A number of important new privacy law developments arrived in the month of August, chiefly enactment of the new Illinois Protecting Household Privacy Act, which restricts law enforcement access to data collected from the home devices of Illinois residents.

The California Senate Appropriations Committee held a number of bills for later, further discussion, including bills regarding: automated decision making in state procurement, contract tracing limitation and businesses providing hardware or software that disseminates personal health information.

The Ohio Attorney General (AG) also expressed his belief in a cautious approach towards a private right of action in privacy law, stressing the need to prevent a litigation "feeding frenzy."

Below, please find a high-level overview of states' recent legislative efforts in this space.

Illinois

On August 27, 2021, Illinois Gov. JB Pritzker signed House Bill 2553—the Protecting Household Privacy Act. This law limits the ability of Illinois law enforcement agencies to obtain household electronic data from "smart devices." Under the new law, law enforcement is not permitted to access household data from a private third party, such as in the case of an Amazon Alexa, Ring doorbell or smart appliance, absent a judicial warrant or under other specific exceptions, such as an emergency situation. Even in an emergency situation, the information will be inadmissible in court if law enforcement does not successfully apply for a warrant within 72 hours after the collection. This law takes effect on January 1, 2022.

California

The Senate Appropriations Committee considered a number of bills during a hearing on August 16, including the following:

  • Assembly Bill 13: in the context of the state's procurement policies, would promote oversight over automated decision systems that pose a high risk of adverse impacts on individual rights.
  • Assembly Bill 814: would prohibit data collected, received or prepared for purposes of contact tracing from being used for any purpose other than facilitating contact tracing efforts.
  • Assembly Bill 1436: would deem any business a provider of health care subject to the requirements of the California Confidentiality of Medical Information Act (CMIA) if that business offers software or hardware to a consumer that is designed to make personal health information available to an individual or a provider.

On August 26, the Senate Appropriations Committee held another hearing for a number of bills including Assembly Bill 1436, Assembly Bill 814 and Assembly Bill 13, which was made a two-year bill. All three bills were held under submission, meaning the Committee intends to work on or discuss the bills further at a later date.

California AG Rob Bonta issued guidance on August 24 to health care facilities and providers, reminding them of their obligation to comply with state and federal health data privacy laws. In a bulletin sent to stakeholders, including the California Hospital Association, the AG reminded entities that they must notify the California Department of Justice (DOJ) when the health data of more than 500 California residents has been involved in a data breach.

On Wednesday, July 28, a number of advertising industry groups, including the Association of National Advertisers, and the California Chamber of Commerce sent a letter to California AG Rob Bonta regarding global privacy controls. The groups particularly express concern that the office's new FAQ response regarding user-enabled global privacy controls will cause confusion for consumers and businesses, rather than effectuating user choices, and the group has called on the office to reconsider the FAQ response, as well as its enforcement approach concerning user-enabled global privacy controls. Instead, the groups urge the AG to defer to the California Consumer Privacy Act (CCPA) on the issue.

Ohio

The week of August 23, Ohio AG Dave Yost discussed his views on privacy trends in the United States and preventing ransomware, among other things. He particularly discussed his views on including a private right of action in state privacy laws, outlining the need to be cautious about "taking steps that open businesses up to a feeding frenzy of private litigation." Yost further stated that the merit of providing a private right of action depends on the resources available to a state attorney general, outlining the need for each state to answer the question individually.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.