National Academies Press: OpenBook

Legal Implications of Data Collection at Airports (2021)

Chapter: VIII. STATE STATUTORY PRIVACY PROTECTIONS AND TRENDS

Suggested Citation: "VIII. STATE STATUTORY PRIVACY PROTECTIONS AND TRENDS." National Academies of Sciences, Engineering, and Medicine. 2021. Legal Implications of Data Collection at Airports. Washington, DC: The National Academies Press. doi: 10.17226/26207.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

ACRP LRD 42   43

trine to conclude that the provisions in their state constitutions, though similar to the Fourth Amendment to the U.S. Constitution, offer more expansive protections.

Campbell, Jackson, Connolly, and Weaver demonstrate the real possibility that state courts can and will extend provisions creating privacy rights beyond those provided by the U.S. Constitution.356 These cases highlight the possibility that as technology develops, states may interpret their constitutions to provide enhanced privacy protection. Thus, understanding state law is essential to crafting sufficient privacy protections with respect to data collection. These enhanced standards will have to be accommodated in the collection and use of any unified data collection and analysis system. Analysis of state court decisions on state constitutional privacy protections is necessary to assess state requirements for data collection and technology implementation. This is especially true for governmental entities like airports whose collection of data is restricted by legal protections for individual privacy at both state and federal levels. For example, airports in Oregon will have to satisfy any federal privacy requirements, but also that state’s higher constitutional standards that govern the collection of surveillance data.357

VIII. STATE STATUTORY PRIVACY PROTECTIONS AND TRENDS

At the state level, there has been significant activity in addressing issues of data privacy. State measures have served to address both government and private use of data. The types of data addressed by state regulations are also expanding to include private consumer data. Looking at these state law developments offers both a mandatory compliance requirement for airports within certain states as well as serves as a potential guide for airports in states without regulation or that lack sufficient court guidance. While every state law cannot be examined, understanding the types of regulatory schema developed within various states will assist in determining trends and frameworks that may eventually govern airport activity.

A. Data Security Laws Regulating the Public Sector

While all states have measures in place governing personal data they collect and retain, in well over half of the states, those requirements are imposed by statute. In most states, these laws apply only to state government. In some states, however, the laws also apply to other public entities like public educational institutions and other local governmental entities. The National Conference of State Legislatures maintains a running reference guide to state data security laws.358

Many of these state data security laws are recent enactments that provide a comprehensive approach to security.359 Some provide specific measures to protect sensitive information from unauthorized access, use, modification, disclosure, or destruction.360 Many of these laws provide for the development of standards and guidelines, training for employees, and security audits.361

B. Data Security Laws Regulating the Private Sector

Roughly half of the states have passed legislation to ensure that private sector entities provide security for data they collect and retain. These enactments are in addition to measures required for government organizations that collect and retain data. The adoption of these measures has rapidly expanded in the past five years largely in response to concerns over identity theft and data breaches. The National Conference of State Legislatures maintains a running reference of states with data security laws applicable to private sector entities.362 The thrust of most of these laws is to require “‘reasonable procedures and practices’” regarding sensitive or personal information (PI) in the possession or control of private entities.363 The definition of what information is covered and the determination of what measures are required vary by statute.364

In 2010, the Commonwealth of Massachusetts became the first state to mandate specific security requirements for businesses that maintain electronic data on state residents with the Massachusetts Standards for the Protection of Residents of the Commonwealth.365 The Massachusetts law requires user identification, access control measures, encryption, system monitoring, firewalls, anti-malware, and employee training.366 However, the statute requires that these security measures be implemented only if “technically feasible.”367 This regulation has resulted in relatively weak enforcement of otherwise rigorous requirements.

