Keypoint: Lawmakers in New York and Minnesota have proposed CCPA-like privacy legislation.
As state legislatures have started to convene for the 2021 session, state lawmakers have once-again proposed CCPA-like privacy legislation. As discussed in our prior post, in early January Washington lawmakers again proposed the Washington Privacy Act. In addition, over the last few days, CCPA-like legislation has been proposed in New York and Minnesota.
It is expected that CCPA-like legislation will be filed in more states over the coming days. Whether this legislation moves forward remains to be seen. With the exception of the Washington Privacy Act, over the last two years privacy legislation proposed in other states has failed to gain any traction.
Below is a short discussion of the New York and Minnesota legislation. To the extent that any of the below bills appear poised for advancement, we will provide a more detailed analysis.
To date, five bills directed at consumer privacy have been filed in the New York legislature:
- Assembly Bill A400 – This bill would prohibit the disclosure of personal information by businesses.
- Assembly Bill A674 – This bill would prohibit the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.
- Assembly Bill A680 – This bill (named the New York Privacy Act) would require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information is shared.
- Senate Bill S567 – This bill would grant consumers the right to request that a business disclose the categories and specific pieces of personal information that the business collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
HF36 – The bill would require businesses to notify consumers of the businesses data collection activities; make certain disclosures regarding the sale of personal information; allow consumers the right to access their personal information held by the business, opt out of the sale of their personal information, delete their personal information and not be discriminated against for exercising their rights. The bill would be enforced by the attorney general’s office as well as a private right of action with statutory damages of between $100 to $750, per consumer, per incident.
At the time of this post, each of these bills has been referred to committee.