| State |
Law |
Date Introduced |
Effective Date |
Status |
Scope of Law |
| CA |
CCPA – California Consumer Protection Act |
Jan-18 |
Jan-20 |
Enacted |
- Allows consumers the right to request a business to disclose the categories and specific pieces of personal information that the business has collected about the consumers.
- Allows consumers to also know the source of that information and business purpose for collecting the information.
- Provides that consumers may request that a business delete personal information that the business collected from the consumers.
- Provides that consumers have the right to opt out of a business’s sale of their personal information.
- Businesses may not discriminate against consumers who opt out. • Provides a private right of action only for data breaches, with fines up to $750 per violation.
- Privacy violations are only enforceable by the AG, with fines up to $2,500 per violation or $7,500 per intentional or reckless violations.
|
| ME |
An Act To Protect the Privacy of Online Consumer Information |
Jun-19 |
Jul-20 |
Enacted |
- Prohibits providers of broadband Internet access from using, disclosing, selling, or permitting access to customer’s personal information unless the customer expressly consents to such.
- Customer may request that Internet provider does not use, sell, disclose, or provide access to non-personal information as well by written notice.
- Exceptions include:
- Consent
- To provide the continued services from which that PI is derived.
- To advertise or market the provider’s communications-related services to the customer;
- To comply with a lawful court order;
- To initiate, render, bill for and collect payment for broadband Internet access service;
- To protect users of the provider’s or other providers’ services from fraudulent, abusive or unlawful use of or subscription to such services; and
- To provide geolocation information concerning the customer for emergencies.
- Provider must give a clear, conspicuous and non-deceptive notice at the point of sale and on the provider’s publicly accessible website of the provider’s obligations and a customer’s rights.
- Law prohibits a provider from refusing to serve a customer, charging them a penalty, or offering them a discount based on costumer data.
|
| NV |
Security of Personal Information (NRS 603A) |
Feb-19 |
Oct-19 |
Enacted |
- Requires an operator to establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer.
- The term “sale” means the exchange of covered information for monetary consideration by the operator to a third party for them to license or sell the covered information to additional persons.
- The law also prohibits an operator who has received such a request from making any sale of any covered information collected about the consumer.
- The Attorney General may seek an permanent injunction or a civil penalty of $5,000 for each violation.
|
| CT |
Chap. 19-24 Task Force |
N/A |
N/A |
Pending |
Establishes a task force to examine what information businesses in the state should be required to disclose to consumers concerning consumers’ personal information that is retained or sold by such businesses. |
| HI |
SB 2451 |
Jan-20 |
TBD |
In committee |
- Gives consumers a right to opt out of the sale of their personal information.
- Different from the CCPA in that a third party cannot sell or use personal information that has been sold to it unless the consumer receives explicit notice and provides express written consent.
- The term “sale” is not defined broadly as in the CCPA and would likely be interpreted to have a more typical definition that requires the exchange of monetary consideration.
- Enforceable under existing Hawaii statute by the attorney general or office of consumer protection, with penalties up to $2,500 per violation.
- Also includes private right of action for actual damages and attorneys’ fees.
- Sale of geolocation collected from any device without explicit consent from primary user is prohibited.
- Sale of internet browser information collected from any device without explicit consent from primary user is prohibited.
|
|
Data Transparency and Privacy Act |
May-19 |
TBD |
In committee |
- Applies to businesses that either:
- control or process the personal data of 100,000 or more Illinois residents or
- derive over 50% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Illinois residents.
- Individuals acting in an employment or commercial context are exempt. • Information subject to HIPAA, FCRA, or Gramm-Leach-Bliley Act (GLBA) is also exempt.
- Like CCPA, consumers would have right, upon request, to access, port, correct, delete, and object to processing.
- The right to object to processing includes a right to object to the use of personal data for targeted advertising as well.
- Controllers must disclose the categories of personal information they collect, the purposes for which personal data is used, the categories of personal data shared with third parties, and the categories of third parties with whom it is shared.
- Controllers must conduct risk assessments of their processing activities and provide them to the attorney general upon request.
- Attorney general would be empowered to seek civil penalties of $2,500 per violation or $7,500 per intentional violation.
- There is no private right of action
|
| IL |
App Privacy Act |
Feb-19 |
TBD |
In committee |
- Requires operators of websites, online services, or software applications to disclose in its terms of service the names of third parties that collect electronic information through its service, along with the categories of information they collect.