In contrast, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act368 mandates detailed data security requirements. The SHIELD Act’s obligations apply to “[a]ny person or business which owns or licenses computerized data

356 It should be noted that U.S. Supreme Court’s 2012 decision in Jones, supra, footnote 88, extended protections to require a warrant before placement of a GPS tracking device on a suspect’s vehicle.
357 See State v. Campbell, 759 P.2d 1040 (Or. 1988).
358 Data Security Laws: State Government, Nat’l Conf. of State Legis. (Feb. 14, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws-state-government.aspx.
359 See, e.g., Conn. Gen. Stat. § 4e-70 (requiring a comprehensive data security program applicable to any state agency with a department head and any state agency disclosing confidential information to a contractor pursuant to a written agreement with such contractor for the provision of goods or services for the state).
360 See, e.g., Ala. Code § 8-38-8.
361 See, e.g., Ariz. Rev. Stat. § 18-105; Cal. Govt. Code § 11549.3 et seq.; Cal. Govt. Code § 8592.30-8592.45; Cal. Govt. Code § 8586.5.
362 Data Security Laws: Private Sector, Nat’l Conf. of State Legis. (May 29, 2019), https://www.ncsl.org/research/telecommunications-and-information-technology/data-security-laws.aspx#DataSecLaws.
363 See id.
364 See id.
365 Mass. Gen. Laws Ch. 93H § 2.
366 201 Mass. Code of Regs. 17.00-17.04.
367 201 Mass. Code of Regs. 17.04.
368 N.Y. CLS Gen. Bus. §§ 899aa-899bb.

44   ACRP LRD 42

which includes private information” of a New York resident.369 The SHIELD Act contains a comprehensive definition of PI.370 A business is in compliance with the SHIELD Act if it implements a data security plan that includes reasonable administrative, technical, and physical safeguards.371 Businesses that fail to comply with the SHIELD Act’s security requirements are liable for civil penalties of up to $5,000 per violation, and there are no penalty caps.372 There is a $250,000 penalty cap for failure to notify authorities when a breach occurs.373 Enforcement of the SHIELD Act is limited to the Office of the New York Attorney General; there is no limited private cause of action under the SHIELD Act.374

C. Data Disposal/Destruction Laws

Consistent with concerns over data security, there are a growing number of state laws concerning data disposal and destruction or otherwise deleting personal information from records. These laws frequently apply to both government and private organizations. In 2019, the National Conference of State Legislatures reported the existence of data disposal laws applying to public and private entities in 35 states and in Puerto Rico.375 These laws are in addition to data disposal requirements set out by the FTC Disposal Rules376 that apply to persons and entities that use consumer reports. The FTC Disposal Rules apply to the reports themselves and the information derived from them.377

These state data disposal laws vary as to whom they apply as well as what documents are covered.378 For instance, the Delaware data disposal law applies to businesses, but does not apply to government entities except in their capacities as employers.379 The Wisconsin statute only applies to financial institutions, medical business, or tax preparation entities.380 The Arizona statute only applies to paper records.381

One common aspect of state data disposal laws is specificity as to methods of disposal/destruction.382 This is a point that airports and airport stakeholders should specifically note.

D. Data Breach Laws

Also consistent with the growing concern over data security is the increase in state law provisions governing actions in the event of data breach. All fifty states now have laws that guide public and private entities in the event of data breaches involving personally identifiable information. These laws generally outline the parties that must comply, provide definitions of critical terms like personally identifiable information and breach, and establish requirements for notice (who, when, and how). The National Conference of State Legislatures maintains a reference index of state security breach notification laws.383

For example, Vermont has a robust regulatory scheme governing data breaches.384 It requires entities subject to a breach to provide notice of the breach to either the state Attorney General or the Department of Financial Regulation depending on the type of data accessed.385 It has specific requirements as to the type of notice and the timing of notice required for consumers.386 It has provisions for substitute notice and also for various exemptions from the notice requirement.387 Lastly, it contains an enforcement provision.388

Vermont amended its data breach notification law to expand the definition of what constitutes PII.389 The changes are effective on July 1, 2020, and provide that, when combined with a consumer’s first name or first initial and last name, PII now includes the following:

• Individual taxpayer identification number;
• Passport number;
• Military identification card number;
• Any identification number that originates from a government identification document commonly used to verify identity for a commercial transaction;
• Biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to identify or authenticate the consumer;
• Genetic information; and
• Health records or a health insurance policy number.390

Vermont may be a good example for an airport or airport stakeholder to review in developing a data breach notification policy due to its complex and evolving data privacy regulatory regime.

