified conditions are met.
Processors are responsible for adhering to the processing instructions and assisting controllers in meeting their obligations. In addition, processors must implement and maintain reasonable security procedures to protect personal data and ensure confidentiality of processing and may engage subcontractors only after specified requirements are met.
Limitations to the Responsibilities of Controllers and Processors.
Controllers and processors are not required to do the following in order to comply with this act:
In addition, the obligations imposed on controllers or processors do not restrict their ability to take certain actions, including:
The controller bears the burden of demonstrating that the processing qualifies for an exemption and complies with specified requirements. Personal data processed pursuant to an exemption may be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the exempt purposes, and must not be processed for any other purposes.
A consumer may bring a civil action for the violations of consumer rights, anti-discrimination provisions, or consent requirements for processing of sensitive data or personal data of minors. Remedies are limited to appropriate injunctive relief. The court must award reasonable attorneys' fees and costs to any prevailing plaintiff.
Except for the private right of action limited to certain violations, the Attorney General has exclusive enforcement authority under the Consumer Protection Act. Prior to filing a complaint, the Attorney General must provide the controller or processor with a warning letter identifying the alleged violations. If the controller or processor fails to cure any alleged violation within 30 days, the Attorney General may bring an action against the controller or processor. This right to cure expires July 31, 2023, after which date the courts must consider, as mitigating factors, a controller's or processor's good faith efforts to comply and any actions to cure or remedy the violations before an action is filed.
All receipts from the imposition of civil penalties must be deposited into the Consumer Privacy Account created in the State Treasury. Funds in the account may be used only for purposes of recovery of costs and attorneys' fees accrued by the Attorney General in enforcing this act and for the Office of Privacy and Data Protection.
Local governments are preempted from adopting any laws, ordinances, or regulations regarding the processing of personal data by controllers or processors. Local laws, ordinances, or regulations adopted prior to July 1, 2020, are not superseded or preempted.
Report by the Office of Privacy and Data Protection.
The OPDP, in collaboration with the Attorney General, must research and examine existing analysis on the development of technology, such as a browser or global device setting, indicating a consumer's affirmative choice to opt out of certain processing, and the effectiveness of allowing a consumer to designate a third party to exercise a consumer right on their behalf. The OPDP must submit a report of its findings by December 1, 2022.
Review by the Joint Legislative Audit and Review Committee.
The Joint Legislative Audit and Review Committee (JLARC) must review the efficacy of the Attorney General providing controllers and processors with warning letters and the 30-day period to cure alleged violations. The report must include specified information, such as the number of warning letters sent and a recommendation on whether the Attorney General should continue providing warning letters. The JLARC report is due by December 1, 2023.
Data Privacy and Public Health Emergency — Private Sector.
Part 2 of the Washington Privacy Act identifies the responsibilities of controllers and processors and establishes consumer rights with regard to covered data processed for covered purposes.
Key Definitions and Jurisdictional Scope.
"Covered data" includes personal data and one or more of the following: specific geolocation data; proximity data; or personal health data.
"Covered purpose" means the processing of covered data concerning a consumer for the purposes of:
Covered data privacy provisions do not apply to:
Consumer Rights Concerning Covered Data.
With regard to processing of covered data for covered purposes, a consumer has the following rights:
Consumer covered data rights may be exercised in the same manner as the consumer personal data rights in Part 1 of the bill.
Responsibilities of Controllers and Processors.
Controllers that process covered data for a covered purpose have the same responsibilities as controllers that process personal data with regard to privacy notice, purpose specification, data minimization, data security, and anti-discrimination requirements.
It is unlawful for a controller or processor to process covered data for a covered purpose unless the controller or processor provides the consumer with the required privacy notice prior to or at the time of the processing, and the consumer consents to the processing. Additionally, controllers may not:
A controller must delete or deidentify all covered data processed for a covered purpose when the covered data are no longer being used for the covered purpose.
Limitations to the Responsibilities of Controllers and Processors.
The obligations imposed on controllers or processors of covered data do not restrict their ability to:
The controller bears the burden of demonstrating that the processing qualifies for an exempt purpose and complies with the requirements applicable to the exempt health care-related information. Covered data processed for exempt purposes may be processed solely to the extent that the processing is necessary, reasonable, and proportionate to these purposes, and must not be processed for any other purposes.
A consumer may bring a civil action for violations of consumer rights or anti-discrimination provisions. Remedies are limited to appropriate injunctive relief. The court must award reasonable attorneys' fees and costs to any prevailing plaintiff.
The Attorney General's authority to enforce violations under the Consumer Protection Act is identical to that in Part 1 of the bill.
Local governments are preempted from adopting any laws, ordinances, or regulations regarding the processing of covered data for a covered purpose by controllers or processors. Local laws, ordinances, or regulations adopted prior to July 1, 2020, are not superseded or preempted.
