Keypoint: This week the Colorado legislature continued to advance the Colorado Privacy Act, and the Nevada Governor signed into law a bill that will broaden the state’s pre-existing right to opt out of sales as of October 1, 2021.
Below is our fifteenth weekly update on the status of proposed CCPA-like privacy legislation. Before we get to our update, we wanted to provide two reminders.
First, we have been regularly updating our 2021 State Privacy Law Tracker to keep pace with the latest developments. We encourage you to bookmark the page for easy reference.
Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated.
In Colorado, the House Finance and Appropriations Committees passed the Colorado Privacy Act on June 2 and 3, respectively. The bill then passed a second reading on the House floor on the night of June 4. The bill is now scheduled for a third (and final) reading on June 7. The House calendar currently lists 89 bills for consideration so it is possible it could take multiple days for the CPA to be considered.
If the CPA passes a third reading in the House, it will be sent back to the Senate because the of the amendments the House made to the bill that the Senate previously passed. The Senate would have to accept the changes, reject the changes, or reject the changes and ask for a conference committee.
If passed by both chambers, the bill will be sent to Governor Polis who will have thirty days to sign or veto it (the additional time being provided because the bill would be sent to him in the final ten days of the session). If Governor Polis does not act within thirty days, the bill would become law without his signature. (For a description of the Colorado legislative process click here.)
In Nevada, the Governor approved SB260 on June 2. By law, the bill will go into effect on October 1, 2021.
No movement occurred this week with the Connecticut and New York bills. With those legislatures set to adjourn on June 9 and 10, respectively, it does not appear that the bills will pass this year.
Finally, the Texas legislature closed without passing its bill.
To date, state lawmakers have introduced bills in 26 states. Multiple bills were introduced in Alaska, Connecticut, Florida, Illinois, Minnesota, New York, Massachusetts, and Washington. Two states (Virginia and Nevada) have passed legislation whereas the bills in fifteen states (Alabama, Alaska, Arizona, Florida, Kentucky, Maryland, Mississippi, Minnesota, North Dakota, Oklahoma, South Carolina, Texas, Utah, Washington, and West Virginia) have failed.
The below analysis divides the bills into four categories: (1) passed bills, (2) active bills, (3) introduced bills, and (4) dead bills.
Passed bills are those that have become law (i.e., Virginia and Nevada). Active bills are those that have seen some movement, such as a committee hearing or vote. Introduced bills are those that have been introduced in a state legislature but have yet to see any movement (other than, for example, being referred to a committee). Dead bills are (as you might have guessed) bills that have failed.
For links to all of these bills please see our 2021 State Privacy Law Tracker.
On March 2, 2021, Virginia became the second state – after California – to enact state consumer data privacy legislation. You can find our coverage of the Virginia bill here, and you can find the text of the new law here. We also hosted a webinar on the law on March 11. You can access the recording here.
On June 2, the Nevada Governor approved SB260. The bill, which amends Nevada’s online privacy notice statutes, NRS 603A.300-360, will provide Nevada residents with a broader right to opt out of sales when it goes into effect on October 1, 2021.
The Colorado Senate unanimously passed the Colorado Privacy Act on May 26. The bill is now with the Colorado House where it is set for a third floor reading. The Colorado legislature adjourns on June 12.
SB 893, which is similar to Virginia’s Consumer Data Protection Act, was reported out of Legislative Commissioner’s Office on April 8 and given a Senate calendar number. On April 28, it was referred to the Senate Committee on Judiciary. On May 4, it was tabled for the Senate calendar. On May 12, it was referred to the Senate Appropriations Committee. On May 17, it was voted out of the Senate Appropriations Committee and tabled for the Senate calendar. Senate Bill 156, a one-paragraph bill, introduced on January 15 has not seen movement since the Joint General Law Committee held a public hearing on February 25. The Connecticut legislature adjourns on June 9.
On March 15, the Assembly Science, Innovation and Technology Committee held a hearing on three bills (A5448, A3283, and A3255). A recording of the hearing is available here.
As shown on our tracker, New York legislators have proposed a number of consumer privacy bills in 2021. Of note, the New York Privacy Act was reintroduced on May 12 and passed out of the Senate Consumer Protection Committee on May 18. It advanced to a third reading on May 24. The Assembly version of the New York Privacy Act – A680 – was amended and recommitted to the Committee for Consumer Affairs and Protection on May 27. The New York legislature adjourns on June 12.
Illinois is considering two bills.
First, HB 2404 (the Right to Know Act) is presently assigned to the Rules Committee. It had previously been assigned to the Cybersecurity, Data Analytics, & IT Committee. As its name suggests, the Right to Know Act would provide Illinois residents with the right to know certain information regarding their personal information.
In addition to HB 2404, Illinois lawmakers also introduced HB 3910 (entitled the Consumer Privacy Act) on February 22. That bill was assigned to the Judiciary – Civil Committee on March 16, to the Civil Procedure & Tort Liability Subcommittee on March 23 and re-referred to the Rules Committee on March 27. HB 3910 is a modified version of the CCPA.
SD 1726 was filed on February 18, 2021. On March 29, it was referred to the joint committee on Advance Information Technology, the Internet and Cybersecurity. The bill is a modified version of Washington’s People’s Privacy Act. A second bill, HD 3847, was filed in the state house. On April 13, it also was referred to the joint committee on Advanced Information Technology, the Internet and Cybersecurity.
Senate Bill 569 was introduced on April 6 and referred to the Committee on Rules and Operations of the Senate. The North Carolina legislature adjourns on July 2.
House Bill 1126 was introduced on April 7 and referred to the Consumer Affairs Committee.
H.160 is still a short form bill (i.e., only one paragraph long). The bill has been referred to committee and no further action has been taken to date.
Alabama’s HB 216, Alaska’s SB 116 and HB 159, Arizona’s HB 2865, Florida’s HB 969 and SB 1734, Kentucky’s HB 408, Maryland’s SB 930, Minnesota’s HF 36 and HF 1492 / SF 1408, North Dakota’s HB 1330, Oklahoma’s HB 1602, Mississippi’s Senate Bill 2612, South Carolina’s H 3063, Texas’ HB 3741, Utah’s SB 200, Washington’s SB 5062, and West Virginia’s HB 3159 have all died.