Over the past few months, we have witnessed an unprecedented wave of privacy legislation being introduced in multiple states. In the absence of any federal privacy legislation, states are taking the lead on providing their residents with data privacy rights such as the right to access the data businesses collect, request deletion of that information, and correct inaccuracies, among others. Privacy is generally considered a bipartisan issue, although the political parties might have different motivations for seeking to pass such legislation.
Many of us are aware that California became the first state to enact a comprehensive data privacy law, the California Consumer Privacy Act (CCPA), in 2018, and voters in that state expanded that law by passing the California Privacy Rights Act (CPRA) in the November 2020 election (see our analysis of the CPRA here). Drawing lessons from California, as many as 12 states have introduced privacy legislation this year alone.
Colorado Privacy Act (CPA)
On June 8, the Colorado Legislature officially passed Senate Bill 21-190, the Colorado Privacy Act (CPA). The bill will now be sent to the desk of Colorado Governor Jared Polis for signature. If approved, the law would go into effect on July 1, 2023 and Colorado would become the third state – after California and Virginia – to enact comprehensive consumer data privacy legislation.
Like the California and Virginia laws, the CPA would give Colorado consumers the right to opt out of the processing of their personal data; to access, correct, or delete the data; and to obtain a portable copy of the data. The CPA is based on this year’s version of the Washington Privacy Act (which did not pass) and uses the “controller/processor” language found in the European Union’s General Data Protection Regulation (GDPR). The law is perceived as more business-friendly than its California counterpart. For instance, the CPA does not include a private right of action, and it defines the “sale” of personal information narrowly as the “exchange of personal data for monetary or valuable consideration” only, whereas California law also treats data shared for nonmonetary consideration as a sale.
The law would be enforced by the state’s attorney general and district attorneys.
Under Colorado law, Governor Polis has thirty days to sign or veto the CPA; he is given additional time because the bill was sent to him in the final ten days of the legislative session. If Governor Polis does not act within thirty days, the bill would become law without his signature.
Virginia Consumer Data Protection Act (VCDPA)
On March 2, Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA), making Virginia the second state to pass a comprehensive data privacy law. The Act incorporates aspects of California’s privacy law and the European GDPR, yet is considered more business-friendly than its California counterpart. Mirroring a similar bill from Washington state, the Act includes the following highlights:
- Establishes a series of consumer privacy rights, including the right to access the data businesses collect, request deletion of that information, correct inaccuracies and opt out of processing.
- Applies to businesses that control the personal data of either 100,000 consumers, or 25,000 consumers where 50 percent of the business’s gross revenue comes from the sale of that information.
- Exempts Virginia state agencies, boards, commissions, or political subdivisions; nonprofit organizations; and institutions of higher education.
- Imposes the following requirements on data controllers, i.e., the businesses that have a direct relationship with the Virginia resident:
  - Must limit collection of personal data to only what is necessary for the purposes for which such data is processed;
  - Must establish, implement, and maintain administrative, technical, and physical safeguards to protect the confidentiality of personal data;
  - Cannot process sensitive data such as racial, genetic, or geolocation data without the consumer’s consent;
  - Must provide meaningful privacy notices, an opt-out for the sale of consumer personal data or its use for targeted advertising, and a secure mechanism that allows consumers to exercise their rights under the law;
  - Must protect the confidentiality and privacy of personal data shared with data processors, whose role must be limited and circumscribed by contract; and
  - Must perform and document data protection assessments under certain circumstances (e.g., processing sensitive data).
- Imposes the following requirements on data processors, i.e., the entities that process personal information on behalf of the data controller:
  - Must adhere to the instructions of a controller; and
  - Must aid the controller in meeting the controller’s obligations under the Act.
- Like the GDPR, includes a broader definition of “personal data,” which covers “any information that is linked or reasonably linkable to an identified or identifiable natural person” and excludes “de-identified data or publicly available information.”
- Does not allow a private right of action but does allow the state attorney general to litigate and seek damages as high as $7,500 on behalf of Virginia residents for “any violations” of the Act.
- Defines sale of personal information to include the exchange of personal data for monetary consideration only (different from California).
- Does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law, including the following:
  - Gramm-Leach-Bliley Act (GLBA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Fair Credit Reporting Act (FCRA)
  - Driver Privacy Protection Act (DPPA)
  - Federal Educational Rights and Privacy Act (FERPA)
  - Farm Credit Act
  - Children’s Online Privacy Protection Act (COPPA)
- Does not set out rulemaking procedures to follow.
- Goes into effect on January 1, 2023.
Illinois Consumer Privacy Act (HB 3910)
On February 22, Illinois State Representative Michelle Mussman (D-56th) introduced House Bill 3910, the Consumer Privacy Act, to the Illinois General Assembly. Among other things, the bill requires businesses to:
- inform a consumer about the categories of personal information to be collected and the purposes for which the personal information will be used;
- provide notice when collecting additional categories of personal information or when using a consumer’s personal information for additional purposes; and
- make certain disclosures to the consumer upon receipt of a verifiable consumer request, if collecting or selling personal information.
In addition, the bill provides consumers with several rights, including the right to request that a business that collects the consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected; and the right to request that a business delete any personal information about the consumer that the business has collected from the consumer, with some exceptions.
