“We need someone who is focused on our concerns, our issues … how we work and how we relate to our donors and fulfill our missions.” - Steve Abrahamson, Vice President, Direct Response, National Audubon Society

Legislation in the States

State Legislatures in Session
(Thursday, September 21, 2023)

Graphic of States in Session as of 9.21.2023

Included below:

Consumer Data Protection & Data Privacy in the States
Donor Privacy and Confidentiality in the States
Charitable Solicitation Laws in the States
Nonprofit Governance in the States
Salary Disclosure in the States

This information is prepared by TNPA staff based on reports supplied by FOCUS, a Leonine business, and up-to-date as of September 21, 2023. Our next update will be on September 28, 2023.

States: Consumer Data Protection / Data Privacy

As anticipated, privacy legislation came back in full force in 2021 after 20+ legislative efforts were derailed by the pandemic in 2020.  The “come back” trend has continued in 2022. Read more here.

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California (from the CA AG website): The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This law secures new privacy rights for California consumers, including:

The right to know about the personal information a business collects about them and how it is used and shared;
The right to delete personal information collected from them (with some exceptions);
The right to opt-out of the sale of their personal information; and
The right to non-discrimination for exercising their CCPA rights.

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

NOW LAW: Colorado SB 190 was signed into law by Governor Polis on July 7, 2021. The law takes effect on July 1, 2023. Major provisions include:

Enable a consumer to opt-out of the processing of their personal information.
Confirm whether or not a controller is processing personal data concerning the consumer and to provide access to that information.
The right to correct inaccurate personal information.
The right to have personal information deleted.
Controllers would be required to provide a meaningful privacy notice to consumers detailing their various rights
Does not contain a private right of action.

Nonprofit organizations are NOT exempted from the requirements of the law.

NOW LAW: Connecticut SB 6/Public Act 22-15, sponsored by Senate President Pro Tempore Martin Looney, D-New Haven, was signed by Democratic Gov. Ned Lamont on May 10 and takes effect July 1, 2023. The law will grant consumers various rights including:

The right to confirm whether or not a controller is processing the consumer’s personal data.
The right to correct inaccuracies in their personal data.
The right to delete personal data provided by or obtained about the consumer.
The right to obtain a copy of the consumer’s personal data processed by the controller.
The right to opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects.

Controllers will be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers will also be prohibited from processing the sensitive data of a consumer without their affirmative consent. The law will not apply to nonprofit organizations, does not provide a private right of action and will grant controllers a right to cure at the discretion of the attorney general. The law will also specify that a controller is not required to authenticate an opt-out request but will be able to deny a request if the controller has reasonable and documented belief that the request is fraudulent. Controllers will be required to send notice to the person making the request that they believe the request is fraudulent.

NOW LAW : Delaware HB 154 was signed into law by Democratic Gov. John Carney on September 11, 2023 and takes effect January 1, 2025. The law does apply to nonprofits. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:

Control or process the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including but not limited to the right to delete data they provided and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 60-day right to cure before the attorney general may initiate any action which would remain in place until December 31, 2025. After that date, the right to cure will be up to the discretion of the attorney general. Controllers will also be required to provide a reasonably accessible, clear and meaningful privacy notice.

NOW LAW: Florida SB 262 was signed by Republican Gov. Ron DeSantis on June 6, 2023 and takes effect July 1, 2024. The law will prohibit government employees or officers from using their positions or state resources for the purposes of social media content moderation. The law contains age-appropriate design code language.

The law will also grant consumers various rights including:

The right to confirm if a consumer’s personal data is being processed and providing access to the data.
The right to correct inaccurate consumer personal data.
The right to delete the consumer’s personal data provided by or obtained about the consumer.
The right to opt-out of processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similar significant effects concerning the consumer.
The right to obtain a copy of the consumer’s personal data in a structured, commonly used and machine-readable format.
The right to opt out of the collection of sensitive data, including precise geolocation data, or the processing of such data.
The right to opt out of the collection of personal data collected by a voice recognition feature.

Controllers will be required to take action on consumer requests within 45 days but could request an extension of an additional 15 days and must establish a process that allows consumers to appeal a controller’s decision not to act on a request to exercise their rights. Controllers will be required to provide two methods for a consumer to submit requests taking into account the ways in which the consumer normally interacts with the controller. Controllers will be required to limit collection of personal data to what is reasonably necessary. Controllers will also be required to conduct data protection assessments for various processing activities involving personal data including targeted advertising and the sale of personal data. The law contains 45 day right to cure language but will give the Department of Legal Affairs the authority to issue guidance notifying controllers that they will not be offered any additional cure periods for future violations. The law does not contain a private right of action and does not apply to nonprofits.

Recent amendments would in part change the definition of targeted advertising to mean displaying to a consumer an advertisement selected based on personal data obtained from that consumer’s activities over time, but would not include an advertisement that is based on the context of a consumer’s current search query on the controller’s own website or online application, or is directed to a consumer search query on the controller’s own website or online application in response to the consumer’s request for information or feedback. Other amendments would prohibit a tracking entity from collecting a consumer’s tracking information without the consumer’s consent, or from collecting a consumer’s tracking information while the collecting technology is not in active use by the consumer without the consumer’s consent for continued collection. Tracking information would include precise geolocation and biometric information.

NOW LAW: Indiana SB 5, sponsored by Senate Judiciary Chair Liz Brown, R-Fort Wayne, was signed by Republican Gov. Eric Holcomb on May 1 and takes effect January 1, 2026. The law will apply to businesses that conduct business in the state or produces products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or processes the personal data of 25,000 or more consumers and derives more than 50 percent of their revenue from the sale of personal data. The law will grant consumers various rights including, but not limited to, the right to delete data and opt-out of the sale of their personal data. The law will apply to nonprofit organizations and does not contain a private right of action.

NOW LAW: Iowa SF 262 was signed by Gov. Kim Reynolds on March 28 and takes effect January 1, 2025. The law will apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:

Controls or processes personal data of at least 100,000 consumers.
Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including but not limited to the right to delete data they provided and opt-out of the sale of their personal data. The bill does not contain a private right of action but does contain a 30-day right to cure before the attorney general could initiate any action. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice.

NOW LAW: Montana SB 384/Chapter 681, sponsored by Sen. Daniel Zolinkov, R-Billings, was signed into law by Republican Gov. Greg Gianforte on May 19, 2023. The bill will apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and:

Control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.

The law will grant consumers various rights including but not limited to the right to delete data they provided and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 60-day right to cure before the attorney general could initiate any action. Controllers will also be required to provide a reasonably accessible, clear and meaningful privacy notice.

NOW LAW: Oregon SB 619 was signed by Democratic Gov. Tina Kotek on July 18 and takes effect July 1, 2024. The law does not exempt nonprofits. The law will apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year either controls or processes:

The personal data of 100,000 or more consumers, personal data from 100,000 or more devices that identify or that link to or are reasonably linkable to one or more consumers, or personal data from a combination of 100,000 or more consumers and devices.
The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.

It will grant consumers various rights including, but not limited to, the right to delete personal data whether or not the data was previously provided, obtain a copy of that data and opt out of the sale or sharing of their data. Controllers will be required to provide a reasonably accessible, clear and meaningful privacy notice and conduct a data protection impact assessment involving specified processing activities. The bill does not contain a private right of action.

NOW LAW: Oregon HB 2052 was signed by Democratic Gov. Tina Kotek on July 27 and took immediate effect with the registration provisions becoming operative January 1. The law will require data brokers to annually register with the Department of Consumer and Business Services. The law will impose a $500 penalty for each day the company fails to register with a maximum penalty of $10,000.

NOW LAW: Texas HB 4 was signed by Republican Gov. Greg Abbott on June 18, 2023 and takes effect July 1, 2024. It does not apply to nonprofit organizations. The law will in part require controllers to honor global privacy controls such as a browser setting as a request to opt-out and exempt and includes 501(c)19 under the definition of a nonprofit organization. The law will apply only to a person that:

Conducts business in this state or produces a product or service consumed by residents of this state.
Processes or engages in the sale of personal data.
Is not a small business as defined by the United States Small Business Administration.

The law will grant consumers various rights, including the right to their personal data and to opt out of the processing of their personal data for various purposes such as the sale of data. The law contains 30 day right to cure language and does not contain a private right of action.

NOW LAW: Utah SB 227 was signed by Republican Gov. Spencer Cox on March 24 and takes effect December 31, 2023. The law will grant consumer’s various rights including:

The right to confirm whether a controller is processing the consumer’s personal data and to access their data.
The right to correct inaccurate personal data.
The right to delete the consumer’s personal data.
The right to obtain their personal data in an easily portable format.
The right to opt-out of the processing of their data for the purposes of targeted advertising or the sale of personal data.

The law does not apply to nonprofit organizations and does not contain a private right of action.

NOW LAW: Virginia SB 1392, known as the Virginia Consumer Data Protection Act, was signed by Governor Ralph Northam on March 2, 2021, and will take effect on January 1, 2023.  The CDPA grants consumers the right to confirm, correct, and delete personal data and opt-out of use of data for advertising or sale.  It includes an opt-in consent requirement for sensitive data.  Nonprofits are largely exempt.

The following bills, each amending a portion of the Virginia Consumer Data Protection Act (2021) have been passed by both houses of the General Assembly and are awaiting the signature of the Governor:

VA SB 393, was presented to the governor on on March 11, alongside an identical bill, HB381 (see below).
VA SB 516, sponsored by Sen. David Marsden, D-Burke, which would authorize the attorney general to pursue actual damages to the extent they exist if a controller or processor continues to violate the bill. The bill would also include political organizations under the definition of a nonprofit and abolish the consumer privacy fund. The bill passed the House Energy and Commerce Committee on February 24 and the House on March 1.
Virginia HB 381 was delivered to Republican Gov. Glenn Youngkin on March 11. Governor Youngkin will have until April 11 to sign or veto the bill or it becomes law. The bill would amend the Consumer Data Protection Act to specify that a controller that has obtained personal data about a consumer from a source other than the consumer would be deemed in compliance with a consumer’s request to delete such data by either retaining a record of the deletion request and the minimum data necessary for ensuring the consumer’s personal data remains deleted or by opting the consumer out of the processing of that data for targeted advertising, sale or profiling. An identical bill, SB 393, was also presented to the governor on that same day.
VA HB 714, sponsored by Del. Cliff Hayes, D-Chesapeake, passed the Senate General Laws and Technology Committee and the Senate Finance and Appropriations Committee on March 2 and the Senate on March 2. The bill is now pending delivery to Republican Gov. Glenn Youngkin. The bill would include political organizations under the definition of a nonprofit.

