Over the past few months, we have witnessed an unprecedented wave of privacy legislation being introduced in multiple states. In the absence of any federal privacy legislation, states are taking the lead on providing their residents with data privacy rights such as the right to access the data businesses collect, request deletion of that information, and correct inaccuracies, among others. Privacy is generally considered a bipartisan issue, although the political parties might have different motivations for seeking to pass such legislation.
Many of us are aware that California became the first state to enact a comprehensive data privacy law, the California Consumer Privacy Act (CCPA), in 2018, and voters in that state expanded that law by passing the California Privacy Rights Act (CPRA) in the November 2020 election (see our analysis of the CPRA here). Drawing lessons from California, as many as 12 states have introduced privacy legislation this year alone.
Ohio Personal Privacy Act (OPPA)
On July 13, 2021, Ohio State Representatives Rick Carfagna (R-Genoa Township) and Thomas Hall (R-Madison Township) introduced House Bill 376, the Ohio Personal Privacy Act (“OPPA”), a measure that would establish data rights for residents of the state while requiring businesses to adhere to specified data standards. In doing so, Ohio becomes one of over 20 states that have introduced data privacy legislation in the absence of federal legislation on the topic. Three states (California, Colorado and Virginia) have already passed comprehensive data privacy laws.
Similar to other data privacy laws, OPPA would apply to “businesses” that conduct business in Ohio, produce products or services targeted to Ohio consumers, and meet one of the following conditions: (1) have annual gross revenues generated in Ohio in excess of $25,000,000; (2) during a calendar year, control or process the personal data of 100,000 or more consumers; or (3) during a calendar year, derive over 50% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers.
OPPA defines “consumer” as an Ohio resident acting only in an individual or household context; it does not include individuals acting in a business or employment context.
OPPA also defines “personal data” as “any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose.” This excludes publicly available data and pseudonymized, deidentified or aggregated data.
OPPA includes a number of exemptions, including personal data regulated by federal laws such as the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Fair Credit Reporting Act (FCRA) and Family Educational Rights and Privacy Act (FERPA), among others, as well as personal data related to higher education institutions, business-to-business transactions and employment.
OPPA would establish the following “data rights” for Ohioans, none of which currently exist. Notably, unlike other data privacy laws, OPPA does not include a right to correct inaccurate data, does not allow consumers to opt out of targeted advertising or profiling, and does not include any provisions relating to the collection and treatment of sensitive data.
- Right to Know what personal data a business collects about them.
- Right to Access personal data that a business collected about a consumer for the preceding 12-month period, subject to verification of the consumer’s identity. Upon a consumer’s request, the business would need to provide this data in an electronic, portable, and readily usable format.
- Right to Delete their personal data collected by the business from the consumer for commercial purposes and that the business maintains in an electronic format, subject to verification of the consumer’s identity and certain exceptions.
- Right to Opt Out of the Sale of personal data to third parties. Unlike other states, businesses would not be required to provide a “Do Not Sell My Personal Information” or similar link or respond to the consumer’s use of a universal opt-out mechanism. Under the law, “sale” is defined as the “exchange of personal data for monetary or other valuable consideration by a business to a third party.”
- Right Not to Be Discriminated Against for exercising other rights under the law; however, businesses would be able to charge different prices or rates for goods or services to individuals who exercise their rights “for legitimate business reasons or as otherwise permitted or required by applicable law.”
Business Obligations: The proposed bill includes a list of obligations for businesses to follow, including posting privacy notices and disclosing where data is being sold.
Data Processing Agreements: Under the proposed law, businesses would be required to enter into written contracts with processors that prohibit the processor from processing personal data “except to provide services to the business.”
Safe Harbor: OPPA would also change Ohio law so that businesses that take reasonable precautions and meet the industry-recommended standards of the National Institute of Standards and Technology (NIST) Privacy Framework would be afforded an affirmative defense against legal claims.
Enforcement: The Ohio Attorney General would have exclusive authority to enforce OPPA and no private right of action would exist. Prior to initiating an action, the Attorney General would be required to provide a 30-day right to cure any potential violations without any further legal action being taken.
Colorado Privacy Act (CPA)
On June 8, the Colorado Legislature officially passed Senate Bill 21-190, the Colorado Privacy Act (CPA). Colorado Governor Jared Polis signed the bill on July 7, 2021. The law goes into effect on July 1, 2023 and Colorado becomes the third state – after California and Virginia – to enact comprehensive consumer data privacy legislation.