The bill passed its first reading and was referred to the House Rules Committee on February 22.
Florida Data Privacy Bills (HB 969 and SB 1734)
On February 15, Florida Governor Ron DeSantis and House Speaker Chris Sprowls held a press conference to announce their support for House Bill 969, a data privacy bill introduced by State Representative Fiona McFarland (R-Sarasota) that would significantly increase data privacy and security regulation and create new rights for Florida consumers with respect to their personal information. If enacted, the bill would:
- Apply to any for-profit business that collects personal information (PI) about Florida residents and satisfies one or more of the following thresholds: (a) has annual revenue over $25 million, (b) collects 50% or more of its revenue from selling or sharing PI, or (c) sells or shares the PI of 50,000 or more consumers or devices.
- Take effect January 1, 2022.
On April 30, 2021, House Bill 969 failed.
On April 6, 2021, the Florida Senate Rules Committee voted 11–5 to give a favorable recommendation to an amended version of Senate Bill 1734. The amended bill:
- Narrowed the scope of the law to cover only businesses that sell data per the definition of “sale,” instead of reaching organizations that simply collect personal information.
- Changed the application thresholds to companies selling or sharing the data of more than 100,000 consumers or those generating 50% of their annual revenue from data sales or sharing.
- Removed the private right of action and put enforcement of privacy violations in the hands of the attorney general.
The effective date of the law was also moved to July 1, 2022, following compliance concerns.
Minnesota HF 36
Minnesota is another state following California’s lead in proposing new legislation aimed at enhancing consumer data privacy. Introduced in January 2021 by State Representative Mohamud Noor (D-60B), HF 36 would expand consumer rights over personal information and impose specific transparency obligations on businesses collecting and disclosing personal information. The bill would apply to businesses that (i) have annual gross revenues in excess of $25,000,000; (ii) annually buy or sell the personal information of 50,000 or more consumers, households, or devices; or (iii) derive 50% or more of the business’s annual revenue from selling personal information. Unlike other proposed state privacy laws, the legislation includes an expanded private right of action for violations of the law that could result in statutory damages of between $100 and $750 per consumer, per incident.
New York Privacy Bills (A680 and S567)
New York State has a number of data privacy bills under consideration, but the following two are the most comprehensive.
- Assembly Bill A680 – Introduced in January 2021 by several Assembly members, the so-called New York Privacy Act would require companies to disclose their methods of de-identifying personal information, place special safeguards around data sharing, and allow consumers to obtain the names of all entities with whom their information is shared. Importantly, the bill applies to any legal entity that conducts business in New York or produces products or services that are intentionally targeted to residents of New York (regardless of revenue or data subject number thresholds), and it imposes fiduciary duties on companies that collect, sell or license consumer personal information.
- Senate Bill S567 – This bill, called the Consumer Control of Personal Information Act, would grant consumers the right to request that a business disclose the categories and specific pieces of personal information that the business collects about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
Utah Consumer Privacy Act (SB 200)
On February 16, State Sen. Kirk Cullimore, R-Utah, introduced Senate Bill 200, the Utah Consumer Privacy Act and Utah Commercial Email Act. The bill features opt-in consent requirements, data subject rights, data protection assessments, and enforcement by the attorney general.
Alaska Consumer Data Privacy Act (SB 116 / HB 159)
On March 31, 2021, Alaska Governor Mike Dunleavy introduced the Consumer Data Privacy Act (SB 116, HB 159) to protect Alaskans’ personal information.
The Consumer Data Privacy Act would create four new rights:
- The Right to Know: Alaskans will have the right to know when businesses are collecting their personal information.
- The Right to Disclosure: Alaskans will have the right to learn what information businesses have collected about them over the last five years and whether businesses have sold or disclosed that information to third parties.
- The Right to Delete: Alaskans will have the right to request that businesses delete any personal information that has been collected within the last five years.
- The Right to Opt Out: Alaskans will have the right to prevent businesses from selling their personal information.
The bill ensures the personal information of Alaskans is protected from unscrupulous monetization by businesses that consumers have never heard of or interacted with and will protect the personal information of minors, requiring parental or guardian approval before the information of a minor may be sold.
Washington Privacy Act (SB 5062) and People’s Privacy Act (HB 1433)
On March 3, 2021, Senate Bill 5062, dubbed the Washington Privacy Act, passed 48–1 in the state Senate. This bill, if passed, would give consumers the right to access, correct, and delete personal data collected by businesses, and companies would have to issue privacy notices and adopt reasonable security standards.
In January 2021, a competing bill co-created by the ACLU of Washington, the People’s Privacy Act (HB 1433), was introduced in the Washington House. This act would require companies to obtain opt-in consent for the collection and use of personal information and would also give consumers the ability to sue.
In April 2020, both of these bills failed.
Other States
Red Clover Advisors is also monitoring laws in the other states below and will keep you posted on any developments.
- Alabama: HB 216 (“Alabama Consumer Privacy Act”)
- Arizona: HB 2865
- Connecticut: SB 893
- Kentucky: HB 408
- Oklahoma: HB 1602 (“Oklahoma Computer Data Privacy Act”) – Failed, April 2021
- South Carolina: H3063 (“South Carolina Biometric Data Privacy Act”)