UPDATE: The below post discusses whether the Washington Privacy Act is still alive notwithstanding that the House failed to pass the bill prior to the April 11 deadline. In a tweet, bill sponsor Reuven Carlyle stated: “The bill remains alive through the end of the Legislative Session.”
Keypoint: This week bills in Florida and Connecticut continued to progress, the Washington Privacy Act failed to get out of the House at the deadline, and bills in Oklahoma and West Virginia died.
Below is our seventh weekly update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we wanted to provide two reminders.
First, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.
Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.
In Washington, according to the session cutoff calendar, Sunday, April 11 was the last date for the Washington House of Representatives to pass the Washington Privacy Act (WPA) (SB 5062). The WPA appeared on the House calendar but lawmakers never called it for a vote before the session ended late Sunday night. After the April 11 deadline, the House is permitted to consider “initiatives, alternatives to initiatives, budgets and matters necessary to implement budgets, matters that affect state revenue, messages pertaining to amendments, differences between the houses, and matters incident to the interim and closing of the session.” At this point (i.e., the morning after), it is unclear whether the WPA could fit into one of those categories or if it has now failed for the third year in a row. We will keep you posted as we learn more. Further, in a sign that the lawmakers still sharply disagreed on the contours of the WPA, House members had proposed twenty-five amendments that would have needed to be debated prior to a vote Sunday night.
In Florida, SB 1734 passed out of the Rules Committee on April 6. However, before doing so, the bill was heavily watered down. The bill has been placed on the Senate calendar for a second reading. No movement took place with its companion bill, HB 969, this week. Thanks to Joe Duball at the IAPP for keeping us up to date.
In Connecticut, SB 893 was reported out of the Legislative Commissioner’s Office and given a Senate calendar number.
In Oklahoma, the Oklahoma Computer Data Privacy Act did not make it out of the Senate Judiciary Committee by the April 8 deadline for passing bills out of committee. It appears that bill is now dead and we have moved it into our “dead bills” category.
Finally, in West Virginia, the legislature closed its session on April 10 without passing its proposed bill. As a result, we have moved West Virginia into our “dead bills” category.
To date, state lawmakers have introduced bills in 24 states. Alaska, Connecticut, Florida, Illinois, Minnesota, New York, Massachusetts, and Washington are considering multiple bills. One state (Virginia) has passed legislation whereas the bills in six states (Kentucky, North Dakota, Oklahoma, Mississippi, Utah and West Virginia) have failed.
The below analysis divides the bills into four categories: (1) passed bills, (2) active bills, (3) introduced bills, and (4) dead bills.
Passed bills are those that have become law (i.e., Virginia). Active bills are those that have seen some movement, such as a committee hearing or vote. Introduced bills are those that have been introduced in a state legislature but have yet to see any movement (other than, for example, being referred to a committee). Dead bills are (as you might have guessed) bills that have failed.
For links to all of these bills please see our 2021 State Privacy Law Tracker.
On March 2, 2021, Virginia became the second state – after California – to enact state consumer data privacy legislation. You can find our coverage of the Virginia bill here, and you can find the text of the new law here. We also hosted a webinar on the law on March 11. You can access the recording here.
As discussed above, the Washington Privacy Act (WPA) did not pass the House at the April 11 deadline. The People’s Privacy Act (a competing bill supported by the ACLU of Washington) has not seen movement since February 1. The deadline to pass bills out of their house of origin passed on March 9.
SB 893, which is similar to Virginia’s Consumer Data Protection Act, was reported out of Legislative Commissioner’s Office and given a Senate calendar number.
Senate Bill 156, a one-paragraph bill, introduced on January 15 has not seen movement since the Joint General Law Committee held a public hearing on February 25.
The Connecticut legislature adjourns on June 9.
SB 1734 passed out of the Rules Committee agenda on April 6. However, before doing so, the bill was heavily watered down. The bill has been placed on the Senate calendar for a second reading.
A companion bill, HB 969, passed unanimously out of the Civil Justice & Property Rights Subcommittee on March 23. As reported in our prior post, the bill previously passed out of the Regulatory Reform Subcommittee. The bill is now with the Commerce Committee.