Like the California and Virginia laws, the CPA gives Colorado consumers the right to opt out of the processing of their personal data; access, correct, or delete the data; or obtain a portable copy of the data. The CPA is based on this year’s version of the Washington Privacy Act (which did not pass) and uses the “controller/processor” language found in the European Union’s General Data Protection Regulation (GDPR). The law is perceived as being more friendly to business than its California counterpart. For instance, the CPA does not include a private right of action, and it defines the “sale” of personal information narrowly as the “exchange of personal data for monetary or valuable consideration” only, whereas California law also considers it a sale if data is shared for nonmonetary consideration.
The law will be enforced by the state’s attorney general and district attorneys.
Virginia Consumer Data Protection Act (VCDPA)
On March 2, Governor Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA), making Virginia the second state to pass a comprehensive data privacy law. The Act incorporates aspects of California's privacy law and the European GDPR, yet is considered to be more business-friendly than its California counterpart. Mirroring a similar bill from Washington state, the Act includes the following highlights:
- Establishes a series of consumer privacy rights, including the right to access the data businesses collect, request deletion of that information, correct inaccuracies and opt out of processing.
- Applies to businesses that control the personal data of either 100,000 consumers, or 25,000 consumers where 50 percent of the business’ gross revenues come from the sale of that information.
- Exempts Virginia state agencies, boards, commissions, or political subdivisions; nonprofit organizations; and institutions of higher education.
- Imposes the following requirements on data controllers, or the businesses that have a direct relationship to the Virginia resident:
  - Must limit collection of personal data to only what is necessary for the purposes for which such data is processed;
  - Must establish, implement, and maintain administrative, technical, and physical safeguards to protect the confidentiality of personal data;
  - Cannot process sensitive data such as racial, genetic, or geolocation data without the consumer’s consent;
  - Must provide meaningful privacy notices, an opt-out for the sale or use for targeted advertising of consumer personal data, and a secure mechanism to allow consumers to exercise their rights under the law;
  - Must protect the confidentiality and privacy of personal data shared with data processors, whose role must be limited and circumscribed by contract; and
  - Must perform and document data protection assessments under certain circumstances (e.g., processing sensitive data).
- Imposes the following requirements on data processors, or those entities that process personal information on behalf of the data controller:
  - Must adhere to the instructions of a controller; and
  - Must aid the controller in meeting the controller’s obligations under the Act.
- Like the GDPR, includes a broader definition of “personal data,” which includes “any information that is linked or reasonably linkable to an identified or identifiable natural person” and excludes “de-identified data or publicly available information.”
- Does not allow a private right of action but does allow the state attorney general to litigate and seek damages as high as $7,500 on behalf of Virginia residents for “any violations” of the act.
- Defines sale of personal information to include the exchange of personal data for monetary consideration only (different from California).
- Does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law, including the following:
  - Gramm-Leach-Bliley Act (GLBA)
  - Health Insurance Portability and Accountability Act (HIPAA)
  - Fair Credit Reporting Act (FCRA)
  - Driver’s Privacy Protection Act (DPPA)
  - Family Educational Rights and Privacy Act (FERPA)
  - Farm Credit Act
  - Children’s Online Privacy Protection Act (COPPA)
- Does not set out rulemaking procedures to follow.
- Goes into effect on January 1, 2023.
On February 22, Illinois State Representative Michelle Mussman (D-56th) introduced House Bill 3910, the Consumer Privacy Act, to the Illinois General Assembly. Among other things, the bill requires businesses to:
- inform a consumer about the categories of personal information to be collected and the purposes for which the personal information will be used;
- provide notice when collecting additional categories of personal information or when using a consumer's personal information for additional purposes; and
- make certain disclosures to the consumer upon receipt of a verifiable consumer request, if collecting or selling personal information.
In addition, the bill provides consumers with several rights, including the right to request that a business that collects the consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected; and the right to request that a business delete any personal information about the consumer that the business has collected from the consumer, with some exceptions.
The bill passed its first reading and was referred to the House Rules Committee on February 22.
On February 15, Florida Governor Ron DeSantis and House Speaker Chris Sprowls held a press conference to announce their support for House Bill 969, a data privacy bill introduced by State Representative Fiona McFarland (R-Sarasota) that would significantly increase data privacy and security regulation and create new rights for Florida consumers with respect to their personal information. If enacted, the bill would:
- Apply to any for-profit business that collects personal information about Florida residents and satisfies one or more of the following thresholds: (a) has annual revenue over $25 million, (b) collects 50% or more of its revenue from selling or sharing PI, or (c) sells or shares the PI of 50,000 or more consumers or devices.
