2021 Data Privacy


Alabama

HB 216 (Lipscomb)—“The Alabama Consumer Privacy Act” is effectively the CCPA.


Alaska

SB116 (Senate Rules, Governor), HB 159 (House Rules, Governor)—The Alaska Consumer Data Privacy Act mirrors the CCPA but includes a registry for data brokers and deems violations of the act as violations of the state’s unfair and deceptive trade law. The House Labor and Commerce Committee held a hearing on the bill on May 17.


Colorado

SB190 (Rodriguez)—The Colorado Privacy Act, although not verbatim, mirrors the Virginia model in terms of consumer rights and enforcement but includes provisions against unlawful discriminatory conduct. The bill passed the Senate Business, Labor & Technology Committee by 7 to 0 with amendments including global opt out, barring private rights of action, and some service provider issues. The Senate Appropriations Committee sent the bill to the Senate floor by a vote of 7 to 0. The bill passed the House 57 to 7 to 1 and the Senate 34 to 0 to 1. The Governor of Colorado signed this legislation, the third comprehensive state law, on July 7, 2021.


Connecticut

SB 1202 (Looney)—This bill is Connecticut’s budget bill. The Senate passed a version including a Virginia-like privacy bill that included a one-year cure period, exempted employee and business-to-business data, and barred private rights of action. The provision was inevitably stripped.

SB 893 (General Laws Committee)—This bill is effectively the Virginia privacy approach. A public hearing was held about the bill on February 25. The General Law Committee passed out a substitute 18 to 0. The bill was passed favorably by a vote of 38 to 0 to 1 in the Joint Judiciary Committee.

SB 156 (Duff)—This is a placeholder for a bill that would “(1) require businesses to disclose the proposed use of any personal information, (2) give consumers the right to discover what personal information such business possess and to opt out of the sale of such information, and (3) create a cause of action and penalties for violations of such requirements.”

SB 723 (Hwang)—This bill is a placeholder bill for social media privacy.

H6169 (Vahey)—This bill would establish a state data privacy task force.


Delaware

HB 262 (Griffith)—This bill would require data brokers, which are very broadly defined, to register with the Consumer Protection Unit of the Department of Justice. The bill also prohibits “acquiring or providing brokered personal information where it will be used for certain unlawful purposes, or where it was obtained through fraudulent means.”


Florida

HB 969 (McFarland)—This bill is like the CCPA but it does go beyond it in some ways. It requires companies to not retain data for longer than what is needed to fulfill its initial purpose. It also includes correction rights and expands opt out from mere sales to sharing. Like CCPA, it allows a private right of action for data breach/unauthorized access but leaves remaining enforcement to the Department of Legal Affairs. This bill was reported out of the Regulatory Reform Subcommittee. This bill was amended with a Committee Substitute including a private right of action for violations of privacy rights by the House Civil Justice and Property Rights Subcommittee. Most recently, the House Commerce Committee passed a striker bill that still included a private right of action. The full Senate then passed a striker amendment stripping the previous amendment of a private right of action and providing for a GLBA entity carve out by a vote of 29 to 11.

SB1734 (Bradley)—Although similar to HB 969, this legislation would provide an opt out of sales—not sharing—right but has a private right of action that pertains to all violations of the Act. This bill passed out of the Commerce and Tourism Committee by a vote of 10 to 1. The Senate Rules Committee amended the bill removing the private right of action as part of a striker amendment. The Florida privacy bills failed to pass in 2021 as time in the legislative session ran out.


Hawaii

SB 1009 (Lee)—This bill would ban the sale of geolocation and internet browser history without opt-in consent. The legislation also deals with how government entities may obtain personal information in electronic communications. Such violations would be an unfair or deceptive trade practice. On February 16, the Government Operations Committee deferred the measure.


Illinois

HB 3910 (Mussman)—The Consumer Privacy Act follows the CCPA model.

HB 2404 (Bucker)—The Right to Know Act would require companies to disclose information sharing practices and have in place a data protection safety plan. Violations would be enforceable by a private right of action.

HB 2880 (Mazzochi)—This bill would give consumers an intellectual property right in their digital identity.


Kentucky

HB 408 (Willner)—This bill is like CCPA in that it gives consumers the right to transparency and opt out of data sales. It also requires opt-in for certain children’s data. It bans discrimination against those exercising data rights and would be enforced by the Attorney General. There is no deletion right.


Louisiana

SR 188 (Reese)—Louisiana enacted a resolution requiring a study of the buying, selling and usage of consumer data and of other state laws like Virginia’s.