PROPOSED LAWS:

Alaska HB 159 [The legislature adjourned without further action on May 18, 2022] sponsored by the House Rules Committee at the request of Republican Gov. Mike Dunleavy, was heard in the House Rules Committee on March 18; the committee received an overview of various state privacy efforts from Ryan Harkins a Senior Director of Public Policy at Microsoft but did not vote on the bill during the hearing. This broad privacy bill would:

Require a business that collects a consumer’s personal information to notify the consumer before collecting the information and provide various disclosures.
Grant consumers the right to request a business provide specified information including the categories and specific pieces of personal information that the business collects.
Grant consumers the right to request deletion of their personal information collected by a business from the preceding five years.
Grant consumers the right to request the disclosure of personal information sold or disclosed to third parties.
Grant consumers the right to opt out of the sale of their personal information.
Prohibit third parties from disclosing information unless it was collected in compliance with the bill’s other provisions.
Provide for a private right of action for violations of the bill.
Require the annual registration of data brokers with the commissioner of commerce.

Alaska HB 222 [The legislature adjourned without further action on May 18, 2022], sponsored by Rep. George Rauscher, R-Sutton, was pre-filed on January 7. The bill was referred to the Labor & Commerce Committee on January 18. The bill would require a business that collects a consumer’s personal information to notify a consumer, at or before the point of collection, of the following:

The categories of personal information and sensitive personal information the business will collect and the purposes and whether the business will sell or share the information.
The length of time the business will retain each category of personal information.
The proviso the business cannot retain personal information for longer than is reasonably necessary for the specified purpose.

The bill would also grant consumers the right to:

Correct inaccurate personal information.
Receive a disclosure about the categories of information collected, sources of that information, specific pieces of information collected and the business or commercial purpose for collecting, sharing, or selling.
Direct the business not to sell or share their personal information, i.e., opt out.
Limit the businesses’ use of sensitive personally identifiable information.
Receive a disclosure with specified information about the sale of their data.

The bill contains a private right of action but only for data breaches.

California SB 362 passed the Assembly Privacy and Consumer Protection Committee on June 27, 2023 and is now pending in the Assembly Appropriations Committee after being amended and transferred from the Assembly Judiciary Committee on June 10, 2023. This bill would require the California Privacy Protection Agency to establish an appropriate deletion mechanism for data brokers to implement that would allow consumers to make requests about their personal information, including data deletion and to opt out of the collection, sale, retention or sharing of their personal data.

California SB 362 was heard in the Assembly Appropriations Committee on August 16, 2023 where it was referred to the suspense file. The suspense file is a holding place for bills that carry a fiscal impact of $150,000 or more and may be voted out eventually to continue the legislative process. This bill, dubbed the Delete Act, seeks increased limitations on data brokers that amass and sell personal information collected online. It would create a portal for residents to remove personal data that has been collected by the 486 registered data brokers in the state, from purchase history to internet browsing habits. The bill would also require data brokers to register with the California Privacy Protection Agency and disclose the types of information they collect.

California SB 362: After being amended and passed by the Assembly on September 13, 2023, California SB 362 passed the Senate on September 14 and was enrolled on September 18. The bill currently awaits engrossment and delivery to the governor.

California AB 1546 was heard in the Senate Appropriations Committee on August 21, 2023 where it was referred to the suspense file. The suspense file is a holding place for bills that carry a fiscal impact of $150,000 or more and may be voted out eventually to continue the legislative process. The bill would extend the statute of limitations for action brought by the attorney general to enforce the CCPA to five years after the accrual of the cause of action.

California AB 1546 was heard in the Senate Appropriations Committee on September 1, 2023 where the bill remains pending.

Delaware HB 262 passed the House with amendments on May 5, 2022, and was heard in the Senate Banking, Business and Insurance Committee on June 8; the committee took testimony, including from Vermont Deputy Attorney General Christopher Curtis, but did not vote on the bill during the hearing. The bill would require data brokers to annually register with the consumer protection unit of the Department of Justice and pay an annual fee. As part of the registration process the data broker would be required to provide the following information:

The name and primary physical, email and internet address of the data broker and links to all applicable privacy policies.
The method consumers can use to opt-out if the data broker permits consumers to do so.
A statement specifying the data collection, databases, or sales activities from which the data broker does not allow a consumer to opt-out.
A description of the data broker’s processes for verifying the purchasers of its brokered personal information. A separate statement would also be required if the broker deals the personal information of minors.
The number of data security breaches that the data broker has experienced within the past three years.
Answers to specified questions including whether the data broker limits the use of personal information by a purchaser or licensee.

The bill does not contain a private right of action.

District of Columbia B24-451, sponsored by City Council Chair Phil Mendelson is a verbatim rendition of a model law very recently proposed by the Uniform Law Commission. The bill will be known as the “Uniform Personal Data Protection Act of 2021” and is slated to be referred to the Judiciary and Public Safety Committee on November 2. The bill would:

It would grant consumers the right to copy or correct their personal data.
Permit “compatible” data practices without consent if the processing of the data is consistent with the expectations of the data subject or is likely to benefit the data subject.
Prohibit data practices that may cause a substantial risk of harm to data subjects including processing likely to cause harassment, financial harm or that fails to provide reasonable data security.
The bill would permit incompatible data practices which include practices neither prohibited or compatible with a consumer’s consent. Tailored messaging including advertising would be considered a compatible use.
Does not contain a private right of action.

Florida HB 9, sponsored by Rep. Fiona McFarland, R-Sarasota, passed the House Commerce Committee with a substitute on February 10, 2022. Known as the Florida Privacy Act, the legislation is dead for a second consecutive year after the Senate did not act on the bill amid House and Senate budget negotiations, Florida Politics reports. The bill is expected to be reintroduced next year. The bill would require a controller that collects personal information about a consumer to maintain an online privacy policy that is updated at least every 12 months and contains:

A list of categories of personal information the business collects.
The consumer’s right to request deletion or correction of personal information.
The consumer’s right to opt-out of the sale or sharing to third parties.

A controller that collects personal information would be required to:

Inform consumers of the categories of personal information to be collected and the purposes for which the information will be used.
To adopt and implement a retention schedule that prohibits the use or retention of the information after the initial purpose has been fulfilled or three years after the consumer’s last interaction with the controller.

The bill would also grant a consumer various rights including:

The right to request a copy of personal data collected, sold or shared.
The right to have personal data deleted or corrected.
The right to opt-out of the sale or sharing of their personal data. Once a consumer has opted-out, controllers would be required to wait at least 12 months before requesting a consumer to authorize the sale or sharing of their data.

Florida HB 1547, sponsored by Rep. Fiona McFarland, R-Sarasota, was filed on March 7, 2023 and has not yet been referred to a committee. The bill would define a controller to mean a sole proprietorship, partnership, limited liability company, corporation, association or legal entity that meets the following requirements:

Is organized or operated for the profit or financial benefit of its shareholders or owners.
Does business in this state.
Collects personal information about consumers or is the entity on behalf of which such information is collected.
Determines the purposes and means of processing personal information about consumers alone or jointly with others.
Makes in excess of $1 billion in gross revenues, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
Satisfies one of the following:
- Derives 50 percent or more of its global annual revenues from providing targeted advertising or the sale of ads online.
- Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle.

The bill would, in part:

Prohibit a controller from collecting a consumer’s precise geolocation data or personal information through a voice recognition feature, without their authorization.
Require a controller that operates a search engine to provide a consumer with information of how the controller’s search engine algorithm prioritizes or deprioritizes political partisanship or political ideology in its search results.
Require a controller that collects personal information about consumer’s to maintain an up to date privacy policy that meets specified requirements.
Require controllers or direct processors to inform consumers, at or before the point of collection, the categories of personal information to be collected and the purposes for which the information will be used.
Grant consumers the right to:
- Request a copy of their personal information that is collected, sold or shared including the third parties to which the personal information was sold or shared.
- Have personal information deleted or corrected.
- Opt-out of the sale or sharing of their personal data. Controllers would be required to post a link on their homepage entitled “Do Not Sell or Share My Personal Information” that enables a consumer to opt-out.
Require contracts between controllers and processors to contain specified language including prohibiting the processor from selling, sharing, retaining, using or disclosing the personal information for purpose that violates the bill’s provisions.
Prohibit social media companies that are predominately accessed by children from collecting, selling or sharing the personal information of any known child.

Controllers would be defined as any sole proprietorship, partnership, limited liability company, corporation or association that meets specified requirements including making in excess of $1 billion in global revenue. The bill does not contain a private right of action. A similar bill, SB 262, sponsored by Sen. Jennifer Bradley, R-Fleming Island, has been scheduled for a hearing in the Senate Commerce and Tourism Committee on March 13 at 3:30 PM. Similarly, Republican Gov. Ron DeSantis recently unveiled a proposed digital bill of rights. A press release about the proposal can be found here with specific details of the proposal being found here.

Florida HB 1547, passed the House Regulatory Reform and Economic Development Subcommittee with a substitute on March 29. While the text of the substitute was not immediately available two associated amendments have been released. The first makes technical changes and the second adds a section relating to the safety of children in online spaces. The bill is now pending in the House Commerce Committee.

Florida HB 1547, passed the House Commerce Committee on April 24, 2023 and is now pending on the House second reading calendar.

A similar bill, SB 262, sponsored by Sen. Jennifer Bradley, R-Fleming Island, passed the Senate Rules Committee with a substitute on April 24, 2023. The bill is now pending on the Senate Special Order Calendar for April 28, 2023. A full analysis of the substitute’s numerous changes can be found here.

Georgia SB 394, sponsored by Sen. Greg Dolezal, R-Cumming, was introduced on January 26, 2022, and has not yet been referred to a committee. The bill, to be known as the Georgia Computer Data Privacy Act, would entitle consumers to various privacy rights including:

The right to request the categories and specific items of personal information that a business has collected on them.
The right to request deletion of their personal information. Businesses would be required to direct service providers to delete the consumer’s information.
The right to request the categories of information that a business has sold or disclosed for a business purpose, as well as the categories of third parties to whom the information was sold or disclosed.
The right to opt-out of the sale of their personal data and could authorize someone else to opt-out on their behalf.

Businesses would be required to provide notice to consumers on their internet homepage that:

The personal information could be sold.
Identifies the persons to whom the data would or could be sold.
The pro rata value of the consumer’s personal information.
The consumer has the right to opt-out of the sale of their data.

