Legislation in the States
Last Reviewed December 2024
Included below:
Artificial Intelligence (AI)
STATES THAT HAVE PASSED BILLS INTO LAW:
NOW LAW: Colorado SB205. Colorado becomes the first state to enact comprehensive AI legislation. The new law becomes effective February 1, 2026. It applies generally to developers and deployers of “high risk AI systems,” which are defined as AI systems that make, or are a substantial factor in making, a consequential decision. The law also defines “consequential decision” as “any decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of: (a) education enrollment or an education opportunity, (b) employment or an employment opportunity, (c) a financial or lending service, (d) an essential government service, (e) health-care services, (f) housing, (g) insurance, or (h) a legal service.”
The law is aimed at addressing AI bias, establishing a requirement of human oversight throughout the life cycle of AI systems, and requiring significant documentation around the use of AI.
It applies to any person doing business in Colorado who develops an “AI system” or deploys a “high-risk AI system.” In effect, this means that it applies to any organization using a high-risk AI system, whether or not that system is consumer-facing. Importantly, the law explicitly excludes a Private Right of Action, leaving enforcement solely to the Colorado Attorney General.
NOW LAW: California AB 2013/Chapter 817 was signed into law by Democratic Gov. Gavin Newsom on September 28, 2024 and takes effect on January 1, 2025. This law requires that, on or before January 1, 2026, and before each time thereafter that a generative AI system or service, or a substantial modification to such a system or service, released on or after January 1, 2022, is made available to Californians for use, regardless of whether the terms of that use include compensation, the developer of the system or service post on the developer’s internet website documentation regarding the data used to train the generative AI system or service. Documentation is required to include a high-level summary of the datasets used in the development of the system or service.
NOW LAW: California SB 896/Chapter 928 was signed into law by Democratic Gov. Gavin Newsom on September 29, 2024 and takes effect on January 1, 2025. This law will bring the California Privacy Protection Agency into the reporting creation aspect of this bill. The law will create the Artificial Intelligence Accountability Act as a follow up to Sen. Bill Dodd’s, D-Napa, CR 17, as he stated in his press release. Additionally, the law requires state agencies to develop a risk report for potentially the most significant uses of artificial intelligence. It will also require state agencies to alert users when they are interacting with artificial intelligence.
PROPOSED BILLS:
California SB 1047 was delivered to Democratic Gov. Gavin Newsom on September 9, 2024; he will have until September 30 to sign or veto the bill or it becomes law. The bill would create the Safe and Secure Innovation for Frontier Artificial Intelligence Systems Act and would require developers of powerful AI models and those providing the computing power to train such models to place appropriate safeguards and policies to prevent critical harms. The Frontier Model Division would be created within the California Department of Technology to oversee the development of models.
Colorado: The Colorado AI Impact Task Force held its second hearing on September 16, 2024, continuing discussions from their August meeting. While the initial meeting focused on organizing the task force and planning future work, this one delved into more substantive issues surrounding the regulation of AI and automated decision systems. Key areas of focus for this task force include defining AI and automated decision systems and recommending legislation that ensures transparency and disclosure, addresses algorithmic discrimination and creates ethical guidelines and best practices.
Task force members discussed the challenges of defining AI in a way that balances innovation with public safety and took testimony from experts about the risks of using overly broad definitions that could unintentionally stifle future innovation; the need to regulate the outcomes of AI, such as algorithmic discrimination and transparency rather than the technology itself, since it is constantly evolving; and received an overview of international frameworks, such as those from the European Union and the Organization for Economic Co-operation and Development (OECD), which classify AI systems by risk levels to allow for flexibility while ensuring safety in high-risk applications like facial recognition. The task force is required to submit their final report to the legislature by February 1, 2025.
California SB 1047 was vetoed by Democratic Gov. Gavin Newsom on September 29, 2024. The bill was then sent to the Senate to consider a veto override. This bill would have established safety and security protocols for large developers of advanced AI models that require over $100 million to train or meet a certain computing power threshold. Covered developers would have been required to immediately shut down a model if necessary, providing protection for “unsafe post-training modifications.” Developers would have had to report AI safety incidents to the attorney general and restrict the use of covered models if they posed an unreasonable risk of critical harm. In his veto message, the governor stated that focusing on regulating large artificial intelligence models based on size and cost could create a false sense of security. He expressed concern that the bill’s approach may overlook potential risks from smaller, specialized models and could stifle innovation. The governor emphasized the need for adaptable, evidence-based regulation that evolves with the rapidly advancing AI technology.
Board Diversity
STATES THAT HAVE PASSED BILLS INTO LAW:
NOW LAW: Illinois SB 2930/Public Act 635 was signed by Democratic Gov. J.B. Pritzker on July 1, 2024 and takes effect January 1, 2025. The law will, in part, provide that a nonprofit, within 30 days after filing its annual AG990-IL Charitable Organization Annual Report, that reports grants of $1 million or more to other charitable organizations would need to post on its website, if applicable, the aggregated demographic information of the corporation’s directors and officers, including race, ethnicity, gender, disability status, veteran status, sexual orientation and gender identity.
PROPOSED BILLS:
States: Consumer Data Protection / Data Privacy
Below is a comprehensive list of state activity. If you are interested in a broader overview of the issue, please read more here.
STATES THAT HAVE PASSED BILLS INTO LAW:
NOW LAW: California (from the CA AG website): The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This law secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.
NOW LAW: California SB 362/Chapter 709 was signed by Democratic Gov. Gavin Newsom on October 10, 2023 with the bill taking effect January 1, 2026. This law, dubbed the Delete Act, seeks increased limitations on data brokers that amass and sell personal information collected online. It will create a portal for residents to remove personal data that has been collected by the 486 registered data brokers in the state, from purchase history to internet browsing habits. The law will also require data brokers to register with the California Privacy Protection Agency and disclose the types of information they collect.
NOW LAW: California AB 1008/Chapter 802 was signed into law by Democratic Gov. Gavin Newsom on September 28, 2024 and takes effect on January 1, 2025. The law states that “publicly available” does not include information gathered from websites using automated mass data extraction; personal information can exist in various formats. The law defines terms related to personal information, such as advertising and marketing, aggregate consumer information and biometric information. It outlines what constitutes a business and the thresholds for data collection and processing that apply. The law describes business purposes for using personal information and specifies what qualifies as consumer consent. Additionally, it includes definitions for sensitive personal information, service providers and third parties, emphasizing the protection and proper handling of personal data.
