On the privacy front, 2022 is already shaping up to be a busy legislative year. During the first week of January, a number of state and federal privacy bills were announced or introduced for the current legislative session. While it is too soon to tell where these bills will end up, this extensive activity is certainly indicative of another very busy privacy legislative year. Below we highlight some of these bills.

Kentucky HB32

Kentucky has introduced a new biometric privacy bill, which would require companies to obtain prior written consent from individuals and provide them with notice regarding the purpose and length of the collection, storage, and use of their biometric information.

The bill would require companies to create and publicly disclose a written policy establishing retention schedules and guidelines for destroying biometric information once the purpose for which the information was collected has been satisfied, or within three years, whichever is first. The bill places restrictions on the sale, lease, or trade of biometric information, as well as on its disclosure. In addition, the bill requires companies to apply a reasonable standard of care (within their industry) to biometric information.

The current version of this bill would also provide for a private right of action, which, if passed, would make Kentucky the second state to enact such a right; Illinois is currently the only state to offer a private right of action for violations of its biometric privacy law, the Biometric Information Privacy Act (740 ILCS 14/1).

Kentucky HB75

DNA testing is also the subject of a bill in Kentucky, the Protecting DNA Privacy Act. This bill would restrict DNA testing to situations where the subject has given express consent, subject to certain exceptions (such as for criminal investigations and compliance with law purposes).

The bill indicates that results of such testing are the property of the person tested and may not be disclosed without express consent. The bill would also restrict the collection of DNA samples without express consent if the purpose is testing, would place limitations on the sale or disclosure of DNA results, and would restrict the submission of another person’s DNA for testing. The bill also includes criminal penalties.

Maryland SB11

This bill would enact the Maryland Online Consumer Protection and Child Safety Act and allow the Attorney General to adopt regulations to carry out the Act. The bill would impose a number of requirements on certain businesses, including but not limited to, the following:

  • Provide notice to consumers before or at the point of collection of certain information, including: the categories of personal information collected; business purposes for which the categories of personal information may be used; categories of third parties to which the business may disclose the personal information; business purposes for third-party disclosures; and consumer rights. If the business has an online privacy policy or website, this information must be provided therein.
  • Subject to certain exceptions, provide two or more methods to submit consumer rights requests (e.g., delete, right to know, and opt out of third-party disclosure), and respond to verifiable consumer requests.
  • Provide a clear and conspicuous link on its internet homepage that allows consumers or authorized persons to opt out of the third-party disclosures of personal information.
  • Not discriminate against consumers for exercising their rights under the Act.

Please note this Act does not apply to certain employee information. A violation of the Act is considered an unfair, abusive, or deceptive trade practice.

Maryland SB207

This bill would impose…

Read The Full Article at Lexology