Data Privacy and Public Health Emergency — Public Sector.
Part 3 of the Washington Privacy Act identifies the responsibilities of public entities that process technology-assisted contact tracing information.
Key Definitions and Jurisdictional Scope.
"Technology-assisted contact tracing" (TACT) means the use of a digital application or other electronic or digital platform that is capable of independently transmitting information and is offered to individuals for the purpose of notifying, through data collection and analysis, those who may have had contact with an infectious person as a means of controlling the spread of a communicable disease.
"Technology-assisted contact tracing information" (TACT information) means any information, data, or metadata received through TACT.
"Controller" means the local government, state agency, or institution of higher education that determines the purpose and means of the processing of TACT information.
"Processor" means a natural or legal person, local government, state agency, or institution of higher education that processes TACT information on behalf of a controller.
Responsibilities of Controllers and Processors.
Responsibilities of controllers and processors that process TACT information are substantively identical to those of controllers and processors that process covered data for covered purposes pursuant to Part 2 of the bill.
Limitations to the Responsibilities of Controllers and Processors.
Limitations to the responsibilities of controllers and processors that process TACT information are substantively identical to those of controllers and processors that process covered data for covered purposes pursuant to Part 2 of the bill.
Any controller that violates, proposes to violate, or has violated the TACT information provisions may be enjoined. Any individual injured by a violation may institute a civil action to recover damages. Where more than one controller or processor, or both a controller and a processor are in violation of this chapter, the liability must be allocated among the parties according to principles of comparative fault.
The amended bill makes the following changes in Part 1 of the bill relating to consumer personal data privacy:
Additionally, the amended bill adds a private right of action and modifies enforcement by the Attorney General in Part 2 of the bill relating to data privacy and public health emergency (private sector); these revisions align with the same provisions in Part 1 of the bill. The amended bill also modifies the definitions of "consent" and "deidentified data" in Part 2 and Part 3 of the bill to align with the same definitions in Part 1.
Lastly, the amended bill makes nonsubstantive technical corrections, such as correcting "if" to "is" in the definition of "technology-assisted contact tracing" in Part 3 of the bill.
(In support) This comprehensive legislation is the result of a three-year process of looking at evidence-based best practices and other privacy laws around the world. This bill is what makes sense for Washington, given our strong constitutional language and our uniqueness as a state for both defending civil liberties and being the home of technology and innovation.
The consumer rights created by this bill are substantial and real and none of them exist today. It is easy to jump to assumptions that other laws are stronger, but there are several key areas where this law would be stronger than other privacy laws: requiring opt-in consent for the use of sensitive data; providing an opt-out option from processing for profiling purposes and for targeted advertising; requiring deletion of data regardless of its source; and requiring data stewardship and data minimization. Opt-in consent for all data collection does not protect consumers. Instead, it overwhelms them with consent requests and leads to notice fatigue. Consent ought to be reserved for sensitive data or sensitive uses where consumers are in a position to exercise a meaningful choice.
Any privacy law should impose strong obligations on all companies that handle consumer data and ensure that the rights given to consumers and the obligations imposed on businesses function in a world where different types of companies play different roles in handling consumer data. This bill protects consumers, is operationally workable for the industry, and aligns with the global standards embodied in privacy laws and voluntary frameworks worldwide, which benefits both consumers and companies. Consumers can easily understand and exercise their rights, and companies can comply with global privacy standards, which opens the doors to global markets.
This bill has carefully crafted and narrowly drawn exemptions for health care information, which is already subject to protection and oversight under other comprehensive and complex privacy laws that are specifically tailored to the healthcare context. There is no gap in privacy protection for personal data because data will be protected either by this bill or by one of the specific state or federal laws listed in the bill.
Technology companies are deeply committed to the protection of consumer data and support the key principles of this legislation, as well as enforcement solely by the Attorney General. All privacy laws should have strong enforcement, but private right of action is not required for that. The right to cure and the enforcement by the Attorney General represent a fair and balanced approach that avoids regulation by litigation. It is the right level of enforcement for our state.
Passing this law is not the end of the conversation on privacy because the nature of technology and the pace at which it changes means that lawmakers will have to continue working on regulating privacy.
(Opposed) While this bill ostensibly gives people privacy rights, these are severely undermined by loopholes, exemptions, the opt-out framework that largely maintains the status quo, and a weak enforcement mechanism. These loopholes make it difficult for ordinary people to understand what limited rights they do have. Creating an entirely opt-in system is the only way to address all the loopholes in this bill.
This bill is not unique and is nearly identical to the industry-sponsored proposals in other states. It memorializes as state law the current practices of the largest manipulators of personal data and endorses today's morass of long privacy statements and diligent investigations before people can opt out. This bill is so favorable to the tech industry that it is unfair to Washingtonians and some Washington businesses.