- Both the attorney general or state’s attorneys may enforce under Illinois Consumer Fraud and Deceptive Business Practices Act.
- Civil penalties up to $50,000 can accrue.
- Private plaintiffs may sue for injunctive relief, compensatory damages, attorney’s fees, and punitive damages if attorney general or state attorneys do not bring a case.
|
|
BIPA (Biometric Information Protection Act) |
N/A |
Jan-08 |
Enacted |
Regulates the collection, use, safeguarding, handling, storage, retention, and destruction of Biometric identifiers and Biometric information and Biometric data. A Private Entity:
- Needs both a Retention and Destruction Policy for all Biometric data.
- Must destroy any Biometric data at the end of its use, or 3 years after the last interaction with the individual.
- Must inform the individual in writing of the specific purpose and length of time that their Biometric data is being used and obtain written release.
- Cannot sale/trade/lease or otherwise profit from the Biometric data in any way.
- Cannot disclose the Biometric data unless:
- They have consent or;
- There is a financial transaction requested or authorized by the individual or;
- Disclosure is required by Federal, State, or Municipal Law or;
- Disclosure is required pursuant to a valid warrant or subpoena.
- Must store, transmit, and protect Biometric data using:
- the reasonable standard of care within its industry and;
- the same protective manner as used with other confidential and sensitive information within the Private entity’s care.
|
| LA |
Task force |
N/A |
N/A |
Pending |
Task force to determine what best Privacy issues are of top concern and should be addressed in the State Privacy Act when introduced. |
|
TX
|
Task force – Texas Privacy Protection Act (H.B. 4390) |
N/A |
N/A |
Pending |
Task force to determine what best Privacy issues are of top concern and should be addressed in the State Privacy Act when introduced. |
| Texas Biometric Information Privacy Statute |
|
|
|
- Prohibits employers from capturing a biometric identifier of an employee for a commercial purpose without notice and consent. No writing requirement for evidencing consent.
- Prohibits employers from selling, leasing, or otherwise disclosing an employee’s biometric identifier(s) captured for a commercial purpose unless one of four exceptions apply:
- the employee consents to the disclosure for identification purposes in the event of the employee’s disappearance or death.
- disclosure completes a financial transaction the employee requested or authorized.
- disclosure is required or permitted by federal statute or state statute (other than the TX open government provision).
- disclosure is made by or to a law enforcement agency for a law enforcement purpose in response to a warrant.
- Requires employers to store, transmit, and protect biometric identifiers from disclosure using reasonable care, in a manner the same or more protective than that in which the employer stores, transmits, and protects any other confidential information it possesses
- Requires employers to destroy biometric identifiers within a “reasonable time”
- Not later than one year after the purpose for collecting the identifier expires
- Exception in employment context: if biometric identifier is collected and used for security purposes by an employer = purpose is presumed to expire when employment terminates.
- Enforcement
- AG enforcement only. (No private right of action – unlike BIPA.)
- Maximum civil penalty of $25,000 for each violation.
|
|
WA
|
Washington Privacy Act |
Jan-20 |
10-Mar |
Failed In committee on 3/10 |
- Similar to the potential IL DTPA , this law would apply to any legal entity that conducts business in Washington or targets products or services to Washington residents while meeting one of the following criteria:
- during a calendar year, controls or processes personal data of 100,000 Washington consumers or more; or
- derives 50% or more of its gross revenue from the sale of personal data and processes or controls personal data of at least 25,000 Washington consumers.
- Law does not apply to information subject to HIPAA, FCRA or GLBA.
- Consumers would have the right to access, port, correct, delete, and opt out of the processing of their personal data.
- All data controllers would be obligated to layout consumer options through privacy policy disclosures including:
- purpose specification;
- data minimization;
- avoiding secondary use;
- security;
- nondiscrimination;
- special standards for “sensitive” data (only processed with consent);
- non-waiver of consumer rights.
- Controllers would have to conduct data protection assessments of certain processing activities, including the sale of personal data and the processing of personal data for targeted advertising.
- Would impose special requirements on controllers and processors that use facial recognition technology.
- Attorney general would be able to enforce under statute, with fines as high as $7,500 per violation.
- No private right of action
|
| RCW 19.375.010 |
N/A |
Jul-17 |
Enacted |
- Any person cannot enroll a biometric identifier in a database for a commercial purpose without first:
- Providing notice.
