Updated March 2020

As we move deeper into 2020, we are starting to see an end to the uncertainty surrounding what the final version of the CCPA will look like, which is critical since the regulation is still slated to go into enforcement no later than July 2020.  We’re also starting to get a better idea of where the other 49 States might be headed with respect to their own Privacy Acts – seeing commonalities in the notice requirements and Individual Rights afforded individuals, but still a marked set of differences in the definitions of critical components of the regulations, including the how “personal information” and “sale” are defined.  Another major divergence is which States will limit penalties to fines issued by the State Attorney General or empower consumers with a Private Right of Action. 

Despite the emerging clarity, this is still very much a changing landscape, with State House and Senate Bills being proposed, rejected, sent to a task force, or passed on almost a weekly basis – so by no means has the approach to privacy in the United States been determined, let alone uniformly established.

Here, we bring some order to the chaos by analyzing passed and pending privacy regulations across the U.S. and ranking each state based on the relative strength of its privacy regulatory environment.

Table of Contents (Click to skip to the section)

State-by-State Privacy Regulation Details (Click the State to See Details)
AZ | CA | CO | CT | FL | HI | IL | MD | ME | MA | MN | MS | NE | NH | NV | NJ | NM | NY | ND | RI | TX | VA | VT | WA

This State of the States is a detailed explanation of passed and pending privacy regulations around the U.S. These regulations change quickly, so check back often, or sign up below to be notified when there’s an update.

{{cta(‘a1acc1a3-c018-40fe-8b64-5eb095e55608’)}}

State-by-State Privacy Regulation Details 

Arizona Privacy Regulation 

Regulation status: Proposed

In February 2020, the Arizona House of Representatives proposed HB 2729, a new privacy law narrower than the CCPA in several key areas, but that is clearly inspired by both the CCPA and GDPR in establishing organization roles, provisioning liability, and granting consumers a series of rights similar to those under the CCPA and GDPR. 

As under the GDPR, HB 2729 regulates “controllers” and “processors” of personal information (“PI”). “Controllers” are defined as entities that individually, or with others, “determines the purposes and means of processing personal data;” and “processors” are separately defined as entities that collect, use, store, disclose, analyze, delete, or modify personal data.

HB 2729 defines personal information as information that can be reasonably linked to an identifiable natural person, excluding deidentified data and publicly available information.  The Bill also includes a subset of personal data referred to as “sensitive data,” which includes information regarding race, ethnicity, religion, health conditions, sexual orientation, biometric data, geolocation data, and the personal data of children; however, there are no additional obligations or heightened liability with respect to sensitive data.   

Common across pending and passed state privacy acts, businesses must provide notice disclosing at the point of collection what personal data will be collected and what it will be used for.  Additional Individual Rights established by HB 2729 include the right to know whether personal information is collected and to receive a copy of the collected data; the right to have personal information corrected; and the right to have personal information deleted.

More aligned to Nevada’s Act, HB 2729 limits “Sale” to the transfer of personal data for monetary consideration.

Similar to the GDPR, the liability provisions of HB 2729 apply to both processors and controllers, suggesting that both can be liable for failing to comply with the act.

As with the CCPA, the Arizona AG can impose fines of up to $2,500 for violations and $7,500 for intentional violations; however, HB 2729 does not provide for a Private Right of Action, so Arizona businesses will not face civil lawsuits directly from consumers for mishandling personal data. 

California Privacy Regulation 

Regulation status: Effective

While the GDPR set the standard in the EU for data privacy, California set the bar for US policy. It is the most replicated bill across other states with many other states taking excerpts from the CCPA. The CCPA became effective on January 1, 2020, but the CCPA continues to evolve – following the signed amendments and first set of draft regulations in October 2019, the AG released revised proposed regulations to the CCPA on February 10, 2020 and then again on March 11, 2020. 

The most notable change from the February 2020 to March 2020 versions being the removal of February’s “Section 999.302 – Guidance Regarding the Interpretation of CCPA Definitions,” which put forward that the manner in which a “business maintains information” can help determine whether it is considered personal information under the CCPA.  With the March 2020 revisions, IP Addresses are considered personal information under the CCPA.

