State Data Privacy Bills Stumble


Florida Republicans making last-minute changes to internet privacy legislation that died last week ran into a similar stumbling block as Democrats who failed to pass a law in Washington last month: how to enforce it.

The statehouses’ disagreements over whether consumers should be able to sue companies for abusing their data illustrate the thorny politics of privacy enforcement and underscore businesses’ fear of litigation, according to elected officials and data-protection experts.

The debates also preview battles in other state capitals and Congress. Lawmakers from both parties have proposed federal laws but failed to advance them in part due to disagreements over the so-called private right of action, a wedge issue for corporate lobbyists and consumer advocates attempting to shape privacy rules.

“It’s incredibly easy to kill a bill,” said Washington Sen. Reuven Carlyle, whose Washington Privacy Act failed last month for the third time in three years. “It’s hard to pass one.”

A private right of action exposes companies to more lawsuits, which businesses argue can be frivolous and benefit lawyers more than consumers. Advocates say such legal action, coupled with enforcement by attorneys general, is key to holding companies accountable.

“If you want something that’s meaningful, you need to focus on that enforcement piece,” said Mary Stone Ross, who co-wrote the California Consumer Privacy Act, which includes a provision allowing consumers to sue companies for damages over data breaches.

Ms. Ross said she and others who pushed for California’s landmark 2018 statute admired Illinois’s biometric privacy law, which has a private right of action that helped consumers reach a $650 million class-action settlement with

Facebook Inc.

this year. The social media company didn’t admit wrongdoing in the deal, which ended a suit accusing it of using facial-recognition technology on users without their consent.

In Florida, the House last month voted 118-1 to pass a privacy bill that included a broad private right of action. Last week, however, the Senate advanced a bill with no such provision and pared-down definitions of what types of activity to regulate.


It’s incredibly easy to kill a bill. It’s hard to pass one.


— Washington Sen. Reuven Carlyle

Rep. Fiona McFarland, a Republican who sponsored the House bill, said she was prepared to drop the private right of action during negotiations to reconcile the proposals. Lawmakers also tried to iron out additional differences, such as whether to regulate data sharing in addition to data sales, she said. But time ran out on the state’s legislative session on April 30.

“Although enforcement is the shiny object because companies are worried about the legal risk, I almost feel that that distracted from a more productive conversation about these definitions,” Ms. McFarland said.

The enforcement debate in Washington moved in the other direction.

Previous versions of the Washington Privacy Act, which passed the state Senate 48-1 and drew industry support, would create data rights for consumers without allowing them to sue companies, giving the attorney general enforcement power.

House lawmakers last month tweaked the bill to allow residents to sue businesses for court-ordered relief, rather than financial damages, and attorneys’ fees. The revised proposal would also allow companies to change their data practices before complaints could become full-on lawsuits for a year after the statute took effect. A representative for Washington Attorney General Bob Ferguson said in a statement that the provision was a “major concession” from his office.

more from wsj pro cybersecurity

But business groups came out against the new version, while some consumer advocates said it didn’t go far enough.

The bill stalled and the legislature adjourned on April 25.

Mr. Carlyle, a Seattle Democrat, attributed the opposition to “religious fervor” among some progressive activists, trial lawyers and the attorney general to oppose collaboration with businesses, such as Washington-based

Microsoft Corp.

and

Amazon.com Inc.,

on enforcement.

“They’d rather remain ideologically pure and lose than take a meaningful step forward,” Mr. Carlyle said.

The gridlock in Florida and Washington stands in contrast with Virginia, the lone state to pass a privacy law this year, where lawmakers never seriously considered a private right of action and drew support from firms including Amazon, which is building a second headquarters in the state. Del. Cliff Hayes and Sen. David Marsden, who led the process, said that attorneys general could better identify trends affecting large numbers of people.

The impact of such consumer lawsuits remains unclear in California.

Plaintiffs’ attorneys cited the state’s privacy law in 76 class-action lawsuits last year, the first year of enforcement, said Natasha Kohne co-head of the cybersecurity, privacy and data protection practice at law firm Akin Gump Strauss Hauer & Feld LLP. Companies still await opinions that could hint at how courts will interpret the statute.

“There’s an experiment going on,” she said, “and we’re waiting for the first real decision.”

Write to David Uberti at david.uberti@wsj.com

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *