I really wish some of these lawmakers would observe some of these teams using these platforms and understand the way some of the companies are collecting the data because I think even 13 to 15 or 15 to 17, those teams are not well versed and they're all just going to hit okay because they want to move forward. And as a parent, that's just super scary. I'm hoping and crossing my toes and my fingers here that we might get some more sensible to really protect our kids' data. But I can't solve that here today.

There's passion area. Why don't you put that out there in the universe? And you did. And I did. I feel

better. Just remember, what do you think the average age of a lawmaker is? That's not the point. They should go and talk to their game kids. That's what it is actually happening. The US senators I've always said is basically now a retirement home. Yes. Well, all right, we're going to bring it back.

Okay. So

here. So if I'm a company and I'm wondering, will there be other laws like the Washington My Health My Data Act because it's so broad,

what would you

tell them? Sure. Well, yeah, first off, I would tell those companies that there are already other health laws like the Washington My Health My Data Act. Last year, Nevada asked Senate bill 370, which is of a very similar scale to the Washington state, My Health My Data Act. It doesn't have a private right of action, like the Washington law does. So I hope that would not be a reason that those companies aren't paying attention to it. The Nevada law also is more limited. It covers data that businesses actually use to reveal health information, whereas the broader My Health My Data Act standard is for information that actually identifies health status. And during the hearings in Washington state, business groups would come in and they argued that that Washington standard for information that identifies health status could encompass things like purchasing ginger at a grocery store that could have medicinal properties. It could encompass following a fitness influence on Instagram. Thanks for that nature. I also note that again, Connecticut added additional protections for consumer health data. Last year in its comprehensive privacy law, which does include nonprofits as well as small businesses. So that was a very big change in Connecticut. And then New York state also passed a law that limits geo-fencing at health care facilities, which is obviously also a component of the Washington state and Nevada health privacy laws. In terms of copycats of the My Health My Data Act framework, so far this year we have seen bills introduced in Hawaii, Vermont, Illinois, Ohio, and Mississippi. The only one to advance through a hearing so far is the bill in Hawaii. So it doesn't seem like any states currently close to another Washington state, My Health My Data Act, copycat law at least. However, I would say that the biggest lurking bill out there that businesses should be aware of is a major proposal in New York, which is Senate Bill 158D, which has actually already passed the state Senate. It is of a similar scale as the My Health My Data Act, but has different definitions and would do some very different things. One is require a one day delay between signing up for a service that uses consumer health data, and then actually obtaining a verifiable consent in order to process that health data. So something to follow closely in New York state there. This bill actually did pass the Senate last year as well and didn't find traction in the assembly in New York, but it's a new year and we will see what happens.

Is the definition of consumer health data in that New York bill as broad as it is in Washington's?

I've seen people argue that it could be even broader. I do not recall the specific language now, but hopefully the future privacy form may have some resources to make publicly available on that New York bill soon, especially if it continues to advance.

Well, that just makes our jobs all kinds of fun now, doesn't it?

So here,

obviously, all these laws

are passed and

companies comply with them because there are potential consequences. And I want to ask a question I've asked on prior episodes, and it's this as it relates to enforcement. One of the mechanisms under privacy laws for enforcement is the private right of action. But the more I see it work out

in the wild, it

seems to really only benefit the trial lawyers who bring those actions. Does it really benefit the people it's intended to protect? Or is there a better scheme of enforcement that may be out there like paying large fines that help further fund the enforcement agency? I'd love to get your perspective on that.

Sure. So it's a really important question, obviously, the decision to include a private right of action or not in the enforcement mechanism for any one of these privacy laws is often one of the most hotly debated questions. And it is ultimately a political question. It's not the place for someone sitting at a think tank like me to decide. Obviously, you have the Illinois Biometric Information Protection of Privacy Act should remember that. Whoops. That dates back to 2008 includes a private right of action. And many, many people point to that as kind of the like the key example of why we should or should not include a private right of action in any state privacy law of these comprehensive bills that I've discussed for the most part enforcement has been left to state attorneys general offices. You do have California, which has a very narrow private right of action only for data breaches though, not for violations of the privacy obligations, the pure consumer privacy obligations under the statute. And then we have the Washington My Health, my data act framework, which I mentioned that does include a private right of action, but it is tied to the state's Consumer Protection Act, which does require a showing, I believe of injury to business or property. And there was some precedent in Washington state, I think most people point to the hangman case, which I think is generally favorable to defendants in litigation involving the Washington Consumer Protection Act. So that's generally the landscape now, but overarching for the most part, most of these laws that we're talking about have decided not to include a private right of action with the exception of Washington state, which I believe takes effect end of March beginning of April of this year. And we will certainly be following very, very closely to see how that private right of action is used in Washington state and how it plays out in

practice. Speaking of enforcement, we had our second CCPA enforcement action get delivered yesterday. So for those listening, that was kind of mid February. And we have other enforcement arms who have been sharing what they're looking for. And I was, you know, those from Connecticut, California, I was wondering if you can share what you're hearing from regulators and what companies should really be mindful of this year. Obviously, we would encourage all the different components of the laws. But at the same time, when we hear regulators say, this is what's really important, it would be great to be able to highlight those for companies.

Sure. So as you mentioned, yesterday, the California Attorney General's Office just finalized its second ever settlement involving enforcement of the California Consumer Privacy Act. That was with a bill or dash, where they reached a $375,000 penalty, largely involving allegations of data sales without proper consumer opt-outs or disclosure mechanisms stemming from the organization's participation in a marketing co-op. The other CCPA final enforcement action was back in 2022, I believe, which was a $1.2 million settlement with the French retailer Sephora, which also involved that company's advertising practices. So I think we can draw the lesson from this, that online advertising practices are and will continue to be a major topic for unforces. I will back up just a little bit and say that I think there is kind of something of an unfortunate tendency for some groups to say, okay, we've got a privacy law in the books now. If we don't see multimillion dollar fines in the front page of the papers the next day, but then it's a failure. I don't necessarily agree with that. I think both businesses and regulators are going to continue to build out their compliance practices and gain experience with enforcement over time. So the ultimate impact of this new era of state privacy laws that we do have on the books right now is going to continue to evolve. We have five comprehensive state privacy laws that are mostly in effect with another eight on the way, and Utah, Virginia, Colorado, and Connecticut all still have a so-called right to cure alleged violations. And the experience in California and the, I believe Attorney General's office said this was that, about 70 percent of potential violations, they had to notify the business and that business had, I think, 30 days to bring their operations into compliance and then the matter could drop. And I think it is likely that in many of the state laws at this time, letters of inquiry will be sent, particularly in Connecticut and Colorado, which, as you mentioned, have been extremely active, but much of the enforcement activity happening this year is going to be out of the public eye. And now that is different in California where the right to cure has already expired and the CCPA just won a favorable court judgment that said it can begin immediate enforcement of its implementing regulations without being subject to a one-year delay. That decision has been appealed, so we'll see what continues to happen there. But what is also really interesting to me in California is that we have seen both the Attorney General's office and the California Privacy Protection Agency, the privacy specific regulator, pick up enforcement sweeps, in sectors outside of traditional tech companies or just online advertising. You have seen, I believe, the Attorney General initiate an enforcement inquiry involving a treatment of employee data as well as smart TVs and streaming devices. And you've seen the CPPA initiate an enforcement sweep involving connected vehicles. So I'm very interested to see outside just like online advertising and data sales, are we going to see additional enforcement in sectors outside those that are typically thought as the primary subject for commercial privacy laws?