NOW LAW: Colorado SB 190 was signed into law by Governor Polis on July 7, 2021. The law takes effect on July 1, 2023. Major provisions include:
- Enable a consumer to opt-out of the processing of their personal information.
- Confirm whether or not a controller is processing personal data concerning the consumer and to provide access to that information.
- The right to correct inaccurate personal information.
- The right to have personal information deleted.
- Controllers would be required to provide a meaningful privacy notice to consumers detailing their various rights.
- Does not contain a private right of action.
Nonprofit organizations are NOT exempted from the requirements of the law.
NOW LAW: Connecticut SB 6/Public Act 22-15, sponsored by Senate President Pro Tempore Martin Looney, D-New Haven, was signed by Democratic Gov. Ned Lamont on May 10 and takes effect July 1, 2023. The law will grant consumers various rights including:
- The right to confirm whether or not a controller is processing the consumer’s personal data.
- The right to correct inaccuracies in their personal data.
- The right to delete personal data provided by or obtained about the consumer.
- The right to obtain a copy of the consumer’s personal data processed by the controller.
- The right to opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects.
Controllers will be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers will also be prohibited from processing the sensitive data of a consumer without their affirmative consent. The law will not apply to nonprofit organizations, does not provide a private right of action and will grant controllers a right to cure at the discretion of the attorney general. The law will also specify that a controller is not required to authenticate an opt-out request but will be able to deny a request if the controller has reasonable and documented belief that the request is fraudulent. Controllers will be required to send notice to the person making the request that they believe the request is fraudulent.
NOW LAW: Delaware HB 154 was signed into law by Democratic Gov. John Carney on September 11, 2023 and takes effect January 1, 2025. The law does apply to nonprofits. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.
The law will grant consumers various rights including but not limited to the right to delete data they provided and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 60-day right to cure before the attorney general may initiate any action which would remain in place until December 31, 2025. After that date, the right to cure will be up to the discretion of the attorney general. Controllers will also be required to provide a reasonably accessible, clear and meaningful privacy notice.
NOW LAW: Florida SB 262 was signed by Republican Gov. Ron DeSantis on June 6, 2023 and takes effect July 1, 2024. The law will prohibit government employees or officers from using their positions or state resources for the purposes of social media content moderation. The law contains age-appropriate design code language.
The law will also grant consumers various rights including:
- The right to confirm if a consumer’s personal data is being processed and providing access to the data.
- The right to correct inaccurate consumer personal data.
- The right to delete the consumer’s personal data provided by or obtained about the consumer.
- The right to opt-out of processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similar significant effects concerning the consumer.
- The right to obtain a copy of the consumer’s personal data in a structured, commonly used and machine-readable format.
- The right to opt out of the collection of sensitive data, including precise geolocation data, or the processing of such data.
- The right to opt out of the collection of personal data collected by a voice recognition feature.
Controllers will be required to take action on consumer requests within 45 days but could request an extension of an additional 15 days and must establish a process that allows consumers to appeal a controller’s decision not to act on a request to exercise their rights. Controllers will be required to provide two methods for a consumer to submit requests, taking into account the ways in which the consumer normally interacts with the controller. Controllers will be required to limit collection of personal data to what is reasonably necessary. Controllers will also be required to conduct data protection assessments for various processing activities involving personal data, including targeted advertising and the sale of personal data. The law contains 45-day right to cure language but will give the Department of Legal Affairs the authority to issue guidance notifying controllers that they will not be offered any additional cure periods for future violations. The law does not contain a private right of action and does not apply to nonprofits.
Recent amendments would in part change the definition of targeted advertising to mean displaying to a consumer an advertisement selected based on personal data obtained from that consumer’s activities over time, but would not include an advertisement that is based on the context of a consumer’s current search query on the controller’s own website or online application, or is directed to a consumer search query on the controller’s own website or online application in response to the consumer’s request for information or feedback. Other amendments would prohibit a tracking entity from collecting a consumer’s tracking information without the consumer’s consent, or from collecting a consumer’s tracking information while the collecting technology is not in active use by the consumer without the consumer’s consent for continued collection. Tracking information would include precise geolocation and biometric information.
NOW LAW: Indiana SB 5, sponsored by Senate Judiciary Chair Liz Brown, R-Fort Wayne, was signed by Republican Gov. Eric Holcomb on May 1 and takes effect January 1, 2026. The law will apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and that process the personal data of 100,000 or more consumers, or process the personal data of 25,000 or more consumers and derive more than 50 percent of their revenue from the sale of personal data. The law will grant consumers various rights including, but not limited to, the right to delete data and opt-out of the sale of their personal data. The law will apply to nonprofit organizations and does not contain a private right of action.
NOW LAW: Iowa SF 262 was signed by Gov. Kim Reynolds on March 28 and takes effect January 1, 2025. The law will apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:
- Controls or processes personal data of at least 100,000 consumers.
- Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.
The law will grant consumers various rights including but not limited to the right to delete data they provided and opt-out of the sale of their personal data. The bill does not contain a private right of action but does contain a 30-day right to cure before the attorney general could initiate any action. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice.
NOW LAW: Kentucky HB 15 was signed by Democratic Gov. Andy Beshear on April 4, 2024 and takes effect January 1, 2026. The law will not apply to nonprofits. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of at least 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
The law will grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a private right of action but does contain a 30-day right to cure.
NOW LAW: Maryland SB 541/Chapter 455 was signed by Democratic Gov. Wes Moore on May 9, 2024. Effective October 1, 2025, the act applies to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and during the preceding calendar year:
- Control or process the personal data of at least 35,000 consumers, excluding data processed solely to complete a payment transaction.
- Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.
The act grants consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. A consumer would be permitted to opt out using global privacy controls. Identical companion HB 567/Chapter 454 was also signed by the governor on May 9.
NOW LAW: Minnesota HF 4757/Chapter 121 was signed by Democratic Gov. Tim Walz on May 24, 2024 and takes effect July 31, 2025, with a delayed effective date of July 31, 2029 for institutions regulated by the Office of Higher Education. Nonprofits are not exempt from the law. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
The law will grant consumers various rights including but not limited to the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similar significant effects. If a consumer’s data is profiled in furtherance of these effects, a consumer will have the right to question the result of the profiling, to be informed of the reason why the profiling resulted in the decision and to be informed of what actions the consumer could have taken to receive a different decision. The bill contains an exemption and requirements for small businesses and also contains a time limited 30-day right to cure until January 31, 2026.
