It appears House Republican leadership isn’t willing to bring the House Commerce Committee’s bipartisan privacy bill to the floor because it lacks the necessary votes to pass, members and sources close to discussions told us Wednesday.
Sen. Ted Cruz, R-Texas, told us Thursday he supports allowing victims of deepfake porn to sue violators, as Senate Judiciary Committee Chairman Dick Durbin, D-Ill., proposed.
New York City Council Member Gale Brewer (D) introduced legislation Thursday that would prohibit the Department of Correction from "recording voice communications or electronic communications" made to or by individuals in DOC custody except when there is a warrant or express consent. The bill, End Correctional Community Surveillance (ECCos) Act, was co-sponsored by Council Members Shekar Krishnan, Carlina Rivera, Yusef Salaam, Sandy Nurse and Diana Ayala, all Democrats. The bill would also bar the DOC from collecting or buying location data of such calls and establish a "private right of action for anyone whose voice or electronic communications were unlawfully recorded, monitored, or otherwise surveilled."
Vermont legislators failed to override a veto of the state's comprehensive privacy bill. Last week Gov. Phil Scott (R) vetoed H-121, which controversially included a private right of action and a kids code section similar to a California law that was temporarily enjoined. The tech industry lauded Scott's veto, while consumer advocates and the bill’s sponsor urged a legislative override (see 2406140017). Overrides require a two-thirds majority from each chamber. On Monday, the House met that threshold with a 128-17 vote, but the effort died in the Senate, where members voted 14-15. “Industry feared this legislation and worked so hard to kill it because it had real teeth to prevent their harmful data practices,” Consumer Reports Policy Analyst Matt Schwartz said. But the fight for strong Vermont privacy protections will continue, he added. The failure also disappointed Design It For Us, said co-Chair Zamaan Qureshi: The bill “would have been a much-needed step toward protecting youth from the sustained exploitation and undue harms that we experience from social media.”
Vermont’s comprehensive data privacy bill “creates an unnecessary and avoidable level of risk,” said Gov. Phil Scott (R) Thursday as he vetoed H-121. It was a win for tech industry opponents (see 2405300038) and a setback for consumer group supporters of the bill that would have made Vermont the first state with a broad private right of action (PRA). It's possible, however, for lawmakers to override Scott’s veto with a two-thirds vote in each chamber. Also Thursday, the Rhode Island legislature approved a privacy bill that consumer groups say is too weak.
Incorporating kids’ privacy language is complicating the House Commerce Committee's effort to move ahead with a comprehensive bill, members told us in interviews last week. A full committee markup is possible when the chamber returns the week of June 24.
Multiple consumer privacy advocates urged Rhode Island legislators to halt passage of weak privacy protections. The Senate voted 36-1 to pass the comprehensive bill (S-2500) on Wednesday. The “critical bill” is a “marriage” of Connecticut’s privacy law and the work of a Rhode Island commission, said sponsor Sen. Louis DiPalma (D) at the livestreamed floor session. The commission included five legislators, Attorney General Peter Neronha (D) and Verizon, TechNet and the New England Cable and Telecommunications Association. Sen. Samuel Bell (D) voted no. He said the bill was too weak during a committee meeting earlier this week. The House passed the similar H-7787 earlier. Consumer Reports, which signaled its opposition previously (see 2406110033), joined with the Electronic Privacy Information Center and Restore the Fourth in a Tuesday letter. The proposed comprehensive privacy law “would do little to protect Rhode Island consumers’ personal information, or to rein in major tech companies like Google and Facebook,” they wrote. “The bill needs to be substantially improved before it is enacted; otherwise, it would risk locking in industry-friendly provisions that avoid actual reform.” The groups suggested several changes, including adding data minimization rules and requiring that companies honor browser-based privacy signals as global opt-outs. Also, they said the bill's privacy notice rules should cover all data controllers, not just commercial websites and ISPs. Cut the proposed exemption for pseudonymous data and narrow another carveout for loyalty programs, they said. In addition, adding a private right of action will strengthen enforcement, the groups said.
Another comprehensive state privacy bill is moving quickly toward the finish line. The Rhode Island House voted 70-1 on Monday, approving H-7787 with some floor amendments. Meanwhile, the state's Senate Commerce Committee voted 7-1 to advance the similar S-2500. Tech industry groups supported the measure; however, a state senator and a consumer group said the Rhode Island legislation is too weak.
State Rep. Evan Shanley (D) predicted Friday the Rhode Island House will vote on his comprehensive privacy bill this week. A House committee advanced an amended version of H-7787 on Thursday (see 2406060071). Shanley expects the Senate version (SB-2500) by Sen. Louis DiPalma (D) “will advance as well,” he told us. Meanwhile, the Vermont legislature delivered a privacy bill (H-121) to Gov. Phil Scott (R) Friday. He has five days to veto the bill, or it will become law. The tech industry seeks a veto due to differences with other state laws, including that Vermont’s bill has a broad private right of action (see 2405300038).
The tech industry urged Vermont Gov. Phil Scott (R) to veto the state’s privacy bill. Vermont could be the first state to include a broad private right of action. That and other “outlier provisions” have led businesses to lobby Scott to kill the measure, a Wiley lawyer said Wednesday (see 2405290072). In a Thursday letter to Scott, the Computer & Communications Industry Association said it was concerned about differences between Vermont’s bill and other states’ privacy laws, such as “the inclusion of a private right of action, the definition of ‘sale’, the language included around targeted advertising, and data minimization principles.” Allowing consumers to sue businesses, “the measure would open the doors of Vermont’s courthouses to plaintiffs advancing frivolous claims with little evidence of actual injury,” CCIA wrote, adding that other states vest enforcement with their attorneys general. “We encourage you to resist signing legislation that poses significant compliance and constitutional concerns.” The legislature passed the bill (H-121) May 10 but hasn't sent it to Scott yet. Once the governor receives the bill, he will have five days to veto it or it will become law. Scott's office didn’t comment.