2021 Data Privacy


SB 5062 (Carlyle)—The “Washington Privacy Act” would give consumers the right to access, correction, deletion, and opt out of processing data for targeted advertising, data sales, and profiling in furtherance of decisions producing a legal effect. Controllers must issue a privacy notice, limit collection and use, and maintain reasonable security. Controllers would also be required to implement data protection assessments. The Attorney General would be tasked with enforcement and the Act would not give rise to a new private right of action. The bill was passed 12 to 1 on to the Senate Ways & Means Committee, please click here. To view the Senate Ways & Means February 8, 2021 public hearing on the bill view here. The Senate Ways and Means Committee voted Do Pass 22 to 2 on February 15 on a Second Substitute.

SB 5108 (Erickson)—This legislation would requirement affirmative consent before companies can develop “secret surveillance scores. 

HB 1433 (Kloba)—The “Peoples Privacy Act” would give consumers the right to access, transparency, refusal of consent for processing other than what essential for a transaction, correction, deletion, and “not to be subject to surreptitious surveillance.” The bill would also impose notice requirements. The State Department of Commerce is tasked with rulemaking regarding notice. Discrimination based on age, race, creed, color, national origin, sexual orientation, gender identity, sex, disability, genetics or domestic violence status would be barred. A private right of action is authorized.


HB 2307 (Hayes)—The Consumer Data Protection Act, mirroring the Washington State model, with access, correction, deletion, portability, and opt out rights to be enforced solely by the state AG.  This passed the House of Delegates 89 to 9 on January 29.

Senator Marsden’s companion bill, SB 1392, passed the a substitute version in the Senate by a vote of 36 to 0 to 1. These bills have been carried over into the special session. On February 15, the House Communications and Technology Committee passed an amended version 19 to 2.

SB641 (Surovell)—Carried over from last year, this bill would create a private right of action against “data sellers” who fail to implement reasonable security, obtain express consent for minor’s data, access procedures, provide a “Do Not Sell” option, or maintaining or selling inaccurate information. 

HB 473 (Sickles)—Carried over from last year, the Virginia Privacy Act is more like the Washington State model. 

New York 

A680 (Rosenthal)—The New York Privacy Act which effectively is the same as last year including the fiduciary duty, transparency, portability, correction, and deletion rights. This bill has a private right of action. 

A405 (Rosen)—The Online Consumer Protection Act would prohibit collection by webpage publishers and advertising networks from collecting personal information for purposes of “online preference marketing” unless there is consent. 

S567 (Hoylman)—This bill would give consumers the right to know about data practices and give them the right to opt out of data sales. 

A400 (Rozic)/S1349 (Hoylman)—The “Right to Know Act” would provide consumers with the ability to request how companies collect, use, and share personal information. 

S1570 (Sanders)—This bill would give individuals the right among others things access and deletion rights to personal information held by government entities and their contractors. 

S2505/A3005 (Finance)—The “New York Data Accountability and Transparency Act” would task the Secretary of State through rulemaking to develop a Privacy Bill of Rights including but not limited to the right to data protection, access, correction, deletion, control, and opting out of sales. A new Data Privacy Advisory Board would provide guidance. 

S4021 (Comrie)/A3586 (Kim)—The “It’s Your Data Act” would make it a misdemeanor for companies that collect, store, or use data for trade, advertising, data-mining, or commercial or economic value certain personal data without consent or if they fail to act with reasonable care as a bailee of the data even with consent. The bill would also require transparency, collection limitation, deletion and access rights. The bill would prohibit discrimination like CCPA for exercising privacy rights and companies are required to maintain reasonable security. The bill includes a private right of action.

A5091 (Reilly)—This bill will make it a Class E felony to release certain personal data without authorization.


HF 36 (Noor)—This bill is effectively the CCPA with some changes and a private right of action.

North Dakota 

HB1330 (Kading)—This bill would require covered entities to obtain opt-in consent before selling personal information. The bill specifically authorizes class action lawsuits. The House Industry, Business & Labor Committee held a public hearing on the bill on February 9, 2021 and voted “Do Not Pass” 12 to 1 to 1.


HB 1602(Walke)—The “Oklahoma Consumer Data Privacy Act” is effectively the CCPA but with opt-in for data sales, and not opt-out like CCPA. It also has a private right of action. The House Technology Committee voted to pass the bill 6 to 0.

HB 1130 (Phillips)—This bill would impose transparency and notice requirements concerning personal information. 

HB 1125 (Phillips)—This bill would subject companies that do not fulfill privacy promises to be deemed in violation of Oklahoma’s Consumer Protect Act. 


SB 156 (Duff)—This is a placeholder for a bill that would “(1) require businesses to disclose the proposed use of any personal information, (2) give consumers the right to discover what personal information such business possess and to opt out of the sale of such information, and (3) create a cause of action and penalties for violations of such requirements.” 

SB 723 (Hwang)—This bill is a placeholder bill for social media privacy.

H6169 (Vahey)—This bill would establish a state data privacy task force.


SB 2612(Turner-Ford)—The “Mississippi Consumer Data Privacy Act” is effectively the CCPA. This bill died in Committee on February 2.


HB 216 (Lipscomb)—“The Alabama Consumer Privacy Act” is effectively the CCPA.


H 160 (Townsend)—A placeholder bill that gives consumers the same rights as CCPA.


SB 1009 (Lee)—This bill would ban the sale of geolocation and internet browser history without opt-in consent. The legislation also deals with how government entities may obtain personal information in electronic communications. Such violations would be an unfair or deceptive trade practice.


HB 408 (Willner)—This bill is like CCPA in that it gives consumers the right to transparency and opt out of data sales. It also requires opt-in for certain children’s data. It bans discrimination against those exercising data rights and would be enforced by the Attorney General. There is no deletion right.


HB 969 (McFarland)—This bill is like the CCPA but it does go beyond it in some ways. It requires companies to not retain data for longer than what is needed to fulfill its initial purpose. It also includes correction rights and expands opt out from mere sales to sharing. Like CCPA, it allows a private right of action for data breach/unauthorized access but leaves remaining enforcement to the Department of Legal Affairs.