NOW LAW: Montana SB 384/Chapter 681, sponsored by Sen. Daniel Zolnikov, R-Billings, was signed into law by Republican Gov. Greg Gianforte on May 19, 2023. The bill will apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and:
- Control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
The law will grant consumers various rights including but not limited to the right to delete data they provided and opt-out of the sale of their personal data. The law does not contain a private right of action but does contain a 60-day right to cure before the attorney general could initiate any action. Controllers will also be required to provide a reasonably accessible, clear and meaningful privacy notice.
NOW LAW: Nebraska LB 1074 passed the legislature following a 47 to 0 vote on April 11, 2024 and was signed by Republican Gov. Jim Pillen on April 17 and takes effect January 1. The law will not apply to nonprofits. The law contains both privacy and banking provisions. The privacy provisions will apply to anyone who conducts business in this state or produces a product or service consumed by residents of this state, processes or engages in the sale of personal data and is not a small business as defined under the federal Small Business Act. The law will grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising, the sale of data or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a private right of action but does contain a 30-day right to cure.
NOW LAW: New Hampshire SB 255/Chapter 5 was signed by Republican Gov. Chris Sununu on March 6, 2024 and takes effect January 1. The law will not apply to nonprofits. The law will apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or controlled or processed the personal data of not less than 10,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data. The law will grant consumers various rights including the right to correct inaccuracies in their personal data and delete their data. Controllers will be required to limit collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. Controllers will also be required to provide a reasonably accessible, clear and meaningful privacy notice. The law does not contain a private right of action but does contain a 60-day right to cure.
NOW LAW: New Jersey SB 332/Chapter 266 was signed by Democratic Gov. Phil Murphy on January 16, 2024 and takes effect January 15, 2025. Nonprofits are not exempt from the law. The law will apply to controllers that conduct business in the state or produce products or services that are targeted to residents of the state, and that during a calendar year meet one or more of the following thresholds:
- Control or process the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- Control or process the personal data of not less than 25,000 consumers and derive revenue, or receive a discount on the price of goods or services, from the sale of personal data.
The law will grant consumers various rights including, but not limited to, the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or the sale of their data. Users will be able to opt-out of the processing of their data for the purposes of targeted advertising or the sale of their data via a user selected universal opt-out mechanism. The opt out mechanism will be prohibited from using a default setting that opts-in a consumer to the processing or sale of personal data, unless the controller has determined the selection clearly represents the consumer’s affirmative, freely given, and unambiguous choice to opt into any processing of such consumer’s personal data. Controllers will be required to conduct a data protection assessment prior to any processing activities that present a heightened risk of harm to the consumer. The law does not contain a private right of action.
NOW LAW: New Jersey SB 2930/Chapter 16 was signed by Democratic Gov. Phil Murphy on June 5, 2024 and takes effect September 3. This law will make broad changes to the state’s public records law, including in part prohibiting public records requests made by or for data brokers and would prohibit data obtained through records requests from being sold. The law also contains a data broker registry requirement.
NOW LAW: Oregon SB 619 was signed by Democratic Gov. Tina Kotek on July 18 and takes effect July 1, 2024. The law does not exempt nonprofits. The law will apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year either controls or processes:
- The personal data of 100,000 or more consumers, personal data from 100,000 or more devices that identify or that link to or are reasonably linkable to one or more consumers, or personal data from a combination of 100,000 or more consumers and devices.
- The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person’s annual gross revenue from selling personal data.
It will grant consumers various rights including, but not limited to, the right to delete personal data whether or not the data was previously provided, obtain a copy of that data and opt out of the sale or sharing of their data. Controllers will be required to provide a reasonably accessible, clear and meaningful privacy notice and conduct a data protection impact assessment involving specified processing activities. The bill does not contain a private right of action.
NOW LAW: Oregon HB 2052 was signed by Democratic Gov. Tina Kotek on July 27 and took immediate effect with the registration provisions becoming operative January 1. The law will require data brokers to annually register with the Department of Consumer and Business Services. The law will impose a $500 penalty for each day the company fails to register with a maximum penalty of $10,000.
NOW LAW: Rhode Island SB 2500 became law without the signature of Democratic Gov. Dan McKee on June 26, 2024 and takes effect January 1, 2026. Nonprofits are exempt from the law. The law will apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 35,000 consumers.
- Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.
The law will grant consumers various rights including but not limited to the right to correct inaccuracies in their personal data, the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The law does not contain a right to cure or a private right of action.
NOW LAW: Texas HB 4 was signed by Republican Gov. Greg Abbott on June 18, 2023 and takes effect July 1, 2024. It does not apply to nonprofit organizations. The law will in part require controllers to honor global privacy controls such as a browser setting as a request to opt-out and exempt and includes 501(c)19 under the definition of a nonprofit organization. The law will apply only to a person that:
- Conducts business in this state or produces a product or service consumed by residents of this state.
- Processes or engages in the sale of personal data.
- Is not a small business as defined by the United States Small Business Administration.
The law will grant consumers various rights, including the right to their personal data and to opt out of the processing of their personal data for various purposes such as the sale of data. The law contains 30-day right to cure language and does not contain a private right of action.
NOW LAW: Utah SB 227 was signed by Republican Gov. Spencer Cox on March 24 and takes effect December 31, 2023. The law will grant consumers various rights including:
- The right to confirm whether a controller is processing the consumer’s personal data and to access their data.
- The right to correct inaccurate personal data.
- The right to delete the consumer’s personal data.
- The right to obtain their personal data in an easily portable format.
- The right to opt-out of the processing of their data for the purposes of targeted advertising or the sale of personal data.
The law does not apply to nonprofit organizations and does not contain a private right of action.
NOW LAW: Virginia SB 1392, known as the Virginia Consumer Data Protection Act, was signed by Governor Ralph Northam on March 2, 2021, and will take effect on January 1, 2023. The CDPA grants consumers the right to confirm, correct, and delete personal data and opt-out of use of data for advertising or sale. It includes an opt-in consent requirement for sensitive data. Nonprofits are largely exempt.
The following bills, each amending a portion of the Virginia Consumer Data Protection Act (2021) have been passed by both houses of the General Assembly and are awaiting the signature of the Governor:
- VA SB 393 was presented to the governor on March 11, alongside an identical bill, HB381 (see below).