369 N.Y. CLS Gen. Bus. § 899bb(1)(b).
370 N.Y. CLS Gen. Bus. § 899bb(1).
371 N.Y. CLS Gen. Bus. § 899bb(2).
372 N.Y. CLS Gen. Bus. § 899bb(2)(d).
373 Id.
374 N.Y. CLS Gen. Bus. § 899bb(2)(e).
375 Data Disposal Laws, Nat’l Conf. of State Legis. (Jan. 4, 2019), https://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx.
376 Disposing of Consumer Report Information? Rule Tells How, FTC (June 2005), https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how.
377 Id.
378 Id.
379 Id.
380 Id.
381 Id.
382 Id.
383 Security Breach Notification Laws, Nat’l Conf. of State Legis. (July 17, 2020), https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
384 9 V.S.A. § 2435.
385 Id. § 2435(b)(3).
386 Id. § 2435(b)(4).
387 Id. § 2435(b)(5).
388 Id. § 2435(g).
389 Id.
390 Id. § 2430.

ACRP LRD 42   45

E. Consumer Protection

A variety of state statutes are directed at consumer protection. These range from general unfair and deceptive acts and practices (UDAP) laws to more targeted consumer data privacy laws.

1. Unfair and Deceptive Acts and Practices Laws

All 50 states have UDAP statutes. The National Consumer Law Center (NCLC) conducted a 50-state evaluation of UDAP statutes.391 Among the key findings in the Executive Summary section of the NCLC report is a comment on the variance in laws from state to state.392 For example, the NCLC found that Hawaii’s UDAP statute contained “strong prohibitions and strong provisions for enforcement by both the state and by consumers and no carve-outs for major industries.”393 The NCLC was most critical of UDAP statutes in Michigan and Rhode Island as court decisions have interpreted the statutes as being applicable to almost no consumer transactions.394 Overall, the NCLC report is a useful resource as to the range of specific protections and distinct limitations of UDAP statutes in all states.

2. Consumer Data Privacy

The existence of comprehensive state laws addressing consumer data privacy is a relatively new phenomenon, with California at the forefront. Two statutes in particular are important to understand. In 2004, California enacted the California Online Privacy Protection Act of 2003 (CalOPPA).395 This statute addresses privacy in connection with internet use. The California Consumer Privacy Act of 2018 (CCPA)396 is perhaps the most comprehensive statute in the United States addressing consumer data protection. While the implications of this statute are still unfolding, it has already significantly affected the legal landscape. A number of states are looking to enact similar legislation to address consumer data privacy, but no other state has yet done so. Moreover, many large companies that operate in California in addition to other states are changing their operating procedures nationwide to conform to the rules of the CCPA. Statutes in Maine and Nevada have also sought to deal with this subject, although in a less comprehensive manner.397 Examining the CalOPPA, the CCPA, and some of the other developing statutes on consumer privacy protection, will help define some of the measures that airports should consider as potential future regulatory regimes governing data programs.

a. The California Online Privacy Protection Act (CalOPPA)

The CalOPPA applies to “[a]n operator of a commercial web site or online service that collects PII through the Internet about individual consumers residing in California who use or visit its commercial web site or online service . . . .”398 The CalOPPA defines PII as “individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.”399 The CalOPPA does not apply to Internet Service Providers or to other services that process PII on behalf of a third party.400 The CalOPPA does apply to mobile app providers.401 What is critical to note is that the CalOPPA not only applies to California-based businesses, but to any business that affects California consumers.402 While government-operated airports are not themselves subject to the CalOPPA, airlines and other airport tenants that operate commercial websites or online services are.

