State Consumer Privacy Law Round-Up

As the likelihood of the federal government passing a timely, workable national consumer privacy law before the November election decreases, states from coast to coast have been busy. According to the National Conference of State Legislatures, over 150 new consumer privacy bills were introduced in 25 states and Puerto Rico in 2019.

The year also saw numerous federal privacy law proposals in the form of bills, discussion drafts, frameworks, and white papers. Early signs indicate that legislators have no intent of slowing down this year.

Here is our cheat sheet to the comprehensive consumer privacy bills introduced thus far in 2020.

Washington

Approach

It looked like a sure thing that Washington was going to pass the “Washington Privacy Act” (WPA) last year, so it is no surprise that the legislature is actively back at it. The proposed WPA (SB 6281) (and its companion House Bill 2742) is modeled after the GDPR, but contains a more expansive requirement to conduct data protection assessments and lacks a lawful basis for processing requirement.

The bill’s authors attempted to avoid one sticking point in last year’s bill by carving out the issue of law enforcement’s use of facial recognition and placing it in its own bill (SB 6280). The Washington legislature is also considering a number of other discrete privacy bills on topics such as biometrics, internet of things, artificial intelligence, and use of bots.

• Notable Distinctions: SB 6281 differs significantly from the CCPA in that it focuses more on an organization’s own use of data, requiring privacy protections across all personal information and not just that belonging to people who reach out to the company. It also provides opt-out rights for any use of personal information for targeted advertising, not only where the use involves a sale.
• Enforcement: The failure of SB 6281 to include a private right of action for violations is expected to cause debate.
• Proposed Effective Date: July 1, 2021.
• Legislative Action: Several public hearings were held in January. Due to the short legislative session, bills must clear their house of origin by February 19 to stand a chance of being enacted this year.

New Hampshire

Approach

HB 1680-FN, a copycat of the CCPA which would provide the same access, deletion, and opt-out of sale rights to consumers without placing significant restrictions on organization’s internal uses of data.

• Notable Distinctions: Because the bill was copied from the original version of the CCPA—prior to the 2019 amendments—it would cover data collected in employment and business-to-business contexts.
• Enforcement: Like the CCPA, the law would provide a private right of action to individuals whose data is subject to unauthorized access due to the failure of an organization to adopt reasonable security—but enforcement of other violations is left to the state attorney general.
• Proposed Effective Date: January 1, 2021.
• Legislative Action: A public hearing was held on Jan. 23, and the bill is currently in committee.

Virginia

Approach

The proposed “Virginia Privacy Act,” HB 473, would provide consumers the right of access, correction, and deletion, as well as the right to demand restriction of processing where the processing is not consistent with the purpose of collection or disclosed to the consumer at the time of collection.

The draft also allows consumers to opt-out of the use of their information for targeted advertising, regardless of whether a sale of data occurs. Further, it would require data protection assessments in all instances where an organization processes personal information. (The GDPR requires such assessments only in certain situations the law deems high risk; the CCPA does not require them at all).

• Notable Distinctions: The draft recognizes entities that collect and sell information about consumers with whom they do not have a direct relationship as “data brokers” and would require an organization to specifically disclose whether it sells personal information to data brokers.
• Enforcement: HB 473 would provide for a 30-day cure period for violations. After this time, violations that are not cured could be prosecuted under the Virginia Consumer Protection Act, which allows the private right of action to recover actual damages, or $500, whichever is greater.
• Proposed Effective Date: Not specified.
• Legislative Action: The Committee on Communications, Technology, and Innovation voted on January 27 to table the bill until 2021. Bills proposed in even years (VA has a 2-year legislature) that are designated to continue to the next year are often voted down during the process later in the year.

New York

Approach

The “New York Privacy Act” (A8526/S5642), which failed to emerge from committee before the legislative session ended last year, has been reintroduced. The draft bill was previously described by Wired as “even bolder” than the CCPA, and would prohibit personal data from being “used, processed or transferred to a third party” without opt-in consent.

NY state senators have expressed “impatience and frustration on Congress’ lack of haste in addressing the issue of data collection and privacy with New York state businesses” during the public hearing on the bill. Additional bills introduced this year, including the “It’s Your Data Act” (A7736), as well as Assembly Bill 6351/Senate Bill 4411, relating to the notification of acquisition and control of personal information, further demonstrate New York’s interest in passing a comprehensive privacy law.

• Notable Distinctions: The law would also create a “duty of care, loyalty, and confidentiality” with respect to “securing the personal data of a consumer against a privacy risk.”
• Enforcement: The bill would offer a private right of action to “anyone injured” through a violation of the law.
• Proposed Effective Date: 180 days after enactment.
• Legislative Action: The bill is currently in committee.