- VA SB 516, sponsored by Sen. David Marsden, D-Burke, which would authorize the attorney general to pursue actual damages to the extent they exist if a controller or processor continues to violate the bill. The bill would also include political organizations under the definition of a nonprofit and abolish the consumer privacy fund. The bill passed the House Energy and Commerce Committee on February 24 and the House on March 1.
- Virginia HB 381 was delivered to Republican Gov. Glenn Youngkin on March 11. Governor Youngkin will have until April 11 to sign or veto the bill or it becomes law. The bill would amend the Consumer Data Protection Act to specify that a controller that has obtained personal data about a consumer from a source other than the consumer would be deemed in compliance with a consumer’s request to delete such data by either retaining a record of the deletion request and the minimum data necessary for ensuring the consumer’s personal data remains deleted or by opting the consumer out of the processing of that data for targeted advertising, sale or profiling. An identical bill, SB 393, was also presented to the governor on that same day.
- VA HB 714, sponsored by Del. Cliff Hayes, D-Chesapeake, passed the Senate General Laws and Technology Committee and the Senate Finance and Appropriations Committee on March 2 and the Senate on March 2. The bill is now pending delivery to Republican Gov. Glenn Youngkin. The bill would include political organizations under the definition of a nonprofit.
PROPOSED LAWS:
Alabama SB 213 passed the Senate Fiscal Responsibility and Economic Development Committee on March 19, 2024. The bill would require data brokers to annually register with the secretary of state.
Alaska HB 159 [The legislature adjourned without further action on May 18, 2022], sponsored by the House Rules Committee at the request of Republican Gov. Mike Dunleavy, was heard in the House Rules Committee on March 18; the committee received an overview of various state privacy efforts from Ryan Harkins, a Senior Director of Public Policy at Microsoft, but did not vote on the bill during the hearing. This broad privacy bill would:
- Require a business that collects a consumer’s personal information to notify the consumer before collecting the information and provide various disclosures.
- Grant consumers the right to request a business provide specified information including the categories and specific pieces of personal information that the business collects.
- Grant consumers the right to request deletion of their personal information collected by a business from the preceding five years.
- Grant consumers the right to request the disclosure of personal information sold or disclosed to third parties.
- Grant consumers the right to opt out of the sale of their personal information.
- Prohibit third parties from disclosing information unless it was collected in compliance with the bill’s other provisions.
- Provide for a private right of action for violations of the bill.
- Require the annual registration of data brokers with the commissioner of commerce.
Alaska HB 222 [The legislature adjourned without further action on May 18, 2022], sponsored by Rep. George Rauscher, R-Sutton, was pre-filed on January 7. The bill was referred to the Labor & Commerce Committee on January 18. The bill would require a business that collects a consumer’s personal information to notify a consumer, at or before the point of collection, of the following:
- The categories of personal information and sensitive personal information the business will collect and the purposes and whether the business will sell or share the information.
- The length of time the business will retain each category of personal information.
- The proviso that the business cannot retain personal information for longer than is reasonably necessary for the specified purpose.
The bill would also grant consumers the right to:
- Correct inaccurate personal information.
- Receive a disclosure about the categories of information collected, sources of that information, specific pieces of information collected and the business or commercial purpose for collecting, sharing, or selling.
- Direct the business not to sell or share their personal information, i.e., opt out.
- Limit the business’s use of sensitive personally identifiable information.
- Receive a disclosure with specified information about the sale of their data.
The bill contains a private right of action but only for data breaches.
California AB 1546 was heard in the Senate Appropriations Committee on August 21, 2023 where it was referred to the suspense file. The suspense file is a holding place for bills that carry a fiscal impact of $150,000 or more and may be voted out eventually to continue the legislative process. The bill would extend the statute of limitations for action brought by the attorney general to enforce the CCPA to five years after the accrual of the cause of action.
California AB 1546 was heard in the Senate Appropriations Committee on September 1, 2023 where the bill remains pending.
California: A number of California privacy bills have been scheduled for consideration in the Assembly Privacy and Consumer Protection Committee on April 2, 2024 including:
Other privacy bills scheduled for a hearing in that committee on April 16 at 1:30 PM are:
- AB 3124, which would prohibit a business from making covered personal information publicly available on its internet website. The bill would also require a business that sells personal information through an internet website to retain identifying information of the customer that purchases that personal information and to make that identifying information available upon request to the subject of the personal information purchased by the customer.
- AB 3204, which would require data digesters to annually register with the California Privacy Protection Agency. The bill would define a data digester as a business that uses personal information to train artificial intelligence.
Another California privacy bill, SB 1076, has been scheduled for a hearing in the Senate Judiciary Committee on April 23, 2024 at 9:30 AM. This bill would amend the state’s data broker law to impose additional requirements on the accessible deletion mechanism regarding authorized agents. The bill would, in part, require an authorized agent aiding in a deletion request to be registered with, and certified by, the California Privacy Protection Agency and would prohibit the authorized agent from charging the consumer a fee. The bill would also authorize a data broker to deny a deletion request if the data broker has a good faith, reasonable, and documented belief that the request is fraudulent or if the request was submitted through an authorized agent who has not provided the consumer’s signed permission demonstrating the agent’s authority to act on the consumer’s behalf.
California: The following bills were referred to the Senate Appropriations Committee’s suspense file on August 5, 2024 and are scheduled to be heard before the committee on August 15 upon the adjournment of the session:
- AB 2877, which would prohibit the personal information from consumers under 16 years of age from being used to train an artificial intelligence system or service unless the consumer or the consumer’s parent or guardian, as specified, has affirmatively authorized that use of the consumer’s personal information. The bill would require that, if affirmative authorization is given, the personal information be deidentified and aggregated before being used to train an artificial intelligence system.
California: The following bills passed the Senate Appropriations Committee on August 15, 2024 and are now pending a third reading and final vote on the Senate floor:
- AB 2426, which proposes to prohibit advertising sale of digital apps, games, audio works, digital books, digital codes and digital goods for sale or rent. It would require companies to obtain an affirmative, distinct and separate acknowledgment from the purchaser that indicates they are receiving a license to access the digital goods. The measure includes a complete list of licensing restrictions and conditions and an expectation that access to the goods may be revoked. The seller must provide clear and conspicuous disclosure that buying or purchasing the good is considered a license and then link to the full licensing terms and conditions. However, digital goods advertised with an option for consumers to download permanently for use offline are excluded.
California AB 1824 passed the Assembly Appropriations Committee on April 24, 2024 and is now pending on the Assembly floor. The bill would require a business to which another business transfers the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the transferee assumes control of all or part of the transferor to comply with a consumer’s opt-out direction to the transferor.