Businesses would also be required to provide a link on their homepage that allows a consumer to opt-out of the sale of their data. Beginning September 1, businesses would not be allowed to sell personal data to a third party without a consumer’s consent. Third parties would not be able to further sell the data unless a consumer has received notice and opts-in to the sale of their data. Businesses would not be allowed to collect personal data without first providing notice and obtaining the consumer’s consent. The bill would grant consumers a private right of action in addition to enforcement by the attorney general.

Hawaii SB 21, sponsored by Senate Judiciary Committee Chair Karl Rhoads, D-Honolulu, was referred to the Senate Commerce and Consumer Protection Committee on January 20, 2022. The bill would propose an amendment to the state constitution establishing the right of each person to own and have an exclusive property right in the data they generate on the internet.

Hawaii SB 974, sponsored by Senate Assistant Majority Whip Chris Lee, D-Honolulu, was filed on January 23, 2022 and has not yet been referred to a committee. The bill would grant consumers the following rights:

The right to confirm whether or not a controller is processing the consumer’s personal data.
The right to correct inaccuracies in the consumer’s personal data that the consumer previously provided to the controller.
The right to delete personal data provided by or obtained about the consumer.
The right to obtain a copy of their personal data in a format that is portable, to the extent technically feasible, is readily usable and allows the consumer to transmit the data to a controller without hinderance.
The right to opt-out of processing for the purposes of target advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without their affirmative consent. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child and precise geolocation data. The bill would require controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice. The bill would apply to businesses that conduct business in the state or produces products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or processes the personal data of 25,000 or more consumers and derives more than 25 percent of their gross revenue from the sale of personal data. The bill does not apply to nonprofit organizations and does not contain a private right of action. Prior to initiating any action the Department of the Attorney General would be required to provide 30 days’ notice and provide a right to cure. A similar bill, SB 1110, sponsored by Senate Assistant Majority Whip Gilbert Keith-Agaran, D-Maui, was filed on January 23 and has not yet been referred to a committee. Notable differences found in SB 1110 include but are not limited to:

Modifying the right obtain a copy of their personal data by specifying that the format would be required to allow the consumer to transmit the data to another controller only where the processing is carried out by automated means.
Specifying that the bill would apply to businesses that conduct business in the state or produces products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or processes the personal data of 25,000 or more consumers and derives more than 50 percent of their gross revenue from the sale of personal data.
The inclusion of a private right of action and the absence of any right to cure provisions.

Hawaii SB 974, passed the Senate Commerce and Consumer Protection Committee with amendments on February 15, 2023. The text of amendments was not immediately available; however, during the hearing the committee noted they would be adopting the recommended amendments put forward by the attorney general.

Hawaii SB 974, passed the Senate following a 23-1 vote on March 7. Recent amendments exempt the national insurance crime bureau from the bill’s provisions and specify that if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller would be required to disclose the processing to the affected consumer.

Hawaii HB 1497, sponsored by House Speaker Scott Saki, D-Honolulu, was referred to the House Higher Education and Technology Committee on January 30 and passed that committee with amendments on February 1. While the text of the amendment was not immediately available the committee noted during the hearing that changes will include:

The removal of provisions that give consumers the right to access their personal data.
The addition of a 30 day right to cure.
The removal of the private of action.

The bill would grant consumers the following rights:

The right to confirm whether or not a controller is processing the consumer’s personal data.
The right to correct inaccuracies in the consumer’s personal data that the consumer previously provided to the controller.
The right to delete personal data provided by or obtained about the consumer.
The right to obtain a copy of their personal data in a format that is portable, to the extent technically feasible, is readily usable and allows the consumer to transmit the data to another controller, where the processing is carried out by automated means.
The right to opt-out of processing for the purposes of target advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without their affirmative consent. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child and precise geolocation data. The bill would require controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice. The bill would apply to businesses that conduct business in the state or produces products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or processes the personal data of 25,000 or more consumers and derives more than 50 percent of their gross revenue from the sale of personal data. The bill does not apply to nonprofit organizations. A companion bill, SB 1110, sponsored by Senate Assistant Majority Whip Gilbert Keith-Agaran, D-Maui, was referred to the Senate Commerce and Consumer Protection Committee on January 27.

Iowa HSB 12, sponsored by the House Economic Growth and Technology Committee, passed a subcommittee on January 23. The bill remains pending in the House Economic Growth and Technology Committee. The bill would grant consumers the following rights:

The right to confirm whether or not a controller is processing the consumer’s personal data.
The right to delete personal data provided by the consumer.
The right to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller with an exception for specified personal information that is subject to security breach protection.
The right to opt-out of processing for the purposes of target advertising or the sale of personal data.

Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without providing a consumer with clear notice and the opportunity to opt-out. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child and precise geolocation data. The bill would require controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice. The bill would apply to businesses that conduct business in the state or produces products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or processes the personal data of 25,000 or more consumers and derives more than 50 percent of their revenue from the sale of personal data. The bill exempts nonprofits. The bill does not contain a private right of action but does contain a 30-day right to cure before the attorney general could initiate any action. A companion bill, SSB 1071, was referred to the Senate Technology Committee on January 23.

Kentucky SB 15, sponsored by Sen. Whitney Westerfield, R-Hopkinsville, was referred to the Senate Committee on Committees on January 3. The bill would require controllers to comply with authenticated consumer requests to exercise the right to:

Confirm whether or not a controller is processing the consumer’s personal data and to access that data.
Delete personal data provided by the consumer.
Obtain a copy of the consumer’s personal data in a portable and, to the extent possible, readily usable format.
Opt out of targeted advertising.
Opt out of tracking.
Opt out of the sale or sharing of their personal data.

Controllers would be required to establish, implement and maintain reasonable data security practices and could not process sensitive data concerning a consumer for a nonexempt purpose without giving them the opportunity to opt-out. Upon a request of the attorney general’s office a controller would be required to provide the agency with the specific third parties, if any, with whom the controller shares or sells personal data including the location where they retain the data, the length of time they retain the data and the third party’s use or uses of the data. The bill contains 30 day right to cure language and a limited private right of action which would only apply if a controller or processor fails to cure the violation within the 30 day timeframe. The bill would apply to entities that control or process personal data of at least 25,000 consumers or derive over 40 percent of gross revenue from the sale of data. The bill would not apply to nonprofit organizations. A similar bill from last session, SB 15, also sponsored by Senator Westerfield did not advance last session. Notable changes from last year’s bill include:

Raising the threshold entities need to meet to 25,000 consumers up from 10,000.
Adding requirements for state agencies, who remain exempt, to maintain an accessible privacy notice and establish, implement and maintain reasonable data security standards. State agencies would be prohibited from sharing data with third parties unless the data is aggregated and deidentified.
Adding exemptions for organizations that do not provide net earnings or benefit to any officer, employee or shareholder and only collects, processes, uses or shares data solely in relation to assisting:
- Law enforcement agencies with suspected insurance related criminal or fraudulent acts.
- First responders in connection with catastrophic events.
Adding exemptions for national securities associations and legal entities and their affiliates conducting research.
Expanding the information exempted from the bill to include data processed by utilities and data processed or maintained in the course of an individual applying to, employed by or acting as the agent of a controller processor or third party.
Adding language that permits consumers to opt-out via user-enabled global privacy controls such as a browser plug-in or privacy setting. Consumers could also designated another person to act on their behalf.
Extending the deadline for controllers to respond to 45 days rather than 30.
Adding requirements that controllers provide a quarterly report to the legislative research commission and attorney general with specified information the categories of personal data processed, the amount of personal data in each category and the number of identifiable consumers whose data was processed.
Requiring the data protection impact assessment to be conducted within 30 days of becoming a controller. Assessments would be required to be immediately updated upon any material change in the nature or volume of data controlled, processed, sold traded or shared.

Kentucky SB 15, passed the Senate with an amendment following a 32-2 vote on March 15. The substitute would in part limit civil remedies to appropriate injunctive relief. The bill would apply to persons that conduct business in this state or produce products or services that are targeted to residents of this state and that during a calendar year control or process personal data of at least 25,000 consumers or derive over 40 percent of gross revenue from the sale of personal data. It would grant consumers various rights including but not limited to the right to delete personal data they previously provided, obtain a copy of that data and prohibit the sale or sharing of their data. Controllers would be required to provide a reasonably accessible, clear and meaningful privacy notice and to conduct a data protection impact assessment involving specified processing activities. The bill contains a private right of action but would grant businesses a 30 day right to cure.

Maryland SB 698, sponsored by Senate President Pro Tempore Malcom Augustine, D-Cheverly, was referred to the Senate Finance Committee on February 6 and has been scheduled for a hearing in that committee on March 8 at 1:00 PM. While the bill text was not immediately available the bill summary states, “Establishing generally the manner in which a controller or a processor may process a consumer’s personal data; authorizing a consumer to exercise certain rights in regards to the consumer’s personal data; requiring a controller of personal data to establish a method for a consumer to exercise certain rights in regards to the consumer’s personal data; regulating the use of biometric data by a controller; etc.” A companion bill, HB 807, sponsored by Del. Sara Love, D-Bethesda, was referred to the House Economic Matters Committee on February 8 and also does not currently have any associated bill text.

Maryland HB 807, sponsored by Del. Sara Love, D-Bethesda, has been scheduled for a hearing in the House Economic Matters Committee on February 22 at 1:00 PM. The bill would grant consumer’s the following rights:

The right to confirm whether a controller is processing the consumer’s personal data.
The right to access their data if a controller is processing a consumer’s personal data.
The right to correct inaccuracies in the consumer’s personal data that the consumer previously provided to the controller.
The right to delete personal data provided by or obtained about the consumer.
The right to obtain a copy of their personal data in a format that is portable, to the extent technically feasible, is readily usable and allows the consumer to transmit the data to another controller, where the processing is carried out by automated means.
The right to opt-out of processing for the purposes of target advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without their affirmative consent. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child and precise geolocation data. The bill would apply to businesses that conduct business in the state or produces products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or processes the personal data of 25,000 or more consumers and derives more than 25 percent of their revenue from the sale of personal data. The bill does apply to nonprofit organizations but does contain a private right of action. A companion bill, SB 698, sponsored by Senate President Pro Tempore Malcom Augustine, D-Cheverly, was referred to the Senate Finance Committee on February 6 and has been scheduled for a hearing in that committee on March 8 at 1:00 PM.

Minnesota SF 950, sponsored by Sen. Eric Lucero, R-St. Michael, was referred to the Senate Commerce and Consumer Protection Committee on January 30. The bill would prohibit a business from collecting, using or disclosing a consumer’s personal information without the consumer’s consent. In order to receive a consumer’s consent a business would be required, at or before the point of collection, to notify the consumer of:

The categories of personal information the business collects about the consumer.
The categories of sources from which the business collects the personal information about the consumer.
The purpose of collecting each category of personal information.
The categories of persons to which the personal information could be disclosed and the purpose for the disclosure, for each category of personal information.

