Keypoint: There were a number of notable developments this week: the Washington Privacy Act passed out of a house committee after adding a private right of action, there was more movement on the Florida and Connecticut bills, and Nevada lawmakers introduced companion bills that would expand the state’s right to opt out of sales.
For the fifth week in a row, we are providing an update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we wanted to provide three reminders.
First, there has been so much debate about what to call Virginia’s new privacy law – the Virginia Consumer Data Protection Act – that we started an online poll. Tell us whether you think the law should be called the CDPA or VCPDA. We will keep voting open until April 2 and release the results on our blog.
Second, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.
The big news this week comes out of Washington state where the House Committee on Civil Rights & Judiciary passed an amended version of the Washington Privacy Act (WPA). The bill now heads to appropriations.
Prior to passing the bill, the Committee made a number of changes, including adding a private right of action. The addition of a private right of action comes as no surprise given that the House added a private right of action to last year’s bill. Ultimately, the addition of a private right of action was the primary reason why the WPA did not pass last year.
The difference this year appears to be that the House private right of action is narrower than what was added last year. Last year’s private right of action would have allowed Washington residents to bring claims under the state Consumer Protection Act, which authorizes litigants to seek an injunction, actual damages, treble damages, costs of suit, and attorney’s fees.
Conversely, this year’s private right of action provides that a consumer can bring a civil action for violations of section 103 or section 107 (6), (8) or (9) of the WPA. However, the remedies would be limited to injunctive relief and reasonable attorneys’ fees and costs to any prevailing plaintiff.
Section 103 of the WPA sets forth consumer rights (e.g., the right to delete, access, and opt out of certain types of processing).
Section 107(6) provides that controllers shall not process certain types of sensitive personal data (e.g., race, gender, and religion) in a discriminatory manner. Section 107(8) provides that controllers cannot process sensitive data without consent or, in the case of a minor, without parental or guardian consent. Section 107(9) provides that controllers cannot process a minor’s personal data for purposes of targeted advertising or the sale of personal data without the minor’s consent.
It remains to be seen whether constraining the private right of action to injunctive relief (but still allowing for attorneys’ fees and costs) will satisfy business advocates who have long objected to a private right of action.
In Connecticut, SB 893 was filed with the Legislative Commissioner’s Office on March 23 after the General Law Committee voted 18-0-2 on a joint favorable substitute.
In Florida, HB 969 passed unanimously out of the Civil Justice & Property Rights Subcommittee on March 23. As reported in our prior post, the Regulatory Reform Subcommittee previously passed the bill. The bill is now with the Commerce Committee. Meanwhile, SB 1734 passed out of the Senate Commerce and Tourism Committee on March 22.
Finally, in Nevada, lawmakers introduced AB323 and SB260. Although the bills are focused on adding a new “data broker” category to Nevada’s pre-existing online disclosure statute, the bills also would broaden Nevada’s definition of “sale” in its right to opt out of sales. SB260 is set for a hearing on March 31 in the Senate Committee on Commerce and Labor. For more information about the bills, see our analysis here.
To date, state lawmakers have introduced bills in 23 states. Connecticut, Florida, Illinois, Minnesota, New York, Massachusetts, and Washington are considering multiple bills. One state (Virginia) has passed legislation whereas the bills in three states (North Dakota, Mississippi, and Utah) have failed.
The below analysis divides the bills into four categories: (1) passed bills, (2) active bills, (3) introduced bills, and (4) dead bills.
Passed bills are those that have become law (i.e., Virginia). Active bills are those that have seen some movement, such as a committee hearing or vote. Introduced bills are those that have been introduced in a state legislature but have yet to see any movement (other than, for example, being referred to a committee). Dead bills are (as you might have guessed) bills that have failed.
For links to all of these bills please see our 2021 State Privacy Law Tracker.
On March 2, 2021, Virginia became the second state – after California – to enact state consumer data privacy legislation. You can find our coverage of the Virginia bill here, and you can find the text of the new law here.
As discussed, the House Committee on Civil Rights & Judiciary passed an amended version of the WPA on March 26, and the bill was referred to appropriations. The Washington Senate previously passed the 2021 version of the WPA on March 3.
The People’s Privacy Act (a competing bill supported by the ACLU of Washington) has not seen movement since February 1.
The Washington legislative session closes on April 25.
The Oklahoma House passed a revised version of the Oklahoma Computer Data Privacy Act on March 4. The bill is now in the state senate where it was referred to the Senate Judiciary Committee on March 22. You can find a summary of the bill here. The Committee has a hearing set for March 30, but the bill is not currently on the agenda.