What Changed – October 2019

On October 11, 2019, Governor Newsom signed all five of the California Consumer Privacy Act amendments (AB 25, 874, 1146, 1355, and 1564) as well as an amendment to California’s data breach law (AB 1130), bringing a degree of much needed clarity to certain issues, and making substantive changes to businesses’ CCPA obligations with respect to Employee and B2B personal information.  Key highlights include:

• Employee Exemption (AB 25) – A “sunset provision” expiring January 1, 2021, personal information (PI) that is collected from job applicants, employees, business owners, directors, officers, medical staff, or contractors, is exempted from the CCPA consumer rights (e.g. access, deletion, and opt-out). However, the CCPA’s notice and data breach liability provisions still apply, so employers must provide a privacy notice, as described in the CCPA, when they collect employee PI; and Employee PI is also still included in the event of a data breach, and a private right of action is available.
• Business-to-Business Exemption (AB 1355) – Also a “sunset provision” expiring January 1, 2021, B2B communications and transactions involving due diligence, or providing or receiving a product or service would be excused from the requirements of notice, deletion, and access. However, the exemption does not affect marketing communications or other B2B communications that do not involve providing or receiving a product or service, and does not apply to the CCPA’s non-discrimination rights or the right to Opt-Out of the Sale of PI.  Further, B2B PI is still in-scope for the CCPA’s private right of action for a data breach.
• AB 1355 and AB 874 also redefine the term “personal information” to exclude de-identified and aggregate consumer information.
• Consumer Requests for Disclosure Methods (AB 1564) – allowing businesses that operate exclusively online and have a direct relationship with the consumers to create an email address for individual rights rather than requiring the toll-free telephone number.
• AB 1202 requires data brokers to register with the state; AB 1146 exempts personal information for vehicle warranties and recalls; and AB 1130 expands the data breach notification law to include biometrics and additional government-issued identifiers, such as passport numbers.

What’s Proposed – October 2019

On October 10, 2019, the California Attorney General released proposed rules, shedding light on how the California AG is interpreting and may eventually be enforcing key sections of the CCPA.  The 5 key topics covered: 

1. Notices to Consumers – 4 types of notice must be provided: notice at collection, notice of the right to opt-out of sale, notice of financial incentive, and a privacy policy. Further, notice must be given to consumers at the time PI is collected, and it must be visible and accessible before any personal information is gathered.
2. Consumer Requests – additional clarity and more specific information is provided, including methods for submitting and responding to requests to know (e.g., access) and requests to delete; communication and record keeping requirements; and defining the 45-day period for answering consumer requests to include any time needed to authenticate the request. The article also addresses requirements for service providers, requests to opt-out, requests to opt-in, training, and requests to access or delete household information.
3. Request Verification – to the extent possible, companies should not collect additional PI for verifying and responding to Requests, but at the same time, the regulations state that a strict verification process should be applicable to more sensitive data. The regulations also offer guidelines on the measures to take in the event identity cannot be verified.
4. Minors – the draft rules introduce an additional obligation that overrides the US Children’s Online Privacy Protect Act to ‘establish, document, and comply with a reasonable’ approach to authenticate that the individual the sale of a data of a child below 13 years old is the parent or guardian. For ages 13-15 years old, companies will be obliged to receive consent through a two-step procedure in which the consumer must seek to opt-in and then confirm that decision.
5. Non-Discrimination – requiring businesses to provide notice of each financial inducement, price, or service difference subject to CCPA requirements; an explanation of why the monetary incentive or price difference is allowed; and an honest estimate of the value of the consumer’s data, as well as the methodology employed in coming up with this value.

What’s Proposed – February & March 2020

Even though the revised regulations differ from the initial proposed regulations in a few key ways, businesses that built CCPA compliance programs based on the initial proposed regulations will likely need only minor modifications to their program if these regulations become final as drafted.  A number of revisions were made to the proposed regulations, and following are several of the key changes:

