| State |
Law |
Date Introduced |
Effective Date |
Status |
Scope of Law |
|
CA
|
CCPA – California Consumer Protection Act |
Jan-18 |
Jan-20 |
Enacted |
- Allows consumers the right to request a business to disclose the categories and specific pieces of personal information that the business has collected about the consumers.
- Allows consumers to also know the source of that information and business purpose for collecting the information.
- Provides that consumers may request that a business delete personal information that the business collected from the consumers.
- Provides that consumers have the right to opt out of a business’s sale of their personal information.
- Businesses may not discriminate against consumers who opt out.
- Provides a private right of action only for data breaches, with fines up to $750 per violation.
- Privacy violations are only enforceable by the AG, with fines up to $2,500 per violation or $7,500 per intentional or reckless violations.
|
| A.B. 950 |
Feb-19 |
TBD |
In committee |
- Business subject to the CCPA would be required to disclose the “monetary value to the business” of California residents’ “consumer data”.
- Consumer data is not yet defined.
- Businesses would be required to include the average value of consumers’ data in their privacy policy
- Must update this disclosure at least every 90 days.
- The law would require businesses to disclose the average price that they sell consumer data for, and, upon request, the actual price.
- If enacted, this bill will supplement the CCPA and be enforceable by the California attorney general under the same authority.
|
| ME |
An Act To Protect the Privacy of Online Consumer Information |
Jun-19 |
Jul-20 |
Enacted |
- Prohibits providers of broadband Internet access from using, disclosing, selling, or permitting access to customer’s personal information unless the customer expressly consents to such.
- Customer may request that Internet provider does not use, sell, disclose, or provide access to non-personal information as well by written notice.
- Exceptions include:
- Consent
- To provide the continued services from which that PI is derived.
- To advertise or market the provider’s communications-related services to the customer;
- To comply with a lawful court order;
- To initiate, render, bill for and collect payment for broadband Internet access service;
- To protect users of the provider’s or other providers’ services from fraudulent, abusive or unlawful use of or subscription to such services; and
- To provide geolocation information concerning the customer for emergencies.
- Law must give a clear, conspicuous and non-deceptive notice at the point of sale and on the provider’s publicly accessible website of the provider’s obligations and a customer’s rights.
- Law prohibits a provider from refusing to serve a customer, charging them a penalty, or offering them a discount based on consumer data.
|
| NV |
Security of Personal Information (NRS 603A) |
Feb-19 |
Oct-19 |
Enacted |
- Requires an operator to establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information collected about the consumer.
- The term “sale” means the exchange of covered information for monetary consideration by the operator to a third party for them to license or sell the covered information to additional persons.
- The law also prohibits an operator who has received such a request from making any sale of any covered information collected about the consumer.
- The Attorney General may seek an permanent injunction or a civil penalty of $5,000 for each violation.
|
| CT |
Chap. 19-24 Task Force |
N/A |
N/A |
Pending |
Establishes a task force to examine what information businesses in the state should be required to disclose to consumers concerning consumers’ personal information that is retained or sold by such businesses. |
| HI |
SB 2451 |
Jan-20 |
TBD |
In committee |
- Gives consumers a right to opt out of the sale of their personal information.
- Different from the CCPA in that a third party cannot sell or use personal information that has been sold to it unless the consumer receives explicit notice and provides express written consent.
- The term “sale” is not defined broadly as in the CCPA and would likely be interpreted to have a more typical definition that requires the exchange of monetary consideration.
- Enforceable under existing Hawaii statute by the attorney general or office of consumer protection, with penalties up to $2,500 per violation.
- Also includes private right of action for actual damages and attorneys’ fees.
|
|
IL
|
Data Transparency and Privacy Act |
May-19 |
TBD |
In committee |
- Applies to businesses that either:
- control or process the personal data of 100,000 or more Illinois residents or
- derive over 50% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Illinois residents.
- Individuals acting in an employment or commercial context are exempt. • Information subject to HIPAA, FCRA, or Gramm-Leach-Bliley Act (GLBA) is also exempt.
- Like CCPA, consumers would have right, upon request, to access, port, correct, delete, and object to processing.
