Summer days bring with them BBQs, trips to the beach, ice cream cones, and in many states, the end of the state legislative sessions. This past winter, the possibility that 2019 would end with a patchwork of consumer privacy reforms across the country seemed strong, but with only a few weeks remaining for laws to pass, those prospects are dimming. Similarly, despite consistent buzz and multiple hearings over the past year, the Financial Times has reported that Congress’s progress on federal privacy legislation has stalled in recent months, with Bloomberg reporting a potential fracture in the group of six senators who formed a working group on this issue.


State legislators in Illinois, who charted new territory over 10 years ago when they passed the Biometric Information Privacy Act (BIPA), introduced multiple privacy bills during the latest legislative session, but none appear poised to pass before the end of the legislative session on June 30. The Illinois House passed the Data Transparency and Privacy Act (House Bill 3358) earlier this year, and the bill initially cleared the Senate Committee on the Judiciary, before languishing in another Senate subcommittee. This bill was similar to the CCPA in that it included consumer rights to receive notice and opt out of the sale of personal data, but it exempted from the definition of “sale” the use of data for advertising: a significant carve-out. This bill would also have included general exemptions for licensed hospitals, public utilities, retailers, and telecommunication companies.

The bill was subsequently amended to include provisions related to class-action enforcement, the addition of a right to know the “approximate number of all third parties that received the consumer’s personal information,” and limited the definition of “de-identified data” to data that could not “reasonably be used to infer information about” consumers. State legislators have also proposed more targeted legislation. The Illinois Senate passed the Keep Internet Devices Safe Act (KIDS Act) (Senate Bill 1719), which prohibited private entities from using digital devices to record consumers without their consent and required “reasonable security measures” to protect any recordings made with consent from unauthorized access, use, deletion, modification, and disclosure. This more focused bill is now pending before the House, but passage looks unlikely given the impending end of the session.


State legislators in Texas also proposed privacy-related bills during the most recent legislative session. The Texas Consumer Privacy Act (House Bill 4518), which was similar to the CCPA, ultimately was not passed. The Texas Privacy Protection Act (House Bill 4390) began as comprehensive privacy legislation, including rights to notice, to opt out of the sale of information, and to deletion, but had a much narrower focus by the time it was signed into law on June 14, 2019. The only substantive changes that this Act makes to Texas law are updates to the state’s breach notification rules and the creation of a 15-member Texas Privacy Protection Advisory Council. The council is tasked with studying “data privacy laws in this state, other states, and relevant foreign jurisdictions,” and issuing an initial report and recommendations on statutory changes to the state’s privacy laws by September 1, 2020. Although this session did not result in dramatic changes to Texas state privacy legislation, the topic may be raised again against the backdrop of what may be a very different U.S. privacy landscape during the next Texas legislative session in 2021.

New York

New York legislators held hearings before the state Senate’s Committee on Consumer Protection on the New York Privacy Act (Senate Bill 5642) toward the end of their session, but the bill failed to emerge from committee before the legislative session ended on June 21, 2019. The New York Privacy Act was described by Wired as “even bolder” than the CCPA. Indeed, in some ways it was. Unlike the CCPA, it provided a private right of action for consumers, and it lacked carve outs for smaller companies whose business models do not rely on the monetization of consumer data. On the other hand, the New York law would have exempted employees from the definition of “consumer,” significantly narrowing businesses’ obligations. Borrowing an idea that recently has gained currency, the New York Privacy Act included the concept of a “data fiduciary,” which in the context of this bill meant that businesses were required to exercise duties of care, loyalty, and confidentiality, and to “act in the best interests of the consumer,” a duty that would have superseded any preexisting duties to owners or shareholders.

Although many of the recent proposals failed to cross the finish line during the 2019 legislative session, they may be a preview of coming attractions, particularly if Congress fails to pass comprehensive privacy legislation this year. And even in the absence of comprehensive federal legislation, the House recently passed legislation to give at least $40 million in additional funding to the FTC for antitrust and privacy enforcement. While the possibility of these various state privacy laws passing in 2019 has dimmed, they are still alive, and privacy watchers should continue to monitor developments.