Incoming Wave of State Data Privacy Laws
Although the United States has passed certain data privacy-related laws, like HIPAA, there is no broad, comprehensive law in our country that covers all types of data. We have seen this kind of legislation enacted elsewhere, most notably the General Data Protection Regulation, or GDPR, which is in force across the European Union. Even though no nationwide law of this kind has been passed, there is still widespread concern over the amount of data that companies can access and use from individuals without their consent.
In order to address this concern and ensure the protection of individuals’ personally identifiable information (PII), many states in the U.S. have taken it upon themselves to create and enact general data privacy laws. It is very likely that we will see a national version at some point in the near future, but until then, and potentially even after, the states are determining what this looks like for each of them. At this point, 20 states have seen the introduction of a related bill by their lawmakers. We will continually be updating this blog as additional states prepare to pass related legislation.
It is also worth noting that most of these state-specific laws follow the lead of either the GDPR or the CCPA, which became the first data privacy law passed by a state when it was enacted in California in 2018. Since then, California has created a new law that is an updated and expanded version of the CCPA, which we discuss below. Many states are drawing inspiration for their own laws from the GDPR, the CCPA, or the new CPRA.
California has certainly been the pioneer in this entire process - they are currently working on their second expansive data privacy law while many states are only beginning to consider their first. The California Consumer Privacy Act (CCPA) was passed in 2018 but has only been in effect since July 2020, by which time the state legislature had already begun work on the California Privacy Rights Act (CPRA). The CPRA, which draws inspiration from the GDPR, is a dramatic update and expansion of the CCPA, the law that has served as the foundation many states have followed as they create their own legislation. The CPRA was passed by California voters in November 2020 and will go into full effect on January 1st, 2023.
Simply put, the CPRA will continue to support individuals’ right to control their personally identifiable information (PII). Individuals are given the right to know what information of theirs organizations hold, whether that information is shared or sold, to receive copies of that information upon request, and to opt out of the sale or storage of their PII at any point without penalty. The legislation also creates a new agency, the Consumer Privacy Protection Agency, which will regulate and enforce the act on behalf of all California residents. The CPRA raises the stakes for organizations: they can now face much larger penalties, and they will no longer be able to remediate issues within a 30-day cure period to avoid lawsuits, as the CCPA had allowed.
Just this February, Florida’s governor put his support behind a potential new consumer privacy law, House Bill 969. This would be the first attempt at increasing data privacy regulations in the state since 2014. The bill follows closely the example set by the CCPA, as mentioned above, and would go into effect on January 1, 2022. The goal is to give individuals a greater level of control over how their personally identifiable information (PII) is handled. As a result, the restrictions on companies using this data would be significantly greater than before.
Just as we have seen with California and Virginia, this bill would apply to most large for-profit organizations doing business in the state. In this case, it would cover companies doing business in Florida with total revenue of over $25 million, plus those that interact with the personal information of 50,000+ Florida residents or devices each year. The last qualifier for being subject to this law is whether half or more of a company’s total revenue comes from sharing, holding, or selling Florida residents’ personal information.
If a company falls into any of these categories, then there are certain requirements that it must meet. Here are a few of them:
- Provide notice at the “point of collection” of the personal data
- Respond to every individual request to share a person’s information with them or to update, correct, or delete those records
- Allow consumers to opt out of sharing their personal information with an organization at no cost to them
- Honor requests to correct inaccuracies in a consumer’s data or to delete the information entirely
- Refrain from retaining information beyond the initial purpose for which it was approved
Update: Both Florida's House of Representatives and Senate passed a version of the privacy bill, but ultimately they were unable to agree on a final version to vote on and pass before the legislature closed on April 30th. Reports are that the main point of disagreement between the two chambers was whether or not to include a private right of action.
The Minnesota Consumer Data Privacy Act, or MCDPA, was introduced into the state legislature in late February. This act, currently being discussed in the state legislature as HF36, is extremely similar to the CCPA. The law would seek to protect Minnesota residents’ personal information, which in this case is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer.”
A company will be subject to this law if it meets any of the following thresholds: it has annual gross revenue of $25 million; it sells, buys, or stores the PII of 50,000+ Minnesota residents or their devices; or it makes 50% or more of its yearly revenue from selling individuals’ personal information. Each organization that meets one of these thresholds will be required to notify customers upon collection of their information, disclose to a consumer when their personal information is sold, allow consumers to request copies, edits, or deletion of their PII at any time, and allow consumers to opt out of the sale of their information at any time without any penalty. Just as with other state laws, the Minnesota Attorney General will be responsible for enforcing the law and penalizing companies under it, should it pass fully through the Senate.