The CalOPPA requires that covered websites or online services display a privacy policy that discloses basic information about the website or online service’s privacy practices.403 The privacy policy must disclose (1) the categories of personal information collected; (2) the categories of third-parties that might receive the information; (3) whether the website or online service has a process that allows consumers to review and request changes to the information held on them, and if so, there must be a description of that process; (4) a description of the process used to inform consumers of any changes to the privacy policy; and (5) the date from which the privacy policy takes effect.404 The privacy policy must be “conspicuously posted.”405

The CalOPPA was amended in 2014 to require privacy policies to include technical information as to whether the website honors “Do Not Track” (DNT) signals.406 The CalOPPA does not have a requirement on how to treat DNT signals, but only to disclose whether the website honors such signals.407

The CalOPPA does not contain a private cause of action as a remedy. The law is enforced solely by the California Attorney General. In May, 2014, the California Attorney General published

391 Consumer Protection in the States: A 50 State Evaluation of Unfair and Deceptive Practices Laws, Nat’l Consumer Law Ctr. (Mar. 2018), https://www.nclc.org/images/pdf/udap/udap-report.pdf.
392 Id. at 1-4.
393 Id. at 2.
394 Id. at 1.
395 Cal. Bus. & Prof. Code § 22575 et seq.
396 Cal. Civ. Code § 1798.100.
397 Me. Rev. Stat. Ch. 94; Nev. Rev. Stat. Ch. 603(a).
398 Cal. Bus. & Prof. Code § 22575(a).
399 Id. § 22577(a).
400 Id. § 22577(c).
401 Attorney General Kamala D. Harris Secures Global Agreement to Strengthen Privacy Protections for Users of Mobile Applications, Cal. Dep’t of Justice (Feb. 22, 2012). https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy.
402 Cal. Bus. & Prof. Code § 22576.
403 Id. § 22575(a).
404 Id. § 22575(b).
405 Id. § 22575(a).
406 Id. § 22575(b)(5)-(6). DNT is a browser setting which requests that a website not apply tracking technology to the visitor.
407 Id.

46   ACRP LRD 42

recommendations on developing a privacy policy.408 The Executive Summary includes highlights of recommendations including readability, online tracking/do not track, data use and sharing, individual choice and access, and accountability. The penalty for noncompliance with CalOPPA is a maximum of $2,500 per violation.409

b. California Consumer Privacy Act (CCPA)

The CCPA went into effect on January 1, 2020, and required the Office of the California State Attorney General to adopt regulations on or before July 1, 2020.410 On August 14, 2020, the final text of the CCPA regulations was approved by the Office of Administrative Law (AOL).411 Enforcement by the Office of the California State Attorney General began on July 1, 2020.412

The activity covered under the CCPA includes “[i]nternet or other electronic network activity information, including, but not limited to, browsing history search history, and information regarding a consumer’s interaction with an internet web site, applications, or advertisement.”413

The CCPA has codified California consumers’ rights to: (1) opt-out of the sale of their PI to third parties; (2) request to know what PI businesses have collected about them and how businesses have sold or disclosed that PI to third parties; (3) request that businesses delete PI that has been collected about them; and (4) not be discriminated against on the basis that they have exercised their rights under the CCPA. The CCPA also requires an affirmative opt-in to any sale of children’s personal data.414

In contrast to the CalOPPA, the CCPA defines “personal information” much more expansively than PII as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”415 This definition is similar to the GDPR and may even be broader by including “household.”416 The CCPA specifically refers to IP Addresses and location data as PI.417

Entities must be CCPA compliant if they (1) do business in California; (2) collect California residents’ PI; and (3) meet one of the following thresholds: have annual gross revenue of over $25 million; buy, receive, sell or share PI of 50,000 or more consumers, households, or devices for commercial purposes each year; or derive 50% or more of annual revenue from selling consumer PI.418 The CCPA has specific requirements for privacy policies and notices.419 Businesses that are covered by CCPA must update this information annually.420

The CCPA contains two exemptions. First, it exempts from its provisions certain information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor, as specified.421 Second, the CCPA also exempts from specified provisions personal information reflecting a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communication or transaction with the business occurs solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that entity.422 On September 1, 2020, the CCPA was amended to extend these exemptions until January 1, 2022.423

