The U.S. data privacy landscape continues to evolve. Last year, the California Consumer Privacy Act ("CCPA") passed following the EU General Data Protection Regulation ("GDPR"). Nine additional states have since introduced bills modeled at least in part on the CCPA and would require companies to provide notice of the types of personal information they collect and the third parties to whom they disclose it. The bills also grant individuals the right to access or opt-out of the sale of their personal information. Six bills also permit individuals to request deletion of their information. Several other bills propose a private right of action for certain violations. Washington proposes requirements that mirror the GDPR, such as defined roles for controllers and processors and the right to correct information.
Although some states (e.g., Rhode Island) limit application to entities that exceed certain gross revenues or other thresholds, all of the bills would apply broadly to companies regardless of industry, and a majority of them define "personal information" as any information that identifies an individual, including physical characteristics, employment history, medical information, IP addresses, internet activity, biometrics, and geolocation data. With one exception (Mississippi's bill died in committee on February 5), all of these bills have been referred to committees for further consideration.
Companies should continue to monitor the legislative progress of these bills, as well as attempts at the federal level to pass preemptive legislation.
Implementing an effective CCPA compliance program would go a long way toward satisfying potential compliance obligations on the horizon in other states.