Massachusetts

SD1726 (Creem), HD2664 (Vargas)—The Massachusetts Information Privacy Act would impose a duty of loyalty, confidentiality, and care on covered entities with regard to personal information. It would also give consumers the rights of access, correction, data portability, and deletion. Covered entities are required to give notice. Consumers are to give consent before collection, disclosure and processing of data. The bill would create the Massachusetts Information Privacy Act Commission as the government regulator and enforcer and also enables a private right of action.


Minnesota

HF 1492 (Elkins)/SF1408 (Bigham)—The Minnesota Consumer Data Privacy Act follows the Virginia model with a key exception in that it has more in-depth anti-discrimination requirements, including a CCPA-like provision for taking action against consumers exercising privacy rights.

HF 36 (Noor)—This bill is effectively the CCPA with some changes and a private right of action.


Mississippi

SB 2612 (Turner-Ford)—The “Mississippi Consumer Data Privacy Act” is effectively the CCPA. This bill died in Committee on February 2.


Montana

HB 710 (Olsen)—This bill would require online operators to provide notice about the collection and use of data as well as how the operator responds to opt-out and correction requests.


Nevada

SB 260 (Cannizzaro)—This bill, which was signed by the Governor, expands the requirements of current Nevada law allowing opt out of online data sales to data brokers whose primary purpose is buying and selling data.


New Jersey

A 3255 (Buzrichelli)—This bill, mirroring CCPA in many ways, would require companies to get opt-in consent before collecting and sharing personally identifiable information. Consumers also would enjoy transparency, access and deletion rights. Additionally, companies would be barred from discriminating against consumers for exercising rights.

A 3283 (Zwicker)—The New Jersey Disclosure and Accountability Act or NJ DaTA Act would bar the processing of personal information unless there is an enumerated legitimate interest or there is opt-in consent. The bill also provides for security requirements in addition to access, correction, and transparency rights. Individuals also have the right to object to processing in certain circumstances.

A 5448 (Mukherji)/S 1257 (Singleton)—This bill would require commercial internet website operators and online services to provide transparency about the use, collection, and sharing of personal information. It also would require operators to honor opt out requests to be provided in a manner chosen by the operator.


New York

S6701 (Thomas)—The “New York Privacy Act” would give consumers the rights to notice, opt-in for data processing, access, portability, correction, and deletion. The bill would give consumers the right to appeal automated decision-making in financial services, housing, public accommodation, insurance and health care services. Consumers cannot be discriminated against for failure to opt in. The bill would be enforced by the Attorney General and private rights of action.

S2505/A3005 (Finance)—The “New York Data Accountability and Transparency Act” would task the Secretary of State through rulemaking to develop a Privacy Bill of Rights including but not limited to the right to data protection, access, correction, deletion, control, and opting out of sales. A new Data Privacy Advisory Board would provide guidance. Both bills have been recommitted to their respective finance committees.

A680 (Rosenthal)—The New York Privacy Act is effectively the same as last year’s, including the fiduciary duty, transparency, portability, correction, and deletion rights. This bill has a private right of action.

A405 (Rosen)—The Online Consumer Protection Act would prohibit webpage publishers and advertising networks from collecting personal information for purposes of “online preference marketing” unless there is consent.

S567 (Hoylman)—This bill would give consumers the right to know about data practices and give them the right to opt out of data sales.

A400 (Rozic)/S1349 (Hoylman)—The “Right to Know Act” would provide consumers with the ability to request how companies collect, use, and share personal information.

S1570 (Sanders)—This “New York Data Protection Act” would give individuals, among other things, access and deletion rights to personal information held by government entities and their contractors.

S4021 (Comrie)/A3586 (Kim)—The “It’s Your Data Act” would make it a misdemeanor for companies to collect, store, or use certain personal data for trade, advertising, data-mining, or commercial or economic value without consent, or to fail to act with reasonable care as a bailee of the data even with consent. The bill would also require transparency, collection limitation, deletion and access rights. The bill would prohibit discrimination like CCPA for exercising privacy rights and companies are required to maintain reasonable security. The bill includes a private right of action.

A5091 (Reilly)—This bill will make it a Class E felony to release certain personal data without authorization.

S5003 (Parker)—This bill would enact a New York constitutional right to privacy.

A6402 (Cruz)—The Digital Fairness Act would require privacy notices and opt-in consent for data processing.

S6727 (Gounardes)—The Data Labor Compensation Act would establish an Office of Consumer Data Protection and a Board which oversees and regulates data privacy in New York. The aim of the bill is also to tax gross receipts from companies that earn a profit using data.


North Carolina

S 569 (Salvador)—The Consumer Privacy Act of North Carolina mirrors the Virginia model substantively but in addition to Attorney General enforcement, it provides for a private right of action for both injunctive relief and damages.