Providing the right to opt out of certain usages of personal data is not equivalent of informed consent. Defaulting people into having their data collected is not informed consent. Opt-out does not work; once people's data is shared online, it is too late to take back control of it. The opt-in model is the only responsible approach.
All data can be used for sensitive purposes, whether or not the data itself is sensitive, but the bill does not require consent for all data collection. Seemingly innocuous information can be used to paint an intimate portrait of someone's life. Asking people for their consent before using their data is the bare minimum standard.
The opt-out approach has threatened the personal safety of the lives of many survivors of domestic violence and abuse. Passing this bill would tell these survivors and every future victim of these crimes that any sort of relief is not coming any time soon because it would delay the passing of a truly effective privacy bill. Washingtonians deserve the right to privacy in practice, not in theory.
The bill allows consumers to opt out of processing for purposes of profiling that result in legal effects for a consumer, but this is not the only context in which profiling is harmful. Automatic consent to this kind of processing should not be the default anyway. In no other area of our lives do we consider profiling to be an acceptable practice that requires people to affirmatively object in order to be protected. Proponents of the bill point to the anti-discrimination provisions, but any civil rights attorney can point out how difficult it is to make the case that an action with discriminatory impact was done on the basis of a protected characteristic.
The bill requires controllers and processors to comply with governmental demands for personal data. This could be a subpoena or summons, but it also covers loose terms like "investigations" and "regulatory inquiries." All of this could be done without any notice to consumers. As data brokers accumulate more data, immigrant communities see the full impact of weak privacy protections. We know that data brokers sell information to federal immigration authorities, and this, in turn, fuels the detention and deportation of immigrants on a mass scale. This data has also been used for digital redlining. Data as innocuous as the number of times a person opens a prayer app may result in increased government surveillance of that person or their neighborhood. Lower English proficiency, lower reading proficiency, poorly designed websites, or the use of accessibility software should not impact a person's data privacy rights.
Data minimization is to everyone's advantage, and only the opt-in approach sets the stage for data minimization. Opt-in improves the marketability of a product since consumers would have greater trust in that business. Opt-in is a better business model and a better security model. Most data breaches are financially motivated. Identity theft can have cascading negative consequences as new fraudulent resources, such as credit cards, can be used to further illegal activity both in real life and online.
The bill prohibits people from enforcing their rights. The Attorney General has stated that they support the private right of action because people deserve the right to hold companies accountable. Providing a meaningful accountability mechanism is not a radical idea but a bare minimum to start disrupting the nonconsensual commodification of our personal information.
We should be setting a standard that protects all Washingtonians instead of passing a bill that gives only the illusion of privacy and creates a false sense of security. We can and should do better than this bill, and there are better alternatives.
(Other) The Attorney General should not be in the business of serving warning letters to make businesses aware that they are violating the law. The right to cure should expire after a year to ensure that the transition into compliance with the bill does not continue into perpetuity and that the Attorney General maintains proper enforcement authority. Critical staff resources should not be spent on issuing warning letters once businesses have the opportunity to understand what the law means.
This bill has been improved since its introduction three years ago, but still does not acknowledge the heightened privacy interests of teenagers or do much about the huge amounts of data extracted by big companies and then used to micro-target consumers not just with advertising, but also with content that divides people into their own filter bubbles. The bill does very little to stop first-party data sharing or potentially let consumers easily access opt-out. Additionally, the bill provides the Attorney General with just three people to police data brokers who see privacy as a compliance checklist rather than an important right.
Like the California Consumer Privacy Act (CCPA), this bill is largely based on the opt-out model, but the CCPA does have some elements that make the opt-out model more workable for consumers, such as requiring that companies honor browser privacy signals as a global opt-out and allowing consumers to delegate to authorized agents to submit requests on their behalf. Unless these elements are required, it is unlikely that companies will comply.
The opt-in consent does not work for every aspect of digital life. Forcing people to make choices nonstop is fatiguing. The bill does have a requirement for affirmative consent where it is appropriate, such as the processing of sensitive data. One of the things that this bill does well is requiring data minimization and purpose limitation, in addition to the opt-in and opt-out approach, but those provisions can still be strengthened.
As drafted, the bill is a net negative for privacy rights because it does not provide any private right of action and states that a violation cannot be subject to action under any other law. There needs to be some kind of damages remedy. Courts have allowed damages for privacy abuses for decades because there is real harm when someone steals or misuses personal information. There need to be incentives to prevent companies from developing new ways of violating privacy rights. Injunctive relief or the small number of actions that the Attorney General may bring is insufficient. The only way to incentivize compliance is to put a price on violations. Everyone should have access to the courts to enforce their rights, including privacy rights, so the bill should have a private right of action.