A business would not be permitted to collect additional categories of personal information or disclose additional personal information without providing notice and obtaining the consumer’s consent. The bill would define business to mean “an individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, or any other legal or commercial entity that is organized or operated for the profit or financial benefit of the business’s shareholders or other owners.” The bill would define personal information to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” The bill contains a private right of action. It does not currently have a companion.

Minnesota HF 1367, sponsored by Rep. Mohamud Noor, DFL-Minneapolis, was referred to the House Commerce, Finance and Policy Committee on February 6. The bill would require a business that collects personal information about a consumer to notify a consumer at or before the point of collection of the following:

The categories of personal information the business collects about the consumer.
The categories of sources from which the business collects the personal information.
The business or commercial purpose for collecting each category of personal information.
The service providers that each category will be shared with and the business purpose for the disclosure.
The consumer’s right to access personal information.
The consumer’s right to deletion of personal information.

A business that sells personal information to a third party would be required to notify the consumer regarding the categories of information that could be sold, the categories of third parties to which the information could be sold and that they have the right to opt-out of the sale. The third party would be prohibited from selling the information unless the consumer has received explicit notice and is afforded the opportunity to opt-out. Businesses must provide at least two designated requests addresses including a conspicuous link on the website homepage titled “Do Not Sell My Personal Information.” The bill contains a private right of action. Last session, an identical bill, SF 36, also sponsored by Representative Noor, failed to advance.

New Hampshire HB 314, sponsored by Rep. Keith Erf, R-Weare, which was referred to the House Judiciary Committee on January 9. The bill has been scheduled for a hearing in that committee on January 19 at 10:00 AM. A prior bill, HB 597, also sponsored by Representative Erf, passed the House las session.

New Hampshire SB 255, sponsored by Senate Judiciary Committee Chair Shannon Carson, R-Londonderry, was heard in that committee on February 14. The committee heard from the bill sponsor, Ryan Harkins with Microsoft, the attorney general’s office and Andrew Kingman with the State Privacy and Security Coalition and Tech Net and the New Hampshire Business and Industry Association but did not take any action on the bill. Video of the hearing can be found here. The bill would grant consumer’s the following rights:

The right to confirm whether or not a controller is processing the consumer’s personal data, unless doing so would require a controller to reveal a trade secret.
The right to correct inaccuracies in the consumer’s personal data taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
The right to delete personal data provided by or obtained about the consumer.
The right to obtain a copy of their personal data in a format that is portable, to the extent technically feasible, is readily usable and allows the consumer to transmit the data to another controller, where the processing is carried out by automated means and provided that a controller would not be required to reveal a trade secret.
The right to opt-out of processing for the purposes of target advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

New Hampshire SB 255, sponsored by Senate Judiciary Committee Chair Shannon Carson, R-Londonderry, passed the Senate with an amendment on March 16, 2023. The amendments would specify the bill would apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or controlled or processed the personal data of not less than 25,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data. Other recently adopted amendments would, in part, exempt various activities from the definition of targeted advertising. The bill would in persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state. The bill would grant consumers various rights including the right to collect inaccuracies in their personal data and delete their data. Controllers would be required to limit collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice. The bill does not contain a private right of action but does contain a 60 day right cure.

New Hampshire SB 255 was heard in a House Judiciary Subcommittee on June 28, 2023. The committee also considered HB 314 which regulates the collection, retention and use of personal information by government entities and establishes a cause of action for violations of an individual’s expectation of privacy in personal information. The committee discussed the possibility of combining the two bills but did not do so. The committee heard from former Rep. Neal Kurk, R-Weare, who argued for several changes in SB 255, including turning the bill into an opt-in bill and including a private right of action and a lobbyist for Microsoft. The committee also heard from the New Hampshire Municipal League on HB 314. The committee is next scheduled to meet at some point in September and has until mid-November to decide on a course of action.

New Hampshire SB 255 has been scheduled for a work session in the House Judiciary Subcommittee on October 11, 2023 at 10:00 AM. The bill does not apply to nonprofits. The committee is also scheduled to consider HB 314 which regulates the collection, retention and use of personal information by government entities and establishes a cause of action for violations of an individual’s expectation of privacy in personal information.

New Jersey AB 4811, sponsored by Asm. Bill Moen, D-Camden, was referred to the Assembly Science, Innovation and Technology Committee on October 20, 2022. The bill would require the Division of Consumer Affairs to establish and maintain a data broker registry. Data brokers would be required to pay a registration fee of $100 per year and provide the following following information:

The name and primary physical, email and internet addresses of the data broker.
Whether the data broker permits a consumer to opt-out of the data brokers’ collection practices including the method to request an opt-out.
A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out.
Whether the data broker uses a credentialing process for purchasers of the data.
Any information the data broker has about the security breaches it has experienced.
A separate statement detailing the data collection practices, database sales activities, and opt out methods that are applicable to minors as well as whether the data broker has any knowledge that it possess the brokered personal information of minors.
Any information the division deems appropriate to implement.

Brokered personal information would include but not be limited to: name, address, date of birth, unique biometric data and social security number. Data brokers would not inlcude e-commerce platforms, 411 directory asssistance services, providing publicly available information related to a consumer’s business or profession, and providing publicly available information via real time alert services for health and safety purposes.

New Jersey SB 332, sponsored by Senate Majority Whip Troy Singleton, D-Delran, passed the Senate following a 27 to 11 vote on February 2, 2023. The bill is now pending in the Assembly Science, Innovation and Technology Committee, which has taken no action as of February 22. The bill would require commercial internet websites and online service operators to notify consumers of the collection and disclosure of personally identifiable information to third parties including:

The categories of the personal identifiable information that the operator collects through the internet website or online service.
All third parties with which the operator could disclosure a consumer’s personally identifiable information.
Whether a third party could collect personally identifiable information over time and across different commercial internet websites.
A description of the process for an individual consumer to review or request changes to their personal information.
The process by which an operator notifies consumers of material changes to the required notification.

An operator would be required to create a webpage that, by verified request, allows a consumer to opt out of the sale of their personally identifiable information.

New Jersey SB 332, passed the Assembly Science, Innovation and Technology Committee with amendments on May 11, 2023. The amendments specify that an operator would be required to create a webpage that, by verified request, allows a consumer to opt into the sale of their personally identifiable information rather than the opt-out standard used in prior versions of the bill.

New York SB 365, sponsored by Senate Consumer Protection Committee Chair Kevin Thomas, D-Levittown, was referred to that committee on January 4, 2023. This bill, to be known as the New York Privacy Act, would require a controller to facilitate certain consumer rights including:

The right to confirm if a consumer’s personal data is being processed and providing access to the data.
The right to correct inaccurate consumer personal data.
The right to delete the consumer’s personal data if certain conditions are met.
The right to opt-out the processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similar significant effects concerning the consumer.
The right a copy of the consumer’s personal data in a structured, commonly used and machine-readable format.

When a consumer objects, the consumer would be required to communicate the consumer’s objection to any third parties. The bill would define personal data to include any information relating to an identified or identifiable natural person but would not include de-identified data. The bill contains a private right of action and does not exempt nonprofits.

New York SB 365, passed that committee on April 25, 2023. An identical bill from last year, SB 6701 also sponsored by Senator Thomas, did not advance last session.

New York SB 365, passed the Senate Internet and Technology Committee with amendments on May 22, 2023 and is now pending in the Senate Finance Committee. The amendments in part exempt nonprofits and remove the private right of action.

New York SB 365, was amended and re-referred to Senate Finance Committee on June 4, 2023. The amendment in part removes language relating to automated decision making.

New York SB 365, passed the Senate on June 8, 2023 and was referred to the Assembly Consumer Affairs and Protection Committee. The legislature adjourned for the year on June 10, however, the bill will carryover. The bill does not apply to nonprofits.

The bill also contains provisions that require data brokers to annually register with the attorney general. The bill does not contain a private right of actions. A similar bill, AB 7423, which will also carryover, covers nonprofits and was amended and re-referred to the Assembly Codes Committee on June 5, 2023.

New York AB 417, sponsored by Assembly Consumer Affairs and Protection Committee Chair Nily Rozic, D-Queens, was referred to that committee on January 9. The bill, to be known as the “Right to Know Act,” would require a business that retains a customer’s personal information to make that information available to the customer free of charge upon request. If a business discloses the information to third parties it would be required to provide the names and contact information of the third parties that received the information and the categories of personal information that were disclosed. Personal information include but is not limited to identity information such as name, alias nicknames and usernames as well as physical addresses, email addresses, telephone numbers and birthdate or age.

New York SB 2277, sponsored by Sen. Brian Kavanagh, D-New York City, was referred to the Senate Internet and Technology Committee on January 19. The bill, to known as the “Digital Fairness Act” would specify that covered entities are required to make both a long form and short form privacy policy, which could be no more than 500 words long, persistently and conspicuously available. A covered entity would be required to ensure that individuals interact with the short form privacy policy upon their first visit to the covered entity’s website or mobile application. A covered entity would be required to obtain freely given, specific, informed and unambiguous opt-in consent before processing an individual’s personal information or making changes in the processing of their personal information. The option to withhold consent would be required to be as prominently displayed as the option to consent and the covered entity must provide a mechanism for an individual to withdraw consent. Interaction with the entities terms of service or privacy policy would not constitute opt-in consent. Covered entities would be prohibited from discriminating against individuals who do not opt-in but would be able to process information to operate a loyalty program provided the information is only processed for the operation of the program and opt-in consent is obtained.

A covered entity would be required to respond to verified requests from individuals no later than 90 days after they are received. A covered entity would be prohibited from disclosing captured personal data to third parties unless the third party is contractually bound to meet the same privacy and security obligations as the covered entity. A covered entity would be prohibited from processing information it has obtained from third parties unless it has obtained and individual’s opt-in consent. Individual’s aged 13 and older would be able to exercise rights granted under the bill’s provisions. The bill would provide a private right of action with liquidated damages of $10,000 per violation or actual damages, whichever is greater. The bill would also allow the attorney general, city attorney or district attorney to initiate an action with court penalties that could include injunctive relief or fines of $25,000 or four percent of annual revenue, whichever is greater. The bill does not currently have a companion. A prior bill, AB 6042, sponsored by Asm. Catalina Cruz, D-Queens, died in the Assembly Consumer Affairs and Protection Committee last session.

New York SB 3163, sponsored by Senate Judiciary Committee Chair Brad Hoylman, D-New York City, was referred to the Senate Consumer Protection Committee on January 30.

