SB116 (Senate Rules, Governor), HB 159 (House Rules, Governor) [c]—The Alaska Consumer Data Privacy Act mirrors the CCPA but includes a registry for data brokers and deems violations of the act as violations of the state’s unfair and deceptive trade law. The House Labor and Commerce Committee held a hearing on the bill on May 17. The House Labor and Commerce Committee held a hearing on December 6 concerning various potential amendments to the bill. HB 159 has been significantly amended in Committee. For this reason, it is considered its own model, the Alaska model. HB 159 now limits sharing of data to what is reasonably necessary, requires persons obtaining data collected by businesses to notify consumers, institutes global privacy controls, requires consent for the use of geolocation, and regulates data being used for a business purpose for those under 18. A hearing will be held on March 18 in the House Judiciary Committee.
HB222 (Rauscher)—This bill mirrors CCPA in many ways as well but does have rights to correction and to restrict use of personal information. The bill would be enforced by the Attorney General and does not have private right of action. Outside of the core comprehensive data privacy bill, HB222 also has protections for genetic data and data breach notification provisions.
SB 1495 (Mesnard)—This bill would require social media and search engines to obtain consent before collecting data. It also requires preapproval for posting of certain children’s material for those under 16.
SB6 (Looney)—This bill would increase funding for the Attorney General to protect consumer privacy. The new Committee bill version mirrors the Colorado privacy law in that it allows for a global opt out. The Attorney General does have exclusive enforcement authority. A Joint Committee Substitute on March 15 passed out of the General Laws Committee which relies heavily on global opt out, is enforced by the Attorney General, and creates a new working group to study privacy and algorithmic bias. The Judiciary Committee reported out a Joint Favorable Substitute by a vote of 25 to 14 on April 11. The Senate passed the latest Joint Favorable Substitute by a vote of 35-0-1 on April 20. A House Amendment was passed by the House 144 to 5. This bill was signed into law by the Governor on May 10.
HB 262 (Griffith) [c]—This bill would require data brokers, which are very broadly defined, to register with the Consumer Protection Unit of the Department of Justice. The bill also prohibits “acquiring or providing brokered personal information where it will be used for certain unlawful purposes, or where it was obtained through fraudulent means.” The bill was assigned to the House Technology & Telecommunications Committee on January 13. This bill was assigned to the House Appropriations Committee on January 27. The Appropriations Committee voted to release the bill on April 13. An amended version passed the House on May 5th by a vote of 27 to 13 and the bill is now in the Senate Banking Committee.
District of Columbia
SB 1864 (Bradley)—“The Florida Privacy Protection Act” merges elements of Virginia’s privacy law and California’s CCPA. The definition of “controller” more closely resembles CCPA’s definition dealing with business structure as opposed to the data control. The bill would also require notice, data use limitations, and reasonable security practices. Businesses would be required to obtain consent to process sensitive information. Consumers would have the right to opt out of sales and processing of targeted ads or profiling. Like California, the law bars sharing of data of those younger than 16 but allows consent for ages 13 to 16. Global privacy controls are recognized. The Attorney General is the enforcer and private rights of action are not authorized. This bill died in the Commerce and Tourism Committee.
HB 9 (McFarland)—This bill is like the CCPA but it does go beyond it in some ways. It requires companies to not retain data for longer than what is needed to fulfill its initial purpose. It also includes correction rights and expands opt out from mere sales to sharing. Like CCPA, it allows a private right of action for failure to correct or delete, failure to honor opt out rights or selling/sharing information of those under 16 without consent. The Department of Legal Affairs is tasked with general enforcement. The Commerce Committee held a hearing on the bill on February 10 and favorably reported a striker amendment which provided regulations for minors under 16 and also provided factors for assessing private rights of action. The bill has now been added to the House Judiciary Committee agenda. The bill is now on Third Reading in the House. This bill died in the Senate Judiciary Committee.
SB 394 (Dolezal)—The “Georgia Computer Data Privacy Act” mirrors the CCPA in many ways. It differs in that it requires reasonable security practices. It also empowers the Georgia Technology Authority to make rules and allows for a private right of action for privacy violations. In addition to giving consumers the right to opt out of data sales, a business may not sell the personal information of a consumer who does not opt in to the sale of that personal information on or after September 1, 2022.
