As the trend of state laws granting more privacy and greater control over personal information continues in the US, the fate of privacy bills in Washington State, Oklahoma and Florida serve as a reminder that as with any other issue, political compromise is still a necessity in order for legislation to progress. This is an update on our prior post published on April 5th, analyzing the chances that privacy bills introduced in Washington, Oklahoma, Florida and Connecticut will be enacted.
Washington Privacy Act
For the third year in a row, a comprehensive privacy bill titled the Washington Privacy Act found support in both legislative houses in Washington State, but failed to be reconciled with each other and were not enacted.
The Washington House’s failure to advance the bill by the Sunday, April 11th deadline for non-fiscal bills to pass out of the House means that it is dead this legislative session. However, sponsor State Sen. Reuven Carlyle (D) tweeted on Monday that “the bill remains alive through the end of the legislative session,” which is April 25th. After the April 11th deadline, the House can only consider “initiatives, alternatives to initiatives, budgets and matters necessary to implement budgets, differences between the houses, and matters incident to the interim and closing of the session.” It is not clear whether or how the bill would fit into one of these exceptions.
As was the case in 2019 and 2020, the inclusion of a private right of action for violations of the law proved to be an insurmountable obstacle to getting the bill passed. In early March, the Senate passed a version of the bill that did not include a private right of action by a 48–1 vote. In a surprise move, on March 26th, the Senate bill was amended to add a private right of action allowing state residents to sue over alleged violations. Significantly, however, the private right of action did not include a provision for monetary damages—leaving residents with the exclusive option of seeking injunctive relief (or alternatively filing a complaint with the consumer protection division of the Attorney General’s office). On April 1st, a bill containing this limited private right of action passed the House Civil Rights & Judiciary Committee and was sent to the floor of the House. Since then, state Representatives proposed 25 amendments to the bill that would have required debate, among them a full private right of action to enforce the law, with statutory damages of up to $10,000 per violation.
Oklahoma Computer Data Privacy Act
As we previously posted on April 5th, after passing the Oklahoma House in early March, the Oklahoma privacy bill (titled the Oklahoma Computer Data Privacy Act) ground to a halt in early April after the Chair of the Judiciary Committee refused to allow the bill to have a hearing. On April 8th, the bill officially died when it failed to get passed out of the Senate Judiciary Committee by the legislative deadline for passing bills out of committee. The primary reason for the failure of the bill to advance appears to be a provision that required businesses in most cases to obtain the consent of consumers prior to collecting, using or selling personal information about them. This provision was unpalatable for many and tech and communication companies were reported to be active in opposing the bill.
Florida Privacy Protection Act
The chances of a comprehensive privacy law passing in Florida remain strong, but a Florida Senate committee recently amended its version of a privacy bill that the House is also considering, in order to lessen the burden on businesses. On April 6th, the Senate Rules Committee amended SB 1734, which would create the “Florida Privacy Protection Act.” The proposed amendments to SB 1734 take two significant steps to lessen the compliance burden, specifically by:
- limiting the bill’s scope by deleting the revenue threshold for triggering the applicability of the bill (the previous version of the bill would have applied to any business with more than $25 million in revenue and that met other, more general criteria). As amended, the bill would apply only to companies that annually buy, sell or share the personal information of 100,000 or more Florida residents, households or devices, or derive 50% or more of their global annual revenue from selling or sharing personal information.
- removing the private right of action in its entirety. As with the existing Florida data privacy law, enforcement would be left to the Florida Attorney General.
However, many businesses remain opposed to the bill and consumer advocates will undoubtedly oppose the House adopting the Senate’s amendments. The new version of the bill will now go to the Senate floor for an eventual vote from the full Senate. In the meantime, its House counterpart, HB 969, continues to work through House Committees.
Many more state privacy bills, including a bill in Connecticut, remain pending and have reasonable prospects of passing before the end of the states’ respective legislative sessions. We will continue to provide updates on these bills status changes in their respective legislatures.