New Jersey

Approach

Draft bill A2188 would regulate owners/operators of websites and online services in their use of “personally identifiable information.” The bill, which is identical to one that stalled in the legislature in 2019, would offer consumers the right to opt out of sales of their information, require organizations to use a “Do Not Sell” link, and allow consumers to request access to copies of the information that an organization has sold to third parties.

• Notable Distinctions: Online services is defined as “a commercial information service provided over the Internet”—a definition that is vague and raises significant questions as to applications beyond the use of website cookies.
• Enforcement: The bill would make a violation simultaneously a violation of the state’s Consumer Fraud Act. That law allows consumers to sue for violations, but they must show an “ascertainable loss” to succeed.
• Proposed Effective Date: Immediately upon enactment.
• Legislative Action: The bill is currently in committee.

Florida

Approach

HB 963/AB1670 would permit a consumer to opt-out of the sale of covered information by request submitted to a “designated request address,” but does not contain other consumer rights such as access or deletion.

• Notable Distinctions: Covered information would include information maintained by the operator “in an accessible format” such as contact information, social security number, and “any other information concerning a consumer” that is collected and maintained in combination with an “identifier in a form that makes the information personally identifiable.” The bill also would prohibit the use of public records requested from state agencies for contacting, marketing, or soliciting the consumer without opt-in consent.
• Enforcement: An operator has the right to cure any failure to comply within 30 days of notice, but would be in violation for failure to do so timely, or for publishing a privacy notice containing material misrepresentations or omissions. The bill would not establish a private right of action and could only be enforced by the state Department of Legal Affairs.
• Proposed Effective Date: July 1, 2020.
• Legislative Action: The bill is currently in committee.

Nebraska

Approach

The Nebraska Consumer Data Privacy Act (LB 746) takes a “consumer rights” approach similar to the CCPA. The bill would create the right to access, delete, and opt-out from sale of a consumer’s information, without imposing restrictions on internal data use.

• Notable Distinctions: The revenue threshold for determining if an entity is a business covered by the law would be $10 million, instead of $25 million as established in the CCPA. “Consumer” is defined to exclude a person acting in a commercial or employment context.
• Enforcement: The attorney general would be able to bring a civil action for penalties of up to $7,500 for each violation. The bill does not provide for a private right of action.
• Proposed Effective Date: July 1, 2020.
• Legislative Action: The bill is currently in committee with a hearing set for February 4, 2020.

Illinois

Approach

The Illinois Data Transparency and Privacy Act, SB 2330, would implement CCPA-like consumer rights in Illinois, but adds a requirement to conduct Data Protection Assessments for all activities involving the processing of personal information. The legislature also revived last year’s HB 2736 “Right to Know Act” which is modeled on California’s Shine the Light Act, but requires all companies to have a “data protection safety plan.”

• Notable Distinctions: Opt-out rights extend to “disclosures to third parties and affiliates” and processing of personal information by “the business, third parties, and affiliates,” not just sale. No specific mention is made of targeted advertising, however.
• Enforcement: The bill would provide a private right of action to consumers whose data is subjected to unauthorized access, but it states explicitly that it does not create a private right of action under any other laws. The attorney general can enforce other violations under the Consumer Fraud and Deceptive Business Practices Act.
• Proposed Effective Date: July 1, 2021.
• Legislative Action: The bill has been referred for assignment to committee.

Arizona

For a twist, a bi-partisan group of legislators in Arizona has announced (by concurrent resolution HCR 2013, prefiled Jan. 10, 2020) that the members “oppose the enactment of laws, the adoption of regulations or the imposition of out-of-state standards that would restrict or otherwise dictate standards related to consumer data privacy, absent a clear nexus with consumer harm” and “believe a single federal standard for comprehensive consumer data privacy regulation is preferable to a state-by-state approach.”

Vermont

H.899 seeks to regulate the use of facial and voice recognition technology consumer data use by social media platforms. It would also impose requirements on all organizations that collect personal information to disclose the monetary value of consumer data they collect.

The short bill (4 pages) lacks definitions of relevant terms and contains few details as to the scope of its restrictions. It was introduced on Jan. 23, 2020 and is currently in committee.

Additional States To Watch from 2019

Bills in Minnesota (HF2917) and Massachusetts (S120) had activity that could be revisited this year. Maryland, Rhode Island, and Oregon had bills that stalled out. Connecticut, Texas, Hawaii, and North Dakota decided to study consumer privacy; however, Texas, and North Dakota do not have regular session in 2020.

Putting the Pieces Together

The map shows the comprehensive consumer privacy bills that have been passed in the United States or have been introduced in 2020.

This article was originally featured as a privacy and security advisory on DWT.com on February 04, 2020. Our editors have chosen to feature this article here for its coinciding subject matter.