HB 2051 (LoPresti)—This bill follows the CPRA ballot initiative model.
SB 1009 (Lee)—This bill would ban the sale of geolocation and internet browser history without opt-in consent. The legislation also deals with how government entities may obtain personal information in electronic communications. Such violations would be an unfair or deceptive trade practice. On February 16, the Government Operations Committee deferred the measure.
SB 2744 (Rhoads)/HB 2050 (LoPresti)—This bill would amend Hawaii’s constitution to provide an ownership property right in personal information. The Senate Judiciary Committee on February 10 recommended the bill pass. The Committee reported the bill favorably.
HB 3910 (Mussman)[c]—The Consumer Privacy Act follows the CCPA model.
HB 2404 (Bucker)[c]—The Right to Know Act would require companies to disclose information sharing practices and have in place a data protection safety plan. Violations would be enforceable by a private right of action.
HB 2880 (Mazzochi)[c]—This bill would give consumers an intellectual property right in their digital identity.
SB3081 (Cullerton)—The “Do Not Track Act” regulates “tracking” which is defined as collecting data regarding user action of a particular user, processing data outside context user action occurred, facilitating the creation of a user profile, or personalizing a user experience. A party to a user action that receives a do-not-track signal indicating a user preference not to be tracked shall not track. Exceptions include user consent, first-party use, and anonymized data. Companies engaged in tracking are subject to transparency requirements. The Attorney General has agency enforcement authority and private rights of action are authorized.
SB358 (Brown)—This bill incorporates many aspects of CCPA and the California Privacy Rights Act and requires companies to provide notice to consumers about privacy practices and prevent the collection of sensitive personal information or additional categories of data than what was noticed at the point of collection without notice. The bill also contains data use restrictions to what is reasonably necessary to achieve the purpose of collection. Businesses have a duty of reasonable security. Consumers have access, correction, deletion, transparency, and opt out rights of the sharing of personal information. Restrictions are placed on using data of minors under 16. A prohibition exists against companies that discriminate against those exercising data rights. A version of this bill that mirrors Virginia passed the Senate by a vote of 49 to 0 on February 1. It has been referred to the House Committee on Commerce, Small Business and Economic Development. The Committee has recommended passage and amendment.
HB1261 (Hamilton)—This bill mirrors the CCPA in many ways but excludes the breach provisions. It gives consumers the ability to restrict the use of sensitive personal information. Additional exceptions to the bill’s requirements include commercial credit reporting. There is also no discrimination provision. The bill would be enforced by the Consumer Protection Division of the Attorney General.
HSB 674 (Lohse)/SF 2208 (Nunn)—This bill effectively mirrors the Virginia model. On February 15, the House Committee on Information Technology reported favorably the House bill. HF 2506 is a successor bill from the Committee and was reported favorably. This amended bill passed the House 91 to 2.
SB15 (Westerfield)—The bill mirrors in many ways the Virginia bill but does not specifically provide opt-in requirements where data is used in a way that has a legal result and instead regulates tracking. The bill differs in that it provides restrictions around targeted advertising for those under 18. Although the Attorney General is the primary enforcer, the bill provides a private right of action.
HB586 (Pratt)—This bill mirrors SB15 but does not provide for a private right of action.
HB 987 (Deshotel)—The “Louisiana Consumer Privacy Act” mirrors the new Utah law. On May 10 the House Commerce Committee reported the bill out 11 to 0 and amended it including impact assessments in line with Virginia and Colorado.
SP713 (Rafferty)—This bill effectively is the CCPA but also has an added provision regarding protections for those obtaining small loans. The Committee on Health Coverage, Insurance and Financial Services has reported the bill “ought not pass.”
SB11 (Lee)—The “Maryland Online Consumer Protection and Child Safety Act” mirrors the CCPA but requires recognition of global privacy controls. The bill has now been amended to create a working group on data privacy. This amended version passed out of the Senate but received an unfavorable Committee report in the House.
