[co-author: Sanjana Ramkumar]
The Mintz Privacy & Cybersecurity Blog will be providing regular updates of notable pending US state privacy laws. Following our similar previous updates, the most recent of which may be found here, this update checks in on the progression of those laws. The most notable update is that Colorado is set to become the third US state to pass a comprehensive privacy law as the Colorado Privacy Act is on the governor’s desk and is expected to be signed. Details are provided below.
Pending 2021 Privacy Laws
SB21-190, the “Colorado Privacy Act,” at the time of this writing, is very likely to become law. The Colorado Privacy Act is a broad privacy law similar to the CCPA that would apply to entities that produce products or services targeted to Colorado residents that either (i) control or process personal data of more than 100,000 consumers per year; or (ii) sell personal data of at least 25,000 consumers. The Colorado Privacy Act would grant consumers various privacy rights, including the right to opt out of the processing of their personal data; the right to access, correct or delete their personal data; and the right to obtain a portable copy of their data. The Colorado Privacy Act would not create a private right of action, and would take effect on July 1, 2023.
The Colorado Privacy Act was passed by the Colorado House of Representatives on June 7, 2021, and on June 8, 2021, was re-passed (as amended by the House) by the Colorado State Senate. Governor Jared Polis is expected to sign.
House Bill 3910, the “Consumer Privacy Act,” is a broad-based privacy bill similar to the CCPA that was introduced on February 22, 2021. The Consumer Privacy Act would provide consumers with a number of privacy rights, including the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected, and the right to request deletion of the consumer’s personal information. It would also require businesses to make a number of disclosures about their collection and use of personal information. The Consumer Privacy Act would apply to businesses that do business in Illinois and meet one of the following thresholds: (i) have more than $25M in annual gross revenue; (ii) alone or jointly with others process personal information of 50,000 or more consumers; or (iii) derive 50% or more of their annual revenue from the sale of personal information. The Consumer Privacy Act was referred to the Illinois House Rules Committee on March 27, 2021.
A second bill, House Bill 2404, the “Right to Know Act,” was introduced on February 17, and notably would require website operators to make a number of disclosures to consumers about their collection of personal information, and provide consumers the right to obtain personal information that was collected. HB 2404 was assigned to the Cybersecurity, Data Analytics & IT Committee, and on March 27, 2021, it was re-referred to the Illinois House Rules Committee.
SD 1726, the “Massachusetts Information Privacy Act,” is pending in the Massachusetts Senate and was referred to the Senate committee on Advanced Information Technology, the Internet and Cybersecurity on March 29, 2021. A second bill, HD 3847, was introduced in the House of Representatives and was referred to the House committee on Advanced Information Technology, the Internet and Cybersecurity on March 29, 2021.
There are three privacy bills pending in New Jersey (AB 3255, AB 3283, and AB 5448). AB 3255 would require certain businesses to notify consumers of certain information concerning the collection and sale of personal information and would allow consumers to opt in to collection and sale of their personal information. AB 3283, the “New Jersey Disclosure and Accountability Transparency Act (NJ DaTA),” would establish certain requirements for disclosure and processing of personal information. AB 5448 would require commercial websites and online services to notify consumers of collection and disclosure of personal information, and would provide consumers with certain rights to opt out. All three bills were referred to the Assembly Science, Innovation and Technology Committee.
SB 569, the “Consumer Privacy Act of North Carolina,” was introduced on April 6, 2021 and was referred to the Senate Committee on Rules and Operations on April 7, 2021. The North Carolina legislative session adjourns on July 2.
HB 1126 would provide consumers with a number of privacy rights and create obligations for businesses that collect personal information. The bill was introduced and referred to the Consumer Affairs Committee on April 7, 2021.
HB 5959, the “Rhode Island Data Transparency and Privacy Protection Act,” was introduced on February 26, 2021 and would require website operators to make a number of disclosures regarding their collection of personal information. There was a hearing on the bill on March 26, 2021, after which it was held for further study. The Rhode Island legislative session adjourns on June 30.
New 2021 Privacy Laws
For reference and as a reminder, the following states enacted significant privacy laws during the 2021 legislative session:
The Virginia Consumer Data Protection Act (“CDPA”) was signed into law on March 2, 2021, making Virginia the second US state after California to pass a comprehensive data privacy law. Those familiar with the European Union General Data Protection Regulation (“GDPR”) will recognize terminology throughout the CDPA, mimicking many GDPR-defined terms, such as “controller”, “processor” and “personal data.” While not quite as expansive as the GDPR in every respect, the CDPA is a broad-based privacy law that is on par with the California Consumer Privacy Act (“CCPA”). For our summary of the CDPA, please see our overview of the Virginia Consumer Data Protection Act. The CDPA becomes effective on January 1, 2023.
