While we continue to await comprehensive US federal privacy legislation, and following California’s lead with its California Consumer Privacy Act of 2018 (CCPA), individual states are stepping up to the plate. Based on what we are already seeing in terms of the impressive volume of state-level proposed privacy legislation in the early days of 2021, it appears that we may see a big year for US privacy law, and yet another developing “crazy quilt” compliance framework challenge for companies.
Below is a sampling of where things stand in several states. For each proposed piece of legislation, we provide an update on the status, a brief description of the proposed law’s key points, whether it provides for a private right of action, its fines and penalties, and the proposed effective date. Virginia, with one of the shortest state legislative sessions in the country, is rushing to the finish line with its legislation. One bill, introduced in North Dakota, recently failed to pass a committee vote, but is included below for visibility.
Virginia
Name: Virginia Consumer Data Protection Act (HB2307) (a companion bill, the Consumer Data Protection Act (SB1392), was introduced in the Virginia Senate)
Status: The House and Senate approved the respective bill versions, and they now move to a reconciliation and signature by Virginia Governor Ralph Northam before the legislative session wraps up at the end of February.
Key Points:
- Differs from the CCPA in some important compliance aspects and mimics many European Union General Data Protection Regulation (GDPR) defined terms, such as “controller”, “processor” and “personal data”
- Applies to businesses and individuals that conduct business in Virginia or produce products or services targeted to Virginia residents that (i) control or process personal data of 100,000 or more Virginians; or (ii) control or process personal data of 25,000 or more Virginians and derive over 50% of gross revenue from the sale of personal data
- Gives consumers the following rights with respect to their personal data: (i) access and disclosure; (ii) correction; (iii) deletion; (iv) portability; and (v) opt-out rights to processing of their data for purposes of targeted advertising, sale, or profiling
- Requires that data controllers conduct data protection assessments of certain processing activities
- Requires that data controllers and processors enter into data processing agreements
- Contains exemptions for financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA or HITECH, non-profit organizations, and institutions of higher education
Private Right of Action: No (enforced by Attorney General)
Penalties: Up to $7,500 per violation (includes a 30 day cure provision)
Proposed Effective Date: January 1, 2023
Washington
Name: The Washington Privacy Act of 2021 (SB 5062)
Status: Introduced (a competing bill, the People’s Privacy Act, was introduced in the Washington House of Representatives – further details below*)
Key Points:
- This is the third attempt in Washington to pass a comprehensive privacy law
- Mimics many GDPR defined terms, such as “controller”, “processor” and “personal data”
- Applies to legal entities conducting business in Washington or producing products or services targeted to Washington residents that (i) during a calendar year, control or process the personal data of 100,000 or more Washington residents; or (ii) derive over 25% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Washington residents
- Gives consumers the following rights with respect to their personal data: (i) access; (ii) correction; (iii) deletion; (iv) portability; (v) opt out of the processing of their personal data for purposes of (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer
- Requires that controllers conduct data protection impact assessments
- Includes provisions relating to the processing of personal data for public health emergencies such as contact tracing, in response to the COVID-19 pandemic
- Contains exemptions for state agencies, legislative agencies, local governments, tribes, municipal corporations, personal data regulated by certain federal and state laws, and data maintained for employment records purposes
Private Right of Action: No; however, the bill states that the “rights possessed by consumers as of July 1, 2020, under chapter 19.86 RCW (Washington’s Consumer Protection Act), the Washington state constitution, the United States Constitution, and other laws are not altered”
Penalties: Up to $7,500 per violation
Proposed Effective Date: July 31, 2022
* A competing bill, the Washington People’s Privacy Act (WPPA), supported by the Washington ACLU, was introduced in the Washington House of Representatives. The WPPA has lower applicability thresholds, requires opt-in consent for processing of personal information, and contains a private right of action with fines of $10,000 per violation or actual damages.
New York
Name: New York Privacy Act (AB680)
Status: Introduced (an identical bill was introduced during the last legislative session)
Key Points:
- Applies to legal entities that conduct business in New York or produce products or services that are intentionally targeted to residents of New York (there are no revenue or data subject number thresholds)
- Mimics many GDPR defined terms, such as “controller”, “processor” and “personal data”
- Requires “express and documented” consent for processing and third-party disclosures of personal data
- Gives consumers the following rights with respect to their personal data: (i) deletion; (ii) access; (iii) consent to additional collection or sharing; and (iv) non-discrimination
- Introduces a “data fiduciary” concept for controllers
- Exempts employment records
- Contains exemptions for financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA or HITECH, non-profit organizations, and institutions of higher education
Private Right of Action: Yes
Penalties: Amounts not specified, but the bill provides for damages and civil penalties, and specifies that each individual whose information was unlawfully processed counts as a separate violation, and each provision of the bill that was violated counts as a separate violation.
Proposed Effective Date: 180 days after passage
Minnesota
Name: HF 36
Status: Introduced and referred to committee
Key Points:
- Borrows several California Consumer Privacy Act (“CCPA”) defined terms and concepts such as “consumer”, “business purpose”, “service provider”, and “sell”
- Applies to businesses that (i) have annual gross revenues in excess of $25,000,000; (ii) annually buy or sell the personal information of 50,000 or more consumers, households, or devices; or (iii) derive 50% or more of the business' annual revenue from selling personal information
- Contains certain transparency and consumer notification requirements
- Gives consumers the following rights with respect to their personal information: (i) access; (ii) opt-out of sale; (iii) deletion; and (iv) non-discrimination
Private Right of Action: Yes
Penalties: In addition to unspecified penalties based on attorney general enforcement, consumers may seek damages between $100 and $750 per consumer, per violation, or the consumer's actual damages, whichever is greater
Proposed Effective Date: June 30, 2022
Oklahoma
Name: Oklahoma Computer Data Privacy Act (HB1602)
Status:
Key Points:
- Borrows several CCPA defined terms and concepts such as “consumer”, “business purpose” and “sell”
- Applies to businesses that (i) have annual gross revenue in excess of $10,000,000; (ii) annually buy, sell, or receive or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or (iii) derive 25% or more of the business’ annual revenue from selling personal information
- Gives consumers the following rights with respect to their personal information: (i) disclosure; (ii) deletion; (iii) right to opt in and out of the sale of their personal information; and (iv) protection from discrimination and retaliation
- Requires opt-in consent for the collection and sale of personal information
Private Right of Action: Yes
Penalties: Fines of $2,500 for each violation and $7,500 for each intentional violation
Proposed Effective Date: November 1, 2021
Utah
Name: House Bill 80
Status: Introduced
Key Points:
- Creates an affirmative defense for companies in data breach litigation if they have a written information security program that meets certain requirements as specified in the bill
Private Right of Action: No
Penalties: N/A
Proposed Effective Date: Not specified
North Dakota
Name: House Bill 1330
Status: Failed to pass committee vote
Key Points:
- Prohibits sale of “protected data” without opt-in consent for each type of data
- “Protected data” is defined broadly to include a user's location; screen name; website address; interests; hometown; professional history; friends or followers; shopping habits; test scores; health conditions, insurance, or interests; internet browsing history; purchases or purchase history; the number of friends or followers of the user; socioeconomic status; religious affiliation; alcohol, tobacco, or drug usage; gambling habits; banking relationships; residence details; children's information or household information; credit; banking and insurance policies; media usage; and relationship status
Private Right of Action: Yes (and expressly authorizes class action lawsuits)
Penalties: Minimum of $10,000 and attorney’s fees. For companies that knowingly violate the law, a minimum of $100,000, attorney’s fees, and punitive damages
Proposed Effective Date: Not specified