In the fifth episode of our Legislating Data Privacy series, we talk with Florida Republican Representative Fiona McFarland.

In April, the Florida legislature was on the cusp of enacting consumer privacy legislation after both its House and Senate passed bills, although it ultimately was unable to pass a bill before adjourning. Representative McFarland was in the middle of this debate as the primary author of HB 969. A first term elected official, Representative McFarland threw herself into data privacy legislation, leaning on her prior experience in the Navy.

In this far-reaching interview, Representative McFarland discusses, among other topics, what happened behind-the-scenes with the Florida bills, her opinion on how data privacy legislation should be enforced, and the prospect for Florida to pass privacy legislation next year.

Click here to listen to the full interview.

In the fourth episode of our Legislating Data Privacy series, we talk with Arizona Representative Domingo DeGrazia.

Representative DeGrazia is the author of HB 2865, which would have granted Arizona residents various privacy rights regarding their personal data.

In this fascinating interview, Representative DeGrazia – a CIPP/US – discusses the challenges of running consumer privacy legislation in Arizona and his hopes for passing legislation next year. He also discusses the Uniform Law Commission’s Uniform Data Protection Act and his thoughts on whether he will run that legislation next year. Representative DeGrazia also talks about his opinions on enforcement, the role of states versus the federal government in passing privacy legislation, and the future of privacy legislation in the United States.

Click here to listen to the full interview.

Keypoint: Businesses that sell personal information under the CCPA are now required to honor Global Privacy Control signals.

In an update to its CCPA FAQs, the California Attorney General’s office has stated that businesses that sell personal information must honor Global Privacy Control (GPC) signals.

Continue Reading California AG Requires Businesses to Recognize GPC Signals for Requests to Opt Out of Sales

Keypoint: As introduced, the Ohio Personal Privacy Act would provide Ohio residents with some rights regarding their personal data, but it is not as extensive as the CPRA, CPA, and VCDPA.

As first reported by the IAPP’s Joe Duball, on July 13, 2021, Ohio lawmakers introduced the Ohio Personal Privacy Act (House Bill 376).

The bill’s primary sponsors are Republicans Rick Carfagna and Thomas Hall. The bill also has eight Republican co-sponsors in the House. For reference, Republicans have overwhelming majorities in Ohio’s House and Senate, and Ohio has a Republican Governor. In announcing the introduction of the bill, Kirk Herath, Chairman of CyberOhio, emphasized the large group of individuals involved in crafting the bill, including Ohio Lt. Governor Jon Husted. Ohio’s legislature closes in December.

Below is an analysis of the bill (as introduced).

Continue Reading Ohio Personal Privacy Act Introduced

Keypoint: On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act into law, making Colorado the third state to pass broad consumer privacy legislation.

On July 7, 2021, Colorado officially became the third state to pass broad consumer privacy legislation when Governor Jared Polis signed the Colorado Privacy Act (CPA) into law. The Colorado legislature previously passed the CPA on June 8. The CPA will go into effect on July 1, 2023.

Once effective, covered entities will be required to provide Colorado residents with various privacy rights, including the right to access, correct, and delete their personal data and to opt out of the sale of their personal data. Covered entities also will need to provide privacy policy disclosures and create data protection assessments for certain types of processing activities. For a full discussion of the CPA, please see our webinar here.


In the third episode of our Legislating Data Privacy series, we talk with Washington Representative Shelley Kloba.

If you follow proposed state privacy legislation, you know that Washington state is at its epicenter. For the past three years, the Washington legislature has considered – but failed to pass – the Washington Privacy Act. Representative Kloba is a central figure in this debate.

In 2021, she authored HB 1433 – the People’s Privacy Act – a rival bill to the Washington Privacy Act. The People’s Privacy Act would have required opt-in consent for the processing of personal data, created an Illinois-like biometric information privacy structure, and allowed for a private right of action. Representative Kloba also proposed five amendments to the Washington Privacy Act before it failed in the House.

In our interview, Representative Kloba discusses her bill and the Washington Privacy Act, including the tensions between the Washington Senate and House. She also tackles numerous related issues such as her view on how privacy laws should be enforced and what types of provisions they should contain.

Click here to listen to the full interview.

In the second podcast of our Legislating Data Privacy series, we talk with Minnesota Representative Steve Elkins.

Representative Elkins is the co-author of HF 1492, the Minnesota Consumer Data Privacy Act.

In this wide-ranging interview, Representative Elkins discusses what happened with HF 1492 during the 2021 legislative session, his plan for reintroducing the bill in 2022, and his opinions on a wide-range of issues relating to state privacy legislation.

Click here to listen to the full interview.


Keypoint: Our legislating data privacy podcast series kicks off with an in-depth conversation with Representative Collin Walke of Oklahoma.

As readers of this blog know, the emergence of broad state consumer privacy legislation has been one of the dominant stories in privacy law since at least June 2018 when California lawmakers passed the California Consumer Privacy Act in response to Alastair Mactaggart’s ballot measure. State lawmakers have jumped into the void created by the absence of federal privacy legislation and tackled this complicated issue. In 2021 alone, lawmakers in 26 states proposed CCPA-like privacy legislation. While the federal government may eventually pass federal privacy legislation, there can be no doubt that state lawmakers are at the forefront of developing the principles that will form the foundation of privacy law in this country.

Given the importance of these issues, we decided to launch a limited podcast series interviewing some of the prominent state lawmakers who have authored these bills.

Our first guest is Oklahoma Representative Collin Walke, who was one of the authors of HB 1602, the Oklahoma Computer Data Privacy Act (Act). In March, Representative Walke put Oklahoma on the privacy law map when he steered the Act through the Oklahoma House of Representatives. Although the bill eventually failed in the Senate, Representative Walke intends to introduce it again next year in the hopes of providing Oklahoma residents with strong privacy rights.

Click here to listen to our conversation with Representative Walke.

Keypoint: This week the Colorado legislature passed the Colorado Privacy Act.

Below is our sixteenth weekly update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we need to make a few announcements.

This will be our last weekly update – for now. With the legislatures in so many states having adjourned for the year and the bills in the remaining states not moving forward, we will be pausing our weekly updates. Rest assured, we will be back when things heat up again.

Even though we are pausing our weekly updates, we are not slowing down our work on state consumer privacy legislation.

On June 15, we will be hosting a webinar on the Colorado Privacy Act. Click here to register.

Starting Monday, June 21, we will be releasing a limited podcast series with interviews of state lawmakers who spearheaded privacy legislation in 2021. If you want to know the inside story on how these bills are drafted and lobbied, you will not want to miss these interviews.

Finally, if you are not already subscribed to our blog, consider doing so to stay updated.

Continue Reading Status of Proposed CCPA-Like State Privacy Legislation as of June 14, 2021

Keypoint: The Texas legislature has determined that companies who experience a data breach affecting Texas residents need to have their names in lights—but not in a good way.

House Bill 3746, which passed both the House and the Senate last week and has been sent to Governor Abbott for signature, amends Texas’s breach notification law to require the Attorney General’s office to maintain a publicly accessible page on its website containing every notification of a data breach it has received over the past year.

Continue Reading Texas Amends Its Breach Notification Law