The Florida legislature adjourns on April 30.
Illinois is considering two bills.
First, HB 2404 (the Right to Know Act) is presently assigned to the Rules Committee. It had previously been assigned to the Cybersecurity, Data Analytics, & IT Committee. As its name suggests, the Right to Know Act would provide Illinois residents with the right to know certain information regarding their personal information.
In addition to HB 2404, Illinois lawmakers also introduced HB 3910 (entitled the Consumer Privacy Act) on February 22. That bill was assigned to the Judiciary – Civil Committee on March 16, to the Civil Procedure & Tort Liability Subcommittee on March 23 and re-referred to the Rules Committee on March 27. HB 3910 is a modified version of the CCPA.
On March 15, the Assembly Science, Innovation and Technology Committee held a hearing on three bills (A5448, A3283, and A3255). A recording of the hearing is available here.
House Bill 216 was introduced on February 2, 2021. Notably, the bill has attracted 18 Republican sponsors or co-sponsors. However, to date, it has not moved forward and is currently referred to the House committee on Technology and Research. The bill is similar to the CCPA. The Alabama legislature adjourns on May 30.
SB 116 and HB 159 were introduced on March 31. Both bills are in committee. The Alaska legislature adjourns on May 19.
HB 2865 was introduced on February 11, 2021. To date, there have been no hearings or votes taken on the bill. The bill is currently pending in the House Commerce Committee. The bill does not readily track the form or contents of either the CCPA or the Virginia and Washington bills. The Arizona legislature adjourns on April 24.
SB21-190 was introduced on March 19, 2021. It was assigned to the Senate Committee on Business, Labor and Technology. You can read our analysis of the bill here. According to the legislative calendar, the deadline for bills to pass out of the Senate was April 7.
SB 930 (the Maryland Online Consumer Protection Act) was introduced on February 10, 2021. No action has been taken to date. The bill is a modified version of the CCPA. The Maryland legislature adjourns on April 12.
SD 1726 was filed on February 18, 2021. It does not appear that any action has been taken on the bill to date. The bill is a modified version of Washington’s People’s Privacy Act. A second bill, HD 3847, was filed in the state house.
Minnesota is considering two bills – HF 36 and HF 1492 / SF 1408. The bills have not seen movement since being introduced.
HF 36 is a modified (and shortened) version of the CCPA and contains a private right of action. HF 1492 / SF 1408 are similar to the Washington and Virginia bills.
The Minnesota legislature adjourns on May 17.
On March 17, 2021, Nevada lawmakers introduced AB323 and SB260. Although the bills are focused on adding a new “data broker” category to Nevada’s online disclosure law, they also would broaden Nevada’s definition of “sale” in its right to opt out of sales. The Senate Committee on Commerce and Labor held a hearing on SB 260 on March 31, and it appears an amendment is forthcoming. For more information, see our analysis here.
The Nevada legislature adjourns on June 1.
As shown on our tracker, New York legislators have proposed a number of consumer privacy bills in 2021. All of those bills currently sit in committee. However, according to Joe Duball and Joseph Jerome, the Governor’s budget proposal no longer contains privacy provisions.
H 3063 was pre-filed on December 9, 2020 and referred to the Committee on Labor on January 12, 2021. It has not moved since. The bill is limited to providing rights around the collection and use of biometric information. The South Carolina legislature adjourns on May 13.
In Texas, Representative Capriglione filed six bills “related to increasing the protection of consumer data by the private sector.” One bill, HB 3741, is a data privacy omnibus bill. As introduced, the bill is perhaps best described as a heavily modified version of the CCPA, however, there are many aspects of the bill that make it unique, including its creation of three “categories” of data. On March 22, the bill was referred to the House Committee for Business & Industry. The Texas legislature adjourns on May 31.
H.160 is still a short form bill (i.e., only one paragraph long). The bill has been referred to committee and no further action has been taken to date. The Vermont legislature adjourns on May 28.
Kentucky’s HB 408, North Dakota’s HB 1330, Oklahoma’s HB 1602, Mississippi’s Senate Bill 2612, Utah’s SB 200, and West Virginia’s HB 3159 have all died.