International Trade Today is a Warren News publication.

Consumer Groups Seek Limited Private Right of Action in Model State Privacy Bill

Two consumer privacy organizations assembled a model privacy bill for states that includes a private right of action, making it unlike legislation in nearly all the 20 states that have comprehensive privacy laws. Basing their model bill on the Connecticut…

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

Data Privacy Act, Consumer Reports and the Electronic Privacy Information Center said the aim of the model bill is to fill “loopholes” in that measure. Industry likes -- and many state legislators are familiar with -- the Connecticut law, CR and EPIC said Tuesday. Notably, though the model bill has a private right of action, it's narrow and wouldn’t allow lawsuits against small businesses. Under the model bill, consumers could seek relief, including at least $5,000 in damages per violation, from larger companies. Moreover, the model bill provides enforcement by a state attorney general, district attorney or city corporation counsel, and the AG would have rulemaking authority. Most states with privacy bills allow AG enforcement only. The model bill calls for a 60-day right to cure for a limited time. Also, unlike the Connecticut law, the model bill requires data minimization, which limits the amount of data businesses collect from the start. In addition, the CR and EPIC model adds protections for children and sensitive data and clarifies advertising rules contained in the Connecticut bill. When considering specific industries like healthcare that federal privacy covers, the model bill makes exemptions based on the type of data, unlike the Connecticut law, which does so based on the type of entity. As in the Connecticut law, the CR/EPIC model supports browser-based, global opt-out mechanisms. “The State Data Privacy Act was developed in an effort to more meaningfully protect user privacy than we’ve seen in many state laws, while also retaining a format more familiar to state policymakers,” said Matt Schwartz, CR policy analyst. EPIC Deputy Director Catriona Fitzgerald added, “This proposal sets out rules allowing companies to collect and use data in ways consumers expect while putting a stop to the data abuses that happen outside of their view.” Public Knowledge, the Center for Democracy and Technology and the Public Interest Research Group support the model bill, CR and EPIC said. Fitzgerald emailed us Wednesday, "Our next step is to work to get folks [committed] to introduce it."