New York is taking a slightly different approach than some other states in its progress towards legislation that protects consumers’ personal data. Five different bills related to this overall topic have actually been introduced into the Senate - one is a broad bill that mirrors the CCPA, while some of the others target specific aspects more directly. Here we will briefly touch on three of those five bills: The New York Privacy Act (NYPA), The Right to Know Act, and Senate Bill S567/Assembly Bill A3709, which has yet to be given a final name.
- The New York Privacy Act (NYPA) is identical to a bill that was introduced in the last legislative session but was unable to pass through either chamber. The goal of this law is to provide New York residents with a higher level of transparency and control over their PII while mandating greater regulation and compliance from the companies subject to it. The NYPA is an extensive and even tougher version of the GDPR, which experts feel is unlikely to be signed into law but may set the scene for how state privacy laws trend in the future.
- The Right to Know Act, Assembly Bill A400, would require New York businesses to offer consumers access to their personal information, the categories of information that they share with third parties, and the contact information for all third-party groups with which they share this information. If passed, this act would come with penalties that could be enforced by the attorney general, a district attorney, a city attorney, or a city prosecutor. Like the NYPA, this act was also introduced in the last session but was never approved.
- Finally, Senate Bill S567/Assembly Bill A3709 is almost identical to the CCPA in just about every way - but it does have one distinction, which is the private right of action. The private right of action provided in S567/A3709 would allow any person who becomes aware of an organization’s violation of this law through non-public information (i.e. not through a company’s public breach notification statement) to file a civil action, which could result in civil penalties against the company at fault.
Update: All of these bills are still active, although New York's legislative session ends on June 10th, so there is limited time before any of them could be officially signed into law.
On March 4th, 2021, the Oklahoma State House of Representatives passed a brand-new act, called the Oklahoma Computer Data Privacy Act, by an overwhelming majority of votes. This bill, which is focused on the data privacy of personally identifiable information, is now headed to the state senate, where it is expected to pass as well.
The key aspect to mention here is that the OCDPA would be the first data privacy law in the United States that is an “opt-in” law, which means that companies would have to ask for explicit consent prior to collecting any personally identifiable information. By contrast, the CCPA is an “opt-out” law, which means that businesses can collect information unless requested not to. In addition to the opt-in clause, the OCDPA would also include lower applicability thresholds and active opt-in requirements for sales of PII. If you are looking for a more detailed look at this impending law, here is our article covering the whole thing.
Update: Although the House had passed the Oklahoma Computer Data Privacy Act on March 4th, the bill did not make it out of the state Senate before the session closed on April 8th. This means that the OCDPA is officially dead for this legislative session.
As of the official bill passage on February 3rd, Virginia is now set to become the second state to pass a broad, state-specific privacy law. The Virginia CDPA takes aspects from the CPRA, the CCPA, and the GDPR, and also has some aspects that differ from all three of these earlier data laws. The Virginia CDPA is targeted at larger organizations, specifically those that interact with 100,000+ people’s information yearly; however, if a company makes over 50% of its revenue from the sale of consumer data, the threshold for the number of individuals whose data it handles drops to 25,000. This bill does not apply to nonprofit organizations, universities, or government agencies. Lastly, any organization that already has to comply with either GLBA or HIPAA for its data management does not need to comply with the Virginia CDPA.
The Virginia CDPA requires companies to do the following things:
- Respond to all consumer data requests within 45 days
- Conduct a complete assessment of their current data security operations
This bill is notable both for being the second state-specific privacy law to be signed into law (now awaiting its enforcement date) and for having more exclusions than either the CCPA or the GDPR. Another distinction from previous pieces of legislation is that the Virginia CDPA narrows the definition of “selling” information compared with the broader, vaguer definition found in the CCPA. The Virginia bill makes it clear that only exchanges in which monetary compensation is traded for personal data will be considered a sale. Full details of this law can be found here.
The Washington legislature has discussed, debated, and considered a version of the Washington Privacy Act (WPA) in each of the past 3 years, but ultimately the chambers have been unable to reach a compromise. This year the 2021 version of the WPA will be brought up yet again in the hope that a resolution can be reached. This bill is made up of four parts - the first is similar to those in past versions and relates to the processing or selling of personal data in the private sector. The second and third sections revolve around the handling of PII during public health crises, and were clearly written in response to the COVID-19 pandemic. The fourth section deals mostly with enforcement and the effective date, which would be July 31st, 2022.
Update: As of April 25th, Washington's legislative session officially closed without passing this law, meaning that the WPA is officially dead for the 3rd year in a row.
Data privacy regulation has certainly become one of the main themes of state legislatures across the United States over the past few years. Most of this legislation follows the precedent laid out by the GDPR and the CCPA, but many states are also adjusting these trends to fit what they feel will best protect their constituents. We will continue to follow these laws as they are debated and eventually voted on by their state legislatures. Check back on this article for updates as we hear about them nationwide!