SB 893, which is similar to Virginia’s Consumer Data Protection Act, was filed with the Legislative Commissioner’s Office on March 23 after the General Law Committee voted 18-0-2 on a joint favorable substitute.
Senate Bill 156, a one-paragraph bill, introduced on January 15 has not seen movement since the Joint General Law Committee held a public hearing on February 25.
HB 969 passed unanimously out of the Civil Justice & Property Rights Subcommittee on March 23. As reported in our prior post, the bill previously passed out of the Regulatory Reform Subcommittee. The bill is now with the Commerce Committee. Meanwhile, SB 1734 passed out of the Senate Commerce and Tourism Committee on March 22.
Illinois is considering two bills.
First, HB 2404 (the Right to Know Act) is presently assigned to the Cybersecurity, Data Analytics, & IT Committee on March 9. As its name suggests, the Right to Know Act would provide Illinois residents with the right to know certain information regarding their personal information.
In addition to HB 2404, Illinois lawmakers also introduced HB 3910 (entitled the Consumer Privacy Act) on February 22. That bill was assigned to the Judiciary – Civil Committee on March 16 and to the Civil Procedure & Tort Liability Subcommittee on March 23. HB 3910 is a modified version of the CCPA.
On March 15, the Assembly Science, Innovation and Technology Committee held a hearing on three bills (A5448, A3283, and A3255). A recording of the hearing is available here.
House Bill 216 was introduced on February 2, 2021. Notably, the bill has attracted 18 Republican sponsors or co-sponsors. However, to date, it has not moved forward and is currently referred to the House committee on Technology and Research. The bill is similar to the CCPA.
HB 2865 was introduced on February 11, 2021. To date, there have been no hearings or votes taken on the bill. The bill is currently pending in the House Commerce Committee. The bill does not readily track the form or contents of either the CCPA or the Virginia and Washington bills.
SB21-190 was introduced on March 19, 2021. It was assigned to the Senate Committee on Business, Labor and Technology. You can read our analysis of the bill here.
SB 930 (the Maryland Online Consumer Protection Act) was introduced on February 10, 2021. No action has been taken to date. The Maryland legislative session closes April 12, 2021. The bill is a modified version of the CCPA.
SD 1726 was filed on February 18, 2021. It does not appear that any action has been taken on the bill to date. The bill is a modified version of Washington’s People’s Privacy Act. A second bill, HD 3847, was filed in the state house.
Minnesota is interesting insofar as it was one of the first states to see legislation proposed this year (HF 36 proposed on January 7, 2021), but then lawmakers introduced a second bill (HF 1492 and its companion bill SF 1408) more than a month later. Neither bill has seen movement since being introduced.
HF 36 is a modified (and shortened) version of the CCPA and contains a private right of action. HF 1492 / SF 1408 are similar to the Washington and Virginia bills.
On March 17, 2021, Nevada lawmakers introduced AB323 and SB260. Although the bills are focused on adding a new “data broker” category to Nevada’s online disclosure law, they also would broaden Nevada’s definition of “sale” in its right to opt out of sales. SB 260 is set for a hearing on March 31 in the Senate Committee on Commerce and Labor. For more information, see our analysis here.
As shown on our tracker, New York legislators have proposed a number of consumer privacy bills in 2021. All of those bills currently sit in committee. In addition, Governor Cuomo’s privacy legislation (see page 148) is still active.
H 3063 was pre-filed on December 9, 2020 and referred to the Committee on Labor on January 12, 2021. It has not moved since. The bill is limited to providing rights around the collection and use of biometric information.
In Texas, Representative Capriglione filed six bills “related to increasing the protection of consumer data by the private sector.” One bill, HB 3741, is a data privacy omnibus bill. As introduced, the bill is perhaps best described as a heavily modified version of the CCPA, however, there are many aspects of the bill that make it unique, including its creation of three “categories” of data. On March 22, the bill was referred to the House Committee for Business & Industry.
H.160 is still a short form bill (i.e., only one paragraph long). The bill has been referred to committee and no further action has been taken to date.
Lawmakers introduced HB 3159 on March 15, 2021. The bill was referred to the House Judiciary Committee. It is similar to the CCPA. The West Virginia legislative session ends on April 10.
North Dakota’s HB 1330, Mississippi’s Senate Bill 2612, and Utah’s SB 200 have all died.