Another privacy bill, AB 3048, also passed the committee that same day. The bill would prohibit a business from developing or maintaining a browser or device that does not include a setting that enables a consumer to send an opt out preference signal to their business.
Another California privacy bill, SB 1076, had been scheduled for a hearing in the Senate Judiciary Committee on April 23; however, the bill was removed from the agenda at the request of bill sponsor Sen. Scott Wilk, R-Lancaster. An alternative hearing date has not yet been set. This bill would amend the state’s data broker law to impose additional requirements on the accessible deletion mechanism regarding authorized agents. The bill would, in part, require an authorized agent aiding in a deletion request to be registered with, and certified by, the California Privacy Protection Agency and would prohibit the authorized agent from charging the consumer a fee. The bill would also authorize a data broker to deny a deletion request if the data broker has a good faith, reasonable, and documented belief that the request is fraudulent or if the request was submitted through an authorized agent who has not provided the consumer’s signed permission demonstrating the agent’s authority to act on the consumer’s behalf.
California AB 2877 passed the Assembly Privacy and Consumer Protection Committee on April 29, 2024 and is now pending in the Assembly Appropriations Committee. The bill would prohibit the personal information from consumers less than 16 years of age from being used to train an artificial intelligence system or service unless the consumer or the consumer’s parent or guardian, as specified, has affirmatively authorized that use of the consumer’s personal information. The bill would require that, if affirmative authorization is given, the personal information be deidentified and aggregated before being used to train an artificial intelligence system.
California AB 2877 was read a second time in the Assembly on May 9, 2024 and is now pending on the third reading calendar. Another privacy bill, AB 3204, has been scheduled for a hearing in the Assembly Appropriations Committee on May 16 at 9:30 AM and would require data digesters to annually register with the California Privacy Protection Agency. The bill would define a data digester as a business that uses personal information to train artificial intelligence.
California AB 2877 passed the Senate Judiciary Committee with amendments on June 27, 2024 and is now pending in the Senate Appropriations Committee. The amendments add exemptions for fine tuning artificial intelligence systems to protect consumers from imminent threats to their health or safety and data that has been deidentified and aggregates the personal information of the consumer prior to training or fine-tuning an artificial intelligence system or service.
California AB 2877 has been scheduled for a hearing in the Senate Appropriations Committee on August 5, 2024 at 10:00 AM.
California AB 1949 was vetoed by Democratic Gov. Gavin Newsom on September 28, 2025. Governor Newsom’s veto message can be found here. The bill would have prohibited a business from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is under 18 years of age and would have made revisions to prohibit a business from selling or sharing the personal information of a consumer over 13 years of age, but under 18 years of age, unless the consumer or the consumer’s parent or guardian had affirmatively authorized the sale or sharing of the consumer’s personal information. The bill would have required a business to treat a consumer as under 18 years of age if the consumer, through a platform, technology or mechanism, transmits a signal indicating that the consumer is under 18 years of age. The bill would have taken effect January 1, 2026. A two-thirds majority of both chambers is required to override Governor Newsom’s veto; the bill had previously passed the Assembly, 60-0-19, and the Senate, 33-0-7.
California AB 1008 was delivered to Democratic Gov. Gavin Newsom on September 12, 2024. Governor Newsom has until September 30 to act upon this legislation or it would become law without his signature. The bill would define that “publicly available” does not include information gathered from websites using automated mass data extraction; personal information can exist in various formats. The bill would define terms related to personal information, such as advertising and marketing, aggregate consumer information and biometric information. It would outline what constitutes a business and the thresholds for data collection and processing that apply. The bill would also describe business purposes for using personal information and specify what qualifies as consumer consent. Additionally, it would include definitions for sensitive personal information, service providers and third parties, emphasizing the protection and proper handling of personal data.
California AB 3048 was vetoed by Democratic Gov. Gavin Newsom on September 20, 2024; the legislature could override a veto with a two-thirds vote of elected members in each chamber. The bill would have required browsers and mobile operating systems to include a setting that enables a consumer to send an opt-out preference signal to a business with which a consumer interacts.
Delaware HB 262 passed the House with amendments on May 5, 2022, and was heard in the Senate Banking, Business and Insurance Committee on June 8; the committee took testimony, including from Vermont Deputy Attorney General Christopher Curtis, but did not vote on the bill during the hearing. The bill would require data brokers to annually register with the consumer protection unit of the Department of Justice and pay an annual fee. As part of the registration process the data broker would be required to provide the following information:
- The name and primary physical, email and internet address of the data broker and links to all applicable privacy policies.
- The method consumers can use to opt-out if the data broker permits consumers to do so.
- A statement specifying the data collection, databases, or sales activities from which the data broker does not allow a consumer to opt-out.
- A description of the data broker’s processes for verifying the purchasers of its brokered personal information. A separate statement would also be required if the broker deals the personal information of minors.
- The number of data security breaches that the data broker has experienced within the past three years.
- Answers to specified questions including whether the data broker limits the use of personal information by a purchaser or licensee.
The bill does not contain a private right of action.
District of Columbia B24-451, sponsored by City Council Chair Phil Mendelson, is a verbatim rendition of a model law very recently proposed by the Uniform Law Commission. The bill will be known as the “Uniform Personal Data Protection Act of 2021” and is slated to be referred to the Judiciary and Public Safety Committee on November 2. The bill would:
- Grant consumers the right to copy or correct their personal data.
- Permit “compatible” data practices without consent if the processing of the data is consistent with the expectations of the data subject or is likely to benefit the data subject.
- Prohibit data practices that may cause a substantial risk of harm to data subjects including processing likely to cause harassment, financial harm or that fails to provide reasonable data security.
- Permit incompatible data practices, which include practices neither prohibited nor compatible with a consumer’s consent. Tailored messaging including advertising would be considered a compatible use.
- Does not contain a private right of action.
Florida HB 9, sponsored by Rep. Fiona McFarland, R-Sarasota, passed the House Commerce Committee with a substitute on February 10, 2022. Known as the Florida Privacy Act, the legislation is dead for a second consecutive year after the Senate did not act on the bill amid House and Senate budget negotiations, Florida Politics reports. The bill is expected to be reintroduced next year. The bill would require a controller that collects personal information about a consumer to maintain an online privacy policy that is updated at least every 12 months and contains:
- A list of categories of personal information the business collects.
- The consumer’s right to request deletion or correction of personal information.
- The consumer’s right to opt-out of the sale or sharing to third parties.
A controller that collects personal information would be required to:
- Inform consumers of the categories of personal information to be collected and the purposes for which the information will be used.
- Adopt and implement a retention schedule that prohibits the use or retention of the information after the initial purpose has been fulfilled or three years after the consumer’s last interaction with the controller.
The bill would also grant a consumer various rights including:
- The right to request a copy of personal data collected, sold or shared.
- The right to have personal data deleted or corrected.
- The right to opt-out of the sale or sharing of their personal data. Once a consumer has opted-out, controllers would be required to wait at least 12 months before requesting a consumer to authorize the sale or sharing of their data.
Florida HB 1547, sponsored by Rep. Fiona McFarland, R-Sarasota, was filed on March 7, 2023 and has not yet been referred to a committee. The bill would define a controller to mean a sole proprietorship, partnership, limited liability company, corporation, association or legal entity that meets the following requirements:
- Is organized or operated for the profit or financial benefit of its shareholders or owners.
- Does business in this state.
- Collects personal information about consumers or is the entity on behalf of which such information is collected.
- Determines the purposes and means of processing personal information about consumers alone or jointly with others.
- Makes in excess of $1 billion in gross revenues, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
- Satisfies one of the following:
- Derives 50 percent or more of its global annual revenues from providing targeted advertising or the sale of ads online.
- Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle.
The bill would, in part:
- Prohibit a controller from collecting a consumer’s precise geolocation data or personal information through a voice recognition feature, without their authorization.
- Require a controller that operates a search engine to provide a consumer with information of how the controller’s search engine algorithm prioritizes or deprioritizes political partisanship or political ideology in its search results.
- Require a controller that collects personal information about consumers to maintain an up-to-date privacy policy that meets specified requirements.
- Require controllers or direct processors to inform consumers, at or before the point of collection, the categories of personal information to be collected and the purposes for which the information will be used.
- Grant consumers the right to:
- Request a copy of their personal information that is collected, sold or shared including the third parties to which the personal information was sold or shared.
- Have personal information deleted or corrected.
- Opt-out of the sale or sharing of their personal data. Controllers would be required to post a link on their homepage entitled “Do Not Sell or Share My Personal Information” that enables a consumer to opt-out.
- Require contracts between controllers and processors to contain specified language including prohibiting the processor from selling, sharing, retaining, using or disclosing the personal information for a purpose that violates the bill’s provisions.
- Prohibit social media companies that are predominately accessed by children from collecting, selling or sharing the personal information of any known child.
Controllers would be defined as any sole proprietorship, partnership, limited liability company, corporation or association that meets specified requirements including making in excess of $1 billion in global revenue. The bill does not contain a private right of action. A similar bill, SB 262, sponsored by Sen. Jennifer Bradley, R-Fleming Island, has been scheduled for a hearing in the Senate Commerce and Tourism Committee on March 13 at 3:30 PM. Similarly, Republican Gov. Ron DeSantis recently unveiled a proposed digital bill of rights. A press release about the proposal can be found here with specific details of the proposal being found here.
Florida HB 1547 passed the House Regulatory Reform and Economic Development Subcommittee with a substitute on March 29. While the text of the substitute was not immediately available, two associated amendments have been released. The first makes technical changes and the second adds a section relating to the safety of children in online spaces. The bill is now pending in the House Commerce Committee.
Florida HB 1547 passed the House Commerce Committee on April 24, 2023 and is now pending on the House second reading calendar.
A similar bill, SB 262, sponsored by Sen. Jennifer Bradley, R-Fleming Island, passed the Senate Rules Committee with a substitute on April 24, 2023. The bill is now pending on the Senate Special Order Calendar for April 28, 2023. A full analysis of the substitute’s numerous changes can be found here.
Georgia SB 394, sponsored by Sen. Greg Dolezal, R-Cumming, was introduced on January 26, 2022, and has not yet been referred to a committee. The bill, to be known as the Georgia Computer Data Privacy Act, would entitle consumers to various privacy rights including:
- The right to request the categories and specific items of personal information that a business has collected on them.
- The right to request deletion of their personal information. Businesses would be required to direct service providers to delete the consumer’s information.
- The right to request the categories of information that a business has sold or disclosed for a business purpose, as well as the categories of third parties to whom the information was sold or disclosed.
- The right to opt-out of the sale of their personal data and could authorize someone else to opt-out on their behalf.
Businesses would be required to provide notice to consumers on their internet homepage that:
- The personal information could be sold.
- Identifies the persons to whom the data would or could be sold.
- The pro rata value of the consumer’s personal information.
- The consumer has the right to opt-out of the sale of their data.
Businesses would also be required to provide a link on their homepage that allows a consumer to opt out of the sale of their data. Beginning September 1, businesses would not be allowed to sell personal data to a third party without a consumer’s consent. Third parties would not be able to further sell the data unless a consumer has received notice and opts in to the sale of their data. Businesses would not be allowed to collect personal data without first providing notice and obtaining the consumer’s consent. The bill would grant consumers a private right of action in addition to enforcement by the attorney general.
Georgia SB 473, sponsored by Sen. John Albers, R-Roswell, was referred to the Senate Science and Technology Committee on February 9, 2024 where it is scheduled for a hearing on February 15 at 2:00 PM. The bill does not apply to nonprofits. The bill would apply to a person that conducts business in the state by producing products or services targeted to consumers of the state that exceeds $25 million in revenue and that:
- Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
- Control or process the personal data of at least 175,000 consumers.
The bill would grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The bill does not contain a private right of action but does contain a 60 day right to cure.
Georgia SB 473 passed the Senate as amended by the Senate Science and Technology Committee following a 37 to 15 vote on February 27, 2024. The amendment replaces many explicit exemptions for entities regulated under federal law with a blanket statement stating that nothing in the bill would be construed to conflict with management of health records under title 31 or mandated by any other provision of federal law. The latest version also removes the exemption for nonprofits.
Georgia SB 473 passed the House Technology and Infrastructure Committee with amendments on March 20, 2024. The bill is now pending in the House Rules Committee. While the amendments have not been made available online, it was noted during the hearing that the amendments add some clean-up language regarding HIPAA, Georgia Power and the Atlanta Braves.
Georgia HB 498 passed the Senate Public Safety Committee with amendments on March 21, 2024. The bill does not apply to nonprofits. The bill previously related to funeral directors. The bill would apply to a person that conducts business in the state by producing products or services targeted to consumers of the state that exceeds $25 million in revenue and that:
- Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
- Control or process the personal data of at least 175,000 consumers.