S2687 (Creem)/H4514 (Vargas)—The “Massachusetts Information Privacy and Security Act” would require companies to have a lawful basis for processing data. The processing must also be consistent with the reasonable expectations of the individual. Companies are required to obtain consent from parents for selling data for children less than 13 years of age and obtain consent from minors between 13 and 16. The bill gives consumers rights to notice, access, portability, deletion, correction, and opting out of the sale of data. Consumers may also limit the use and sharing of sensitive personal information. The bill prohibits discrimination against consumers who exercise their privacy rights. Companies are also required to conduct risk assessments. The bill also prohibits using data in a way that is unlawfully discriminatory. Data brokers must also register with the Commonwealth. The Attorney General is the primary enforcer of the bill and private rights of action are authorized for breach. The bill has been favorably reported from the Cybersecurity Committee. The House Bill has been reported favorably from the Advanced Information Technology, Internet, and Cybersecurity Committee. The Reporting Date on H4514 has been extended to June 1, 2022.
S46 (Creem), H142 (Vargas)[c]—The Massachusetts Information Privacy Act would impose a duty of loyalty, confidentiality, and care on covered entities with regard to personal information. It would also give consumers the rights of access, correction, data portability, and deletion. Covered entities are required to give notice. Consumers are to give consent before collection, disclosure and processing of data. The bill would create the Massachusetts Information Privacy Act Commission as the government regulator and enforcer and also enables a private right of action.
S50 (Finegold)—This bill would amend Massachusetts code pertaining to data breaches related to “data brokers” and establishes a data broker registry.
S51 (Finegold)[c]—This bill would create an Office of Data Protection, Cybersecurity and Privacy. The Office would primarily deal with state and local agency privacy issues.
H4152 (Holmes)[c]—The Internet Bill of Rights applies to the processing of personal data wholly or partly by automated means on any other processing part of a defined filing system. Processing of personal data may only be done for defined legally permissible purposes, including affirmative consent from the data subject. Data may only be collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes. Data collection must also be adequate, relevant and limited to what is necessary to the purposes for which it is processed. Data must also be accurate and must be kept in identifiable form no longer than what is necessary for purposes processed. Also, data must be processed in a manner that ensures appropriate security. The bill also gives consumers data deletion rights.
A data subject may also, subject to provisions in the act, restrict data processing and also has data access rights. Data subjects shall have the right to purely automated decision-making where a legal effect is produced.
The bill would also impose a 72-hour data breach notification requirement. High risk data processing with new technologies is also subject to impact assessment requirements.
The Attorney General is tasked with approving codes of conduct and privacy certifications. The bill also places restrictions on “foreign” data transfers if controllers are not in compliance with the Internet Bill of Rights. The Attorney General is primarily charged with enforcement but private rights of action are authorized after failure of the AG to act.
H.136 (Rogers) [c]—This bill would create the Massachusetts Data Accountability and Transparency Agency led by a single Commissioner. The Agency may require reports and conduct examinations on a periodic basis of “data aggregators” with revenues over $25 million or who handle the data of over 50,000 individuals. The Agency shall make rules regarding unfair, deceptive, or abusive practices regarding privacy. Additionally, the Agency can divest companies for any antitrust or competition concerns. The Agency may also assess civil penalties and keep a public website of “data aggregators.” Data aggregators cannot use, collect, or share data except for defined permissible purposes. Subject to exceptions, sharing of data with affiliates or third parties is barred. Other barred practices include retaining personal data for longer than strictly necessary, deriving or inferring data, or generating ad revenue with data even for a permissible purpose. The bill would prohibit discriminating against consumers who exercise their data rights. Risk assessments and testing are also required for automated decision systems. Consumers have a right to notice, access, deletion, and correction. Reasonable security measures are also required. The bill would require comprehensive privacy and security programs and subject companies to private rights of action.
HB 5989 (Anthony)—The “Consumer Privacy Act” mirrors the Virginia model, although there are no explicit protections for loyalty programs in the anti-discrimination provision.
HF 1492 (Elkins)/SF1408 (Bigham)[c]—The Minnesota Consumer Data Privacy Act follows the Virginia model with a key exception in that it has more in depth anti-discrimination requirements, including a CCPA-like provision for taking action against consumers exercising privacy rights.