This bill leaves consumers powerless when their data is misused or misappropriated. Big companies love this bill, and privacy advocates oppose it, and that indicates that the bill needs some changes.
No new changes were recommended.
(In support) The bill will extend important new rights to access, delete, and stop the sale of consumers' information, with additional protections for sensitive data. The bill also takes important steps to ensure that the opt-out is comprehensive and workable for consumers by requiring that companies honor a browser privacy signal.
This bill is a good compromise that will improve how companies protect our most sensitive information. Industry claims that they do not want to be subjected to excessive liability, but in reality, they want to avoid as much liability as possible. The enforcement provisions help ensure that the Attorney General's efforts to enforce this measure will be effective, given the relatively few resources that they have. The right to cure provision sunsets after a year so that the Attorney General does not waste resources building cases that go nowhere.
(Opposed) This is a weak, industry-formed bill. Under its current structure and fiscal note, it will result in no enforcement and no protection for individuals. The funding to the Attorney General will allow only three full investigations a year and no litigation. That is grossly inadequate to address the problem. European countries with smaller population than Washington spend 15 times as much for data protection authorities and still find it insufficient.
The alleged private right of action in the bill is illusory; the only remedy is an injunction, and very rarely do attorneys receive all of their fees back. No attorney will take on a case where the best outcome is an injunction and maybe most of the attorneys' fees. Unless the funding to the Attorney General is dramatically increased, the bill must be amended to create a true private right of action or it will be completely ineffective.
The bill does not provide strong prescriptive rules or transparency requirements, nor does it adequately fund agencies to develop the expertise to enforce and evolve rules as challenges to privacy emerge. The bill also does not provide for the transparency and evolution of law by healthy engagement in the courts. Instead, the bill relies on consumers to chase after their rights based on scant information about how their personal information is used. The cost of this approach comes when a significant breach or an egregious violation of Washingtonians' privacy comes to light; the Attorney General is then solely responsible for addressing the issue, without the benefit of deep institutional knowledge, consistent transparency records, bright line rules, or precedent.
The bill does not adequately protect the privacy of the immigrant and refugee communities. Many members in these communities have a limited understanding of technology, as well as limited English language skills. Those who do have access to some technology are unlikely to understand how they can utilize the opt-out framework of this bill. This will leave this group a target for data harvesting, without their understanding of the potential ramifications. An opaque opt-out process, rather than a transparent consensual opt-in process, makes it much more difficult to limit the exploitation of personal information and increases the costs to the state.
Industry claims that even a limited private right of action will be a burden; this should be taken with a grain of salt. The private right of action should be strengthened and the right to cure removed.
The unemployment data breach shows how vulnerable personal information is in the hands of private companies. Criminals used personal information stolen in large-scale hacking to file fraudulent unemployment claims, causing the state to lose millions of dollars. These fraudulent claims were only possible because people cannot meaningfully control or protect their data. It is cost effective for the state to help people protect their private information. This bill falls short of providing meaningful privacy protections and could create conditions that would cost the state in the same way the fraudulent unemployment claims did.
The bill as it passed the Civil Rights and Judiciary Committee makes significant policy changes to the bill with zero public input and introduces new and vague terms, untested in any legislation around the country. It places significant burdens on the businesses wishing to comply with the law because it is now very unclear how they can do that.
The bill passed by the Senate provided for enforcement by the Attorney General, with legal presumptions and funding necessary to enforce the data protections. The Attorney General should be provided with more resources to extend the right to cure and to provide assistance to the businesses that make mistakes. The private right of action should be removed. If necessary, additional resources to the Attorney General should be provided to help with compliance.
The right to cure achieves the same goal as injunctive relief, but at a much lower cost to consumers and businesses and in a much more expedited fashion, without opening the flood gates for class action liabilities. The bill as it passed the previous committee sunsets the right to cure. There should be no expiration date on the consumers' ability to get a timely remedy from a company.
The bill makes significant changes by calling for a new and unproven universal opt-out mechanism without establishing any rulemaking or regulatory process.
The bill applies to any entity that processes the personal data of 100,000 consumers or more, with no time limit. This means that a typical neighborhood coffee shop will eventually have compliance obligations. Instead of the private right of action, resources should be spent assisting businesses with compliance because this will impact many small businesses.
(Other) The bill as it left the Senate represents years of negotiations and stakeholder input, and it would create important protections for consumers while increasing trust in technology industry. Significant changes adopted in the Civil Rights and Judiciary Committee were not subject to a public hearing. The bill now includes a private right of action which would subject businesses of all types to frivolous lawsuits without creating protections for consumers. At the same time, the right to cure sunsets after just one year. This is a meaningful enforcement provision that helps ensure that consumer protection concerns are addressed.