The bill would grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The bill does not contain a private right of action but does contain a 60 day right to cure.
Hawaii SB 21, sponsored by Senate Judiciary Committee Chair Karl Rhoads, D-Honolulu, was referred to the Senate Commerce and Consumer Protection Committee on January 20, 2022. The bill would propose an amendment to the state constitution establishing the right of each person to own and have an exclusive property right in the data they generate on the internet.
Hawaii SB 974, sponsored by Senate Assistant Majority Whip Chris Lee, D-Honolulu, was filed on January 23, 2022 and has not yet been referred to a committee. The bill would grant consumers the following rights:
- The right to confirm whether or not a controller is processing the consumer’s personal data.
- The right to correct inaccuracies in the consumer’s personal data that the consumer previously provided to the controller.
- The right to delete personal data provided by or obtained about the consumer.
- The right to obtain a copy of their personal data in a format that is portable, to the extent technically feasible, is readily usable and allows the consumer to transmit the data to a controller without hindrance.
- The right to opt-out of processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without their affirmative consent. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child and precise geolocation data. The bill would require controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice. The bill would apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or process the personal data of 25,000 or more consumers and derive more than 25 percent of their gross revenue from the sale of personal data. The bill does not apply to nonprofit organizations and does not contain a private right of action. Prior to initiating any action, the Department of the Attorney General would be required to provide 30 days’ notice and provide a right to cure. A similar bill, SB 1110, sponsored by Senate Assistant Majority Whip Gilbert Keith-Agaran, D-Maui, was filed on January 23 and has not yet been referred to a committee. Notable differences found in SB 1110 include but are not limited to:
- Modifying the right to obtain a copy of their personal data by specifying that the format would be required to allow the consumer to transmit the data to another controller only where the processing is carried out by automated means.
- Specifying that the bill would apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or process the personal data of 25,000 or more consumers and derive more than 50 percent of their gross revenue from the sale of personal data.
- The inclusion of a private right of action and the absence of any right to cure provisions.
Hawaii SB 974 passed the Senate Commerce and Consumer Protection Committee with amendments on February 15, 2023. The text of amendments was not immediately available; however, during the hearing the committee noted they would be adopting the recommended amendments put forward by the attorney general.
Hawaii SB 974 passed the Senate following a 23-1 vote on March 7. Recent amendments exempt the national insurance crime bureau from the bill’s provisions and specify that if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller would be required to disclose the processing to the affected consumer.
Hawaii HB 1497, sponsored by House Speaker Scott Saiki, D-Honolulu, was referred to the House Higher Education and Technology Committee on January 30 and passed that committee with amendments on February 1. While the text of the amendment was not immediately available, the committee noted during the hearing that changes will include:
- The removal of provisions that give consumers the right to access their personal data.
- The addition of a 30-day right to cure.
- The removal of the private right of action.
The bill would grant consumers the following rights:
- The right to confirm whether or not a controller is processing the consumer’s personal data.
- The right to correct inaccuracies in the consumer’s personal data that the consumer previously provided to the controller.
- The right to delete personal data provided by or obtained about the consumer.
- The right to obtain a copy of their personal data in a format that is portable, to the extent technically feasible, is readily usable and allows the consumer to transmit the data to another controller, where the processing is carried out by automated means.
- The right to opt-out of processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without their affirmative consent. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child and precise geolocation data. The bill would require controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice. The bill would apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and that process the personal data of 100,000 or more consumers, or process the personal data of 25,000 or more consumers and derive more than 50 percent of their gross revenue from the sale of personal data. The bill does not apply to nonprofit organizations. A companion bill, SB 1110, sponsored by Senate Assistant Majority Whip Gilbert Keith-Agaran, D-Maui, was referred to the Senate Commerce and Consumer Protection Committee on January 27.
Hawaii SB 3018, sponsored by Sen. Chris Lee, D-Kailua, was filed on January 24, 2024 and has not yet been referred to a committee. The bill does not apply to nonprofits. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data provided by the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions made by the controller that result in the provision or denial of specified services including housing, insurance and education. The law does not contain a private right of action but does contain 30-day right to cure language. Other privacy bills that were recently filed include HB 1668, sponsored by Rep. Adrian Tam, D-Waikiki, which was referred to the House Higher Education and Technology Committee on January 24 and SB 2581, sponsored by Sen. Stanley Chang, D-Honolulu, which was referred to the Senate Commerce and Consumer Protection Committee on January 24. These bills would establish data broker registries.
Illinois HB 4447, sponsored by Rep. John Cabello, R-Machesney Park, was referred to the House Rules Committee on January 16, 2024. The bill would establish a data broker registry.
Illinois HB 4447 passed the House Consumer Protection Committee with an amendment on April 2, 2024.
Illinois HB 5581, sponsored by Rep. Hoan Huynh, D-Chicago, was referred to the House Rules Committee on February 9, 2024, where it awaits further assignment. The bill does not apply to nonprofits. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and during a one-year period:
- Control or process the personal data of at least 35,000 consumers excluding data processed solely for the purposes of a payment transaction.
- Control or process the personal data of not less than 10,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. A consumer would be permitted to opt out using global privacy controls. The bill does not contain a private right of action but does contain a 60-day right to cure that would expire December 31, 2025. A similar bill, SB 3517, sponsored by Sen. Sue Rezin, R-Morris, was referred to the Senate Assignments Committee.
Iowa HSB 12, sponsored by the House Economic Growth and Technology Committee, passed a subcommittee on January 23. The bill remains pending in the House Economic Growth and Technology Committee. The bill would grant consumers the following rights:
- The right to confirm whether or not a controller is processing the consumer’s personal data.
- The right to delete personal data provided by the consumer.
- The right to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller with an exception for specified personal information that is subject to security breach protection.
- The right to opt-out of processing for the purposes of targeted advertising or the sale of personal data.
Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without providing a consumer with clear notice and the opportunity to opt-out. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child and precise geolocation data. The bill would require controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice. The bill would apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and that process the personal data of 100,000 or more consumers, or process the personal data of 25,000 or more consumers and derive more than 50 percent of their revenue from the sale of personal data. The bill exempts nonprofits. The bill does not contain a private right of action but does contain a 30-day right to cure before the attorney general could initiate any action. A companion bill, SSB 1071, was referred to the Senate Technology Committee on January 23.