- Defined as disclosure reasonably designed to be readily available to the affected persons.
- Does not necessarily need to be in writing.
- Obtaining consent.
- Providing a mechanism to prevent the later use of a biometric identifier for a commercial purpose.
- Applies to biometric identifiers that are both
- Enrolled – meaning those that have undergone the process of:
- capturing a biometric identifier;
- converting it into a reference template that cannot be reconstructed into the original output image; and
- storing it in a database that matches the biometric identifier to a specific individual.
- Used for a commercial purpose Commercial purposes means:
- The sale or disclosure to a third party for the purpose of marketing goods or services that are unrelated to the initial transaction in which the person obtained the biometric identifier
- Does not include a security or law enforcement purpose.
- Does not apply to the disclosure or retention of biometric identifiers that:
- Have been unenrolled.
- Are used for a security purpose, defined as:
- preventing shoplifting, fraud, or other misappropriation or theft; and
- other purposes to protect the security or integrity of software, accounts, applications, online services, or any person.
- An employer may not sell, lease, or disclose an employee’s biometric identifier for a commercial purpose unless either:
- The employer obtains the employee’s consent.
- The sale, lease, or disclosure is:
- consistent with the law’s requirements;
- necessary to provide a product or service subscribed to, required by, or expressly authorized by the employee;
- necessary to effect, administer, enforce, or complete a financial transaction that the employee requested, initiated, or authorized, and the third-party recipient of the biometric identifier maintains its confidentiality and does not further disclose it;
- required or expressly authorized by statute or court order;
- made to a third party that contractually promises not to disclose it or enroll it in a database for a commercial purpose inconsistent with the law; or
- made in preparation for litigation or to respond or participate in judicial process.
|
| NE |
Nebraska Privacy Act |
Jan-20 |
TBD |
In committee |
- Would apply to businesses that collect personal information from Nebraska residents with the purposes and means of processing that personal information while meeting one of the following thresholds:
- has an annual gross revenue in excess of $10 million;
- alone, or in combination, annually buy, receive for the business’s commercial purposes, sell, or share the personal information of 50,000 or more consumers; or
- derive 50% or more of annual revenue from selling consumer personal information
- Similar to CCPA and other laws, contains exemptions for information subject to HIPAA, FCRA, or GLBA.
- Different from CCPA, has an entity-level exemption for financial institutions or their affiliates that are regulated by the GLBA.
- Upon request, consumers would have rights to access, delete, and opt out of the sale of their personal information; and businesses may not discriminate against consumers for exercising their rights.
- Similar to IL, upon a consumer’s request, the businesses is required to disclose the categories of personal information they collect, the business or commercial purposes for which the information is collected, the categories of sources from which the information is collected, the specific pieces of personal information collected, and the categories of third parties with whom it is shared.
- Businesses would have to make certain disclosures in their online privacy policy.
- Businesses that sell personal information would be required to place a “Do Not Sell My Personal Information” link on their homepage, in their privacy policy, and in any Nebraska-specific description of consumer rights.
- Attorney general can enforce fines up to $7,500 per violation.
- No private right of action.
|
|
NH
|
H.B.1680 -FN |
Dec-19 |
TBD |
In committee |
- Largely copies the current CCPA and proposed NE law as it would apply to businesses that collect personal information from New Hampshire residents, with the purposes and means of processing that personal information, and meet one of the following thresholds:
- annual gross revenue in excess of $25 million;
- alone, or in combination, annually buys, receives for the business’s commercial purposes, sell, or share the personal information of 50,000 or more consumers; or
- derive 50% or more of their annual revenue from selling consumer personal information.
- Contains exemptions for information subject to HIPAA, FCRA, or GLBA.
- Consumers would have the right, to access, delete, and opt out of the sale of their personal information upon request; and businesses may not discriminate against consumers for exercising these rights.
- Upon request from a consumer, businesses will need to disclose the categories of personal information they collect, the business or commercial purposes for which the information is collected, the categories of sources from which the information is collected, the specific pieces of personal information collected, and the categories of third parties with whom it is shared.
- Businesses will need to place a “Do Not Sell My Personal Information” link on their homepage, in their privacy policy, and in any New Hampshire–specific description of consumer rights.
- Provides a private right of action only for data breaches, with fines up to $750 per violation.
