State privacy legislation

Keypoint: The Minnesota bill contains several unique requirements and provisions, including a novel right to question the result of a profiling decision, privacy policy provisions that increase interoperability with existing state laws, and new privacy program requirements such as a requirement for controllers to maintain a data inventory.

On May 19, the Minnesota legislature passed the Minnesota Consumer Data Privacy Act (HF 4757 / SF 4782). The bill, which is sponsored by Representative Steve Elkins, was passed as Article 5 of a larger omnibus bill. The bill next moves to Governor Tim Walz for consideration.

The Minnesota bill largely tracks the Washington Privacy Act model but with some significant and unique variations. For example, the bill creates a novel right to question the result of a profiling decision and have a controller provide additional information regarding that decision. It also contains privacy policy requirements that are intended to increase interoperability with other state consumer data privacy laws. Further, the bill contains provisions requiring controllers to maintain a data inventory and document and maintain a description of policies and procedures the controller has adopted to comply with the bill’s provisions. We discuss those requirements and provisions, along with others, in the below article.

As with prior bills, we have added the Minnesota bill to our chart providing a detailed comparison of laws enacted to date. Continue Reading Minnesota Legislature Passes Consumer Data Privacy Act

Keypoint: Last week, Colorado passed children’s privacy and artificial intelligence bills, Vermont passed a consumer data privacy bill, Maryland’s consumer data privacy and AADC bills were signed into law, and Minnesota is on the cusp of passing a consumer data privacy bill.

Below is the sixteenth weekly update on the status of proposed state privacy legislation in 2024.Continue Reading Proposed State Privacy Law Update: May 13, 2024

Keypoint: Last week, the Nebraska Governor signed the Nebraska Data Privacy Act into law, the Maine legislature closed without passing a consumer data privacy bill, Colorado’s biological/neural data bill was signed into law, and there were developments with bills in California, Virginia, Minnesota, Vermont, Wisconsin and Iowa.

Below is the thirteenth weekly update on the status of proposed state privacy legislation in 2024.Continue Reading Proposed State Privacy Law Update: April 22, 2024

Keypoint: Nebraska is the seventeenth state legislature to pass consumer data privacy legislation with a bill that largely tracks the Texas Data Privacy and Security Act.

On April 11, 2024, the Nebraska legislature passed the Nebraska Data Privacy Act (LB 1074). We have been tracking the bill since it was first introduced under LB 1294. That bill never advanced out of committee; however, it was added to LB 1074 in late March as part of a larger multi-subject 139 page bill. The bill unanimously passed Nebraska’s unicameral legislature on April 11. It now heads to Nebraska Governor Jim Pillen. Assuming the bill becomes law, Nebraska will become either the sixteenth or seventeenth state to enact consumer data privacy legislation, depending on whether Maryland’s bill, which passed the Maryland legislature last Saturday, is enacted first.

The Nebraska bill largely tracks the Texas Data Privacy and Security Act, but with some differences we identify below. As with prior bills, we have added the Nebraska bill to our chart providing a detailed comparison of laws enacted to date. We also have added Nebraska to our sensitive data comparison chart.Continue Reading Nebraska Legislature Passes Consumer Data Privacy Bill

Keypoint: Maryland’s bill diverges from other Washington Privacy Act variants passed to date with unique data minimization, sensitive data, minor’s data privacy, and unlawful discrimination provisions (among others).

On April 6, 2024, the Maryland legislature passed the Maryland Online Data Privacy Act of 2024 (MODPA) (SB 541). A companion House bill (HB 567) also appears likely to pass before the legislature closes on April 8. Subject to the procedural formalities in the legislature, the bills will next head to Maryland Governor Wes Moore for consideration.

Assuming MODPA becomes law, Maryland will become the sixteenth state to pass broad consumer data privacy legislation. However, Maryland will be the first state to pass a Washington Privacy Act variant that contains unique provisions regarding data minimization, sensitive data, minor’s data privacy, and unlawful discrimination – among other provisions. In doing so, Maryland injects a new wrinkle into the state privacy law debate much like Washington did with last year’s My Health My Data Act. MODPA also contains a low threshold for applicability such that even smaller companies may need to comply with its provisions.

The below article analyzes MODPA’s contours, including some of its more notable provisions and deviations. We also have added MODPA to our chart providing a detailed comparison of the laws enacted to date. It should be noted that – as of the date of this article – the bills available on the legislature’s website have not yet been updated to reflect the final amendments although we have included those amendments in our analysis.

The Maryland legislature also passed Age-Appropriate Design Code Act companion bills (SB 571 / HB 603). We will provide a separate article analyzing those bills.Continue Reading Maryland Legislature Passes Consumer Data Privacy Bill

Keypoint: Last week, the Maryland legislature passed consumer data privacy and Age-Appropriate Design Code Act bills, the Kentucky Governor signed HB 15 into law, three bills advanced out of a California Assembly Committee, and there was movement with bills in Minnesota, Vermont, Louisiana, Illinois and Colorado.

Below is the eleventh weekly update on the status of proposed state privacy legislation in 2024.Continue Reading Proposed State Privacy Law Update: April 8, 2024