- Take effect January 1, 2022.
On April 30, 2021, House Bill 969 failed.
On April 6, 2021, the Florida Senate Rules Committee voted 11–5 to give a favorable recommendation to an amended version of Senate Bill 1734 (SB 1734). The amendments made the following changes:
- The scope of the law was changed to only cover businesses that sell data per the definition of “sale,” instead of reaching organizations that simply collect personal information.
- Application thresholds were changed to companies selling or sharing the data of more than 100,000 consumers or those generating 50% of their annual revenue from data sales or sharing.
- The private right of action was removed and enforcement of privacy violations was placed in the hands of the attorney general.
The effective date of the law was also moved to July 1, 2022, following compliance concerns.
Minnesota is another state following California's lead in proposing new legislation aimed at enhancing consumer data privacy. Introduced in January 2021 by State Representative Mohamud Noor (D60B), HF 36 would expand consumer rights over personal information and impose specific transparency obligations on businesses collecting and disclosing personal information. The bill would apply to businesses that (i) have annual gross revenues in excess of $25,000,000; (ii) annually buy or sell the personal information of 50,000 or more consumers, households, or devices; or (iii) derive 50% or more of the business' annual revenue from selling personal information. Unlike other proposed state privacy laws, the legislation includes an expanded private right of action for violations of the law that could result in statutory damages of between $100 and $750 per consumer, per incident.
New York State has a number of data privacy bills under consideration, but the following two are the most comprehensive.
- Assembly Bill A680 – Introduced in January 2021 by several Assembly members, the so-called New York Privacy Act would require companies to disclose their methods of de-identifying personal information, place special safeguards around data sharing, and allow consumers to obtain the names of all entities with whom their information is shared. Importantly, the bill applies to any legal entity that conducts business in New York or produces products or services that are intentionally targeted to residents of New York (regardless of revenue or data subject number thresholds), and it imposes fiduciary duties on companies that collect, sell or license consumer personal information.
- Senate Bill S567 – This bill, called the Consumer Control of Personal Information Act, would grant consumers the right to request that a business disclose the categories and specific pieces of personal information that the business collects about them, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
On February 16, State Sen. Kirk Cullimore, R-Utah, introduced Senate Bill 200, the Utah Consumer Privacy Act and Utah Commercial Email Act. The bill features opt-in consent requirements, data subject rights, data protection assessments and enforcement by the attorney general.
On March 31, 2021, Alaska Governor Mike Dunleavy introduced the Consumer Data Privacy Act (SB 116, HB 159) to protect Alaskans’ personal information.
The Consumer Data Privacy Act would contain four new rights:
- The Right to Know: Alaskans will have the right to know when businesses are collecting their personal information.
- The Right to Disclosure: Alaskans will have the right to learn what information businesses have collected about them for the last five years and whether businesses have sold or disclosed that information to third parties.
- The Right to Delete: Alaskans will have the right to request that businesses delete any personal information that has been collected within the last five years.
- The Right to Opt Out: Alaskans will have the right to prevent businesses from selling their personal information.
The bill ensures the personal information of Alaskans is protected from unscrupulous monetization by businesses that consumers have never heard of or interacted with and will protect the personal information of minors, requiring parental or guardian approval before the information of a minor may be sold.
On March 3, 2021, Senate Bill 5062, dubbed the Washington Privacy Act, passed 48-1 in the state Senate. This bill, if passed, would give consumers the right to access, correct, and delete personal data collected by businesses, and companies would have to issue privacy notices and adopt reasonable security standards.
In January 2021, a competing bill co-created by the ACLU of Washington, the People’s Privacy Act (HB 1433), was introduced in the Washington House. This act would require companies to obtain opt-in consent for the collection and use of personal information and would also give consumers the ability to sue.
In April 2020, both of these bills failed.
Red Clover Advisors is also monitoring laws in the other states below, and will keep you posted on any developments.
Alabama: HB 216 (“Alabama Consumer Privacy Act”)
Arizona: HB 2865
Connecticut: SB 893
Kentucky: HB 408
Oklahoma: HB 1602 (“Oklahoma Computer Data Privacy Act”) – Failed, April 2021
South Carolina: H3063 (“South Carolina Biometric Data Privacy Act”)