- The right to object to processing includes a right to object to the use of personal data for targeted advertising as well.
- Controllers must disclose the categories of personal information they collect, the purposes for which personal data is used, the categories of personal data shared with third parties, and the categories of third parties with whom it is shared.
- Controllers must conduct risk assessments of their processing activities and provide them to the attorney general upon request.
- Attorney general would be empowered to seek civil penalties of $2,500 per violation or $7,500 per intentional violation.
- There is no private right of action
|
| App Privacy Act |
Feb-19 |
TBD |
In committee |
- Requires operators of websites, online services, or software applications to disclose in its terms of service the names of third parties that collect electronic information through its service, along with the categories of information they collect.
- Both the attorney general or state’s attorneys may enforce under Illinois Consumer Fraud and Deceptive Business Practices Act.
- Civil penalties up to $50,000 can accrue.
- Private plaintiffs may sue for injunctive relief, compensatory damages, attorney’s fees, and punitive damages if attorney general or state attorneys do not bring a case.
|
| LA |
Task force |
N/A |
N/A |
Pending |
Task force to determine what best Privacy issues are of top concern and should be addressed in the State Privacy Act when introduced. |
| TX |
Task force |
N/A |
N/A |
Pending |
Task force to determine what best Privacy issues are of top concern and should be addressed in the State Privacy Act when introduced. |
| WA |
SB 5376 |
Jan-20 |
TBD |
In committee |
- Similar to the potential IL DTPA , this law would apply to any legal entity that conducts business in Washington or targets products or services to Washington residents while meeting one of the following criteria:
- during a calendar year, controls or processes personal data of 100,000 Washington consumers or more; or
- derives 50% or more of its gross revenue from the sale of personal data and processes or controls personal data of at least 25,000 Washington consumers.
- Law does not apply to information subject to HIPAA, FCRA or GLBA.
- Consumers would have the right to access, port, correct, delete, and opt out of the processing of their personal data.
- All data controllers would be obligated to layout consumer options through privacy policy disclosures including:
- purpose specification;
- data minimization;
- avoiding secondary use;
- security;
- nondiscrimination;
- special standards for “sensitive” data (only processed with consent);
- non-waiver of consumer rights.
- Controllers would have to conduct data protection assessments of certain processing activities, including the sale of personal data and the processing of personal data for targeted advertising.
- Would impose special requirements on controllers and processors that use facial recognition technology.
- Attorney general would be able to enforce under statute, with fines as high as $7,500 per violation.
- No private right of action.
|
| NE |
Nebraska Privacy Act |
Jan-20 |
TBD |
In committee |
- Would apply to businesses that collect personal information from Nebraska residents with the purposes and means of processing that personal information while meeting one of the following thresholds:
- has an annual gross revenue in excess of $10 million;
- alone, or in combination, annually buy, receive for the business’s commercial purposes, sell, or share the personal information of 50,000 or more consumers; or
- derive 50% or more of annual revenue from selling consumer personal information
- Similar to CCPA and other laws, contains exemptions for information subject to HIPAA, FCRA, or GLBA.
- Different from CCPA, has an entity-level exemption for financial institutions or their affiliates that are regulated by the GLBA.
- Upon request, consumers would have rights to access, delete, and opt out of the sale of their personal information; and businesses may not discriminate against consumers for exercising their rights.
- Similar to IL, upon a consumer’s request, the businesses is required to disclose the categories of personal information they collect, the business or commercial purposes for which the information is collected, the categories of sources from which the information is collected, the specific pieces of personal information collected, and the categories of third parties with whom it is shared.
- Businesses would have to make certain disclosures in their online privacy policy.
- Businesses that sell personal information would be required to place a “Do Not Sell My Personal Information” link on their homepage, in their privacy policy, and in any Nebraska-specific description of consumer rights.
- Attorney general can enforce fines up to $7,500 per violation.