While much narrower in scope than other new and pending privacy legislation, Utah’s Cybersecurity Affirmative Defense Act was signed into law on March 11, 2021. The law creates an affirmative defense (“safe harbor”) for companies in Utah’s data breach notification if they have a written information security program that meets certain requirements as specified in the law.
Privacy legislation in the states below failed to pass during their 2021 legislative sessions. In many cases, bills failed to advance due to unresolved debate over details of the proposed laws (such as inclusion of a private right of action), so we expect many of the bills below to be re-introduced during the states’ subsequent legislative sessions.
House Bill 216, the “Consumer Privacy Act,” was a bipartisan bill introduced in February 2021 and would have given consumers a number of privacy rights including the right to opt-out of the sale of their personal information, and would have required that businesses make certain disclosures about their collection and use of personal information. The bill was referred to the House of Representatives Committee on Technology and Research, but failed to advance prior to adjournment of the legislative session on May 30.
Senate Bill 893 would have created a comprehensive privacy law similar to the CCPA that would have required transparency from companies with respect to their data collection and use, and would have provided consumers with a variety of privacy rights. SB 893 made progress through the Connecticut legislature. It was referred by the Connecticut Senate to the Committee on Judiciary on April 28, 2021, and on May 12, 2021 was referred to the Senate Appropriations Committee. SB 893 was tabled for the Senate Calendar, but failed to further advance prior to the end of the legislative session on June 9.
Florida’s proposed privacy law, House Bill 969, showed promise of making it to law, but that did not happen during the 2021 legislative session. HB 969 contained some potentially game-changing provisions. HB 969 was sweeping privacy legislation that shared many similarities with the CCPA, imposing a broad set of requirements on businesses, and providing a number of rights to consumers with respect to their personal information. Additionally, similar to the CCPA, the bill also contained a private right of action in the event of certain data breaches. The bill overwhelmingly passed the Florida House of Representatives by 118 votes to 1, then moved to the Florida Senate. HB 969 also had the support of Florida Governor Ron DeSantis. The Florida Senate, on April 29th, passed its own privacy legislation – Senate Bill 1734 – which contained some key differences from HB 969 and headed back to the House for reconciliation. Although it appeared reasonably certain that the Florida House and Senate would reconcile differences between the two privacy bills and join California and Virginia with comprehensive state data privacy laws, it failed to happen. The gating item was the inclusion of a private right of action, which had been removed by the Florida Senate in its version, setting up the last-minute reconciliation scenario. Reports say that the House intended to add the private right of action back in, which would have required a vote in the House and Senate on the last day of the session to pass the bill.
A slate of privacy bills were pending in the New York legislature, including the “It’s Your Data Act,” the “New York Privacy Act,” the “Digital Fairness Act,” and the “New York Data Accountability and Transparency Act.” Most of the bills never made it out of committee; however, the “New York Privacy Act,” which would require companies to disclose their methods of de-identifying personal information, place special safeguards around data sharing, and allow consumers to obtain the names of all entities with whom their information is shared, passed out of committee on May 18, 2021 and is currently on the floor calendar. However, no action was taken on the Act (for the second year in a row) before the Senate adjourned last night (June 10).
Notably, the Washington Privacy Act of 2021 (SB 5062) failed to pass for a third year in a row. The Washington Privacy Act was a comprehensive privacy bill similar to the CCPA and the GDPR, giving consumers broad privacy rights with respect to their personal data. As with years past, contention over the bill primarily focused on whether the bill should include a private right of action to allow residents to directly bring claims for violation of the law. While the bill showed promise this year when it passed in the Senate, the House version (which contained a private right of action) did not advance by the April 25 close of the legislative session.
Although it did not garner the level of national attention that the Washington Privacy Act generated, the Oklahoma Computer Data Privacy Act (HB 1602) was also a comprehensive privacy bill that borrowed many concepts from the CCPA, and included a private right of action. If passed, HB 1602 would have been a trendsetter in US privacy law – requiring that consumers opt in prior to collection of their personal information (something we have not seen before in US privacy law). The bill had bipartisan support, passed in the Oklahoma House, but failed to advance out of the Oklahoma Senate Judiciary Committee before the April 8 deadline. Much of the opposition to the bill focused on the opt-in requirement, and there was a strong lobbying push from industry to oppose it.
H 160 was an extremely short-form (one paragraph) bill introduced on January 1, 2021 that proposed to adopt consumer privacy protections and give Vermont residents control over their personal information, and “to adopt other protections as provided in the California Consumer Privacy Act.” The bill failed to advance prior to the end of the Vermont legislative session on May 28.
Proposed privacy bills in the following states failed to pass during the 2021 legislative session: