Source - Privacy and Data Security Alert | July 2019

States Continue to Lead the Way on Privacy Legislation

New York Privacy Act Would Create Private Right of Action

Introduced on May 9, 2019, the New York Privacy Act continues the trend of states considering broader, privacy-focused legislation. The Act would require companies to disclose their methods of de-identifying personal information, place special safeguards around data sharing, and allow consumers to obtain the names of all entities with whom their information is shared. Also included is a private right of action for any violation of the Act, though no provision is made for statutory damages; plaintiffs would be limited to actual damages and attorney’s fees. The bill is currently awaiting action by the Senate Consumer Protection Committee.

Update: Maine Bill Signed into Law Requiring ISPs to Obtain Opt-In Consent from Customers

Following Governor Janet Mills’ signature, Maine’s privacy law will take effect on July 1, 2020. The law requires ISPs operating in Maine to obtain express, affirmative consent from customers before using, disclosing, selling or permitting access to a customer’s personal information, which would include web-browsing history, application-usage history, geolocation information, financial information and health information. With certain exceptions, the bill would prohibit a provider from discriminating against customers who refuse to provide consent.

Oregon Enacts Amendments to Data Breach Notification Law

Oregon Governor Kate Brown has approved five amendments to the Oregon Consumer Identity Theft Protection Act (including a name change to the “Oregon Consumer Information Privacy Act”), with the changes taking effect January 1, 2020. The amendments impose additional reporting requirements in the event of a breach (such as notification to the attorney general when more than 250 consumers are affected), redefine the term “covered entity,” expand the definition of personal information to include online-account information, and allow vendors and covered entities to use their compliance with federal data-security laws as an affirmative defense to violations of the Act.

Bill to Exempt Employee Information from CCPA Advances and Changes

AB 25, one of the most closely watched bills that would amend the California Consumer Privacy Act (CCPA), overcame a major hurdle by passing the California Assembly shortly before the May deadline to do so. A June 28 amendment then made significant changes to the structure and content of the bill. Previously, AB 25 modified the definition of “consumer” to exclude employees, etc., but the later amendment cancels that definition change in favor of three explicit exemptions from the CCPA for the personal information of “a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of” a business where the information is collected and used: 1) solely within the context of that person’s role; 2) as emergency-contact information; and 3) to administer benefits. (Definitions are also provided for the various individuals covered by the exemptions.)

The amendment to AB 25 would also allow businesses to require reasonable authentication of a consumer and to require a consumer to submit a request through her account if she maintains one with the business.


Until preemptive federal legislation is passed, the patchwork of state privacy laws will continue to expand and diversify.

Read more in the full July issue of the Privacy and Data Security Client Alert.