HF 36 (Noor)[c]—This bill is effectively the CCPA with some changes and a private right of action.
SB 2330 (Turner-Ford)—The “Mississippi Consumer Data Privacy Act” is effectively the CCPA. This bill died in Committee.
LB 1188 (Flood)—The Uniform Personal Data Protection Act is the ULC Model and prohibits private rights of action. A hearing will be held on this bill on February 28. This bill has been indefinitely postponed.
A505 (Benson)—The “New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)” would bar the processing of personal information unless there is an enumerated legitimate interest or there is opt-in consent. The bill also provides for security requirements in addition to access, correction, and transparency rights. Individuals also have the right to object to processing in certain circumstances. Consumers have the right to opt out of having decisions be made solely by automated decision making. The bill has a 72-hour data breach notification requirement. The Office of Data Protection and Responsible Use in the Division of Consumer Affairs in the Department of Law and Public Safety is responsible as a rulemaker, clearinghouse, and enforcer of the Act.
A1971 (Mukherji)—This bill is effectively a CCPA for online operators. This bill would require commercial internet website operators and online services to provide transparency about the use, collection, and sharing of personal information. It also would require operators to honor opt out requests to be provided in a manner chosen by the operator. The Senate Commerce Committee reported the bill favorably by a vote of 3 to 2 on June 9. The State recently released a reprint of the Senate version.
S6701A (Thomas)[c]—The “New York Privacy Act” would give consumers the right to notice, opt-in for data processing, access, portability, correction, and deletion rights. The bill would give consumers the right to appeal automated decision-making in the financial services, housing, public accommodation, insurance and health care services. Consumers cannot be discriminated against for failure to opt in. The bill would be enforced by the Attorney General and private rights of action. This legislation has been amended and recommitted to Committee for 2022. This bill was reported and committed to the Internet and Technology Committee on February 8.
A680-B (Rosenthal)[c]—The New York Privacy Act imposes a fiduciary duty and institutes transparency, portability, correction, and deletion rights. The Attorney General has the ability to seek injunctive relief, fines, restitution and disgorgement. This bill has a private right of action for damages. This legislation has been amended and recommitted to Committee for 2022.
A405 (Rosen)/S2886 (Kavanaugh)[c]—The Online Consumer Protection Act would prohibit webpage publishers and advertising networks from collecting personal information for purposes of “online preference marketing” unless there is consent. This bill has been referred to Committee for 2022.
S567 (Hoylman)/A3709 (Gunther)[c]—This bill would give consumers the right to know about data practices and give them the right to opt out of data sales. This bill has been referred to Committee for 2022.
A400 (Rozic)/S1349 (Hoylman)[c]—The “Right to Know Act” would provide consumers with the ability to request how companies collect, use, and share personal information. S1349 has been referred to Committee for 2022.
S1570 (Sanders)[c]—This “New York Data Protection Act” would give individuals, among other things, access and deletion rights to personal information held by government entities and their contractors. This bill was referred to Committee for 2022.
S4021 (Comrie)/A3586(Kim)[c]—The “It’s Your Data Act” would make it a misdemeanor for companies to collect, store, or use certain personal data for trade, advertising, data-mining, or commercial or economic value without consent, or to fail to act with reasonable care as a bailee of the data even with consent. The bill would also require transparency, collection limitation, deletion and access rights. The bill would prohibit discrimination like CCPA for exercising privacy rights and companies are required to maintain reasonable security. The bill includes a private right of action. S4021 has been referred to Committee for 2022.
A5091 (Reilly)[c]—This bill will make it a Class E felony to release certain personal data without authorization.
S5003 (Parker)[c]—This bill would enact a New York constitutional right to privacy. This bill was referred to Committee for 2022. This bill has been referred to the Judiciary Committee.
A6402 (Cruz)[c]—The Digital Fairness Act would require privacy notices and opt-in consent for data processing.
S6727 (Gounardes)[c]—The Data Labor Compensation Act would establish an Office of Consumer Data Protection and a Board which oversees and regulates data privacy in New York. The aim of the bill is also to tax gross receipts from companies that earn a profit using data.
