Privacy Legislation Progresses in 5 More States
States Would Join 3 Others That Have Already Enacted Laws
Five states are making progress this year toward passing privacy legislation along the lines of California's Consumer Privacy Act, according to the International Association of Privacy Professionals.
If Virginia, Minnesota, New York, Washington and Oklahoma succeed in enacting new privacy laws this year, the total number of states with privacy regulations would go up to eight, says Caitlin Fennessy, research director at the IAPP. Previously, Maine and Nevada, in addition to California, each enacted legislation.
"Virginia's House and Senate have both passed a version of the Consumer Data Protection Act, suggesting the state could soon have a comprehensive privacy law," Fennessy says. "Oklahoma's bill has bipartisan support, and Washington's reflects years of legislative efforts. Meanwhile, companies are following New York's legislative activity closely given the state's economic weight. There are a lot of near-term possibilities on the horizon."
Ten other states introduced privacy legislation last year.
The steady stream of privacy legislation at the state level might eventually create momentum for a federal privacy law, Fennessy notes.
"In recent years, federal lawmakers on both sides of the aisle have introduced numerous privacy bills," she says. But those efforts have been stalled by several issues, including debate over whether consumers should have the right to sue for violations of the law and whether a federal law would preempt state laws, including those providing stronger protections.
The majority of bills being considered at the state level are modeled on the CCPA and the recently instituted California Privacy Rights Act. Full enforcement of the CCPA began in July 2020 (see: It's Official: CCPA Enforcement Begins). Washington's pending legislation has also played an influential role, Fennessy notes.
Following is a roundup of recent state legislative activities.
In the past two weeks, Virginia's Senate and House of Delegates each passed versions of that state's Consumer Data Protection Act, which now must be reconciled before being presented to the state's governor for final approval, the IAPP says.
The Virginia bill applies to businesses that control or process personal data of at least 100,000 consumers or derive over 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.
The Washington Privacy Act, also known as SB 5062, has moved into committee in the state Senate and was scheduled to be reviewed beginning Monday.
The bill is similar to Virginia's. It would allow consumers to access, delete and correct their personal data, as well as opt out of having their data sold for advertising.
The legislation covers companies in the state that process the data of at least 100,000 consumers per year as well as those that generate more than 25% of their revenue from processing data and process the data of at least 25,000 consumers.
New York has several privacy bills in the works, including the Privacy Act and the Right to Know Act - both of which died in committee in 2020 but are once again on the docket for that state's Senate and Assembly.
The Senate's Privacy Act, SB 567, is a near copy of the CCPA but adds the ability for consumers who suffer an injury to recover statutory damages of $1,000 or actual damages, whichever is greater, and $3,000 or actual damages for an intentional violation. It also allows for anyone who has their privacy violated to file a civil suit.
The New York State Assembly is considering AB400, the Right to Know Act. It would restrict the disclosure of personal information by businesses and require organizations that collect consumers' data to reveal what information was disclosed to third parties.
The Minnesota Privacy Bill, HF 36, was reintroduced in January after failing to move through committee in 2020.
It is also similar to the CCPA and other state legislation in that it focuses on businesses with annual gross revenue of more than $25 million that annually buy or sell the personal information of 50,000 or more consumers, households or devices or derive 50% or more of their annual revenue from selling consumers' personal information.
The Oklahoma Computer Data Privacy Act, House Bill 1602, applies to businesses with $10 million in annual revenue that buy, sell, receive or share for commercial purposes the personal information of 50,000 or more consumers, households or devices. Also covered are businesses that derive 25% or more of their annual revenue from selling consumers' personal information.
The bill would give Oklahoma residents the right to request that businesses disclose what information they have about the individual. It would also allow residents to ask that their personal information be deleted. And it would require businesses to enable consumers to opt in or out of the sale of their personal information and prohibit the retention of that information.