Enforcement of the CCPA is also largely left to the Office of the California Attorney General, which can issue penalties of up to $2,500 per violation under Section 17206 of the Business and Professions Code.424 The CCPA also provides that businesses may also be fined up to $7,500 for each violation.425 Lastly, a consumer may bring private claims under the CCPA where a business allows “unauthorized access and exfiltration, theft, or disclosure” of a consumer’s data due to a failure to maintain “reasonable security procedures.”426 Under such circumstances, each consumer can recover between $100 and $750 per incident or actual damages–whichever is greater.427

The final regulations under the CCPA provide guidance on a number of statutory requirements including definitions (Article 1), notice requirements (Article 2), businesses’ obligations in handling consumer rights requests (Article 3), verification of

408 See Kamala D. Harris, Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy, Cal. Dep’t of Justice (May 2014), https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf.
409 Cal. Bus. & Prof. Code § 17206.
410 Cal. Civ. Code §§ 1798.100-199.
411 See Final Text of Proposed Regulations, Cal. Office of A.G., https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf.
412 Attorney General Becerra Issues Statement on Day One of CCPA Enforcement: Know Your Responsibilities, Cal. Dep’t of Justice (July 1, 2020).
413 Cal. Civ. Code § 1798.140(o)(1)(F).
414 Cal. Civ. Code § 1798.120 (c)-(d).
415 Cal. Civ. Code § 1798.140(o) (emphasis added).
416 Article 4(1) of the GDPR defines personal data as any information related to an identified or identifiable natural person. Gen. Data Protection Reg., 2016/679, art 4(1) (EU).
417 Cal. Civ. Code § 1798.140(o).
418 Cal. Civ. Code § 1798.140(c).
419 Cal. Civ. Code § 1798.100 (b)-(d).
420 Cal. Civ. Code § 1798.130(a)(5).
421 Cal. Civ. Code § 1798.145(h)(1).
422 Cal. Civ. Code § 1798.145(n)(1).
423 AB-1281, An Act to Amend Section 1798.145 of the Civil Code, relating to privacy. See Cal. Civ. Code § 1798.145(h)(4) and (n)(4). N.B.: Sec. 2 of AB-1281 provides “This act shall become operative only if the voters do not approve any ballot proposition that amends Section 1798.145 of the Civil Code at the November 3, 2020, statewide general election.” This ballot proposition is discussed infra under State Legislative Initiatives and Trends.
424 Cal. Civ. Code § 1798.155(a).
425 Cal. Civ. Code § 1798.155(b).
426 Cal. Civ. Code § 1798.150(a)(1).
427 Id.

ACRP LRD 42   47

consumers making requests (Article 4), rules regarding minors (Article 5), and use cases for the nondiscrimination mandate (Article 6).428

c. Notice Requirements

The final regulations provide guidance on three areas of notices businesses must provide under the CCPA:429

1. for businesses that collect personal information directly from customers, a notice to consumers about the collection of PI at or before the point of collection;
2. for businesses that sell PI, a notice of the right to opt out and a notice of sale details; and
3. for businesses that offer financial incentives430 or a price or service difference, a notice of financial incentive.

As a separate matter from the notice requirements, the final regulations instruct that “[t]he purpose of the privacy policy is to provide consumers with a comprehensive description of a business’s online and offline practices regarding the collection, use, disclosure, and sale of personal information and of the rights of consumers regarding their personal information.”431

d. Consumer Rights Requests

The identity verification requirements in the regulations focus on proving that requesters are who they claim to be rather than on proving that each requester is a California resident.432 It is not clear what a business can do to verify residency beyond an attestation.

The regulations require that accessibility for persons with disabilities follow generally recommended industry standards, and for website accessibility, they specifically adopt the Web Content Accessibility Guidelines (WCAG), version 2.1 of June 5, 2018, authored by the World Wide Web Consortium.433 The WCAG outlines how to make websites accessible for people with visual, auditory, physical, speech, cognitive, language, learning and neurological disabilities.434

e. Nondiscrimination and Loyalty Programs

The regulations instruct that a financial incentive or a price or service difference is discriminatory only if the consumer is treated differently by the business because the consumer exercised a right under the CCPA or the regulations.435 The regulations provide four examples to illustrate discrimination.436 The regulations also provide eight different methods of calculating the value of a consumer’s PI to the business.437

f. Minors

The regulations require that a business’s privacy policy must contain an affirmative statement on whether the business has actual knowledge that it sells the PI of minors under 16.438 Parental verification requirements are triggered only by a business’s actual knowledge of selling minors’ PI, not by the collection or maintenance.439 The regulations provide parental consent verification standards for children under 13.440 For sales of PI from minors between the ages of 13 and 16, there is a requirement of an affirmative opt-in using a two-step process.441