• Definitions – in section 999.301, several definitions were clarified, added, or amended, including: Categories of sources and Categories of third parties; Household; and Price or Service difference.
• Updates to Notice Requirements – section 999.305 addresses privacy notice requirements, including the standard for accessibility; clarifying that the notice must be “made readily available” to consumers somewhere where they will “encounter it at or before the point of collection;” explaining that mobile apps may comply with the notice (and opt-out requirements) by linking to the notice on the app’s download page and within the application, itself; just-in-time notice requirements for unexpected collection; notification and consent for a “materially different” new intended use of previously collected personal information; exempting businesses that do not collect personal information directly from a consumer from providing a notice at collection if the business does not sell the consumer’s personal information; and allowing the removal of the “Do Not Sell” link and link to the company’s privacy policy at the collection of employment-related information.
• Updates to Sale Opt-Out Requirements – section 999.306 adds some clarity to the opt-out requirement, including a more concise opt-out notice and the need for consent to sell information obtained before opt-out was offered; the Opt-Out button language proposed in February 2020 was deleted from the March 2020 version.
• Privacy Policy Updates – section 999.308 explains the privacy policy requirements, including removing the requirement that businesses identify the source of the personal information; removing the requirement that the business state whether it sold or disclosed personal information to third parties in the past 12 months; clarifying that individuals can request the deletion of their personal information collected by the business; and clear notice as to whether or not the business sells personal information. New language in the March 2020 version requires that within the “Right to Know about Personal Information Collected, Disclosed, or Sold” section of the policy, businesses identify the categories of sources from which the personal information is collected, and identify the business or commercial purpose for collecting or selling personal information; and that if the business has actual knowledge that it sells the personal information of minors under 16 years of age, it must provide a description of the Opt-In processes.
• Updates for Submitting Requests – section 999.312 clarifies the requirements for requests to know and requests to delete, explicitly providing that a business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address; and in-person methods should be considered, but are no longer required.
• Clarification on Request Responses – section 999.313 was revised to clarify the requirements, including providing 10 business days to confirm a Request to Know or Delete and 45 calendar days to complete it; exempting a business from searching for personal information if criteria are met; clarifying that while certain categories of personal information, including biometric data, should never be disclosed in a Request to Know, businesses will inform the consumer with sufficient specificity that it has collected the type of information; clarifying that a Request to Know must include whether the data was sold; including the business purpose in the Request to Know; removing the requirement that a non-verified deletion request becomes an opt-out; and establishing that Requests to Delete responses do not have to state how the data was deleted. Further, the March 2020 revisions added that if a business that denies a consumer’s request to delete sells personal information, and the consumer has not already made a request to Opt-Out, the business will need to ask the consumer if they would like to Opt Out of the sale of their personal information, including either the contents of, or a link to, the notice of Right to Opt-Out.
• Clarification on Service Providers – section 999.314 addresses and describes the requirements for service providers, including clarifying relationships; personal information collection; permitted uses of PI by Service Providers; and allowing a Service Provider to either fulfill the request on behalf of the business or inform the consumer that it cannot act on the request because the request was sent to a Service Provider.
• Clarifications on Opt-Out Requests – section 999.315 specifies that Opt-Out methods should be easy for consumers to execute; that the consumer must affirmatively select their choice to Opt Out (no pre-ticked boxes); that individuals should be provided with the choice between the Opt-Out and the Loyalty / Financial Incentive Program; that the business has 15 business days to comply with Opt-Out Requests; and businesses no longer need to notify third parties to which the business sold the data within the 90 days prior.
• Updates to Training & Record Keeping – section 999.317 clarifies training and record keeping requirements, to include applying reasonable security measures to protect CCPA records; that CCPA records must not be shared with third parties; and additional information on the mini-Data Broker reporting requirements.
• Clarification on Discriminatory Practices – section 999.336 clarifies that business that show that the financial incentive is reasonably related to the value of the consumer’s data cannot offer the incentive; and that denying a Request to Know/Delete or Opt Out for reasons allowed by the CCPA is not discriminatory.

The CCPA provides consumers (and households) the right to know (“request my data”), the right to delete, the right to opt-out of sale, transparency in the use of personal data and a right to non-discrimination or services for exercising their rights. The right to disclosure clearly states that a consumer has a right to know what categories of information is collected on them, what information is disclosed to third parties, what information is sold and how the information is used. A business has the obligation to present on their home page a link that says “Do not sell my information.”

While the CCPA does not provide guidance on documentation required, it is hard for a company to comply without doing a data inventory, assessment and gap analysis – similar to the GDPR articles 30 and 35.

Businesses who infringe on the CCPA will be fined up to $7,500 per violation. This is relatively small amount in comparison to the GDPR’s head turning maximum fine of €20 million or 4 percent of annual global turnover, but even $7,500 could quickly add up if large-scale or repeated infringements occur. Twenty percent of the fine will be paid into the newly created Consumer Privacy Fund. This fund is supposed to cover the costs of enforcing the CCPA. Consumers can also bring civil claims against businesses for claims relating to unauthorized access, breach, theft, or improper disclosure of personal information.

Colorado Privacy Regulation 

Regulation status: Pending

In May 2018, a consumer data privacy bill passed legislation. The current law focuses on data breach and data security. Other initiatives are written that provide deeper rights for consumers but are not yet publicly available.

Connecticut Privacy Regulation 

Regulation status: Task Force Concerning Consumer Privacy Substituted for Bill

Connecticut is another carve-out of CCPA, very similar in rights, business scope, and disclosures. These include right of access, disclosure of categories, purpose and specific data, and the right to opt-out of selling personal information.

