Significant state law developments in Maine, New York, and Massachusetts
By Evan Enzer
Northeastern states are making major changes to their privacy laws. Maine enacted a narrow bill, New York significantly amended one of its pending comprehensive privacy proposals, and the Massachusetts House shelved its flagship privacy bill.
Maine’s governor recently signed the Maine Data Collection Protection Act (MDCPA). Perhaps unexpectedly, the MDCPA is a relevantly narrow law compared to many other state proposals.
The heart of the act prohibits “data collectors” from aggregating, selling, or using some documents to determine “a consumer’s eligibility for consumer credit, employment or residential housing.” In short, the MDCPA only allows data collectors to consider records that are part of a “court case or government action or investigation” when they indicate wrongdoing or liability on the consumer’s part. For example, a data collector may not consider documents resolved in the consumer’s favor, documents that do not allege wrongdoing on the consumer’s part, or documents resolved by the consumer’s agreement, as opposed to an adverse judgment. Data collectors also may not use an eviction judgment against a consumer if the court issued the ruling during the COVID pandemic.
Additionally, the MDCPA requires “data collectors” to obtain a license before operating a business in the state. The statute defines data collectors as (1) “A person that collects or attempts to collect data, directly or indirectly, from publicly maintained records and sells that data to 3rd parties for any purpose,” (2) any person that obtains data from such a person, and (3) any person that uses public records to “determine an individual’s eligibility for consumer credit, employment or residential housing.”
Consumers can enforce the act through individual lawsuits as well as class actions. In such a suit, the data collector is liable for actual and punitive damages as the court sees fit. However, the data collector can avoid liability if it shows that the violation was not intentional and resulted from a bona fide error” that occurred despite taking reasonable precautions. Similarly, the court may award attorney’s fees and other costs to the defendant if it finds the plaintiff brought the suit in bad faith.
B. New York
Down the East Coast, New York’s Senate made significant amendments to its marquee privacy proposal, the New York Privacy Act. The changes make the bill significantly more business friendly.
Where the previous bill required covered entities to obtain consumer’s opt-in consent, the new proposal uses an opt-out requirement in most cases. Now, covered entities only need to collect opt-in consent in the case of “sensitive data,” such as geolocation, biometric identifiers, and some demographic information.
The amendments may be bittersweet for consumer privacy advocates. While they watered down the proposal’s opt-in framework, they may also represent a compromise, suggesting a renewed push to enact comprehensive privacy law in the state.
After an amendment process that significantly rewrote the original bill, the Massachusetts Information Privacy and Security Act (MIPSA), the state’s high-profile comprehensive privacy proposal, is unlikely to pass this session. Reports show that the Joint Committee on Health Care Financing sent the House bill to “study,” a designation that effectively shelves the bill. The Senate version remains under consideration, so it is still technically possible that MIPSA could advance this session.
While there are clearly still disagreements about how to best approach privacy statutes on the East Coast, the Northeastern states continue to develop their laws at a quick pace.