Keypoint: There were four notable developments this week: the Florida House passed a bill out of committee, lawmakers proposed a new bill in Texas, the Washington Privacy Act was scheduled for a public hearing and committee session on March 17 and 19, respectively, and the Illinois Right to Know Act was scheduled for a March 19 hearing in the Cybersecurity, Data Analytics & IT Committee.
For the third week in a row, we are providing an update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we wanted to provide three reminders.
There were four notable developments this week.
First, Florida’s HB 969 unanimously passed out of the House Regulatory Reform Committee. However, during the March 10 committee hearing, the bill sponsor made it clear that the bill is a work in progress. In fact, lawmakers approved five amendments to the bill prior to passage.
Second, in Texas, Representative Capriglione filed six bills “related to increasing the protection of consumer data by the private sector.” One bill, HB 3741, is a data privacy omnibus bill. As introduced, the bill is perhaps best described as a heavily modified version of the CCPA, however, there are many aspects of the bill that make it unique, including its creation of three “categories” of data.
The bill would provide Texas residents with the right to know, right to correct inaccurate information, right to access, right to data portability, and right to deletion. It also contains a provision that would permit individuals to provide their “data stream” as “consideration under a contract.” Further, the bill would restrict a business’s sale and collection of certain types of data and require “express written consent” for the collection and sale of geolocation data. The Texas Attorney General’s office would enforce the bill and could seek “a civil penalty in an amount of not more than $10,000 for each violation, not to exceed a total of $1 million.” Many thanks to Steve Perkins for alerting us to the filing of the Texas bills.
Third, the Washington Privacy Act is now scheduled for a public hearing in the House Committee on Civil Rights & Judiciary on March 17 and an executive committee session on March 19.
Finally, in Illinois, HB 2402 was assigned to the Cybersecurity, Data Analytics, & IT Committee and is currently scheduled for a hearing on March 19.
To date, state lawmakers have introduced bills in 20 states. Connecticut, Florida, Illinois, Minnesota, New York, Massachusetts, and Washington are considering multiple bills. One state (Virginia) has passed legislation whereas the bills in three states (North Dakota, Mississippi, and Utah) have failed.
The below analysis divides the bills into four categories: (1) passed bills, (2) active bills, (3) introduced bills, and (4) dead bills.
Passed bills are those that have become law (i.e., Virginia). Active bills are those that have seen some movement, such as a committee hearing or vote. Introduced bills are those that have been introduced in a state legislature but have yet to see any movement (other than, for example, being referred to a committee). Dead bills are (as you might have guessed) bills that have failed.
On March 2, 2021, Virginia became the second state – after California – to enact state consumer data privacy legislation. You can find our coverage of the Virginia bill here, and you can find the text of the new law here. We also hosted a webinar on the law on March 11. You can access the recording here.
The Washington Senate passed the 2021 version of the Washington Privacy Act (WPA) on March 3. The bill is now with the House and is scheduled for a public hearing in the House Committee on Civil Rights & Judiciary on March 17, and an executive committee session on March 19.
The People’s Privacy Act (a competing bill supported by the ACLU of Washington) has not seen movement since February 1.
The Oklahoma House passed a revised version of the Oklahoma Computer Data Privacy Act on March 4. The bill is now in the state senate. You can find a summary of the bill here.
Senate Bill 893 introduced on February 17 and Senate Bill 156 introduced on January 15 have not seen any new movement. Both bills are with the Joint General Law Committee, which held a public hearing on February 25.
Senate Bill 893 is similar to Virginia’s Consumer Data Protection Act. As introduced, Senate Bill 156 is just a one-paragraph bill.
We moved Florida into the active category this week. As discussed, the House Regulatory Reform Committee unanimously passed HB 969 out of committee. A second bill, SB 1734, filed on February 25, 2021, is in committee.
HB 969 is perhaps best described as a heavily modified version of the California Privacy Rights Act (CPRA), while SB 1734 is perhaps best described as a heavily modified version of the CCPA.
We also decided to move Illinois into the active category this week after HB 2404 (the Right to Know Act) was assigned to the Cybersecurity, Data Analytics, & IT Committee and the committee scheduled a hearing on the bill for March 19. As its name suggests, the Right to Know Act would provide Illinois residents with the right to know certain information regarding their personal information.
In addition to HB 2404, Illinois lawmakers also introduced HB 3910 (entitled the Consumer Privacy Act) on February 22. That bill is assigned to the Rules Committee. HB 3910 is a modified version of the CCPA.
House Bill 216 was introduced on February 2, 2021. Notably, the bill has attracted 18 Republican sponsors or co-sponsors. However, to date, it has not moved forward and is currently referred to the House committee on Technology and Research. The bill is similar to the CCPA.
HB 2865 was introduced on February 11, 2021. To date, there have been no hearings or votes taken on the bill. The bill is currently pending in the House Commerce Committee. The bill does not readily track the form or contents of either the CCPA or the Virginia and Washington bills.
SB 930 (the Maryland Online Consumer Protection Act) was introduced on February 10, 2021. No action has been taken to date. The bill is a modified version of the CCPA.
SD 1726 was filed on February 18, 2021. It does not appear that any action has been taken on the bill to date. The bill is a modified version of Washington’s People’s Privacy Act. A second bill, HD 3847, was filed in the state house.
Minnesota is interesting insofar as it was one of the first states to see legislation proposed this year (HF 36 proposed on January 7, 2021), but then lawmakers introduced a second bill (HF 1492) more than a month later on February 22, 2021. Neither bill has seen movement since being introduced.
HF 36 is a modified (and shortened) version of the CCPA and contains a private right of action. HF 1492 is similar to the Washington and Virginia bills.
New York legislators have proposed a number of consumer privacy bills in 2021. All of those bills currently sit in committee. In addition, Governor Cuomo’s privacy legislation (see page 148) is still active.
H 3063 was pre-filed on December 9, 2020 and referred to the Committee on Labor on January 12, 2021. It has not moved since. The bill is limited to providing rights around the collection and use of biometric information.
As discussed, last week Representative Capriglione introduced HB 3741. Please see our discussion of the bill in the “What’s New” section above.
H.160 is still a short form bill (i.e., only one paragraph long). The bill has been referred to committee and no further action has been taken to date.
North Dakota’s HB 1330, Mississippi’s Senate Bill 2612, and Utah’s SB 200 have all died.