- Similar to California’s Proposition 12, Massachusetts’ Prevention of Farm Animal Cruelty Act (also known as “Question 3”) imposes animal welfare standards for hens, sows, and veal calves raised in Massachusetts and makes it unlawful for businesses to sell eggs, veal, or pork that they know to be in violation of these standards (even if the animals were raised out of state).
- A July 22nd order from the U.S. District Court of Massachusetts dismissed a challenge to the law brought by various pork producers, holding that the law was not preempted by the Federal Meat Inspection Act (FMIA) because it does not regulate how slaughterhouses operate. This decision has been appealed to the First Circuit Court of Appeals.
- Last month the pork producers’ appeal was joined by Iowa (the top pork-producing state) as well as 21 other states. The states’ brief argues that the law will increase costs for pork producers (and prices for consumers) and that such state laws, if upheld, could create a regulatory maze of differing state requirements. We note that such arguments were not foreclosed by the Supreme Court’s 2023 Proposition 12 decision (National Pork Producers Council v. Ross) which held that such laws violate the dormant commerce clause if the “burden imposed on interstate commerce” is “clearly excessive in relation to the putative local benefits.” Nevertheless, it’s not clear how such a fact-based argument can be evaluated on appeal. The states’ brief also latches onto Justice Kavanaugh’s concurring opinion in National Pork Producers Council v. Ross and states that Question 3 “may also implicate other constitutional provisions like the Import-Export Clause and the Full Faith and Credit Clause.”
Tag: IOWA
Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025
Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.
Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.
Over the next year, the following laws will become effective:
- Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
- Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
- Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
- Nebraska Data Privacy Act (effective Jan. 1, 2025)
- New Hampshire Privacy Act (effective Jan. 1, 2025)
- New Jersey Data Privacy Act (effective Jan. 15, 2025)
- Tennessee Information Protection Act (effective July 1, 2025)
- Minnesota Consumer Data Privacy Act (effective July 31, 2025)
- Maryland Online Data Privacy Act (effective Oct. 1, 2025)
These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here. All nine laws listed above contain the following familiar requirements:
(1) disclosing data handling practices to consumers,
(2) including certain contractual terms in data processing agreements,
(3) performing risk assessments (with the exception of Iowa); and
(4) affording resident consumers with certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing sensitive information.
The laws contain more than a few noteworthy differences. Each of the laws differs in terms of the scope of their application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000 consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that that do not qualify as small business and process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes as sale of personal data to only transactions involving monetary consideration. All states require that the company conduct business in the state.
With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.
With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GBLA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.
Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:
- A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
- A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
- Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
- A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.
While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches. Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.
We Put the “Ow!” in Iowa
I woke up this morning to a text from a close friend wondering how long it would take me to write about the fact that as of this writing, we still do not have results from the Iowa caucuses last night due to problems with its untried voting app. I guess I’m firmly established on the “get off my lawn” beat.
The little-known corollary to the time-honored maxim “if it ain’t broke, don’t fix it” is “if it’s broke, don’t replace it with something worse.” The list of potential problems with using mobile technology for something as important as voting is long. Rule One might be “don’t hire a company named ‘Shadow, Inc.’ to build your app.” A fellow Hoya, Matt Blaze, a professor of computer science and law at Georgetown, said that “any type of app or program that relies on using a cellphone network to deliver results is vulnerable to problems both on the app and on the phones being used to run it . . . and that “[t]he consensus . . . is unequivocal . . .[i]nternet and mobile voting should not be used at this time in civil elections.”
Any remote access application will add complexity to a task due to the need for identification, authentication, authorization, and security, of both the device and the person using it, as opposed to a simpler system based on paper or a single machine for each location where any caucus participant could authenticate herself in person. Multiple technology platforms simply increase complexity and likelihood of error. And, as I learned in the mobile payment world, if you are relying on good cell service or wifi availability for your app to do its work, you’re gonna have some unhappy end-users.
Add to these inherent problems that the app was reportedly only put together over the last two months and was inadequately tested. (Apparently, it was the back-up plan; the original plan was to use the phone to call in votes. “Hi, do you have Pete Buttigieg in a can?”)
Just because you can doesn’t mean you should. I have been bringing a yellow legal pad and ballpoint (or “ink pen” down here) to meetings for years. Clients and colleagues regularly smile indulgently, as if I had just set a butter churn down on the table. My stock response might be appropriate for the beleaguered folks in Iowa and I offer it here for free: Paper rarely goes down, never needs to be recharged, doesn’t need an adapter and, best of all: I know how it works.
Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.
Read this article on the Hey Data Data blog.
For more on election regulations, see the National Law Review Election Law & Legislative News section.