Welcome to another edition of the DGS Privacy & Data Security Legal Update! The goal is to keep you apprised of the latest developments in privacy and data security law. If you have any comments, questions, suggestions, or feedback, please reach out to the author,Camila Tobón.
In this edition, we focus on privacy bills at the U.S. state and federal levels. The states have been the most active, with nearly half the states considering some form of comprehensive privacy legislation. A few bills have also been introduced at the federal level. It’s possible that another one or two states will join California and Virginia with a privacy law. But a federal privacy law still seems far off.
U.S. Developments
Comprehensive privacy legislation pending in several U.S. states
On March 19, 2021, Colorado Senators Rodriguez and Lundeen introduced a bill providing additional protections for the personal data of Colorado residents called the Colorado Privacy Act (SB21-190). To read more about this bill, read our March update here. The bill came up for hearing before the Senate Business, Labor & Technology Committee on May 5, 2021. The Committee approved amendments to the bill, including:
- Clarifications to the definitions of “sale” and “targeted advertising”;
- Narrowing the right to opt-out to targeted advertising, sale, or profiling;
- Shifting sensitive data processing from an opt-in basis to notice and opt-out;
- Adding a notice and 60-day period to cure before an enforcement action can be initiated.
The bill now moves to the Senate Appropriations Committee.
In our prior editions we also covered bills introduced in Alabama, Florida, Minnesota, New York, Oklahoma, Utah, Virginia, and Washington. The Virginia bill has now become law, when it was signed by the governor on March 2, 2021. The Virginia Consumer Data Protection Act (VCDPA) will apply to personal information collected on or after January 1, 2022 and takes effect on January 1, 2023. The law follows a different model than the California Consumer Privacy Act (CCPA). To read more on it, please see our prior update here.
Several other states introduced privacy bills this legislative session. Below is a chart of the currently pending state bills.
|
State |
Bill No. |
Summary |
|
Alabama |
This bill is similar to the CCPA. It is before the House Committee on Technology and Research. |
|
|
Alaska |
These bills are a modified version of the CCPA and include provisions for a data broker registry. Both bills have been referred to Labor & Commerce. |
|
|
Colorado |
This bill is like the new law in Virginia except that the opt-out applies to all personal data processing. It is pending before the Senate Appropriations Committee. |
|
|
Connecticut |
This bill is like the new law in Virginia. A public hearing was held in late February and a substitute bill was then filed. The bill is now before the full Senate. |
|
|
Illinois |
This bill is like the CCPA. It is before the House Rules Committee. |
|
|
Massachusetts |
The Senate bill differs from the other bills because it creates duties of care, loyalty, and confidentiality and requires consent before personal information is collected and processed. It has been referred to the committee on Advanced Information Technology, the Internet and Cybersecurity. |
|
|
Minnesota |
HF 36 is like the CCPA while HF 1492 is like the new Virginia law. Both bills have been referred to the Commerce Finance and Policy Committee. |
|
|
New Jersey |
AB 3283 is like the GDPR in that it requires a legal basis for processing personal information. AB 3255 is like the CCPA. Both bills are before the Science, Innovation and Technology Committee. |
|
|
New York |
SB 567 is like the CCPA. A6042 would require opt-in consent for processing personal information. A680 requires consent to use, process, and disclose, and imposes a fiduciary duty of care. These bills are pending in committee. |
|
|
North Carolina |
This bill is like the VCDPA. It passed first reading in the Senate and has been referred to committee. |
|
|
Pennsylvania |
This bill is like the CCPA. It was referred to the Consumer Affairs Committee in the House. |
|
|
Texas |
This bill is different from the CCPA and Virginia law. It imposes restrictions on use of personal information, in addition to providing consumer rights. The bill is before the Business & Industry Committee. |
Bills filed in Arizona, Florida, Kentucky, Maryland, Mississippi, North Dakota, Oklahoma, Utah, Washington, and West Virginia have died.
From this legislative activity it is clear that two distinct models are emerging – the CCPA model and the VCDPA model. Although both focus on transparency – where covered entities provide clear notice of their personal data handling practices – and control – where consumers are given specific rights with respect to their data – the requirements and implementation differ. As legislative sessions come to a close in the coming weeks, it will be interesting to see which states join California and Virginia and which model emerges as the leading standard.
Four federal privacy bills introduced in 2021
Rep. Suzan DelBene, D-WA, introduced the Information Transparency and Personal Data Control Act in March. The bill directs the Federal Trade Commission (FTC) to enact regulations governing the use of sensitive personal information (SPI), which broadly includes data typically associated with breach notification laws as well as information considered sensitive under the CCPA and VCDPA as well as the content of communications and personal call detail records. With regard to non-SPI, the bill establishes a right to opt out any personal information processing. No private right of action is provided. Instead, enforcement would be by the FTC and state attorneys general.
Sen. Brian Schatz, D-HI, introduced the Data Care Act in March. The bill requires online service providers to (1) reasonably secure individual-identifying data from unauthorized access, (2) refrain from using such data in a way that will result in reasonably foreseeable harm to the end user, and (3) not disclose such data to another party unless that party is also bound by the duties established in the bill. The bill authorizes the Federal Trade Commission and specified state officials to take enforcement actions with respect to breaches of such duties.
Sen. Ron Wyden, D-OR, introduced a bill to amend the FTC Act in late April. As of May 13, 2021, the bill text has not been received for S.1444. But a bill summary states that it establishes requirements and responsibilities for entities that use, store, or share personal information, to protect personal information, and for other purposes.
Sen. Jerry Moran, R-KS, introduced A bill to protect the privacy of consumers also in late April. As of May 13, 2021, text has not been received for S.1494.
The late April rally to introduce new legislation signals a continued interest in data privacy issues. However, it is unlikely that any of these bills will gain traction in the near term. The activity continues to be focused at the state level.