SB 1108 was substituted with a task force to review the proposed act that would require businesses to disclose the proposed use of any personal information and to give consumers the right to discover what personal information the business possesses and to opt out of the sale of such information and to create a cause of action and penalties for violations of such requirements.

Florida Privacy Regulation 

Regulation status: Proposed

Blending elements of the CCPA and Nevada’s privacy legislation, Florida introduced companion bills in both the state’s Senate (SB 1620) and House of Representatives (HB 963), that would, if passed, become effective in July 2020.

The proposed legislation requires an “Operator” of a website or online service to provide consumers with notice regarding the personal information collected on the website or through the service; creates the right for consumers to review and correct their personal information; and allows for an opportunity to “opt out” of the sale of certain personal information.

Both the CCPA and Florida bills apply to companies doing business within the state, with similar exceptions for small businesses, and exclusions for companies already subject to the Gramm-Leach-Bliley Act or to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Two striking differences with the CCPA: 1) while Florida consumers would have the right to review and request changes to their personal information, there is no right to delete included; and 2) “covered information” is not defined as broadly, omitting information covered under the CCPA such as predictive inferences.

Narrower than the CCPA and more closely aligned to the Nevada bill, Florida’s draft legislation obligates operators to stop selling data of a consumer who submits a verified request to do so, but defines a “sale” as an exchange of covered information “for monetary consideration…to a person for the person to license or sell the covered information to additional persons.” Florida also includes exceptions for disclosures to an entity that only processes information for the Operator.

The bill allows for a 30-day cure period before bringing an enforcement action, and the AG’s office could seek a civil penalty of up to $5,000 per violation; there is no private right of action under this bill.

Hawaii Privacy Regulation 

Regulation status: Passed by the House on March 3, 2020, the Bill is in the Hawaiian Senate for consideration.

If enacted, Hawaii’s law will be very similar to CCPA but with important clarifications and even broader applicability.

There is a very broad definition of data – including biometric, IP address, physical address, geolocation (even without other elements) and any type of profiling (if stored). Applicability is also very broad, basically stipulating that if you are interacting with PI in the state (not just residents but clearly also visitors, with no threshold) then you are subject to the law.

Very similar to the CCPA, the Bill establishes the right of access and deletion in relation to personal information held by companies, prohibits a business from discriminating against consumers in the exercise of their rights, and outlines a penalty of $7,500 for a violation of any provision of the Bill.

Going further than the CCPA, the Bill mandates that data brokers register annually with the office of consumer protection and provide pertinent information regarding policies on opt-out, consent, and security breaches; and the Bill prohibits the sale of geolocation and internet browser information without explicit consent – Opt-In not the Opt-Out of the CCPA.

The law enumerates on the format to reply to consumer requests very nicely. If a consumer opts out, then the company is prohibited from request again for 12 months – like CCPA – but Hawaii added necessary clarifications, such that it can be implemented electronically. (You can retain the data just to keep from asking them again for 12 months.)

Notice is very strong and clear, even more so than CCPA (anyplace PI is collected), and enforcement is almost identical to CCPA – making this one of the country’s strongest proposed privacy protections for consumers.

Illinois Data Transparency and Privacy Act

Regulation status: Pending

Proposed in January 2020, the Illinois Data Transparency and Privacy Act (SB2330) would be effective July 1, 2021, and has a number of similarities with the CCPA, notably requiring any business that processes personal information or deidentified information to provide notice to the consumer on the business’ website or mobile application prior to processing; defining in-scope businesses as any that collects or discloses the personal information of 50,000 or more persons and/or Illinois households OR if the business derives 50% or more of its annual revenues from selling consumer’s personal information; and defining personal information in much the same terms as the CCPA.

The Act also prescribes pricing incentives and prohibitions against discrimination; and establishes 4 Individual Rights and a protocol for the handling of requests for: the Right to Know, prescribing the types of information consumers may request of businesses; the Right to Opt-Out of the disclosure and sale of PI from the business to third parties and affiliates, and the processing of PI by the business, third parties, and affiliates; the Right to Correction; and the Right to Deletion. 

Different from the CCPA, the Act defines “sale” by limiting it to exchanges for monetary consideration, and does not apply to employee data.

The Act goes further than the CCPA, requiring that businesses, affiliates, and third parties conduct risk assessments and provides requirements for the assessments.    

As is common across states’ pending regulations, the Illinois Data Transparency and Privacy Act would not apply to personal information collected, processed, sold, or disclosed under the GLBA, HIPAA, and FCRA.