S 569 (Salvador)[c]—The Consumer Privacy Act of North Carolina mirrors the Virginia model substantively but in addition to Attorney General enforcement, it provides for a private right of action for both injunctive relief and damages.
HB 376 (Carfagna)[c]—The “Enact Ohio Personal Privacy Act” tracks the CCPA in many ways but modifies it significantly. Similarities include rights to transparency, access, deletion and opting out of data sales and targeted advertising. The law specifically prohibits private rights of action. It also bars discrimination against consumers who have exercised data rights. The Attorney General of Ohio may bring actions against companies and there is a 30-day cure period. The bill also provides an affirmative defense for companies that have a program in line with NIST’s “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” The House Government Oversight Committee on February 9th favorably reported a substitute.
HB2968 / HB2969 (Walke)—The “Oklahoma Computer Data Privacy Act of 2022” would require companies to provide notice to consumers about their privacy policies. Companies are required to limit collection, use, and retention of data to that which is necessary to provide a product or service. Consumers also have the right to opt out of personalized advertising. Consumers also have access, correction, portability, and deletion rights. The bill prohibits discrimination against consumers for exercising their data rights but allows consumer loyalty programs with conditions. Consumers may not waive their privacy rights. The bill also prohibits companies from “obscuring, subverting, or impairing user autonomy, decision-making or choice as further defined by regulation.” The Attorney General is the enforcer of the Act and can seek punitive damages as well as injunctive relief. This bill was referred to the Technology Committee on February 8. This bill was referred to the Rules Committee on February 14.
HB 3447 (O’Donnell)—This bill is the ULC bill but prohibits private right of action. This bill has been referred to the Rules Committee on February 8.
HB 2202 (Mercuri)—The “Consumer Data Privacy Act” mirrors Colorado’s new privacy law but bars processing of personal information for targeted advertising and sales of data for individuals under 16 unless they are between 13 and 16 and provide consent.
HB 2257 (Kenyatta)—The “Consumer Data Protection Act” follows the Virginia model.
HB 1126 (Nielson)[c]—The Consumer Data Privacy Act is effectively the CCPA.
H7917 (McNamara)—The “Rhode Island Information Privacy Act” would require covered entities and processors to use automated decision systems discreetly, honestly, and reasonably for their purpose. The bill follows the fiduciary model requiring duties of care, loyalty, and confidentiality. The bill would also provide consumers with notice, access, correction, portability, and deletion rights. The notice requirement has word limit and reading level requirements. Consumers also have the right to consent before personal information is collected, processed, and shared. The bill also has restrictions on the use of biometric, location, and recording devices. The bill also bans processing used to discriminate unlawfully against consumers. The bill would establish a data privacy commission that can make rules. Private rights of action are also authorized. The bill also creates rules around workplace surveillance. The House Committee on State Government & Elections has recommended the bill be held for further study.
H7400 (Shanley)—The “Rhode Island Data Transparency and Privacy Protection Act” would require online operators to make transparent their data sharing practices. The Committee of jurisdiction has recommended it be held for further study.
SB227 (Cullimore)—The “Consumer Privacy Act” mirrors the Virginia model in several ways although it does not provide opt out rights for profiling that creates a legal result or impact. The bill also does not require impact assessments. The Attorney General is the enforcer of the Act and private rights of action are barred. This bill was signed into law by the Governor.
H 160 (Townsend)[c]—A placeholder bill that gives consumers the same rights as CCPA.
H570 (Marcotte)—This is a placeholder for a data privacy bill.
The General Assembly passed into law the abolishment of the Consumer Privacy Fund and redirects proceeds to the Treasury. Political organizations are also exempted from the Virginia Consumer Data Protection Act under the amendment. Another new law enables the Attorney General to seek actual damages for consumers for violations occurring after the 30-day cure period. Finally, another one approved is designed to protect controllers for deletion purposes who obtained personal information from a source other than the consumer if they keep the deletion requests and the data necessary for deletion.
