International Trade Today is a Warren News publication.
Conn. Model

Md. Urged to Align Privacy Enforcement Plan With Other States

Industry groups urged Maryland legislators to remove a private right of action (PRA) from a comprehensive privacy bill. The Maryland House Economic Matters Committee considered two privacy bills by Del. Sara Love (D) at a livestreamed hearing Wednesday. Industry urged Maryland to follow Connecticut’s approach, but the Electronic Privacy Information Center (EPIC) said to instead base the bill on a proposal by Congress. Internet groups slammed a separate bill to regulate social media platforms for children.

Maryland can’t keep delaying action on privacy, said Chair C.T. Wilson (D). Legislation doesn’t have to be perfect, he said. HB-807 is a comprehensive privacy bill that includes rules for biometrics. HB-33 would cover only biometrics and is a carryover from a 2022 bill that passed the House but failed in the Senate. The Senate Finance Committee weighed a biometric privacy measure (SB-169) at a hearing earlier this month (see 2302080067) and plans a March 8 hearing on a comprehensive privacy bill (SB-698).

Del. Pam Queen (D) doesn’t see support for a private right of action, she said. The will in the legislature is to have enforcement only from the state attorney general, she said. Love prefers a bill with a PRA in addition to AG enforcement, but it’s up to the committee to decide, she said. Del. Christopher Adams (R) later said the legislation would give a “sloppy wet kiss” to lawyers who sue on behalf of consumers.

The State Privacy & Security Coalition would support HB-807 if amended to be more like Connecticut’s privacy law, said General Counsel Andrew Kingman. Connecticut’s framework better balances business implementation concerns, he said. That law includes a right to cure and no private right of action, said Kingman. Including a PRA will spur class-action lawsuits brought only to “extort businesses” and “encourage and obtain settlements.”

The wireless industry appreciates that HB-807 “closely mirrors” Connecticut’s law, but the PRA “is inevitably a problem for us,” said CTIA Director-State Legislative Affairs Jake Lestock. The Maryland Chamber of Commerce also opposed including a PRA. What happened in Illinois with its Biometric Information Privacy Act is a worst-case scenario of what can happen when a private right is included, said Andrew Griffin, senior vice president-government affairs.

Delay the proposed Oct. 1 date to launch enforcement, which should be handled solely by the AG, said Computer & Communications Industry Association State Policy Director Khara Boender: California, Colorado and Virginia delayed enforcement of their privacy laws by two years. Ensure definitions are interoperable with other state laws to avoid unnecessary costs for businesses, the CCIA official said.

HB-807 is a “good start,” but Maryland should base its state privacy bill on the federal bill that failed to pass Congress last year rather than Connecticut’s law, said EPIC Deputy Director Caitriona Fitzgerald. Fitzgerald also supported HB-33 but urged lawmakers to bring back the less-limited private right of action from last year’s biometric privacy bill. It will be too difficult for many consumers to sue if they have to prove personal injury, she said.

Law enforcement raised concerns about unintended consequences from biometric privacy restrictions. Public safety would be exempted, but private contractors they work with to analyze DNA may be covered, said Andrea Mansfield, representing the Maryland Chiefs of Police Association and the Maryland Sheriffs’ Association.

Del. David Fraser-Hidalgo (D) proposed a “blunt instrument” for stopping social media platforms from targeting kids. His HB-254 would require platforms to obtain parental permission before allowing use by kids ages 14 to 17. Social media would have to take down accounts by younger children. The bill would fine $100,000 per violation for not pulling down a profile, and $5 million if the company doesn’t submit a required report to the state AG. Fines would help fund a digital literacy education campaign.

Children are just “dollar signs” to social media companies, said Fraser-Hidalgo, and the federal government hasn’t done anything about it. But Del. Carl Jackson (D) asked how tech companies would verify a child received parental consent. Fraser-Hidalgo said that’s not his problem: “I am sure there are ways for them to do it.” Del. Steven Arentz (R) agrees there’s a problem with social media, but the situation seems “unmanageable,” he said.

HB-254 “takes unconstitutional cues” from states like Texas and Florida that NetChoice is suing over their social media laws, warned Deputy Director-State and Federal Affairs Zach Lilly. It would chill free speech in violation of the First Amendment, he said. Having an education campaign is a good idea, he said. No system could 100% verify a child's age, said TechNet’s Mid-Atlantic Executive Director Margaret Durkin. TechNet members are committed to providing an age-appropriate experience for kids and would support establishing curriculum about social media at schools, she said. CCIA raised similar concerns.

In Hawaii, the Senate Ways and Means Committee deferred voting on a comprehensive privacy bill (SB-974) until Monday at 10:30 HST, Chair Donovan Dela Cruz (D) said at a livestreamed meeting Wednesday.