Aligned with the CCPA, the Attorney General would have authority to enforce the Act and it requires businesses to implement reasonable measures to protect consumers’ personal information from unauthorized use, disclosure, or access; a Private Right of Action for data breaches would allow consumers to recover damages between $100 and $750 per incident.

 

Maine Act to Protect the Privacy of Online Consumer Information

Regulation status: Effective

Maine Governor Janet Mills signed the Act to Protect the Privacy of Online Consumer Information, LD 946, into law in June 2019 and it will law will take effect July 1, 2020.

The new law imposes data privacy requirements on Internet service providers (ISPs), requiring ISPs to obtain customers’ “express, affirmative” opt-In consent before “using, disclosing, selling or permitting access” to a third party the vast majority of the information generated by a customer’s use of internet service.

The Act protects a customer’s web browsing history, application usage history, precise geolocation information, device identifiers, the origin and destination internet protocol addresses, personal identifying information, and the content of a customer’s communications.

ISPs must provide clear and “nondeceptive” notice; cannot refuse to serve customers who withhold consent; and are banned from offering financial or other incentives for customers to opt-in. Finally, ISPs will also be required to take “reasonable measures” to protect customer personal information from “unauthorized use, disclosure, sale or access”.

The law is applicable to all ISPs that service customers physically based and billed for within the State.

Maryland Privacy Regulation & The Online Consumer Protection Act

Regulation status: Pending

Maryland has several bills in legislation at various stages (HB1654, HB1655 and HB141). The net effect of the Maryland personal data laws pivot on the sale and use of data. A BIAS (mass market retail company) may only sell, disclose or use personal data once a consumer opts in. If a consumer does not opt in, the BIAS must provide the same level of service as if the consumer did opt in. These bills do not require a company to disclose categories of data collected or provide notice. Additionally, the bills do not require a company to disclose the specific pieces of personal information collected on a consumer.

Unlikely to pass through the legislature this year, Maryland held a public hearing on Senate Bill 613, the Online Consumer Protection Act – another bill with the potential to expand on the scope of CCPA in some areas. Businesses will have similar obligations to disclose information usage, though, to a lesser degree than under CCPA. And like California and Massachusetts, the definition of personal information includes a “probabilistic identifier.” 

SB613 goes beyond the scope of CCPA regarding companies’ obligations to disclose third-party involvement – companies would have to disclose any information that is passed on to third parties, even if that data is transferred for free. This bill also prohibits websites from knowingly disclosing any personal information collected about children.

Massachusetts Privacy Regulation 

Regulation status: Pending

Massachusetts bill SD 341 looks extremely similar to the CCPA. The measure would require a business that collects a consumer’s personal information to provide at or before the point of collection a detailed notice of what information is collected and shared. Consumers also have the right to request disclosures, request a copy of their data and request the data be deleted. Much like the CCPA, the Massachusetts proposal provides a broad definition of personal information including probabilistic identifiers, contains applicability thresholds for businesses, verifiable consumer requests, and even a requirement for a “clear and conspicuous” link on a business’s web page for consumers wishing to opt out of third-party transfers (“do not share my information,” similar to the CCPA’s “do not sell my data”).

There are a few important divergences from the CCPA, which include the right for consumers to sue for any violation of the proposed Massachusetts law. Consumers “need not suffer a loss of money or property as a result of the violation” to bring an action – with fines up to $750 per consumer, it introduces serious financial risk to in-scope organizations.

The scope of businesses has a definition similar to CCPA but the annual revenue threshold is $10 million (versus the CCPA’s $25 million). A business has 45 days to comply with a verifiable request.

Minnesota Consumer Data Privacy Act

Regulation status: Pending

Very similar to the CCPA, the Minnesota Consumer Data Privacy Act establishes a broad definition of “Controllers,” defining in-scope businesses as any that controls or processes the personal information of 100,000 or more consumers OR if the business derives 50% or more of its annual revenues from selling consumer’s personal information and controls or processes the personal information of 25,000 or more consumers; and defines personal information as any information relating to an identified or identifiable person, not to include de-identified data.

Controllers are required to provide notice to the consumer, and processing by a processor must be governed by a contract between the controller.

The Act establishes a comprehensive set of Individual Rights including: the Rights of Access to Personal Information Collected and to Personal Information Shared; the Right to Correction; the Right to Deletion; the Right to Data Portability; and the Right to Opt Out.

Differing from the CCPA, the Minnesota Consumer Data Privacy Act does not apply to employee data and does not allow for a Private Right of Action; but identical to the CCPA, the Minnesota AG may seek up to $2,500 for each violation and up to $7,500 for each intentional violation.