F. State Legislative Initiatives and Trends

1. California Privacy Rights Act of 2020 (CPRA) Ballot Initiative

On June 24, 2020, the California Secretary of State certified the CPRA to appear on the November, 2020 ballot after it gained the requisite number of signatures.442 The ballot initiative was adopted in the November 3, 2020 general election. The new law, with the exception of the right of data access, will go into effect on January 1, 2023, and apply only to data collected after January 1, 2022.443 Enforcement would begin on July 1, 2023.444 While the regulations and implementing guidance for the CPRA are not yet established, the following observations are drawn from an evaluation of the ballot initiative.

Like the CCPA, the proposed CPRA would not apply to government entities, but would cover airlines and other airport tenants who operate commercial websites or otherwise provide online services and who meet the statutory threshold tests.445 The proposed CPRA significantly expands the CCPA and closely parallels the EU’s GDPR.446 Also, because the CPRA would be enacted by voters, rather than the California legislature, the legislature would be constrained in passing amendments that lower the level of consumer privacy protection contained in the

428 Cal. Code Regs. tit. 11, ch. 20 (California Consumer Privacy Act Regulations).
429 Id. § 999.304.
430 Id. § 999.301(j) (“Financial Incentive” means a program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information).
431 Id. § 999.308.
432 Id. § 999.323.
433 Id. § 999.308.
434 Web Content Accessibility Guidelines (WCAG), Web Accessibility Initiative, https://www.w3.org/WAI/standards-guidelines/wcag/.
435 Cal. Code of Regs. tit. 11, § 999.336.
436 Id.
437 Id. § 999.337.
438 Id. § 999.308.
439 Id. § 999.332.
440 Id. § 999.330.
441 Id. § 999.331.
442 New Measure Eligible for California’s November 2020 Ballot, Cal. Sec’y of State (June 24, 2020), http://www.sos.ca.gov/administration/news-releases-and-advisories/2020-news-releases-and-advisories/ap20058-new-measure-eligible-californias-november-2020-ballot/.
443 Cal. Privacy Rights Act of 2020, Version 3, No. 19-0021, Cal. Office of A.G. (received Nov. 13, 2019), § 31, https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf.
444 Id.
445 Id. § 14.
446 Gen. Data Protection Reg., 2016/679, art 4 (EU).

CPRA.447 Among the differences between the CCPA and the proposed CPRA are the following:

• The CPRA would raise one of the threshold tests of applicability from processing personal information of 50,000 or more California consumers or households to processing personal information of 100,000 or more California consumers or households.448
• The CPRA would create a new right for data subjects to correct inaccurate personal data held by a business.449
• The CPRA would establish a new category of “sensitive personal information,” which would include government identification, such as social security numbers and driver’s license numbers; precise geolocation; and racial, ethnic, genetic, and biometric data. Significantly, the contents of a consumer’s mail, email, and text messages would also be in this category unless the business is the intended recipient. Consumers would be allowed to limit the use of sensitive personal information to what is necessary to provide the goods or services requested and other compatible purposes. A business would be required to display clearly and conspicuously a “Limit the Use of My Sensitive Information” link on its website unless it allows consumers to exercise this option using a preference signal from a browser.450
• The CPRA would expand CCPA’s right to know obligations to include “sharing” and disclosure of personal information by a covered business and also expands the opt-out for sale of such personal information. A business would be required to clearly and conspicuously display a “Do Not Sell or Share My Personal Information” link on its website unless it allows consumers to opt out from both selling and sharing by using a preference signal from a browser.451
• The CPRA would extend a consumer’s right to know beyond the twelve-month lookback provided under CCPA.452
• The CPRA would increase administrative fines to up to $7,500 for an intentional violation or one where the violator has actual knowledge that the personal information involved someone under the age of 16.453
• The CPRA would grant a private cause of action for data breaches caused by a company’s failure to use reasonable security measures for additional types of personal information, specifically an email address and either a password or a security question-and-answer that would permit access to the account.454
• The CPRA would create new requirements for data retention that must be disclosed in a company’s privacy notice.455
• The CPRA would expand a consumer’s right to know and access specific pieces of personal information and includes a portability-type requirement similar to the GDPR.456
• The CPRA would create a new category of “contractor” along with the CCPA’s “service provider” category. There would be mandatory written contract and auditing requirements for both contractors and service providers.457
• Perhaps most significantly, the CPRA provides for a new agency to be established, the California Privacy Protection Agency (CPPA), which will assume the authority currently held by the California Attorney General to issue regulations, bring enforcement actions, and determine administrative fees. The CPRA provides that the CPPA would issue regulations requiring companies determined to be involved with high-risk data processing to have annual audits and providing for consumer access and opt-out rights with respect to automated profiling and decision-making, similar to GDPR requirements.458