The bill, to be known as the “Right to Know Act,” would require a business that retains a customer’s personal information to make that information available to the customer free of charge upon request. If a business discloses the information to third parties it would be required to provide the names and contact information of the third parties that received the information and the categories of personal information that were disclosed. Personal information would include but is not limited to identity information such as name, alias nicknames and usernames as well as physical addresses, email addresses, telephone numbers and birthdate or age. A companion bill, AB 417, sponsored by Assembly Consumer Affairs and Protection Committee Chair Nily Rozic, D-Queens, was referred to that committee on January 9.

New York AB 3593, sponsored by Asm. Linda Rosenthal, D-New York City, which was referred to the Assembly Consumer Affairs and Protection Committee on February 3. The bill does not currently have a companion.

New York AB 6319, sponsored by Asm. Michaelle Solages, D-Valley Stream, which was referred to the Assembly Science and Technology Committee on April 3, 2023. This privacy bill is identical to the federal American Data Privacy Protection Act which was introduced in congress last session. The bill does not currently have a companion.

North Carolina SB 525, sponsored by Sen. Bobby Hanig, R-Powell’s Point, which was referred to the Senate Rules and Operations Committee on April 4, 2023.

Ohio HB 376, sponsored by Rep. Rick Carfagna, R-Genoa Township, passed the House Government Oversight Committee with a substitute on February 9, 2022. The bill has support of Republican Gov. Mike DeWine.

The bill (the Ohio Personal Privacy Act) would grant consumers:

the right to obtain a copy of their personal data
the right to deletion of any personal data collected for a business purpose
the right to have any inaccurate personal information corrected
the right to opt-out of the sale of their personal information.

The bill would apply to businesses that satisfy one or more of the following three criteria: Annual gross revenues exceeding $25 million; Processes or controls the data of 100,000 or more consumers; Derives over half of its revenue from the sale of personal data and processes or controls data on 25,000 or more consumers.

Significantly, the bill contains a private right of action.

Oklahoma HB 1030, sponsored by Rep. Josh West, R-Grove, was prefiled on January 4. The legislature is scheduled to convene its 2023 session on February 6. The bill is identical to the engrossed version of HB 2969, sponsored by former Rep. Colin Walke, D-Oklahoma City, which passed the House last session but did not advance further. This broad privacy bill would in part require businesses that meet the specified threshold to:

Notify consumers on its website that they have the right to opt-in to the sale of their personal data and provide a method to do so.
Obtain a consumer’s consent before collecting their personal data.
Upon consumer request, disclose personal data as well as the data that is shared and the categories of parties with whom the information was shared.
Delete data, including data that was shared with third parties, upon consumer request.
Respond to requests within 45 days with extensions.

The bill would prohibit a business from:

Sharing personal data to third parties unless it is necessary to provide a requested good or service or for security purposes.
Denying services or altering prices based on a consumer’s rights granted in the measure.

The bill does not apply to nonprofits and does not contain a private right of action.

Oklahoma HB 1030 passed the House with amendments following a 84 to 11 vote on March 8, 2023 and is now pending in the Senate. The amendment changes the effective date of the bill to one year after enactment. This opt-in privacy bill would apply to a business that does business in this state, collects consumers’ personal information or has that information collected on the business’ behalf, alone or in conjunction with others, determines the purpose for and means of processing consumers’ personal information, and satisfies one or more of the following thresholds:

- Annual gross revenue in an amount that exceeds $15 million.
- Alone or in combination with others, annually buys, sells or receives or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices.
- Derives 25 percent or more of the business’ annual revenue from selling consumers’ personal information.

It would also apply to an entity that controls or is controlled by a business as described above and that shares the same or substantially similar brand name and/or common database for consumers’ personal information. The bill would require businesses to notify consumers on its website that they have the right to opt-in to the sale of their personal data and provide a method to do so. Businesses would also be required to obtain a consumer’s consent before collecting their personal data. The bill does not contain a private right of action.

Pennsylvania HB 2202 was heard in the House Consumer Affairs Committee on May 25; the committee took testimony from Microsoft and SPSC, among others, but did not vote on the bill during the hearing. This broad privacy bill would grant consumers various rights including the right to:

Know whether a business is processing personal information about the consumer.
Know whether their personal information is processed for the purposes of targeted advertising or the sale of personal information.
Decline or opt out of the processing of personal information for specified purposes including targeted advertising.
Access, correct, and delete their information.

The bill does not include a private right of action.

The bill would specify that personal information processed by a business or service provider could only be processed only to an extent that is necessary, reasonable and proportionate for an authorized purpose. The bill would not include a private right of action. The bill would only apply to businesses that have annual gross revenues of more than $20 million, buys, receives, sells or shares the data of 100,000 or more consumers, or derives 50 percent or more of its annual revenue from selling consumers personal information.

Pennsylvania HB 2257, sponsored by Rep. Malcom Kenyatta, D-Philadelphia, was referred to the House Consumer Affairs Committee on January 20. The bill, to be known as the Pennsylvania Consumer Data Protection Act, is modeled after the Virginia law and would grant consumers various rights including:

The right to confirm whether or not a controller is processing the consumer’s personal data and the right to access that data.
The right to correct inaccurate personal data.
The right to delete their personal data.
The right to obtain a copy of the consumer’s personal data in a portable and, to the extent possible, readily usable format.
The right to opt-out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The bill contains right to cure language providing controllers or processors 30 days to rectify any violations under the bill. The bill does not contain a private right of action and does not apply to nonprofit organizations.

Pennsylvania HB 708, sponsored by Rep. Malcom Kenyatta, D-Philadelphia, was referred to the House Commerce Committee on March 27. The bill would apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:

Controls or processes personal data of at least 100,000 consumers.
Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

The bill would grant consumer various rights including, but not limited to, the right to delete data they provided and opt-out of the sale of their personal data. The bill does not contain a private right of action but does contain a 30-day right to cure before the attorney general could initiate any action. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice.

Pennsylvania HB 1201, sponsored by Rep. Ed Neilson, D-Philadelphia, has been scheduled for a hearing in the House Consumer Affairs Committee on September 6, 2023 at 11:00 AM. The bill does not apply to nonprofits. The bill would apply to businesses that meet one or more of the following thresholds:

Has annual gross revenues in excess of $10 million.
Alone or in combination, annually buys or receives, sells or shares for commercial purposes, alone or in combination, the personal information of at least 50,000 consumers, households or devices.
Derives at least 50 percent of annual revenues from selling consumers’ personal information.

It would grant consumers various rights including, but not limited to, the right to delete personal data whether or not the data was previously provided, obtain a copy of that data and opt out of the sale of their data. Controllers would be required to provide a reasonably accessible, clear and meaningful privacy notice and to conduct a data protection impact assessment involving specified processing activities. The bill does not contain a private right of action. A bill last session, HB 1126, also sponsored by Representative Nelson did not advance.

Pennsylvania HB 1201 was heard in the House Commerce Committee on September 6, 2023 and remains pending in that committee. The committee heard testimony from the Pennsylvania Retailers Association, Insurance Federation Pennsylvania and TechNet. The bill does not apply to nonprofits.

Rhode Island HB 5354, sponsored by Rep. Evan Shanley, D-Warwick, which was referred to the House Innovation, Internet and Technology Committee on February 3.

Rhode Island HB 5354 was heard House Innovation Internet and Technology Committee on March 2, 2023 where the committee held the bill for further study. The bill, to be known as the Rhode Island Data Transparency and Privacy Protection Act, would require online service providers and commercial websites that collect, store and sell personally identifiable information to disclose what categories of personally identifiable information they collect and to what third parties they sell the information.

Tennessee SB 73, sponsored by Sen. Bo Watson, R-Hixon, was prefiled on January 4. The legislature is scheduled to convene on January 10, 2023. Senator Watson serves as the Chair of both the Finance, Ways and Means and Rules committees. The bill, to be known as the “Tennessee Information Protection Act,” would require controllers to comply with authenticated consumer requests to exercise the right to:

Confirm whether or not a controller is processing the consumer’s personal data and to access that data.
Delete personal data provided by the consumer.
Obtain a copy of the consumer’s personal data in a portable and, to the extent possible, readily usable format.
Opt out of the sale of their personal data.

Controllers would be required to respond to authenticated requests within 45 days but could request an extension of an additional 45 days to comply. Controllers would also be required, in part, to:

Limit the collection of personal information to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer.
Not process personal information for purposes that is beyond what is reasonably necessary.
Establish, implement and maintain reasonably data security practices.
Not process sensitive data without obtaining the consumer’s consent.
Conduct and document a data protection assessment of various processing activities including but not limited to processing information for the purposes of targeted advertising or the sale of personal information.

The bill would also require a controller or processor to create, maintain and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology framework. The bill contains 60 day right to cure language but does not contain a private right of action. The bill would apply to entities that control or process personal data of at least 100,000 consumers or at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of data. The bill does not apply to nonprofits.

Tennessee SB 73 has been scheduled for a hearing in the Senate Commerce and Labor Committee on March 14, 2023 at 1:30 PM. The bill would apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:

- Controls or processes personal data of at least 100,000 consumers.
- Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

The bill would grant consumers various rights including but not limited to the right to delete data they provided and opt-out of the sale of their personal data. The bill does not contain a private right of action but does contain a 60-day right to cure before the attorney general could initiate any action. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice.

Tennessee SB 73 has been placed on the Senate floor calendar for April 13, 2023 after previously being deferred on March 30, 2023 and April 6, 2023. A companion bill, HB 1181, passed the House Commerce Committee on April 4, 2023 and is now pending on the House calendar for April 10, 2023.

Tennessee HB 1181, unanimously passed the House on April 10, 2023 and is now pending committee referral in the Senate. The bill would apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:

Controls or processes personal data of at least 100,000 consumers.
Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

Tennessee HB 1181 was delivered to Republican Gov. Bill Lee, who will have until May 18, 2023 to sign or veto the bill or it becomes law.

Texas HB 1844, sponsored by Rep. Giovanni Capriglione, R-South Lake, was filed on February 3 and has not yet been referred to a committee. The bill, to be known as the Texas Data Privacy and Security Act, would grant consumers the right to:

Confirm whether or not a controller is processing the consumer’s personal data.
Correct inaccuracies in the consumer’s personal data that the consumer previously provided to the controller.
Delete personal data provided by or obtained about the consumer.
Obtain a copy of their personal data if the data is available in a digital format.
Opt-out of processing for the purposes of target advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. The bill would require controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice. The bill would apply to businesses that:

Conduct business in the state or produce a product or service consumed by residents of the state.
Process or engage in the sale of personal data.
Are not a small business as defined by the Small Business Administration.