Mississippi Privacy Regulation 

Regulation status: Pending

The Mississippi bill in legislation looks to be nearly identical to the CCPA. Same rights, same scope for business and the same definition of personal data. Consumers must be notified at or before the point of collection. The business is required to disclose the purpose of collecting the data, the categories of information and disclose any third party disclosures and sale of data. It even requires a business place on the home page a link that says “Do not sell my information.”

Nebraska Consumer Data Privacy Act

Regulation status: Proposed

Proposed in January 2020, the Nebraska Consumer Data Privacy Act borrows most of its requirements, from the CCPA, including the definition of a covered business that has only minor differences, applying to any business has an annual gross revenue of at least $10 million; or annually buys, receives, sells or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or derives 50% or more of its annual revenues from selling consumers’ personal information. 

Aligned with the CCPA, person information is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including, commercial information, geolocation data, and biometric information.

Similar to the CCPA, the Nebraska Consumer Data Privacy Act requires covered businesses to provide consumers with notice of their privacy practices at or before the time of data collection and provides consumers with the right to: know, access and have deleted the personal information collected about them; know whether their personal information is sold or disclosed and to whom; Opt-Out of the sale of their personal information (or opt-in if under 16); and obtain equal services and prices, even if they exercise the rights provided by the bill.

The Consumer Data Privacy Act also requires businesses to include a Do Not Sell My Personal Information link on its home page; provide two or more methods for submitting requests for information, including a toll-free phone number and, if applicable, a website address; and outlines that businesses violating the provisions of the Bill would be liable for a civil action of up to $7,500 for each violation.

New Hampshire Privacy Regulation

Regulation status: Proposed

The New Hampshire Legislature is currently considering House Bill 1680, which, if enacted, would be the most comprehensive privacy law in the state and would create significant regulatory compliance issues for the businesses to which it applies – and it was clearly modeled on the CCPA. 

Identical to the CCPA, the Bill would apply to businesses that conduct business in New Hampshire and have annual gross revenues of more than $25 million; buy or receive personal information of 50,000 or more consumers, households or devices; or derive 50% or more of their annual revenue from selling consumers’ personal information.

As with the CCPA, businesses will be required to provide notice and disclose the specific personal information collected before the information is collected.  The notice must also inform consumers of their rights under this law – consumers will be empowered to request a copy of the personal information held by the business; to request that the business delete their personal information; and to request information pertaining to any sale of their personal information and to Opt-Out of that sale.

As with the CCPA, HB 1680 empowers the AG to levy penalties for noncompliance between $2,500 and $7,500 for each violation and also creates a Private Right of Action in the event of a breach.

Nevada Privacy Regulation 

Regulation status: Effective

The Nevada Internet Privacy Act SB220, which went into effect on October 1, 2019, is a very narrowly scoped bill and only emulates a small portion of the CCPA – permitting consumers to object to the sale of their data. The scope of this bill is limited to companies who operate a website and collect information about Nevadans. Unlike the CCPA, SB220 excludes information collected offline (i.e., hand-written applications, in-store sales, etc.). The term “sale” is more limiting than CCPA. A company must receive “money”; unlike the CCPA “valuable consideration” is not in scope for SB220.

Among the exclusions are companies with an affiliate relationship are exempt from disclosure to each other. An affiliate is legally defined as “any company that controls, is controlled by or is under common control with another company”. Information gathered from the transfer of records as part of a merger, acquisition, or bankruptcy is also excluded.

Any website operator collecting information from Nevadans (or with nexus to Nevada), must provide a designated address (webpage or phone number) by which a consumer can make a verifiable request to restrict a company from selling their personal information that was collected or will be collected. Once a consumer makes a verified request, the operator (i.e., company) has 60 days to complete the request. An additional 30-day extension can be requested. Civil penalties (with no right of action by the consumer) cannot exceed $5000 per violation (per consumer affected).

New Jersey Privacy Regulation 

Regulation status: Pending

The NJ bill is intended to take effect 1/1/2021, but is currently not expected to pass. The bill is similar to CCPA in many respects. Some of the larger differences include an expansive definition of “personally identifiable information” to include not only biometric data but also any information that personally identifies, describes, or is able to be associated with a customer. State and federal organizations are expected from the law, and the gross revenue limit for a regular business is reduced to $5 million.

Another requirement is that a business must identify a specific person to which privacy requests can be made, but there is no requirement for a prominent website link to their privacy management section. In addition to identifying data collected and third parties that may receive the data, a business must disclose how long they retain the consumer data. The regulation provides for the consumer rights of data access, opt-out, change and deletion. Data access is limited to only twice a year, and business have only 30 days to respond. No time extension is permitted.

