2022 – a busy year for privacy legislation has already started


Data Protection, Privacy and Security Alert


On the privacy front, 2022 is already shaping up to be a busy legislative year. During the first week of January, a number of state and federal privacy bills were announced or introduced for the current legislative session.  While it is too soon to tell where these bills will end up, this extensive activity is certainly indicative of another very busy privacy legislative year.  Below we highlight some of these bills.

Kentucky HB32

Kentucky has introduced a new biometric privacy bill, which would require companies to obtain prior written consent from individuals and provide them with notice regarding the purpose and length of the collection, storage, and use of their biometric information.

The bill would require companies to create and publicly disclose a written policy establishing retention schedules and destruction guidelines for biometric information if the purpose for which the information was collected has been satisfied, or within three years, whichever is first.  The bill places restrictions on the sale, lease, or trade of biometric information, as well as the disclosure of biometric information.  In addition, the bill requires companies to apply a reasonable standard of care (within their industry) to biometric information.

The current version of this bill would also provide for a private right of action, which, if passed, would make Kentucky the second state to enact such a right; Illinois is the only current state to offer a private right of action for violations of its biometric privacy law, the Biometric Information Privacy Act (740 ILCS 14/1).

Kentucky HB75

DNA testing is also the subject of a bill in Kentucky, the Protecting DNA Privacy Act.  This bill would restrict DNA testing to situations where the subject has given express consent, subject to certain exceptions (such as for criminal investigations and compliance with law purposes). 

The bill indicates that the results of such testing are the property of the person tested and may not be disclosed without express consent. The bill would also restrict the collection of DNA samples without express consent if the purpose is testing, place limitations on the sale or disclosure of DNA results, and restrict the submission of another person's DNA for testing. The bill includes criminal penalties.

Maryland SB11

This bill would enact the Maryland Online Consumer Protection and Child Safety Act and allow the Attorney General to adopt regulations to carry out the Act. The bill would impose a number of requirements on certain businesses, including but not limited to, the following:

  • Provide notice to consumers before or at the point of collection of certain information, including: the categories of personal information collected; business purposes for which the categories of personal information may be used; categories of third parties to which the business may disclose the personal information; business purposes for third-party disclosures; and consumer rights. If the business has an online privacy policy or website, this information must be provided therein.
  • Subject to certain exceptions, provide two or more methods to submit consumer rights requests (e.g., delete, right to know, and opt out of third-party disclosure), and respond to verifiable consumer requests.
  • Provide a clear and conspicuous link on its internet homepage that allows consumers or authorized persons to opt out of the third-party disclosures of personal information.
  • Not discriminate against consumers for exercising their rights under the Act.

Please note this Act does not apply to certain employee information. A violation of the Act is considered an unfair, abusive, or deceptive trade practice.

Maryland SB207

This bill would impose cybersecurity standards on carriers, including insurance carriers, health maintenance organizations, and third-party administrators, with the stated purpose of establishing data security standards and cybersecurity event investigation and notification requirements.

The bill would require carriers to meet certain cybersecurity requirements, including:

  • Develop, implement, and maintain a comprehensive information security program and security measures that are based upon the carrier’s risk assessment and meet certain requirements.
  • Designate a contact responsible for the information security program.
  • Identify certain internal and external threats, assess the likelihood and potential damage of such threats, and assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage such threats.
  • Stay updated on emerging threats or vulnerabilities and use reasonable security measures when sharing information.
  • Provide cybersecurity awareness training to personnel.
  • Require third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure information systems and nonpublic information accessible to or held by them.
  • Establish a written incident response plan meeting certain requirements.
  • Annually certify that an information security program has been adopted and that the carrier is in compliance with SB207.
  • Conduct an investigation when a cybersecurity event has or may have occurred, and under certain circumstances, notify the Maryland Insurance Commissioner of the cybersecurity event.

Oklahoma HB2968/HB2969

This bill would enact the Oklahoma Computer Data Privacy Act of 2022, which would be enforced by the Attorney General.  The bill would impose a number of requirements on certain businesses, including but not limited to, the following:

  • Provide certain information to consumers in its privacy policies, including the length of time personal information is retained by the business.
  • Collect and/or share consumer personal information with third parties only as reasonably necessary to provide a good or service to consumers, or as reasonably necessary for security purposes or fraud detection.
  • Limit use and retention of consumer personal information to only as reasonably necessary to provide the requested service or for a related operational purpose.
  • Notify consumers of their right to opt out of personalized ads.
  • Subject to certain exceptions, provide at least two methods to submit consumer rights requests (e.g., delete, right to know, and correction), and respond to verifiable consumer requests.
  • Not discriminate against consumers for exercising their rights under the Act.
  • Not design, modify, or manipulate a user interface to obscure, subvert, or impair user autonomy, decision-making, or choice.
  • Implement and maintain reasonable security procedures and practices.
  • Enforce compliance requirements upon service providers (who must also implement and maintain reasonable security procedures and practices).

Please note that the Act would not apply to certain business information, as the Act does not apply to “an employee or contractor of a business acting in his or her role as an employee or contractor.” 

The bill, if enacted, would be enforced by the Attorney General, and has penalties attached that range from $2,500 to $7,500 per violation.

Vermont H515

This bill would enact the Vermont Insurance Data Security Law, which largely mirrors Maryland SB207 (discussed above), and sets cybersecurity standards as well as reporting requirements for certain regulated entities.  However, it should be noted that the bill contains an exception from compliance if the entity is in compliance with New York Department of Financial Services requirements and submits a certification to that effect to the Commissioner. 

The bill would require regulated entities to meet certain requirements, including:

  • Develop, implement, and maintain a comprehensive written information security program and security measures that are based upon the entity’s risk assessment and meet certain requirements.
  • Designate a contact responsible for the information security program.
  • Identify certain internal and external threats, assess the likelihood and potential damage of such threats, and assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage such threats.
  • Stay updated on emerging threats or vulnerabilities and use reasonable security measures when sharing information.
  • Provide cybersecurity awareness training to personnel.
  • Require third-party service providers to implement appropriate administrative, technical, and physical measures to protect and secure information systems and nonpublic information accessible to or held by them.
  • Establish a written incident response plan meeting certain requirements.
  • Annually certify that an information security program has been adopted and that the entity is in compliance with the Insurance Data Security Law.
  • Conduct an investigation when a cybersecurity event has or may have occurred, and under certain circumstances, notify the Commissioner of the cybersecurity event.

Florida SB1864

This bill proposes the Florida Privacy Protection Act and if enacted would introduce a number of requirements on controllers similar to those applicable under the California Privacy Rights Act (which takes effect January 1, 2023).  These obligations include notice at or before the collection of personal information, consent requirements related to the collection of sensitive data, and requirements for responding to verified consumer requests, as well as minimum contractual requirements and other obligations related to processors.   

The bill would also introduce a number of rights for Florida residents, including rights to opt out of the sales and targeted advertising, rights of access, correction and deletion.  Similar to the Virginia Consumer Data Protection Act and the Colorado Privacy Act (both effective January 1, 2023), it would not generally apply to personal information collected in the employment context or related to business-related communications and transactions.   

The Act would be enforced by the Consumer Data Privacy Unit within the Florida Department of Legal Affairs, which could bring actions against controllers and processors for alleged violations, but it does not provide a private right of action.

Going forward

Many more bills are sure to follow, and we will be publishing future alerts on these new bills as well as the progress of those we discussed above.

To learn more about the implications of this legislative activity, contact our data privacy team via PrivacyGroup@dlapiper.com.