It does not apply to nonprofit organizations. The bill contains 30 day right to cure language and does not contain a private right of action.

Vermont HB 121, sponsored by House Commerce and Economic Development Committee Chair Michael Marcotte, R-Newport, was referred to that committee on January 26. The bill has been scheduled for a hearing in that committee on February 9 at 9:00 AM and will feature testimony from Democratic Attorney General Charity Clark, who drafted the bill, and Assistant Attorney General Ryan Kriger The bill would, in part, require a data collector’s collection, use, retention and sharing of personal information to be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or for another disclosed purpose that is compatible with the context in which the personal information was collected. A data collector that obtains personal information from a source other than the consumer would be prohibited from using that information for a purpose inconsistent with the purpose for which it was initially collected or for a purpose inconsistent with any notice or consent involved in the initial data collection. Data collectors would be prohibited from retaining information if they are unable to determine the initial purpose, notice or consent.

The bill would also specify that consumers have rights specified by rule of the attorney general with regard to their personal information. On or after July 1, a data collector that processes for the purposes of targeted advertising, predictive analytics, tracking, or the sale of personal information, or is otherwise a data broker would be required to allow consumers to opt out of the processing of their data for those purposes through a user-selected universal opt-opt out mechanism that meets the technical specifications established by the attorney general. Data brokers would be required to report data security breaches to the attorney general within 14 days and to consumers within 45 days. The bill would grant consumers the right to request a data broker to:

Stop collecting the consumers data.
Delete all data in its possession about the consumer.
Stop selling the consumer’s data.

Data brokers would be required to establish a simple procedure for consumers to submit requests and would be required to comply within 10 days of a request being submitted. A consumer would also be able to submit an opt out request by filing it the secretary of state who would be required to develop a form to facilitate consumer’s general opt out. The secretary of state would also be required to maintain a data broker opt out list of consumers who have requested a general opt out along with the specific type of opt out. Data brokers would be required to review this list once every 31 days to ensure compliance. Data brokers would be required to maintain reasonable procedures designed to ensure that the brokered personal information it discloses is used for a legitimate and legal purpose. These procedures would require prospective users of the information to certify the purposes for which the information is sought, and that the information will not be used for any other purpose. Data brokers would be required to make a reasonable effort to identify a new prospective user prior to furnishing the information. The bill also contains numerous provisions relating to biometric information including language that would prohibit a person who has collected or stored a consumer’s biometric identifier from using, selling, leasing or otherwise disclosing the biometric identifier to another person for a specific purpose unless consent has been obtained.

Vermont HB 121, was heard in that committee on February 9. The committee heard from Democratic Attorney General Charity Clark and Andrew Kingman of the State Privacy and Security Coalition among others but did not take any action during the hearing.

Vermont HB 121, was heard in that committee on March 29. The committee heard from Maureen Mahoney with the California Privacy Protection Agency who gave the committee an overview of the California Privacy Rights Act and how that compares to HB 121, as well as briefly touching on the California Age Appropriate Design Code. Chair Marcotte said the committee will take a closer look at “dark patterns” as well as language around minors. The committee is scheduled to consider the bill at additional hearings on April 4 and April 6 at 9:00 AM. During the April 4 hearing the committee is scheduled to receive a walkthrough of a recently released draft of the bill along with additional testimony from the Vermont Banker’s Association, the Association of Vermont Credit Unions and Blue Cross/Blue Shield of Vermont among others. While the bill did not meet crossover deadline this year Marcotte is hoping to move the bill out of the House this year to position the bill for action next year. The proposed language would amend the bill with provisions similar to other privacy legislation currently pending around the country.

Vermont HB 121, was heard in that committee on April 6, 2023. The committee heard from Technet, ANA and a local resident but did not vote on the bill.

Virginia HB 1688, sponsored by House Communications, Technology and Innovation Committee Chair Emily Brewer, R-Smithfield, was prefiled on January 9 and has not yet been referred to a committee. The legislature began its 2023 session on January 11. The bill would amend the Consumer Data Protection Act to require operators to obtain verifiable parental consent prior to registering any child with the operator’s product or service or before collecting, using, or disclosing such child’s personal data. The bill would also prohibit a controller from knowingly processing the personal data of a child for purposes of:

Targeted advertising.
The sale of such personal data.
Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

The bill would also amend the definition of child under the act to include any natural person younger than 18 years of age. A companion bill, SB 1026, sponsored by Sen. David Suetterlein, R-Roanoke, was prefiled and referred to the Senate General Laws and Technology Committee on January 7.

Virginia HB 1688, passed committee with a substitute on January 30. The amendment removes references to and the definition of operator form the bill. The bill would amend the Consumer Data Protection Act to require operators to obtain verifiable parental consent prior to registering any child with the controller or processor’s product or service or before collecting, using or disclosing such child’s personal data.

Virginia SB 1026, sponsored by Sen. David Suetterlein, R-Roanoke, was heard in the Senate General Laws and Technology Committee on January 18; the committee took testimony but did not vote on the bill. The bill would amend the Consumer Data Protection Act to require operators to obtain verifiable parental consent prior to registering any child with the operator’s product or service or before collecting, using, or disclosing such child’s personal data. The bill would also prohibit a controller from knowingly processing the personal data of a child for purposes of:

Targeted advertising.
The sale of such personal data.
Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

The bill would also amend the definition of child under the act to include any natural person younger than 18 years of age. A companion bill, HB 1688, sponsored by House Communications, Technology and Innovation Committee Chair Emily Brewer, R-Smithfield, is pending in that committee.

Washington HB 1616, sponsored by Rep. Shelley Kloba, D-Kirkland, was referred to the House Civil Rights and Judiciary Committee on January 26, 2023. The bill, to be known as the people’s privacy act, would afford a consumer various rights including:

The right to know what personal information a covered entity processes, including the categories and specific pieces of personal information the covered entity possesses.
The right to access and obtain their personal information that is processed by a covered entity, in a machine-readable format.
The right to refuse consent for any processing of their personal information that is not essential to the primary transaction.
The right to correct inaccurate personal information.
The right to require a covered entity or data processor to delete their information.
The right not to be subject to surreptitious surveillance.

Covered entities would be required to make both a long form and short form privacy policy, which could be no more than 500 words long, persistently and conspicuously available. A covered entity would be required to ensure that individuals interact with the short form privacy policy upon their first visit to the covered entity’s website or mobile application. A covered entity would be required to obtain freely given, specific, informed and unambiguous opt-in consent before processing an individual’s personal information or making changes in the processing of their personal information. The option to withhold consent would be required to be as prominently displayed as the option to consent and the covered entity must provide a mechanism for an individual to withdraw consent. Interaction with the entities terms of service or privacy policy would not constitute opt-in consent. Covered entities would be prohibited from discriminating against individuals who do not opt-in but would be able to process information to operate a loyalty program provided the information is only processed for the operation of the program and opt-in consent is obtained. The biggest difference between this version and last session’s HB 1433 is the addition of language that would require covered entities to conduct a data processing assessment of specified processing activities including targeted advertising.

A covered entity would be required to respond to verified requests from individuals no later than 30 days after they are received but could request additional time under certain circumstances. A covered entity would be prohibited from disclosing captured personal data to third parties unless the third party is contractually bound to meet the same privacy and security obligations as the covered entity. A covered entity would be prohibited from processing information it has obtained from third parties unless it has obtained and individual’s opt-in consent. Individual’s aged 13 and older would be able to exercise rights granted under the bill’s provisions. The bill would provide a private right of action with liquidated damages of $10,000 per violation or actual damages, whichever is greater. The bill would also allow the attorney general, city attorney or county prosecutor to initiate an action with court penalties that could include injunctive relief or fines of $25,000 or four percent of annual revenue, whichever is greater. A companion bill, SB 5643, sponsored by Senate Majority Caucus Chair Bob Hasegawa, D-Seattle, was referred to the Senate Environment, Energy and Technology Committee on January 31.

West Virginia HB 3498, sponsored by House Technology and Infrastructure Committee Chair Daniel Linville, R-Milton, was referred to that committee on February 14. The bill would grant consumer’s the following rights:

The right to confirm whether a controller is processing the consumer’s personal data and to access that data.
The right to correct inaccuracies in the consumer’s data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
The right to delete personal data provided by or obtained about the consumer.
The right to obtain a copy of their personal data in a format that is portable, to the extent technically feasible, is readily usable and allows the consumer to transmit the data to another controller, where the processing is carried out by automated means.
The right to opt-out of processing for the purposes of target advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without their affirmative consent. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child and precise geolocation data. The bill would apply to businesses that conduct business in the state or produces products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or processes the personal data of 25,000 or more consumers and derives more than 50 percent of their revenue from the sale of personal data. The bill would not apply to nonprofit organizations. It contains 30 day right to cure language but does not contain a private action. Another bill, HB 3453, sponsored by Del. Kayla Young, D- Kanawha, was also referred to the House Technology and Infrastructure Committee on February 14.

States: Donor Privacy and Confidentiality

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: Georgia SB 534 was signed by Republican Gov. Brian Kemp on May 2, 2022 and took immediate effect. The law prohibits state agencies, absent the showing of compelling interest, to impose any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. Any additional reporting or filing requirements are required to be narrowly tailored to achieve the compelling state interest. The bill defines charitable organizations as 501(C)3 organizations.

NOW LAW: Indiana HB 1212, sponsored by House Speaker Pro Tempore Mike Karickhoff, R-Kokomo, was signed by Republican Gov. Eric Holcomb and takes effect July 1. The law will prohibit, with certain exceptions, a state or local agency from collecting or disclosing information that identifies an individual or business entity as a member, supporter, volunteer, or donor of financial or nonfinancial support to a nonprofit organization.

NOW LAW: New Hampshire SB 302/Chapter 336 was signed by Republican Gov. Chris Sununu on July 25, 2022 and takes effect January 1. The law will prohibit a public agency from:

Requiring an individual or entity to provide the public agency with personal information.
Releasing, publicizing or otherwise publicly disclosing any data that directly or indirectly identifies a person as a member, supporter, volunteer, or donor of financial or nonfinancial support.
Requiring any current or perspective contractor or grantee to provide the agency with a list of entities exempt from federal income taxation to which it has provided financial or nonfinancial support.

NOW LAW: New York SB 4817A (companion A 1141A) was passed by the Senate on June 9, followed by the Assembly on June 10. It was delivered to Gov. Hochul on November 1 and she signed it into law on November 12, 2022.

