Summary of Public Hearings on Maryland Online Consumer Protection Act
Maryland held two public hearings this week concerning the Online Consumer Protection Act. One hearing was on House Bill 901 in the Economic Matters Committee on Wednesday. The other hearing was on Senate Bill 613 in the Finance Committee today (Friday). There was a fair amount of support for Maryland taking action on data privacy, although panelists made plenty of asks for particular amendments and legislators raised questions about how enforcement would work for non-Maryland businesses.
In the Senate Finance Committee, the chair recognized mid-way through the hearing that there was a problem, but expressed doubt that they would be able to get a bill through the legislature this year. She floated the idea of creating a working group and coming back with a consensus bill next year. Several panelists also mentioned that there was potential for an amendment that narrowed the scope of a bill this year to solely children’s privacy. Much of the panel members’ testimony was limited to around one minute, so they really only scratched the surface of a few issues.
House Bill 901 in the Economic Matters Committee
Below are notes highlighting the testimony.
Delegate Ned Carey introduced the bill:
The bill is recommended by the Maryland Cybersecurity Council.
They are working with business groups about possible amendments.
Representative of the Attorney General spoke in favor of the bill:
Promoted it in part as data minimization before a cybersecurity breach occurs.
Three years of lead time before enforcement starts in 2022.
Policy Counsel for Consumer Reports:
Testified in support of the bill.
92% of consumers want control of their data.
Representative from CASH Campaign of Maryland spoke based on its work on the Maryland Cybersecurity Council.
In favor of the bill.
Advocated for low to moderate income consumers.
Concerned about data breach impacts.
Question for Attorney General Office:
How will Maryland enforce the bill when companies are in California?
A: They have not had a problem in data breach litigation enforcing it against
Question for AGO about whether definition of personal information is too broad.
A: Defended the definition of consumer information and said the AGO is not concerned about the definition because it helps protect consumers.
Question about differences with GDPR
Rep of Center for Democracy and Technology:
Suggested changes to better protect privacy and security.
Spoke on creating meaningful enforcement and providing additional support for the Maryland AG.
Maryland Consumer Rights Coalition:
In support of the bill.
Provided concrete examples of how data is sold and used.
League of Life and Health Insurance Rep:
Wants amendments but asked for a favorable report with them.
First Data Rep:
Wants changes to allow debit/credit cards for children.
Concerned about GLBA exemption.
Provided draft of the Washington Privacy Act.
Maryland Banking Association and Maryland Property & Casualty Insurers Association Rep:
Not all aspects of insurance are covered by GLBA.
Also wants to modify definition of consumers to exclude business entities and their employees.
Would like consistency on GLBA exemption.
Maryland Retailers Association Rep:
Congress is taking this issue up at a federal level to avoid a patchwork of laws.
Wants safe harbor for businesses that provide information to service providers.
Has concerns about the right to deletion in the context of loyalty programs.
Comcast/NBC Universal Rep:
California shouldn’t be a model because it isn’t completed yet.
Working with legislature on protecting minors online.
Wants to fix the problems and bring back a consensus bill next year.
Rep for National Cable Telecommunications Association:
Concerned about unintended consequences for Maryland consumers including overbroad definition of personal information that might result in less data deidentification.
CTIA (Trade Association for Wireless Industry):
Opposes bill as California is still developing.
Concerned that portability and right to access will centralize data and result in more cybersecurity problems.
Senate Finance Committee on SB613
Panelists were limited in their time for comments so there wasn’t a lot of depth to the discussion here. Below is a summary of some of their comments.
Rep of Common Sense Media:
Testified in support of the bill because data brokers are collecting and selling information for kids as young as two.
Rep of Attorney General Office:
Concerned that surfing for plus size clothing would result in making it harder to get insurance, but didn’t have any anecdotal examples.
Defended that Maryland will have jurisdiction to enforce the same way as it enforces the data breach law.
Maryland Consumer Rights Coalition Rep:
In support of the bill because it includes the right to delete and gives consumers the ability to protect their data against breaches.
CASH Campaign of Maryland Rep:
In support; concerned about data aggregation use in insurance and infinite storage of data in light of accuracy issues and breaches.
Rep for First Data and Microsoft:
Favorable with amendment for Banks, FCRA exemptions.
Global Investigative Services & Background screening organization:
Concerns about the exemption language around FCRA and would like a small amendment.
League of Life & Health Insurance Rep:
Supports GLBA, HIPAA exemptions.
American Property Casualty Insurance, Maryland Bankers Association:
Testimony on GLBA exemption.
Comcast/NBC Universal Rep:
Recommends waiting for California to model it.
NCTA Internet & Television Association Rep:
Believes the CCPA is flawed and should not be a model.
Concerned that the right to access could lead to inadvertent disclosures of sensitive information.
Blanket prohibition on loyalty programs without any exceptions, going beyond California.
Maryland Retailers Association:
Urges non-favorable report now.
Encourages creation of federal standard rather than state-by-state.
CTIA – Wireless Communications Industry Association:
Law would be in tension with data security principles.
Portability and pooling exposes data to risks.
This would create a patchwork of state laws.
California has not gone into effect yet and so we don’t yet know the major problems with it.