North Dakota

HB1330 (Kading)—This bill would require covered entities to obtain opt-in consent before selling personal information. The bill specifically authorizes class action lawsuits. The House Industry, Business & Labor Committee held a public hearing on the bill on February 9, 2021 and voted “Do Not Pass” 12 to 1 to 1. The full House voted against the bill 75 to 19.


Ohio

HB 376 (Carfagna)—The “Enact Ohio Personal Privacy Act” tracks the CCPA in many ways but modifies it significantly. Similarities include rights to transparency, access, deletion and opting out of data sales. The law specifically prohibits private rights of action. It also bars discrimination against consumers who have exercised data rights. The Attorney General of Ohio may bring actions against companies and there is a 30-day cure period. The bill also provides an affirmative defense for companies that have a program in line with NIST’s “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.”


Oklahoma

HB 1602 (Walke)—The “Oklahoma Consumer Data Privacy Act” is effectively the CCPA but with opt-in for data sales, and not opt-out like CCPA. The original bill had a private right of action but would now be enforced by the Attorney General alone. The House passed the bill 85 to 11.

HB 1130 (Phillips)—This bill would impose transparency and notice requirements concerning personal information.

HB 1125 (Phillips)—This bill would deem companies that do not fulfill privacy promises to be in violation of Oklahoma’s Consumer Protection Act. This bill passed the House 91 to 0.


Pennsylvania

HB 1126 (Nielson)—The Consumer Data Privacy Act is effectively the CCPA.


Rhode Island

H 5959 (Shanley)—The Rhode Island Transparency and Privacy Protection Act would require online operators to provide notice of data practices. The measure was recommended to be held for further study by Committee.


Texas

HB3741 (Capriglione)—This bill would give consumers the right to know how data is used, collected and shared. Additionally, consumers would have the right to correction, access, and portability as well as deletion of sensitive personal information. Consumers and businesses may contract with data as consideration for goods and services reasonably related to the value of the data. The legislation would create restrictions on the sharing of personal information based on tiers associated with risk. After a consumer closes an account with a business, the business must delete all personal information within 1 year. The Act would be enforced by the Attorney General and bars private rights of action.


Utah

SB 200 (Kirk)—The Utah Commercial Privacy Act, although not identical, tracks the Virginia model conceptually with regard to consumer rights but has several differences, like a longer time period to respond to consumer requests. This bill failed to get past the Third Reading in the Senate and has failed.


Vermont

H 160 (Townsend)—A placeholder bill that gives consumers the same rights as CCPA.


Virginia

HB 2307 (Hayes)/SB 1392 (Marsden)—The Consumer Data Protection Act mirrors the Washington State model, with access, correction, deletion, portability, opt out rights, and opt in rights for sensitive data to be enforced solely by the state AG. Governor Ralph Northam signed the bill into law on March 2, making it the second general data privacy law in the country.

SB641 (Surovell)—Carried over from last year, this bill would create a private right of action against “data sellers” who fail to implement reasonable security, obtain express consent for minors’ data, provide access procedures, or provide a “Do Not Sell” option, or who maintain or sell inaccurate information.

HB 473 (Sickles)—Carried over from last year, the Virginia Privacy Act is more like the Washington State model.


Washington

SB 5062 (Carlyle)—The “Washington Privacy Act” would give consumers the right to access, correction, deletion, and opt out of processing data for targeted advertising, data sales, and profiling in furtherance of decisions producing a legal effect. Controllers must issue a privacy notice, limit collection and use, and maintain reasonable security. Controllers would also be required to implement data protection assessments. The Attorney General would be tasked with enforcement and the Act would not give rise to a new private right of action. The bill was passed 12 to 1 on to the Senate Ways & Means Committee, which held a public hearing on the bill on February 8, 2021. The bill passed the Senate 48 to 1. On April 1, the House Appropriations voted to recommend passing a striker amendment adopted by the House Civil Rights & Judiciary Committee which includes an injunctive private right of action and global opt out.

SB 5108 (Erickson)—This legislation would require affirmative consent before companies can develop “secret surveillance scores.”

HB 1433 (Kloba)—The “Peoples Privacy Act” would give consumers the right to access, transparency, refusal of consent for processing other than what is essential for a transaction, correction, deletion, and “not to be subject to surreptitious surveillance.” The bill would also impose notice requirements. The State Department of Commerce is tasked with rulemaking regarding notice. Discrimination based on age, race, creed, color, national origin, sexual orientation, gender identity, sex, disability, genetics or domestic violence status would be barred. A private right of action is authorized.


West Virginia

HB 3159 (Hamrick)—This bill follows in the mold of the CCPA but does give consumers the right to data correction and the ability to opt out of data sharing in addition to data sales.