There is little discussion of data breach or data security, other than to say all business must maintain an “industry standard” security program. Penalties are not set forth in this legislation but are outlined in a separate bill, The Identity Theft Protection Act.

In addition to Assembly Bill 4640, described above, New Jersey has a second privacy bill which is primarily focused on a company’s Privacy Policy. This bill seeks to have companies conspicuously post their privacy policies. The bill requires companies to include standard information in privacy policies, including the categories of personal information collected and the categories of personal information that may be shared with third parties, similar to CCPA.

The bill does not require a company to provide procedures to review and change personal information, but if those services are offered by a company, they must be documented in the privacy policy. Uniquely, the bill requires companies to disclose procedures it uses to respond to do-not-track signals. The bill also has an expansive definition of “personally identifiable information.” However, the bill applies to companies providing a commercial Internet website or online service, not all organizations. No penalties for violating these regulations are provided in this bill.

New Mexico Privacy Regulation 

Regulation status: Pending

The New Mexico bill is almost an exact copy of the CCPA, including the same required disclosures and penalties. New Mexico extends the definition of “business” to all businesses, not just those of a certain size, but strangely does not define “consumer” within the bill. The New Mexico bill does extends the definition of personal data to include biometric information but does not include household data as personal data. Consumers may request access to their data and opt out or request deletion. The bill does not include any provisions for changing data.

New York Privacy Act

Regulation status: On Hold

New York’s proposed S5642 has many parallels to the CCPA, and – as drafted now – grants New York residents more control over their data than in any other state.  Unlike the CCPA and similar to Massachusetts, the New York Privacy Act proposes a private right of action to allow consumers to sue businesses over violation of any aspect of the Act, such as when their personal data is put at risk or sold without their consent.  Going further than any other proposed regulation, the law would apply to all businesses without any revenue threshold.

The definition of personal information is undoubtedly inspired by the CCPA, relating “any information related to an identified or identifiable person” and including a very extensive list of identifiers from inferences used to create a profile, to online and technology-tracked identifiers, to personal identifiers and biometric date, and more.

Like the CCPA, it would allow people to find out what data companies are collecting on them, see who they’re sharing that data with, and request that it be deleted.  The Act requires consumers to affirmatively opt before their data is used for commercial purposes – rather than opt out – potentially barring companies from sharing, or selling, their data to third parties. Similar in spirit to the GPDR, the law would also allow consumers to request that companies correct the data held about them.

Another key difference, the New York Privacy Act proposes the role of a data fiduciary, forcing all NY State businesses to be legally responsible for the consumer data they hold – business must protect personal data and act in the best interests of the consumer, “without regard to the interests of the entity, controller or data broker”. Bottom line: consumers own the data.

North Dakota Privacy Regulation 

Regulation status: Pending

North Dakota has presented a bill that is lighter than CCPA regarding the disclosure and management of personal data. However, recently the bill was redlined to only include “A bill for an Act to provide for a legislative management study of consumer personal data disclosures” – meaning the legislature is in the studying phase to determine the proper language for a bill.

Rhode Island Privacy Regulation 

Regulation status: Pending

Rhode Island has drafted a bill just like Massachusetts and CCPA. The measure would require a business that collects a consumer’s personal information to provide at or before the point of collection a detailed notice of what information is collected and shared. Consumers also have the right to request disclosures, request a copy of their data and request the data be deleted.

Much like the CCPA, the Rhode Island proposal contains applicability thresholds for businesses, verifiable consumer requests, and even a requirement for a “clear and conspicuous” link on a business’s web page for consumers wishing to opt out of third-party sale of data (“Do not sell my data), which Rhode Island calls “opt out of sale.”

The scope of businesses has a definition similar to CCPA but the annual revenue threshold is $5 million (versus the CCPA’s $25 million). A business has 45 days to respond to a verifiable request.

{{cta(‘a1acc1a3-c018-40fe-8b64-5eb095e55608’)}}

Texas Privacy Regulation 

Regulation status: Task Force Concerning Consumer Privacy Substituted for Bill

Two consumer privacy bills were filed in the Texas House of Representatives in 2019, but only HB 4390 survived while HB 4518 was left pending in the Texas House Business & Industry Committee.

HB 4390, originally filed as a comprehensive consumer privacy bill known as the Texas Privacy Protection Act, was amended multiple times, and eventually limited to updates to the breach notification requirements in the Texas Identity Theft Enforcement and Protection Act and to creating the Texas Privacy Protection Advisory Council to study data privacy laws in advance of the 2020 legislative session.