SB 5062 (Carlyle)[c]—The “Washington Privacy Act” would give consumers the right to access, correction, deletion, and opt out of processing data for targeted advertising, data sales, and profiling in furtherance of decisions producing a legal effect. Controllers must issue a privacy notice, limit collection and use, and maintain reasonable security. Controllers would also be required to implement data protection assessments. The Attorney General would be tasked with enforcement and the Act would not give rise to a new private right of action. The bill was passed 12 to 1 on to the Senate Ways & Means Committee. The Senate Ways & Means Committee held a public hearing on the bill on February 8, 2021. The bill passed the Senate 48 to 1. On April 1, the House Appropriations voted to recommend passing a striker amendment adopted by the House Civil Rights & Judiciary Committee which includes an injunctive private right of action and global opt out. The measure was reintroduced by resolution for the 2022 session. There is currently a second substitute bill.
SB 5813 (Carlyle)—Carlyle has introduced a new bill that deals with children’s data, “data brokers,” and “Do Not Track.” With regard to the underaged individuals, companies must obtain consent from the parent of a known child under 13 to process personal information. In the case of known adolescents (13 to 18), consent from the adolescent must be obtained before processing personal information that is sensitive or used for targeted advertising. Verified consent in compliance with COPPA is deemed to be legally met under the Act. Businesses may not use data in a way that unfairly disadvantages minors and are required to have clear privacy policies. A duty of security is required for minors’ data and there are data use and retention limitations. Businesses may not direct content based on race or socioeconomic factors and may not engage in certain “abusive trade practices.” Those who exercise their privacy rights may not be discriminated against. With regard to minors, companies must undertake data impact assessments which can be requested by the Attorney General. The Attorney General is tasked with enforcement and children/parents may bring civil actions if companies do not honor requests to confirm if they have personal information as well as correct or delete data upon request.
The data broker section of the bill broadly defines “data brokers” as a business “that knowingly collects and sells or licenses to third parties the brokered personal data of a consumer with whom the business does not have a direct relationship.” Data brokers must register with the state and may not process personal information unless they receive consent. Consumers have transparency, correction, and deletion rights. People may not acquire brokered data through fraudulent means. Brokers also have a security duty as well. The Secretary of State may make rules to implement the bill and the Attorney General has enforcement authority. Private rights of action are allowed for transparency, correction, and deletion violations.
Under the “Do Not Track” provisions, consumers have the right to opt out of the sale of personal information for the purposes of targeted advertising and sales of PI. Businesses are required to provide a “Do Not Track” mechanism. The Attorney General has rulemaking and enforcement authority and private rights of action are authorized.
A hearing was held in the Senate Committee on Environment, Energy & Technology on January 20.
HB 1850 (Slatter)—The “Washington Foundational Data Privacy Act” mirrors the Colorado privacy law but creates a new Washington Consumer Data Privacy Commission which has enforcement and rulemaking authority. The State’s Attorney General has enforcement authority and the bill has a private right of action. The bill also requires registration. A public hearing was held in the House Civil Rights and Judiciary Committee on January 25 and an executive session is scheduled for February 2. A public hearing was held on February 5. On February 28, the House Appropriations Committee approved a Second Substitute that is contingently tied to passage of SB 5062.
SB 5108 (Erickson)[c]—This legislation would require affirmative consent before companies can develop “secret surveillance scores.”
HB 1433 (Kloba)[c]—The “Peoples Privacy Act” would give consumers the right to access, transparency, refusal of consent for processing other than what is essential for a transaction, correction, deletion, and “not to be subject to surreptitious surveillance.” The bill would also impose notice requirements. The State Department of Commerce is tasked with rulemaking regarding notice. Discrimination based on age, race, creed, color, national origin, sexual orientation, gender identity, sex, disability, genetics or domestic violence status would be barred. A private right of action is authorized. The measure was reintroduced by resolution for the 2022 session.
HB 3159 (Hamrick)[c]—This bill follows in the mold of the CCPA but does give consumers the right to data correction and the ability to opt out of data sharing in addition to data sales.
HB 4454 (Reed)—This bill would give consumers the right to opt out of data sharing and would bar discrimination against consumers who exercise their rights.
AB 957 (Zimmerman)—This bill follows the Virginia model. This bill has been referred to the Government Operations Committee. This bill failed to pass.
AB 1050 (Brostoff)—This bill follows the CCPA model yet has a private right of action. This bill has failed to pass.