- No private right of action.
|
|
NH
|
H.B.1680 -FN |
Dec-19 |
TBD |
In committee |
- Largely copies the current CCPA and proposed NE law as it would apply to businesses that collect personal information from New Hampshire residents, with the purposes and means of processing that personal information, and meet one of the following thresholds:
- annual gross revenue in excess of $25 million;
- alone, or in combination, annually buys, receives for the business’s commercial purposes, sell, or share the personal information of 50,000 or more consumers; or
- derive 50% or more of their annual revenue from selling consumer personal information.
- Contains exemptions for information subject to HIPAA, FCRA, or GLBA.
- Consumers would have the right, to access, delete, and opt out of the sale of their personal information upon request; and businesses may not discriminate against consumers for exercising these rights.
- Upon request from a consumer, businesses will need to disclose the categories of personal information they collect, the business or commercial purposes for which the information is collected, the categories of sources from which the information is collected, the specific pieces of personal information collected, and the categories of third parties with whom it is shared.
- Businesses will need to place a “Do Not Sell My Personal Information” link on their homepage, in their privacy policy, and in any New Hampshire–specific description of consumer rights.
- Provides a private right of action only for data breaches, with fines up to $750 per violation.
- Privacy violations are only enforceable by the AG, with fines up to $2,500 per violation or $7,500 per intentional or reckless violations.
|
| H.B. 1236 |
Jan-20 |
TBD |
In committee |
Establishes an expectation of privacy in personal information provided to “third-party providers of information and services,” including cell service providers, Internet service providers, and social media companies. |
| NJ |
SB 269 |
Jan-20 |
TBD |
In committee |
- Will apply to businesses that meet one of the following thresholds:
- annual gross revenue in excess of $5 million;
- alone, or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares the personal information of 25,000 or more data subjects; or
- derives 50% or more of annual revenue from selling personal information.
- Different from other CCPA and other laws as there are No exemptions for HIPAA, FCRA or GLBA information.
- Would require businesses to maintain an information security program that either meets federal law requirements (if applicable) or industry standards
- Upon collecting information from a data subject, businesses would be required to provide the data subject with:
- the purpose and legal basis for the processing of the personally identifiable information;
- a complete description of the PII that the business collects about the individual and the means by which a business collects the PII;
- all third parties to which the business may disclose the individual’s PII;
- the purpose of the disclosure of the PII, including whether the business profits from the disclosure; and
- the contact information of the person employed at the business responsible for PII data protection, where applicable.
- Would require businesses to allow data subjects to opt out of the processing of their data, subject to certain exceptions (not yet defined).
- Would require businesses to provide individual data subject with the data retention period of the data processing, as well as the right to access the data.
- Similar to the CCPA, would create a private right of action only for data breaches, with fines that reach as high as $750 per violation.
|
|
NY
|
New York Privacy Act |
Jan-20 |
TBD |
In committee |
- Similar to GDPR; provides consumers the rights to access, correct, delete, and port data, including the right to know the third parties their data is sold to.
- Would apply to all legal entities that conduct business in New York or targets products or services to New York residents.
- Prohibits any use, processing, or transfer of personal data without express consent from individual.
- Definition of “personal data” is similar to “personal information” under the CCPA.
- Like GDPR, will prohibit decisions about consumers based solely on “automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person,” unless required by federal or state law.
- Businesses that profile as such would be required to disclose their profiling to affected consumers at or before the time their personal data is obtained, including meaningful information about the logic involved and the contemplated consequences of the profiling.
- Would create a private right of action for the entire law.
- Businesses could be enjoined from conducting unlawful practices, and;
- Can be required to pay actual damages and reasonable attorney’s fees.
|
| SB. 3036 |
Feb-19 |
TBD |
In committee |
Would make knowingly making a “false or misleading” statement in an online privacy policy a Class A misdemeanor, punishable by up to 364 days in jail and/or a $1,000 fine. |
| VA |
Virginia Privacy Act |
Jan-20 |
TBD |
Carried over to 2021 |
- Like IL Privacy law, applies to businesses that control or process the personal data of 100,000 or more Virginia residents,
- or derive over 50% of their gross revenue from the sale of personal data and;
- process or control the personal data of 25,000 or more Virginia residents.
- Exemptions for individuals acting in an employment or commercial context.
- Information subject to HIPAA, FCRA, or GLBA is exempt
- Consumers can access, port, correct, delete, and object to processing.