This legislation was necessary to undo a rider on 2020 budget legislation inserted by then Gov. Cuomo. That rider would have required all nonprofits registered with the Attorney General under the solicitation law to perform a duplicative (literally) registration with the NY Dept of State. It also would have required confidential donor information (that provided in Form 990 Schedule B) to be provided to the Department but with looser protections than afforded to the same information by the AG’s office (the AG collected Sched B from registrants until dissuaded by the U.S. Supreme Court donor privacy decision in July 2021).

Strong objections to wasteful duplicate reporting and to the prospective disclosure of private donor information led two New York nonprofits (Nonprofit New York and Lawyer’s Alliance) to lead a grassroots effort, joined by TNPA, to support SB 4817A. That effort was successful.

NOW LAW: Virginia SB 324/Chapter 19, sponsored Sen. Jill Vogel, R-Upperville, was signed by Republican Gov. Glenn Youngkin on August 4, 2022 and takes effect January 1, 2023. The law will prohibit a state agency from:

Requiring an individual or entity to provide the public agency with personal donor information.
Requiring any bidder, offeror, contractor or grantee of the organization to provide the agency with personal donor information.
Disclosing personal donor information without the express written permission of every individual who is identifiable from the potential release of such information, including identifiable as members, supporters or volunteers, or donors to the agency.

PROPOSED BILLS:

Hawaii HB 2416 was delivered to Democratic Governor David Ige on May 4 who will have until May 18 to act on the bill or it becomes law. The bill would in part require 501(c)4 organizations operating as a noncandidate committee to disclose the name and address of donors who donate an aggregate of more than $10,000. The bill would prohibit donations from being used for electioneering communications, independent expenditures or contributions without the written consent of the donor.

Louisiana SB 179, a look-a-like bill to Georgia SB 534 (see above), was delivered to Democratic Gov. John Bel Edwards on May 27 who will have until June 6 to sign or veto the bill or it becomes law. The bill would prohibit state agencies, absent the showing of compelling interest, impose any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. The legislature would be able to review any requirements that are more restrictive. The bill defines charitable organizations as a person who holds himself out to be benevolent, civic, recreational, educational, voluntary, health, law enforcement, social service, philanthropic, fraternal, humane, patriotic, religious, or eleemosynary organization.

Missouri HB 2120 passed the House on April 6 and passed the Senate Government Accountability and Fiscal Oversight Committee with a substitute on May 9. The bill would prohibit a public agency from:

Requiring an individual to provide the public agency with personal information.
Requiring any 501(c) tax exempt organization to provide the public agency with personal information.
Releasing, publicizing, or otherwise publicly disclosing personal information in possession of the agency.
Requiring any current or perspective contractor or grantee to provide the agency with a list of entities exempt from federal income taxation to which it has provided financial or nonfinancial support.

Nebraska LB 823 was heard in the Government, Military and Veterans Affairs Committee on January 27; information from the hearing was not immediately available. The bill would prohibit the state from imposing any annual filing or reporting requirement on a charitable organization that is more stringent than already required.

North Carolina SB 636 was passed by the House Judiciary Committee with a substitute on on August 19 on a vote of 59-33 and by the Senate on August 25 by 25-19. Both votes were strict party line, Republicans in favor, Democrats opposed. It was sent to Gov. Roy Cooper for signing or veto on August 27. The Governor, a Democrat, vetoed the bill on September 3, saying the legislation was unnecessary and could prejudice existing campaign contribution laws. At this writing, it is unclear whether the legislature will seek to override the veto. An override requires a 60% vote in each chamber.

The bill would have exempted, except as specifically required by state and federal law, nonprofit donor information from disclosure under the public records law, including any attachments or other information submitted with IRS 990 or 990-EZ forms. The bill also defines donor information as “confidential” in numerous instances in NC law in which state officials and legislators are prohibited from using, or restricted in their use of, “confidential information.”

Pennsylvania HB 2087, sponsored by Rep. John Hershey, R-Mifflintown, was referred to the House State Government Committee on November 16. Joined as co-sponsors were eight additional Republican Representatives, including State Government Committee Chair Grove. The bill’s intent is to prohibit state agencies from collecting or disclosing any information which would identify an individual as a donor/supporter of a nonprofit organization, except when required by law to do so.

The prohibition would apply to:

An agency’s request made to an individual.
An agency’s request made to a charitable organization seeking information on individual donors.
An agency’s request made to a current or prospective contractor or grantee seeking the names of charitable organizations to which they have provided financial or nonfinancial support.

The legislation would also make it illegal for an agency to “Release, publicize or otherwise publicly disclose...” donor information in its possession.

States: Charitable Solicitation

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California AB 488 Governor Gavin Newsom signed the bill into law on October 7, 2021. The law takes effect January 1, 2023.

TNPA participated in a multi-year stakeholder process for this legislation which resulted in many necessary changes to the original draft created by the Attorney General’s office. Nevertheless, significant issues remain to be resolved through the means of rulemaking during the course of the coming year. The Attorney General conducts the rulemaking. The bill’s stakeholders, including TNPA, will undoubtedly participate in the process.

The bill establishes new requirements for online fundraising by third parties. However, the legislation is NOT applicable to a charity’s own website and online fundraising. Entities defined in the legislation as a “fundraising platform” or “platform charity” would be required to register with the AG and to submit annual reports. The legislation requires a number of compelled disclosures designed to give prospective donors adequate information (such as fees to be deducted from the intended gift, how long it may take for the beneficiary nonprofit to receive its gift, etc.).

The new California categories of solicitation law oversight are unique and will surely draw the attention of charity officials in other states. It is likely other states will let the California experiment play out rather than rush to emulate. Nonprofits currently receiving significant funds from the newly regulated platforms will also be watching. It is not a forgone conclusion the legislation and forthcoming regulations will strike the right balance between protecting donors and allowing support dollars to flow to nonprofit missions.

NOW LAW: Illinois HB 1197/Public Acts 121 was signed by Democratic Gov. J.B. Pritzker on June 30, 2023 and takes effect January 1, 2023. The bill would provide that every charitable organization that receives contributions in excess of $750,000, rather than the $300,000 specified under existing law, would be required to file a written report with the attorney general with specified information. The bill would also require organizations that receive contributions in excess of $25,000 but less than $750,000 to file a simplified report with the attorney general.

NOW LAW: Indiana SB 302/Public Law 40, sponsored by Senate Judiciary Committee Chair Liz Brown, R-Fort Wayne, was signed by Republican Gov. Eric Holcomb on April 20, 2023 and takes effect July 1, 2023. The law will prohibit state agencies or officials from imposing filing or reporting requirements on charitable organizations that are more stringent or burdensome than those imposed by or authorized under state or federal law.

NOW LAW: Louisiana SB 179/Act 262 was signed by Democratic Gov. John Bel Edwards on June 3, 2022 and took immediate effect. The law prohibits state agencies from imposing any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. The legislature can review any requirements that are more restrictive. The law defines charitable organizations as a person who holds himself out to be benevolent, civic, recreational, educational, voluntary, health, law enforcement, social service, philanthropic, fraternal, humane, patriotic, religious or eleemosynary organization.

NOW LAW: New Hampshire SB 375/Chapter 173 was signed by Republican Gov. Chris Sununu on June 7, 2022 and takes effect August 6. The law will prohibit the state from imposing any annual filing or reporting requirement on a charitable organization that is more stringent than already required under existing law. The law will also raise the compulsory audit threshold for annual reporting by nonprofits from $1 million to $2 million.

NOW LAW: North Carolina SB 429/Session Law 119 was signed into law by Democratic Gov. Roy Cooper on September 14, 2023. The law took immediate effect with certain provisions taking effect October 1. The law will increase the qualifying income threshold for exemption from charitable solicitation requirements to $50,000 from $25,000. The law will also specify that licensure applications are considered filed as of the date they are postmarked or electronically submitted.

NOW LAW: Tennesse SB 1935/Chapter 773 was signed by Republican Gov. Bill Lee on April 8, 2022 and took immediate effect. The law removes requirements that financial statements, annual event applications, charitable solicitation applications and athlete agent registrations filed with the secretary of state be sworn under penalty of perjury.

NOW LAW: Tennessee SB 868 was signed by Republican Gov. Bill Lee on April 4, 2023 and takes effect July 1, 2023. The law will extend the prohibitions, requirements and penalties that already apply to telephone solicitations to text message solicitations.

NOW LAW: Virginia HB 1748/Chapter 289 was signed by Republican Gov. Glenn Youngkin on March 23, 2023 and takes effect July 1, 2023. The law will expand the definition of solicitation to include requests made via email. It will also require any contract between a professional solicitor and charitable or civic organization to specify the percentage of gross contributions that the civic organization will receive or the terms upon which a determination can be made. The contract will also be required to specify that at least every 90 days the professional solicitor would be required to provide the charitable or civic organization with access to and use of all information in the professional solicitor’s possession concerning contributors.

PROPOSED BILLS:

Arkansas SB 484, sponsored by Sen. Clarke Tucker, D-Little Rock, was referred to the Senate Insurance and Commerce Committee on March 27, 2023. The committee heard the bill on March 30; however, information from the hearing was not immediately available. The bill would exclude bequests to a charitable organization that is received from a decedent’s estate and testamentary distribution to a charitable organization that is received from a trust from the definition of a charitable contribution.

Connecticut HB 5222 passed the House on May 3; however, the legislature adjourned on May 4 so the bill will not advance further. The bill codifies recent federal caselaw relating to the Connecticut Solicitation of Charitable Funds Act that rendered various provisions relating to the regulation of paid solicitors unenforceable. Specifically, the bill would:

Reduce to one day, rather than the current 20 days, the notice a solicitor is required to give the Department of Consumer Protection before starting a campaign.
Eliminate the requirement that copies of the campaign “script” be shared with DCP ahead of the campaign.
Eliminate the requirement that the solicitor disclose the percentage of gross revenue the charitable organization will receive. A similar requirement to disclose the percentage on written solicitations would also be eliminated.
Raises the compulsory audit threshold for annual reporting by nonprofits from $500K to $1 million (an overdue and welcome update – not among the constitutionally required changes).

The bill would eliminate the requirement that solicitors share donor names and addresses with the department, though solicitors would still be required to maintain this information internally. However, the AG’s right to inspect donation records would be limited to date and amount with donor identity explicitly excluded. This change is evidently in deference to the U.S. Supreme Court donor privacy ruling in Bonta (go here for more information).

Illinois SB 72 passed the Senate Judiciary Committee on February 7, 2023 and is now pending on the Senate floor. The bill would provide that every charitable organization that receives contributions in excess of $500,000, rather than the $300,000 specified under existing law, would be required to file a written report with the attorney general with specified information. The bill would also require organizations that receive contributions in excess of $25,000 but less than $500,000 to file a simplified report with the attorney general. A companion bill, HB 5814, sponsored by Rep. Maurice West, D-Rockford, was referred to the House Rules Committee on January 31.

