Keypoint: It was a busy week for privacy law. Since the update we provided last week Virginia’s bill was signed into law, bills in Washington and Oklahoma advanced, and Utah’s bill failed to pass before its legislative session closed.
Last week, we provided an update on the status of proposed CCPA-like privacy legislation. In that article, we noted that the contents were “time-sensitive and subject to change.” Typical to privacy law, in just a week, the landscape of these proposed laws changed dramatically. Given these changes, we decided to publish another update and, like last week, waited until a weekend when state legislatures are quiet.
Before we get to our update, we wanted to provide three reminders.
First, we will be hosting a webinar on Virginia’s Consumer Data Protection Act on March 11. You can register for the webinar here. If you are unable to attend the webinar live, you can still register, and we will email a copy of the presentation and a link to the webinar recording to you.
Second, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.
Third, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.
Since our March 1 post, the proposed privacy law landscape has drastically changed.
First, as you certainly know, Virginia’s Governor signed into law the Virginia’s Consumer Data Protection Act (CDPA). It will go into effect on January 1, 2023.
Second, the Utah legislature was unable to pass its bill. Before the bill failed, lawmakers introduced a more business-friendly version, but the legislature was unable to pass the bill before closing on March 5. The IAPP’s Joe Duball closely tracked this process. His twitter feed is a must read for those interested in tracking all of the proposed state privacy laws.
Third, significantly different bills in Washington and Oklahoma both passed one chamber of their respective state legislatures.
A version of the Washington Privacy Act has passed the state Senate the last two years, so it comes as no surprise that the Washington bill passed the Senate this week. The real question is whether Washington can finally get a bill across the finish line. Of course, that question becomes even more interesting given that Virginia’s CDPA is a more business-friendly version of the Washington bill.
Lawmakers amended the Oklahoma bill significantly prior to it passing the Oklahoma House. To catch up on the Oklahoma bill take a look at our summary. As we detail in our summary, the bill no longer contains a private right of action, but has significant provisions regarding consent for collection and sale of personal information. It also would likely apply to more businesses than California’s CCPA.
Fourth, lawmakers have introduced a new bill in Rhode Island, a second bill in Massachusetts, and an additional bill in New York.
In New York specifically, Governor Cuomo’s privacy legislation (see page 148) introduced in his state budget proposal drew criticism from the ACLU of New York. In apparent response, a version of the ACLU’s People’s Privacy Act was introduced in the state (A6042). Those looking to track these developments should follow Joseph Jerome’s twitter feed.
To date, state lawmakers have introduced bills in 19 states. Connecticut, Florida, Illinois, Minnesota, New York, Massachusetts, and Washington are considering multiple bills. One state (Virginia) has passed legislation whereas the bills in three states (North Dakota, Mississippi, and Utah) have already failed.
The below analysis divides the bills into four categories: (1) passed bills, (2) active bills, (3) introduced bills, and (4) dead bills.
Passed bills are those that have become law (i.e., Virginia). Active bills are those that have seen some movement, such as a committee hearing or vote. Introduced bills are those that have been introduced in a state legislature but have yet to see any movement (other than, for example, being referred to a committee). Dead bills are (as you might have guessed) bills that have failed.
For links to all of these bills please see our 2021 State Privacy Law Tracker.
On March 2, 2021, Virginia became the second state – after California – to enact state consumer data privacy legislation. You can find our coverage of the Virginia bill here, and you can find the text of the new law here. As noted, we will be hosting a webinar on the new law on March 11.
The Washington Senate passed the 2021 version of the Washington Privacy Act (WPA) on March 3, and now the real action begins as the bill moves to the House. Last year, the House passed an amended version of the WPA adding, among other things, a private right of action. However, the Senate and House were ultimately unable to reach a consensus in a conference committee and the WPA failed.
The People’s Privacy Act (a competing bill supported by the ACLU of Washington) has not seen movement since February 1.
As discussed above, the Oklahoma House passed a revised version of the Oklahoma Computer Data Privacy Act on March 4. The bill now moves to the state senate. You can find a summary of the bill here.
We did not see any movement on the two bills that have been introduced in Connecticut – Senate Bill 893 introduced on February 17 and Senate Bill 156 introduced on January 15. Both bills are with the Joint General Law Committee, which held a public hearing on February 25.
Senate Bill 893 is similar to Virginia’s CDPA. As introduced, Senate Bill 156 is just a one-paragraph bill.
House Bill 216 was introduced on February 2, 2021. Notably, the bill has attracted 18 Republican sponsors or co-sponsors. However, to date, it has not moved forward and is currently referred to the House committee on Technology and Research. The bill is similar to the CCPA.
HB 2865 was introduced on February 11, 2021. To date, there have been no hearings or votes taken on the bill. The bill is currently pending in the House Commerce Committee. The bill does not readily track the form or contents of either the CCPA or the Virginia and Washington bills.
HB 969 was filed on February 15, 2021. A second bill, SB 1734, was filed on February 25, 2021. Both bills are currently in committee.
HB 969 is perhaps best described as a heavily modified version of the California Privacy Rights Act (CPRA),while SB 1734 is perhaps best described as a heavily modified version of the CCPA.
Illinois lawmakers have proposed two bills. Lawmakers introduced HB 2404 (entitled the Right to Know Act) and HB 3910 (entitled the Consumer Privacy Act) on February 17 and February 22, respectively. Both bills are with the Rules Committee.
As its name suggests, the Right to Know Act would provide Illinois residents with the right to know certain information regarding their personal information. HB 3910 is a modified version of the CCPA.
SB 930 (the Maryland Online Consumer Protection Act) was introduced on February 10, 2021. No action has been taken to date. The bill is a modified version of the CCPA.
SD 1726 was filed on February 18, 2021. It does not appear that any action has been taken on the bill to date. The bill is a modified version of Washington’s People’s Privacy Act. A second bill, HD 3847 was filed in the state house.
Minnesota is interesting insofar as it was one of the first states to see legislation proposed this year (HF 36 proposed on January 7, 2021), but then lawmakers introduce a second bill (HF 1492) more than a month later on February 22, 2021. Neither bill has seen movement since being introduced.
HF 36 is a modified (and shortened) version of the CCPA and contains a private right of action. HF 1492 is similar to the Washington and Virginia bills.
As shown on our tracker, New York legislators have proposed a number of consumer privacy bills in 2021. All of those bills currently sit in committee. In addition, Governor Cuomo’s privacy legislation (see page 148) is still active.
H 3063 was pre-filed on December 9, 2020 and referred to the Committee on Labor on January 12, 2021. It has not moved since. The bill is limited to providing rights around the collection and use of biometric information.
H.160 is still a short form bill (i.e., only one paragraph long). The bill has been referred to committee and no further action has been taken to date.
North Dakota’s HB 1330, Mississippi’s Senate Bill 2612, and Utah’s SB 200 have all died.