The Council will meet on a regular basis until it reports its findings and recommendations to the Texas Legislature on or before September 1, 2020; the recommendations will likely form the basis for consumer privacy legislation when the Texas Legislature reconvenes in January 2021.

Vermont Privacy Regulation 

Regulation status: Effective

The Vermont law is not a comprehensive privacy bill. It focuses only on data brokers (companies that exist only to sell data). These brokers are required to register with the state and required to provide some standardized documentation to consumers about the data they collect. Consumers cannot request their specific data, nor request that their data be deleted or not sold.

Virginia

Regulation status: Proposed

In January 2020, HB 473, the Virginia Privacy Act, was introduced and as drafted, provides notice requirements similar to the CCPA, provides consumers with rights similar to those under the GDPR, and unlike either the CCPA or the GDPR, would require data controllers to perform and document a privacy risk assessment for every processing activity.

Very similar to the CCPA, the bill applies to any company doing business in Virginia or that produces products or services “intentionally targeted to residents” of Virginia, and that controls or processes personal data of at least 100,000 consumers, or derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.

Combining elements of GDPR with the CCPA, the Virginia bill distinguishes between data “controllers” and “processors” and would provide Virginia residents with a rights including the right to access, correction and deletion, as well as the right to restrict and/or object to processing, which must be fulfilled in 30-days.

The concept of a “sale” under the Virginia bill is similar to the one found in Nevada’s Act, and is limited to sales of personal data for monetary consideration for purposes of licensing or selling personal data at the third party’s discretion to additional third parties.

Controllers would have 30 days to cure any alleged violation of the Act. However, violations and enforcement of the Act would be subject to the Virginia Consumer Protection Act, which permits a private cause of action for violations of the Act to recover actual damages, or $500, whichever is greater; and if the violation was willful, damages may increase to an amount not exceeding three times the actual damages sustained, or $1,000, whichever is greater. The Act would permit the allocation of liability to processors according to comparative fault principles.

Washington Privacy Act

Regulation status: On Hold

On February 28, 2020, the Washington House Innovation, Technology & Economic Development Committee (ITED) voted to pass a strengthened version of the Washington Privacy Act (WPA) out of committee but it was not successful in clearing the House on March 12, 2020. Combining and lifting many provisions almost entirely from the text of GDPR and California’s CCPA, if passed in its current version, the Washing Privacy Act would arguably make Washington one of the most privacy-protective states in the nation

The WPA would impose far-reaching responsibilities on companies to protect the privacy of “personal data” and to limit the amount collected; and would grant residents new rights over data collection and use, including the right to opt out of targeted advertising.  Still applying to any company processing personal data of over 100,000 consumers during a calendar year, the ITED committee modified the WPA to apply to Data Brokers that derive over 25% of their gross revenue from the sale of personal data and process and control the personal data of 25,000 or more consumers (i.e., Washington residents); the Senate version of the WPA sets the threshold at 50%.

Companies would have 30 days to fulfill consumers’ requests with extension to 60 days only if warranted. In addition, the Privacy Act requires exceptional transparency for PII including clear disclosure of the purposes for which that data is used, the categories of personal data shared with third parties, and the categories of third parties with which the company shares data. Policing of vendors and service providers is also the responsibility of the company and quite strict.

Prominent disclosure is mandated. A risk assessment is a further requirement, to determine if the security of personal information might be compromised by a particular practice or use. There are unique restrictions on facial recognition, requiring organizations to provide easy-to-understand consent; the ITED committee amendments also removed the WPA’s provisions permitting controllers to enroll a consumer’s image in a facial recognition service without first obtaining the consumer’s consent.

The Act establishes a baseline of protection for consumer personal data, while pragmatically leaving Washington’s data breach law intact with CCPA-like enforcement by the Attorney General with specific penalties $2,500 and $7,500 per instance. Also aligned with the CCPA, the ITED committee approved the creation of a private right of action to enforce the privacy rights granted in the WPA, allowing Washington residents to bring claims under the state Consumer Protection Act, which authorizes litigants to seek an injunction, actual damages, treble damages, costs of suit, and attorney’s fees.

Overall this is a very well written law with broad application.

---

Subscribe to Stay Up-to-date Automatically

Pending privacy regulations are changing every day and new ones are being proposed. How will your company be affected? Sign up for our State of the States newsletter and we’ll send you regular updates to this information.

 

---

This publication informs our clients and friends about recent legal developments and is for informational purposes only. It does not constitute legal advice or reflect any opinions on any particular law or regulation.  The information contained herein is subject to change and may become inaccurate or outdated over time.  Do not rely on this publication without seeking legal guidance.