Keypoint: CCPA-like privacy bills continue to be introduced and work their way through state legislatures.
Those who attended our recent webinar or who subscribe to this blog know that we have been closely tracking proposed CCPA-like legislation in state legislatures across the country. We also launched a 2021 State Privacy Law Tracker to keep pace with the latest developments.
Yet, even with these efforts, there still are numerous developments occurring on a near daily basis. Therefore, we decided to wait until a weekend (when state legislatures are quiet) to provide a summary of where these bills stand. Of course, the contents provided below are time-sensitive and subject to change.
To date, state lawmakers have introduced bills in 18 states. Some states, such as Florida, Washington and Minnesota are considering multiple bills. One state (Virginia) has passed legislation whereas bills in two states (North Dakota and Mississippi) have already failed.
The below analysis divides the bills into three categories: (1) active bills, (2) introduced bills, and (3) dead bills. Active bills are those that have seen some movement, such as a committee hearing, vote, or passage. Introduced bills are those that have been introduced in a state legislature but have yet to see any movement (other than, for example, being referred to a committee). Dead bills are (as you might have guessed) bills that have failed.
For links to all of these bills please see our 2021 State Privacy Law Tracker.
By now everyone knows that the Virginia General Assembly passed the Virginia Consumer Data Protection Act (CDPA). As of February 26, the President of the Virginia Senate and Speaker of the Virginia House of Delegates signed the bill and it is with the Governor. The Governor is expected to sign the bill, and the law will go into effect January 1, 2023.
Of note, at least one consumer advocacy group already announced that it intends to ask the Virginia legislature to strengthen the law next session. The Electronic Frontier Foundation also announced its opposition to the bill, and asked Virginia Governor Northam to either veto it or add a reenactment clause, which would send the bill back to the legislature.
Prior to final passage, the legislature did add a provision to the CDPA creating a working group of government, business and privacy representatives to “review the provisions of [the CDPA] and issues related to its implementation” and submit their “findings, best practices, and recommendations regarding the implementation of” the CDPA to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.
In the end, it appears that privacy professionals will need to keep a close eye on next year’s Virginia legislative session as the CDPA could change before its January 1, 2023 effective date.
The Washington Senate continues to debate the Washington Privacy Act (WPA). As of this weekend, the WPA has been placed on a second reading by the Rules Committee. The WPA and the Virginia CDPA are very similar bills, with the Virginia bill being derived from the Washington bill. The Virginia bill is regarded as more business-friendly than the Washington bill.
The People’s Privacy Act (a competing bill supported by the ACLU of Washington) has not seen movement since February 1.
The Utah Senate has been (quickly) considering a bill that contains the Utah Consumer Privacy Act and Utah Commercial Email Act. The bill was introduced on February 16, 2021. The bill’s legislative history indicates that, as of February 26, it is on a third reading in the Senate.
The IAPP’s Joe Duball has been closely tracking this (and other proposed state privacy bills) on his twitter feed. On February 26, he reported that Senator Cullimore held the bill when it was called on the Senate floor session and indicated that a substitute bill was forthcoming.
As currently drafted, the Utah bill is similar to the Washington and Virginia bills. One notable difference, however, is that the bill includes a separate provision on commercial emails. Also, if passed, the law would go into effect on January 1, 2022, earlier than Virginia (January 1, 2023) and Washington (July 31, 2022).
The fact that the Utah bill is so similar to the Washington and Virginia bills also is remarkable because the Utah legislature is controlled by Republicans whereas the Washington and Virginia legislatures are controlled by Democrats.
Just a few weeks ago, all (privacy) eyes were focused on Oklahoma and the Oklahoma Computer Data Privacy Act. On February 10, 2021, the House Technology Committee unanimously (6-0) passed the bill out of committee and numerous representatives added their names as co-authors. News articles also reported that the bill had widespread bipartisan support. At the time, it seemed as though there was real momentum for the bill to pass. However, nearly three weeks later, the bill has not moved forward.
The Oklahoma bill is more similar to the CCPA than it is to the Virginia, Washington, and Utah bills. However, the bill has a lower threshold for when it would apply ($10 million in annual gross revenue versus the CCPA’s $25 million), it would require a business to obtain a consumer’s consent for processing of personal information, and it includes a private right of action with statutory damages.
Two bills have been introduced in Connecticut – Senate Bill 893 introduced on February 17 and Senate Bill 156 introduced on January 15. Both bills are with the Joint General Law Committee, which held a public hearing on February 25.
Senate Bill 893 is similar to Virginia’s CDPA. As introduced, Senate Bill 156 is just a one-paragraph bill.
House Bill 216 was introduced on February 2, 2021. Notably, the bill has attracted 18 Republican sponsors or co-sponsors. However, to date, it has not moved forward and is currently referred to the House committee on Technology and Research. The bill is similar to the CCPA.
HB 2865 was introduced on February 11, 2021. To date, there have been no hearings or votes taken on the bill. The bill is currently pending in the House Commerce Committee. The bill does not readily track the form or contents of the CCPA, CDPA, or WPA.
HB 969 was filed on February 15, 2021. It currently is in committee. A second bill, SB 1734, was filed on February 25, 2021.
HB 969 is perhaps best described as a heavily modified version of the California Privacy Rights Act (CPRA). SB 1734 is perhaps best described as a heavily modified version of the CCPA.
Illinois lawmakers proposed two bills in the last two weeks. HB 2404 (entitled the Right to Know Act) and HB 3910 (entitled the Consumer Privacy Act) were introduced on February 17 and February 22, respectively. Both bills are with the Rules Committee.
As its name suggests, the Right to Know Act would provide Illinois residents with the right to know certain information regarding their personal information. HB 3910 is a modified version of the CCPA.
SB 930 (the Maryland Online Consumer Protection Act) was introduced on February 10, 2021. No action has been taken to date. The bill is a modified version of the CCPA.
SD 1726 was filed on February 18, 2021. It does not appear that any action has been taken on the bill to date. The bill is a modified version of Washington’s People’s Privacy Act.
Minnesota is an interesting state insofar as it was one of the first states to see legislation proposed this year (HF 36 proposed on January 7, 2021), but then saw a second bill (HF 1492) proposed more than a month later on February 22, 2021. Neither bill has seen movement since being introduced.
HF 36 is a modified (and shortened) version of the CCPA and contains a private right of action. HF 1492 is similar to the Washington and Virginia bills.
As shown on our tracker, New York legislators have proposed a number of consumer privacy bills in 2021. All of those bills currently sit in committee.
H 3063 was pre-filed on December 9, 2020 and referred to the Committee on Labor on January 12, 2021. It has not moved since. The bill is limited to providing rights around the collection and use of biometric information.
H.160 is still a short form bill (i.e., only one paragraph long). The bill has been referred to committee and no further action has been taken to date.
North Dakota’s HB 1330 and Mississippi’s Senate Bill 2612 have both died.