The focus of attention on the CPPA and the subsequent CPRA ballot initiative is reflective of the influence that California has had on the development of privacy law in the U.S. The documented “California Effect,”459 owing to the size of the state’s economy and the predominance of technology companies located in the state, has influenced both large corporate entities in shaping their data protections and privacy policies as well as the protections offered in other states. Thus, the influence of prior statutes like CalOPPA and now the CCPA and anticipated influence of CPRA, are factors airports and airport stakeholders should consider in trying to discern legal trends.

G. Other State Legislative Bills

Nine other states have introduced draft bills that would impose varying requirements on business in the consumer data privacy area.460 Hawaii, Maryland, Massachusetts, Mississippi,

447 Cal. Const. art. II, § 10(c).
448 Cal. Privacy Rights Act of 2020, Version 3, No. 19-0021, Cal. Office of A.G. (received Nov. 13, 2019), § 14, https://oag.ca.gov/system/files/initiatives/pdfs/19-0021A1%20%28Consumer%20Privacy%20-%20Version%203%29_1.pdf.
449 Id. § 6.
450 Id. § 13.
451 Id.
452 Id.
453 Id. § 17.
454 Id. § 16.
455 Id. §§ 3-4.
456 Id. § 7.
457 Id. § 13.
458 Id. § 24.
459 See, e.g., Anupam Chander, Margot E. Kaminski, & William McGeveran, Catalyzing Privacy Law, Georgetown L. Fac. Publ’ns & Other Works 2190, at 27 (2019), available at https://scholarship.law.georgetown.edu/facpub/2190.
460 S.B. 418, 2019 Leg., 30th Sess. (Haw. 2019); S.B. 613, 2019 Reg. Sess. (Md. 2019); S.D. 341, 191st Leg., Reg. Sess. (Mass. 2019); H.B. 1253, 2019 Leg., Reg. Sess. (Miss. 2019); S.B. 176, 54th Leg., 1st Sess. (N.M. 2019); S. 224, 2019-2020 Gen. Assemb., Reg. Sess. (N.Y. 2019); H.B. 1485 2019 Leg., 66th Sess. (N.D. 2019) (enacted); S. 0234, 2019 Gen. Assemb., Reg. Sess. (R.I. 2019); S.B. 6281, 66th Leg., 2020 Reg. Sess. (Wash. 2020).

As technology evolves, airports and their partners collect more data from passengers, employees, tenants, concessionaires, airlines, and others. This data is used in many ways, including for facility management, security, ground transportation, marketing, understanding passenger preferences, and enhancing the travel experience.

The TRB Airport Cooperative Research Program's ACRP Legal Research Digest 42: Legal Implications of Data Collection at Airports provides a survey of applicable law; considerations for the collection and safekeeping of data; and a review of the issues that arise related to data collection among airports, their tenants, and other users. It also offers an understanding of the expansion in law around data collection and use.