- Objecting to processing includes a right to object to the use of personal data for targeted advertising.
- Controllers will need to disclose the categories of personal information they collect, the purposes for which the information is used, the categories of information shared with third parties, and the categories of third parties with whom it is shared.
- Controllers would be required to conduct risk assessments of their processing activities and provide them to the attorney general upon request.
- Enforceable under the Virginia Consumer Protection Act either by the attorney general or a private party after a 30-day right to cure.
- Private parties can recover actual damages or $500 (whichever is greater), or actual damages or $1,000 (whichever is greater) if the violation is found to be willful.
|
| FL |
HB 963/SB 1670 |
Jan-20 |
TBD |
In committee |
- Would apply to anyone who “owns or operates a website or online service for commercial purposes” and “collects and maintains covered information” from Florida residents.
- Information subject to HIPAA or GLBA would be exempt.
- “Covered information” includes:
- A subject’s first and last name;
- Street address;
- Email address;
- Telephone number;
- Social Security number;
- Any identifier that allows a consumer to be contacted either physically or online; and
- Any combination of Information and personal identifiers that can be linked to an individual data subject.
- Consumers can opt out of the sale of their covered information if wanted.
- The term “Sale” requires an exchange of money for covered information.
- Exceptions for disclosures to processors/service providers, or disclosures “for purposes that are consistent with the reasonable expectations of a consumer considering the context in which the consumer provided the covered information to the operator.”
- Operators need to disclose, in a reasonably accessible manner, the categories of covered information collected and the categories of third parties that they share the covered information with, as well as whether a third party “may collect covered information about a consumer’s online activities over time and across different websites or online services when the consumer uses the operator’s website or online service.”
- Contains a 30-day right to cure and does not provide a private right of action.
|
| MD |
HB. 249 |
|
|
In committee |
- Give consumers a right to opt out of their personal information being disclosed.
- Would apply to businesses that have annual gross revenues above $25 million, and either
- processes the personal information of 100,000 or more Maryland residents or;
- derive at least 50% of their annual revenue from selling the personal information of Maryland residents.
- Consumers would have the right to opt out of the disclosure of their personal information, via browser settings that indicate the consumer’s intent to opt out of third-party disclosure.
- Browser settings can also be a browser extension, or global device settings.
- Businesses would not be able to disclose the personal information of individuals the business knows or should know are under the age of 18 to a third party.
- Law would be enforceable by AG under Consumer Protection Act, which includes civil penalties of up to $10,000 for a first violation and $25,000 for subsequent violations.
- Private right of action for actual damages and attorney’s fee
|
| MA |
HB. 243 |
Jan-20 |
TBD |
In committee |
- Strictly limits the collection and use of “account numbers.”
- Account numbers is defined to include Social Security numbers, driver’s license numbers, license plate numbers, bank account numbers, credit card numbers, telephone numbers, and account numbers with businesses that sell goods or services.
- There must be a limited use of “account numbers” without prior written permission to a set of enumerated purposes, including:
- Processing transactions,
- Verifying identity,
- And complying with federal or state law.
- Prior written permission for other purposes could be obtained only by a paper-and-ink document and would have to be renewed annually.
- The state government would be prohibited from maintaining any electronic information containing Social Security numbers, financial information, employer identification numbers, or “other confidential information” in a form that is accessible via the Internet.
- Would create a private right of action, including the potential for class actions.
- Would be considered a fiduciary duty, and strict liability applies.
|
| AZ |
S.B. 1614 |
Feb-20 |
TBD |
In committee |
- Gives consumers upon request, rights of access, erasure, and rectification of personal data held by a business, and imposing an obligation on said business to provide the requested data.
- Business must disclose to the consumer the rights of deletion available to them upon collecting their personal data.
- Consumers can request the categories of personal information the business has collected about that consumer; the categories of sources from which the personal information is collected; the business or commercial purpose for collecting or selling personal information; the categories of third parties with whom the business shares personal information; and the specific personal information the business has collected about that consumer.
- Personal right of action for data breaches up to $750 per incident.
- Attorney General can also bring claim for up to $7500 per violation.
|