- Privacy violations are only enforceable by the AG, with fines up to $2,500 per violation or $7,500 per intentional or reckless violations.
|
| H.B. 1236 |
Jan-20 |
TBD |
In committee |
Establishes an expectation of privacy in personal information provided to “third-party providers of information and services,” including cell service providers, Internet service providers, and social media companies. |
| NJ |
A.3255 |
Feb-20 |
TBD |
In committee |
- Will apply to businesses that meet one of the following thresholds:
- annual gross revenue in excess of $25 million;
- alone, or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares the personal information of 50,000 or more data subjects; or
- derives 50% or more of annual revenue from selling personal information.
- Similar to CCPA and other laws as there are exemptions for HIPAA, FCRA or GLBA information.
- Consumers must opt in before a business can sale or collect their data.
- Businesses would be required to disclose their profiling to affected consumers at or before the time their personal data is obtained.
- Upon collecting information from a data subject, businesses would be required to provide the data subject with:
- the purpose and legal basis for the processing of the personally identifiable information;
- a complete description of the PII that the business collects about the individual and the means by which a business collects the PII;
- all third parties to which the business may disclose the individual’s PII;
- the purpose of the disclosure of the PII, including whether the business profits from the disclosure; and
- the contact information of the person employed at the business responsible for PII data protection, where applicable.
- Would require businesses to allow data subjects to opt out of the processing of their data, subject to certain exceptions (not yet defined). • Must have clear and conspicuous links on Businesses homepage that state “I Permit this Businesses to Collect my PII”, and “I Permit this Businesses to Sell my PII”
- Would create a monetary penalty of up to 10,000 for first offense, and up to 20,000 for subsequent offenses to be enforced by AG.
|
|
NY
|
New York Privacy Act |
Jan-20 |
TBD |
In committee |
- Similar to GDPR; provides consumers the rights to access, correct, delete, and port data, including the right to know the third parties their data is sold to.
- Would apply to all legal entities that conduct business in New York or targets products or services to New York residents.
- Prohibits any use, processing, or transfer of personal data without express consent from individual.
- Definition of “personal data” is similar to “personal information” under the CCPA.
- Like GDPR, will prohibit decisions about consumers based solely on “automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person,” unless required by federal or state law.
- Businesses that profile as such would be required to disclose their profiling to affected consumers at or before the time their personal data is obtained, including meaningful information about the logic involved and the contemplated consequences of the profiling.
- Would create a private right of action for the entire law.
- Businesses could be enjoined from conducting unlawful practices, and;
- Can be required to pay actual damages and reasonable attorney’s fees.
|
| Right To Know Act |
Feb-19 |
TBD |
In committee |
Would make knowingly making a “false or misleading” statement in an online privacy policy a Class A misdemeanor, punishable by up to 364 days in jail and/or a $1,000 fine. |
| VA |
Carried ove+A28:E29r to 2021+B21 |
Jan-20 |
TBD |
Carried over to 2021 |
- Like IL Privacy law, applies to businesses that control or process the personal data of 100,000 or more Virginia residents,
- or derive over 50% of their gross revenue from the sale of personal data and;
- process or control the personal data of 25,000 or more Virginia residents.
- Exemptions for individuals acting in an employment or commercial context.
- Information subject to HIPAA, FCRA, or GLBA is exempt
- Consumers can access, port, correct, delete, and object to processing.
- Objecting to processing includes a right to object to the use of personal data for targeted advertising.
- Controllers will need to disclose the categories of personal information they collect, the purposes for which the information is used, the categories of information shared with third parties, and the categories of third parties with whom it is shared.
- Controllers would be required to conduct risk assessments of their processing activities and provide them to the attorney general upon request.
- Enforceable under the Virginia Consumer Protection Act either by the attorney general or a private party after a 30-day right to cure.
- Private parties can recover actual damages or $500 (whichever is greater), or actual damages or $1,000 (whichever is greater) if the violation is found to be willful.
|
| FL |
HB 963/SB 1670 |
Jan-20 |
TBD |
Failed In committee |
- Would apply to anyone who “owns or operates a website or online service for commercial purposes” and “collects and maintains covered information” from Florida residents.
- Information subject to HIPAA or GLBA would be exempt.
- “Covered information” includes:
- A subject’s first and last name;
- Street address;
- Email address;
- Telephone number;
- Social Security number;
- Any identifier that allows a consumer to be contacted either physically or online; and
- Any combination of Information and personal identifiers that can be linked to an individual data subject.
- Consumers can opt out of the sale of their covered information if wanted.
