Incoming House Commerce Committee Chairman Brett Guthrie, R-Ky., plans on introducing comprehensive and kids’ privacy bills in the new year, he told us Tuesday.
An all-time high of 11.6 million notices of data breaches were sent to citizens of Washington state from July 24, 2023, to July 23, 2024, beating the previous record of 6.5 million in 2021, according to an annual report from Attorney General Bob Ferguson (D) Tuesday. Businesses reported 112 of the year’s 279 breaches in the state, with communications firms sending the most notices to consumers: 3.4 million. A mega breach of Comcast was responsible for 3.1 million of them. This is the first time that the number of individual notices of breaches has exceeded the state’s population and is the highest number of citizen breaches affected. “The more people know about data breaches, the more they can protect themselves,” Ferguson said in a news release. Retail had the most data breach incidents, at 20, sending 88,000 consumers notices. A cyberattack was the most common way data breaches occurred, with 217 instances, said the report. Ten were the result of either theft or a mistake, and 52 happened when an unauthorized person accessed secure data through something like an unsecured network or left sensitive documents out on a desk. Ransom was behind 113 of the cyberattacks; malware, 31; phishing, nine; skimming -- using a malicious card reader on a payment terminal, two. “These statistics further underscore our state’s critical need for comprehensive data privacy regulation,” Ferguson said in the report. “Data breaches are symptomatic of gaps in data privacy policies and the standards and practices of every entity that collects or controls this information.”
Connecticut, Texas, New Jersey and California are among the states preparing to advance comprehensive AI legislation in 2025, according to lawmakers and stakeholders.
New England next year might become the first U.S. region where all states have comprehensive privacy laws, a Computer & Communications Industry Association official said Wednesday as CCIA released a report on state privacy. “Much of the activity around new privacy protections took place in northeastern states this year with New Hampshire and Rhode Island passing privacy bills, while Maine and Vermont failed to get data privacy laws across the finish line,” said Alex Spyropoulos, CCIA Northeast regional policy manager. CCIA will be watching the latter two states and Massachusetts to pass bills next year, he said. “Some of the conflicts within states that didn’t ultimately pass bills were due to disagreements over standards or definitions and trying to match those with Europe’s privacy laws.” CCIA State Policy Manager Jordan Rodell urges states considering comprehensive privacy bills in 2025 to prioritize aligning their policies with other states’ laws. The CCIA report noted that many states have harmonized definitions and business requirements, but Maryland last year diverged from the pack with strict data minimization rules. “This approach could inadvertently stifle innovation and business activity within the state by limiting the flexibility of covered entities to leverage collected data for new and potentially beneficial purposes.”
Two consumer privacy organizations assembled a model privacy bill for states that includes a private right of action, making it unlike legislation in nearly all the 20 states that have comprehensive privacy laws. Basing their model bill on the Connecticut Data Privacy Act, Consumer Reports and the Electronic Privacy Information Center said the aim of the model bill is to fill “loopholes” in that measure. Industry likes -- and many state legislators are familiar with -- the Connecticut law, CR and EPIC said Tuesday. Notably, though the model bill has a private right of action, it's narrow and wouldn’t allow lawsuits against small businesses. Under the model bill, consumers could seek relief, including at least $5,000 in damages per violation, from larger companies. Moreover, the model bill provides enforcement by a state attorney general, district attorney or city corporation counsel, and the AG would have rulemaking authority. Most states with privacy bills allow AG enforcement only. The model bill calls for a 60-day right to cure for a limited time. Also, unlike the Connecticut law, the model bill requires data minimization, which limits the amount of data businesses collect from the start. In addition, the CR and EPIC model adds protections for children and sensitive data and clarifies advertising rules contained in the Connecticut bill. When considering specific industries like healthcare that federal privacy covers, the model bill makes exemptions based on the type of data, unlike the Connecticut law, which does so based on the type of entity. As in the Connecticut law, the CR/EPIC model supports browser-based, global opt-out mechanisms. “The State Data Privacy Act was developed in an effort to more meaningfully protect user privacy than we’ve seen in many state laws, while also retaining a format more familiar to state policymakers,” said Matt Schwartz, CR policy analyst. EPIC Deputy Director Catriona Fitzgerald added, “This proposal sets out rules allowing companies to collect and use data in ways consumers expect while putting a stop to the data abuses that happen outside of their view.” Public Knowledge, the Center for Democracy and Technology and the Public Interest Research Group support the model bill, CR and EPIC said. Fitzgerald emailed us Wednesday, "Our next step is to work to get folks [committed] to introduce it."
House leaders will likely take up kids’ privacy legislation, but not before more legislative work is done on the House Commerce Committee-passed bills, a high-ranking Senate Commerce Committee staffer said Wednesday.
The lame-duck session will provide a good chance to get kids’ privacy legislation signed into law, Sen. Richard Blumenthal, D-Conn., told us Thursday.
The House Commerce Committee on Wednesday approved a pair of kids’ online safety bills on a voice vote, opening the door for potential floor action and negotiations with the Senate.
“We’re not waiting for federal leadership in privacy,” said Colorado Attorney General Phil Weiser (D) during a Silicon Flatirons event Wednesday. Amid congressional inaction, Colorado was the third state to enact a comprehensive privacy bill, after California and Virginia. The AG office has sought to be transparent as it’s worked on rules for implementing the Colorado Privacy Act, said Weiser, quipping that the FCC is a “poster child [for] how not to do rulemaking.” Colorado plans to watch how state government manages data at the same time as it oversees the private sector, he said. The AG office will take the same approach with AI, he added. Also, as the AG office moves toward enforcement, it is focused on educating businesses. Weiser's “memo” for businesses: “Stop collecting so much data … Stop storing it for so long. Stop giving so many people access to it.” The AG said the recent U.S. Supreme Court decision on Chevron deference doesn’t formally affect states. “Informally, it’s possible that some state supreme courts will look at it.” However, Weiser finds the decision “entirely unpersuasive,” he said. “I am confident that [Colorado’s] supreme court will continue to provide agency deference.” The Colorado AG office recently set a Nov. 7 hearing on the latest proposed amendments to the Colorado Privacy Act (see 2409160036).
Minnesota Gov. Tim Walz, Vice President Kamala Harris’ running mate on the Democrats’ 2024 presidential ticket, enters the national stage with a record of pro-rural broadband action but is largely a blank slate on other tech and telecom matters, observers said in interviews. Harris announced Walz as her pick Tuesday after a two-week vetting process in which other governors with stronger broadband policy backgrounds were in contention (see 2407260001). Sen. JD Vance of Ohio, the Republicans’ vice presidential nominee, has been a leading congressional advocate for injecting funding into the FCC’s lapsed affordable connectivity program (see 2407150062).