Illinois SB 72 has been placed on the Senate third reading calendar for March 21, 2023.

Maryland HB 72, sponsored by Del. Courtney Watson, D-Ellicott City, was heard in the Senate Judicial Proceedings Committee on March 22; the committee heard from the bill sponsor only and took no action on the bill. The bill would require registration statements to be on a form provided by the secretary of state along with various requirements regarding what the form should contain. However in place of a required audit or financial review the bill would permit organizations to submit supporting documents and an affidavit that attests, among other requirements, that the organization does not use professional solicitors.

Massachusetts HD 1304, sponsored by Rep. Paul McMurtry, D-Dedham, was prefiled on January 18, 2023. The bill would require telemarketers to disclose the percentage share of the contribution raised by a charitable solicitation that will be received by the charitable organization. A similar bill, Oklahoma HB 2268, sponsored by Rep. Ty Burns, R-Pawnee, was prefiled on January 19. The legislature is scheduled to convene its 2023 session on February 6.

Mississippi SB 2077, sponsored by Sen. Chris Johnson, R-Hattiesburg, was referred to the Senate Judiciary Division A Committee on January 9. The bill would raise the audit threshold for charitable organizations from $500,000 to $750,000. The bill would also clarify that this threshold is based on a cash basis measurement only.

Missouri HB 2400 was delivered to Republican Gov. Mike Parsons on May 18 who will have until June 26 to sign or veto the bill or it becomes law. As recently amended, the bill would prohibit state agencies or state officials from imposing any annual filing or reporting requirements on charitable organizations that are more stringent than specified under existing law.

North Carolina HB 741 passed the House Judiciary 1 Committee with a substitute on May 31, 2023. As substituted, the bill would, in part, exempt additional charitable organizations from the requirement to obtain a charitable solicitation license from the secretary of state by increasing the contribution threshold for requiring a license to $50,000. The exemption would be further expanded by allowing professional fees to be paid to an organizer or incorporator who is a licensed attorney or a licensed accountant. The bill would also:

Expand the minimum number of natural persons required to be on a board of directors for a nonprofit corporation from one to three with the exception of private foundations.
Authorize a merger between a charitable or religious corporation and either limited liability company, assuming specified conditions are met, and an unincorporated association.
Require domestic and foreign nonprofit corporations authorized to conduct affairs in the state to submit annual reports electronically to the secretary of state. The annual reports would be required to include specified information, including the state or country under whose law the corporation is incorporated, address of the registered office, as well as basic information about principal officers.

The bill is now pending in the House Finance Committee.

North Carolina HB 741 passed the House Finance Committee with a substitute on June 13, 2023. Existing law requiring that charitable or religious corporations give 30 days’ advance notice to the attorney general prior to disposing of all or a majority of its property would be maintained.

North Carolina HB 741 passed the House on June 27, 2023 and is now pending further referral in the Senate Rules and Operations Committee.

Pennsylvania HB 1361, sponsored by Rep. Fred Schemel, R-Greencastle, was referred to the House State Government Committee on June 9, 2023. The bill would increase the exemption threshold necessary for registration with the Department of State to $50,000.

Tennessee HB 805, sponsored by Rep. William Lamberth, R-Portland, was referred to the House Commerce Committee on February 2 and has been scheduled for a hearing in the House Business and Utilities Subcommittee on February 14 at 12:00 PM. The bill would extend the prohibitions, requirements and penalties that already apply to telephone solicitations to text message solicitations. A companion bill, SB 868, sponsored by Sen. Shane Reeves, R-Murfreesboro, was referred to the Senate Commerce and Labor Committee on February 6.

Tennessee HB 805, passed the House Finance, Ways and Means Committee where it is scheduled to be heard on March 7, 2023 and is now pending in the House floor. A companion bill, SB 868, sponsored by Sen. Shane Reeves, R-Murfreesboro, unanimously passed the Senate on March 6, 2023.

Utah HB 119, sponsored by Rep. James Dunnigan, R-Taylorsville, was prefiled on January 3. The legislature is scheduled to convene its 2023 session on January 17. The bill would exempt federal income tax-exempt charitable organizations from registration requirements under the state’s charitable solicitations act. However, the Division of Consumer Protection would be permitted to include a searchable list on its website of federal tax exempt organizations engaging in specified solicitations.

Utah HB 119 passed the House Political Subdivisions Committee with a substitute on February 1. As substituted, the bill would exempt federal income tax-exempt charitable organizations from registration requirements under the state’s charitable solicitations act. The substitute removed provisions that would have permitted Division of Consumer Protection to include a searchable list on its website of federally tax exempt organizations engaging in specified solicitations.

Utah HB 119 passed the Senate on February 13 and is now pending final enrollment and delivery to Republican Gov. Spencer Cox. The bill would exempt 501(C)6 charitable organizations from registration requirements under the state’s charitable solicitations act. The bill would also provide that an application for a public grant would not be considered a charitable solicitation.

States: Nonprofit Governance

Maryland HB 72, sponsored by Del. Courtney Watson, D-Ellicott City, was referred to the House Economic Matters Committee on January 11. The bill would amend the definition of charitable contribution to exclude donations of property that is intended to redistributed without charge to a benevolent, educational, eleemosynary, humane, patriotic, philanthropic or religious purpose. It would also exclude an authorization for a discount on the use of services or materials, equipment or facilities, including those relating to advertising and broadcast airtime.

Minnesota HF 523, sponsored by Rep. Duane Quam, R-Byron, was referred to the House State and Local Government Finance and Policy Committee on January 18. The bill would prohibit an employee or representative of a state agency acting in their official capacity from vetoing the election or appointment of a potential board member of a nonprofit organization.

Minnesota SF 564, sponsored by Senate Jobs and Economic Development Committee Ranking Minority Member Rich Draheim, R-Madison Lake, was referred to that committee on January 23. The bill would prohibit nonprofit organizations with officers or employees compensated in excess of 125 percent of the governor’s salary from receiving grants under economic development or workforce development programs.

States: Salary Disclosure

Read more about this issue

STATES THAT HAVE PASSED BILLS INTO LAW:

NOW LAW: California SB 1162 /Chapter 559 was signed by Democratic Gov. Gavin Newsom on September 27, 2022, and takes effect January 1, 2023. The law, in part, will expand state pay data reporting requirements to cover contracted employees. The law will require a private employer that has 100 or more employees to submit a pay data report to the Civil Rights Department. This law will revise the timeframe in which a private employer is required to submit this information to require that it be provided on or before the second Wednesday of May 2023, and for each year thereafter on or before the second Wednesday of May. This law will require the pay data report to include the median and mean hourly rate for each combination of race, ethnicity and sex within each job category. It will also require an employer, upon request, to provide to an employee the pay scale for the position in which the employee is currently employed. The bill would require an employer with 15 or more employees to include the pay scale for a position in any job posting. The law will require an employer to maintain records of a job title and wage rate history for each employee for a specified timeframe, to be open to inspection by the labor commissioner

NOW LAW: New York SB 1326/Chapter 94 was signed by Democratic Gov. Kathy Hochul on March 3, 2023 and takes effect at the same time as SB 9427 from last session which is September 17, 2022. The bill would specify that existing laws around salary disclosure exclude remote work opportunities performed entirely out of state.

PROPOSED BILLS:

Montana SB 146, sponsored by Sen. Shane Morigeau, D-Missoula, was referred to the Senate Business, Labor and Economic Affairs Committee on January 11. The bill would, in part, require employers to disclose in each job posting the hourly or salary compensation or the range of compensation and a general description of all the benefits and other compensation to be offered to the hired applicant. The bill would also require employers to make reasonable efforts to announce, post or otherwise make known all opportunities for promotion to all current employees on the same calendar day and prior to making a promotion decision. Upon request of an employee offered an internal transfer, an employer would be required to provide the wage scale or salary range for the employee’s new position.

Montana SB 146 was heard in the Senate Business, Labor and Economic Affairs Committee on January 17, 2023. The committee took testimony but did not vote on the bill. The bill would, in part, require employers to disclose in each job posting the hourly or salary compensation or the range of compensation and a general description of all the benefits and other compensation to be offered to the hired applicant. The bill would also require employers to make reasonable efforts to announce, post or otherwise make known all opportunities for promotion to all current employees on the same calendar day and prior to making a promotion decision. Upon request of an employee offered an internal transfer, an employer would be required to provide the wage scale or salary range for the employee’s new position.

Virginia SB 1136 passed the Senate following a 20 to 18 vote on February 3, 2023 and is now pending in the Senate Commerce and Energy Committee. The bill would prohibit employers from:

Seeking the wage or salary history of a prospective employee.
Relying on the wage or salary history of a prospective employee in considering them for employment.
Relying on the wage or salary history of a prospective employee in determining the wages or salary the prospective employee is to be paid upon hire. Except, that if a prospective employee voluntarily provides their salary information the employer would be able to use the salary history to support a wage or salary higher than the employee’s initial offer to the extent that it does not create an unlawful pay differential.
Refusing to interview, hire, employ or promote a prospective employee or otherwise retaliate against a prospective employee for not providing wage or salary history or for requesting a wage or salary range.
Failing or refusing to provide a prospective employee the wage or salary range for the position for which the prospective employee is applying prior to discussing compensation and at any time upon the prospective employee’s request.
Failing to set a wage or salary range in good faith. Any analysis of whether the range or salary range has been set in good faith would need to consider, among other things, the breadth of the wage or salary range.

An employer that violates the bill’s provisions would be liable to a prospective employee for statutory damages between $1,000 and $10,000 or actual damages whichever is greater.

“We need someone who is focused on our concerns, our issues … how we work and how we relate to our donors and fulfill our missions.” - Steve Abrahamson, Vice President, Direct Response, National Audubon Society

Legislation in the States

State Legislatures in Session (Thursday, September 21, 2023)

Included below:

States: Consumer Data Protection / Data Privacy

STATES THAT HAVE PASSED BILLS INTO LAW:

PROPOSED LAWS:

States: Donor Privacy and Confidentiality

STATES THAT HAVE PASSED BILLS INTO LAW:

PROPOSED BILLS:

States: Charitable Solicitation

STATES THAT HAVE PASSED BILLS INTO LAW:

PROPOSED BILLS:

States: Nonprofit Governance

States: Salary Disclosure

STATES THAT HAVE PASSED BILLS INTO LAW:

PROPOSED BILLS:

State Legislatures in Session
(Thursday, September 21, 2023)