- The term “Sale” requires an exchange of money for covered information.
- Exceptions for disclosures to processors/service providers, or disclosures “for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator”.
- Operators need to disclose, in a reasonably accessible manner, the categories of covered information collected and the categories of third parties that they share the covered information with, as well as whether a third party “may collect covered information about a consumer’s online activities over time and across different websites or online services when the consumer uses the operator’s website or online service.”
- Contains a 30-day right to cure and does not provide a private right of action.
|
| MD |
HB. 1656 |
Mar-20 |
TBD |
In committee |
- Give consumers a right to opt out of their personal information being disclosed.
- Would apply to businesses that have annual gross revenues above $25 million, and/or
- processes the personal information of 50,000 or more Maryland residents and/or;
- derive at least 50% of their annual revenue from selling the personal information of Maryland residents.
- Similar to IL, upon a consumer’s request, the businesses is required to disclose the categories of personal information they collect, the business or commercial purposes for which the information is collected, the categories of sources from which the information is collected, the specific pieces of personal information collected, and the categories of third parties with whom it is shared.
- Provider must give a clear, conspicuous and non-deceptive notice at the point of sale and on the provider’s publicly accessible website of the provider’s obligations and a customer’s rights.
- Consumers would have the right to opt out of the disclosure of their personal information, via browser settings that indicate the consumer’s intent to opt out of third-party disclosure.
- Browser settings can also be a browser extension, or global device settings.
- Businesses would not be able to disclose the personal information of individuals the business knows or should know are under the age of 18 to a third party.
- Prohibits the knowledgeable or willfully disregarded disclosure of personal information of individuals under age 16 to third parties.
- Law would be enforceable by AG , which includes civil penalties of up to $7500 per violation.
- Private right of action $750 for damages from breach and attorney’s fee.
|
|
MA
|
HB. 243 |
Jan-20 |
TBD |
In committee |
- Strictly limits the collection and use of “account numbers.”
- Account numbers is defined to include Social Security numbers, driver’s license numbers, license plate numbers, bank account numbers, credit card numbers, telephone numbers, and account numbers with businesses that sell goods or services.
- There must be a limited use of “account numbers” without prior written permission to a set of enumerated purposes, including:
- Processing transactions,
- Verifying identity,
- And complying with federal or state law.
- Prior written permission for other purposes could be obtained only by a paper-and-ink document and would have to be renewed annually.
- The state government would be prohibited from maintaining any electronic information containing Social Security numbers, financial information, employer identification numbers, or “other confidential information” in a form that is accessible via the Internet.
- Would create a private right of action, including the potential for class actions.
- Would be considered a fiduciary duty, and strict liability applies.
|
| S.120 |
Jan-19 |
TBD |
Assigned to Study Group |
- Give consumers a right to opt out of their personal information being disclosed.
- Would apply to businesses that collect MA consumers data and have annual gross revenues above $10 million, and/or
- derive at least 50% of their annual revenue from selling the personal information of MA residents.
- Similar to IL, upon a consumer’s request, the businesses is required to disclose the categories of personal information they collect, the business or commercial purposes for which the information is collected, the categories of sources from which the information is collected, the specific pieces of personal information collected, and the categories of third parties with whom it is shared.
- Information subject to HIPAA, FCRA, or GLBA is exempt • Provider must give a clear, conspicuous and non-deceptive notice at the point of sale and on the provider’s publicly accessible website of the provider’s obligations and a customer’s rights.
- Consumers would have the right to opt out of the disclosure of their personal information, via browser settings that indicate the consumer’s intent to opt out of third-party disclosure.
- Browser settings can also be a browser extension, or global device settings.
- Businesses would not be able to disclose the personal information of individuals the business knows or should know are under the age of 18 to a third party.
- Enforceable by the AG, with fines up to $2,500 per violation or $7,500 per intentional or reckless violations.
- Private right of action $750 for damages for each violation and attorney’s fee.
|
|
AZ
|
S.B. 1614 |
Feb-20 |
TBD |
In committee |
- Gives consumers upon request, rights of access, erasure, and rectification of personal data held by a business, and imposing an obligation on said business to provide the requested data.
- Business must disclose to the consumer the rights of deletion available to them upon collecting their personal data.
- Consumers can request the categories of personal information the business has collected about that consumer; the categories of sources from which the personal information is collected; the business or commercial purpose for collecting or selling personal information; the categories of third parties with whom the business shares personal information; and the specific personal information the business has collected about that consumer.
