House Speaker Mike Johnson, R-La., should bring up kids’ online safety legislation in September, Republican senators told us in interviews after the Senate's overwhelming passage of the measures last week.
The Senate voted 91-3 on Tuesday to approve a pair of kids’ online safety bills, shifting attention to the House, where the legislation awaits committee consideration.
Maine and Vermont legislators will reintroduce comprehensive privacy bills next session, lead sponsors told us in interviews. Republican Gov. Phil Scott’s veto of Vermont’s privacy bill hasn’t discouraged supporters from seeking a private right of action (PRA) that Scott and industry opposed, Rep. Monique Priestley (D), the comprehensive measure’s sponsor, said. Meanwhile, in Maine, a veto threat from Gov. Janet Mills (D) means neither party will pursue a PRA in the upcoming session, Sen. Lisa Keim (R) told us. Mills' opposition to a PRA made it a nonstarter this session.
Rhode Island’s comprehensive privacy bill will become law without the state's governor’s signature. It will become the 20th state with a privacy law. Gov. Dan McKee (D) sent H-7787 to the secretary of state with no signature earlier this week, meaning it will become law under state rules. H-7787 is based on Connecticut’s privacy law. Industry groups, including TechNet, supported it. The legislature approved the measure earlier this month, despite some consumer privacy advocates saying the bill is too weak, including because it doesn’t require companies to honor browser-based privacy signals as global opt-outs and exempts pseudonymous data (see 2406140017 and 2406120012). Rhode Island’s law will take effect Jan. 1.
A Pennsylvania Senate panel delayed the effective date of a comprehensive privacy bill to one year after it’s enacted. That would be six months later than proposed in a previous version of HB-1201, which unanimously cleared the Communications Committee with the amendment at a livestreamed hearing Wednesday. The change would “give businesses enough time to make the appropriate process changes to comply,” said Chair Tracy Pennycuick (R). “Additionally, the amendment clarifies that a private right of action is not open in conjunction with any other law.” The bill had already said that nothing in it “shall be construed as providing the basis for a private right of action for a violation of the provisions of this act,” with enforcement to be conducted solely by the Pennsylvania attorney general. Sponsor Rep. Ed Neilson (D) said Pennsylvania should pass the “bipartisan” measure to join nearly 20 other states with privacy bills. "We are falling behind the other states that are doing it all across the country." The bill will likely need approval from the Appropriations Committee before it can go to the Senate floor, a Pennycuick spokesperson said. The House voted 139-62 last March to pass HB-1201 (see 2403190009). Microsoft supported Pennsylvania’s privacy bill last year (see 2309060060).
Sen. Ted Cruz, R-Texas, told us Thursday he supports allowing victims of deepfake porn to sue violators, as Senate Judiciary Committee Chairman Dick Durbin, D-Ill., proposed.
Vermont legislators failed to override a veto of the state's comprehensive privacy bill. Last week Gov. Phil Scott (R) vetoed H-121, which controversially included a private right of action and a kids code section similar to a California law that was temporarily enjoined. The tech industry lauded Scott's veto, while consumer advocates and the bill’s sponsor urged a legislative override (see 2406140017). Overrides require a two-thirds majority from each chamber. On Monday, the House met that threshold with a 128-17 vote, but the effort died in the Senate, where members voted 14-15. “Industry feared this legislation and worked so hard to kill it because it had real teeth to prevent their harmful data practices,” Consumer Reports Policy Analyst Matt Schwartz said. But the fight for strong Vermont privacy protections will continue, he added. The failure also disappointed Design It For Us, said co-Chair Zamaan Qureshi: The bill “would have been a much-needed step toward protecting youth from the sustained exploitation and undue harms that we experience from social media.”
Vermont’s comprehensive data privacy bill “creates an unnecessary and avoidable level of risk,” said Gov. Phil Scott (R) Thursday as he vetoed H-121. It was a win for tech industry opponents (see 2405300038) and a setback for consumer group supporters of the bill that would have made Vermont the first state with a broad private right of action (PRA). It's possible, however, for lawmakers to override Scott’s veto with a two-thirds vote in each chamber. Also Thursday, the Rhode Island legislature approved a privacy bill that consumer groups say is too weak.
Incorporating kids’ privacy language is complicating the House Commerce Committee's effort to move ahead with a comprehensive bill, members told us in interviews last week. A full committee markup is possible when the chamber returns the week of June 24.
Multiple consumer privacy advocates urged Rhode Island legislators to halt passage of weak privacy protections. The Senate voted 36-1 to pass the comprehensive bill (S-2500) on Wednesday. The “critical bill” is a “marriage” of Connecticut’s privacy law and the work of a Rhode Island commission, said sponsor Sen. Louis DiPalma (D) at the livestreamed floor session. The commission included five legislators, Attorney General Peter Neronha (D) and Verizon, TechNet and the New England Cable and Telecommunications Association. Sen. Samuel Bell (D) voted no. He said the bill was too weak during a committee meeting earlier this week. The House passed the similar H-7787 earlier. Consumer Reports, which signaled its opposition previously (see 2406110033), joined with the Electronic Privacy Information Center and Restore the Fourth in a Tuesday letter. The proposed comprehensive privacy law “would do little to protect Rhode Island consumers’ personal information, or to rein in major tech companies like Google and Facebook,” they wrote. “The bill needs to be substantially improved before it is enacted; otherwise, it would risk locking in industry-friendly provisions that avoid actual reform.” The groups suggested several changes, including adding data minimization rules and requiring that companies honor browser-based privacy signals as global opt-outs. Also, they said the bill's privacy notice rules should cover all data controllers, not just commercial websites and ISPs. Cut the proposed exemption for pseudonymous data and narrow another carveout for loyalty programs, they said. In addition, adding a private right of action will strengthen enforcement, the groups said.