- Personal right of action for data breaches up to $750 per incident.
- Attorney General can also bring claim for up to $7500 per violation.
|
| H.B. 2729 |
Feb-20 |
TBD |
In committee |
- Applies to any legal entity with annual gross revenue of at least $25 million that conducts business or produces products or services targeting Arizona residents and either:
- Controls or processes data of at least 100,000 consumers or;
- Derives over 35% of gross revenue from the sale of personal information and processes or controls personal information of at least 25,000 consumers.
- Consumers would have the right to know, delete and correct their personal data.
- Consumers cannot opt-out of the sale of their personal information but do have the right to object to the processing of their personal data.
- Processing = collecting, using, storing, disclosing, analyzing, deleting or modifying personal data.
- If any processing objection is related to targeted advertising, the business must cease such processing and communicate the objection.
- unless it proves impossible or involves disproportionate effort.
- If the objection to processing is for any other reason, the processing can continue “if the controller can demonstrate:
- a legitimate ground to process that personal data and;
- overrides the potential risks to the rights of the consumer
- HIPPA, GLBA, and FCRA data is exempt
- No private right of action.
- Civil penalties by the Attorney General in the amount of $2,500 per violation, or $7,500 per intentional violation.
|
|
MN
|
Minnesota Consumer Data Privacy Act |
Mar-20 |
TBD |
In committee |
- Apply to entities conducting business in Minnesota or targeting its residents with products or services that:
- control or process personal data of 100,000 consumers; or
- derive more than 50 percent of gross revenue from the sale of personal data and process or control personal data of 25,000 or more consumers.
- Provide consumers the right to know and request deletion of personal information collected about them and to opt-out of the sale of their personal information.
- Consumers would have the right to correction and data portability as well.
- Processors would be responsible for adhering to controllers’ contractual instructions by:
- assisting controllers with respect to the security and processing of personal data and breach notification,
- agreeing to audits by the controller and;
- ensuring “each person processing the personal data is subject to a duty of confidentiality with respect to the data.
- Controllers must establish the means for submission and authentication of consumers’ requests.
- Controllers must conduct data protection assessments which must be provided to the attorney general upon request.
- Exemptions for businesses or personal information subject to HIPAA, FCRA or GLBA.
- No private right of action, but the attorney general could enforce civil penalties up to $7,500 per violation.
|
| HF 3096 |
Feb-20 |
TBD |
In committee |
- Apply to any for-profit business, regardless of whether it “does business” in Minnesota, that:
- has annual gross revenue in excess of $25 million;
- annually buys or sells the personal information of 50,000 or more consumers, households, or devices; or
- derives 50% or more of its annual revenues from selling consumers’ personal information.
- Require notice at collection
- Provide consumers the right to know and request deletion of personal information collected about them and to opt-out of the sale of their personal information.
- A business may require authentication of the consumer’s identity and the request.”
- No exemptions for businesses or personal information subject to HIPAA, FCRA or GLBA.
- No private right of action
- Attorney General could seek damages between $100 and $750 per consumer per violation and treble damages in the event of willful and malicious violations.
|
| SC |
South Carolina Biometric Data Privacy Act |
Jan-20 |
TBD |
In committee |
- Business that collects a consumer’s biometric information shall, at or before the point of collection, inform the consumer.
- Must provide the specific and legitimate purpose for which the biometric information will be used.
- Consumer must give the business consent before any biometric information may be collected.
- Consumer has the right to request that a business disclose the categories and specific pieces of information the business has collected.
- No more than twice in a year
- A consumer may request that a business delete biometric information collected by the business once the initial purpose of the collection of biometric information has been satisfied.
- Business must direct all third parties with these records to delete the information from their records also.
- Must be deleted within 1 year of request
- Consumer has the right, at any time, to direct a business to discontinue selling the information.
- Businesses can never sell the Bio info of a minors under 16 without parental consent.
- A business must provide a clear and conspicuous link on the business’s website titled ‘Do Not Sell My Biometric Information’ to a webpage.
- Business must notify all consumers of any data security breach within 72 hours of the business discovering such breach.
- $5,000 fine in addition other penalties if no notice.
- Private right of Action for consumers against businesses that violate the law accordingly:
- Negligent violation = $1000
- Willful or Reckless violation = $10,000
- Attorney fees
|