Louisiana HB 947, sponsored by Rep. Paula Davis, R-Baton Rouge, was referred to the House Commerce Committee on April 4, 2024. The bill does not apply to nonprofits. The bill would apply to controllers or processors that conduct business in the state or persons that produce products or services that are targeted to state residents and have an annual revenue of $25 million or more as well as meet one of the following thresholds during a calendar year:
- Control or process the personal data of at least 100,000 consumers, excluding data processed solely for the purposes of completing a payment transaction.
- Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data provided by the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or the sale of data. The bill does not contain a private right of action but does contain a 30-day right to cure.
Maine LD 1973, sponsored by Sen. Lisa Keim, R-Oxford, has been scheduled for a hearing in the Joint Judiciary Committee on October 17 at 10:00 AM. The bill does not apply to nonprofits. This omnibus privacy bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to residents of the state and that during the preceding calendar year:
- Controlled or processed the personal data of not less than 100,000 consumers.
- Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25 percent of gross revenue from the sale of personal data.
It would grant consumers the following rights:
- The right to confirm whether or not a controller is processing the consumer’s personal data and to access that personal data unless it would require the controller to reveal a trade secret.
- The right to correct inaccuracies in their personal data.
- The right to delete personal data provided by or obtained about the consumer.
- The right to obtain a copy of that data in a readily usable format.
The bill would prohibit a controller from processing the personal data of a consumer for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal or similarly significant decisions concerning the consumer unless the consumer has opted in. The bill would also require a controller, no later than July 1, 2025, to delete a consumer’s personal data for the purposes of targeted advertising or the sale of personal data if the consumer has not opted in. The platform, technology or mechanism for opting in could not unfairly disadvantage another controller or make use of a default setting. Consumers would be able to designate another person to act as their authorized agent. Controllers would be required to provide a reasonably accessible, clear and meaningful privacy notice, limit the collection to what is reasonably necessary and conduct a data protection impact assessment involving specified processing activities. The bill does not contain a private right of action but does contain a 30-day right to cure.
Another data privacy bill, LD 1977, sponsored by Rep. Margaret O’Neil, D-Saco, is also up for consideration during the same hearing. This bill contains numerous definitions that determine the applicability of the bill’s various provisions including defining a “covered entity” as a person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing or transferring covered data. “Covered entity” would also include a person that controls, is controlled by or is under common control with the covered entity. “Covered entity” would not include an entity that is acting as a service provider. The bill also contains many novel definitions that include covered high impact social media, covered algorithm, covered language, large data holder and small business. The bill would not apply to government agencies or certain persons that meet the following criteria for the preceding three calendar years:
- The person’s average annual gross revenues during the period did not exceed $20 million.
- The person, on average, did not annually collect or process the covered data of more than 75,000 individuals during the period beyond the purpose of initiating, billing for, finalizing or otherwise collecting payment for a requested service or product, as long as all covered data for that purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return policy.
- No component of the person’s revenue comes from transferring covered data during a year or part of a year if the person is an entity that has been in existence for less than one year.
The bill would prohibit a covered entity from collecting or transferring covered data unless the collection, processing or transfer is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual to whom the data pertains. The bill would specify numerous allowed purposes for the collection, processing or transferring of covered data including but not limited to the completion of a transaction, fulfillment of an order and providing first party advertising. The bill would require covered entities to obtain a consumer’s affirmative consent before engaging in or directing the transfer of covered data or engaging in targeted advertising and would also be required to provide consumers with the opportunity to opt out. The bill would also grant various individual rights involving covered data including:
- The right to access their covered data, except backup or archival data, that is collected, processed or transferred by a covered entity or service provider within the preceding 24 months in a format that an individual can understand and download from the internet. If applicable a covered entity would also be required to provide access to the categories of third parties to which the covered entity has transferred for consideration the consumer’s covered data with the option to obtain the names of third parties or service providers and description of the purpose for which the covered entity transferred the data.
- The right to correct a verifiable substantial inaccuracy, inaccuracy or substantially incomplete information.
- The right to delete covered data of the individual that is processed by the covered entity and make reasonable efforts to notify all third parties or service providers to which the covered entity transferred the covered data of the individual’s deletion request.
- The right to export to the individual or directly to another entity the covered data of an individual.
If a covered entity makes material changes to its privacy policy, it would be required to notify each affected individual prior to the change and provide them with the opportunity to withdraw their consent. The bill also imposes requirements on large data holders to annually disclose specified metrics including but not limited to the number of verified requests received to access, delete, opt out of covered data transfers, opt out of targeted advertising and the median number of days it took to substantively respond to requests. Large data holders must also provide a short-form version privacy policy of no more than 500 words and keep copies of any prior versions of their privacy policy for the past 10 years publicly accessible on their website. The bill also contains provisions that establish a data broker registry. The bill would provide for enforcement by the attorney general, district attorney or municipal counsel. The bill also contains a private right of action with damages of $5,000 per person per violation annually adjusted for inflation or actual damages, whichever is greater among other specified damages and relief.
Maine LD 1973 was heard in the Joint Judiciary Committee on October 17, 2023 and remains pending in that committee. The committee received testimony from the attorney general’s office, the Electronic Privacy Information Center (EPIC), the State Privacy and Security Coalition, and numerous Maine state associations.
Maine LD 1973 has been scheduled for a hearing in the Joint Judiciary Committee on November 8, 2023 at 1:00 PM.
Maine LD 1973 and LD 1977 were heard in the Joint Judiciary Committee on November 8, 2023. The committee heard testimony from both bill sponsors Sen. Lisa Keim, R-Oxford, and Sen. Margaret O’Neil, D-Saco, respectively, along with the Bureau of Financial Institutions, Bureau of Consumer Credit Protection, Bureau of Insurance, L.L. Bean, and Consumer Reports but did not vote on the bill. The committee also received a comparison chart prepared by committee staff comparing both bills with the Connecticut law. The committee is scheduled to meet again on November 29 at 10:00 AM and December 11 at 10:00 AM with consumer privacy expected to be on the agenda for both hearings.
LD 1973 does not apply to nonprofits; however, sponsor Senator Keim noted during the hearing that she wanted to remove this exemption.
Maine LD 1973 and LD 1977 have been scheduled for a hearing in the Joint Judiciary Committee on December 11, 2023 at 10:00 AM. LD 1973 does not apply to nonprofits; however, sponsor Sen. Lisa Keim, R-Oxford, noted during a previous hearing that she wanted to remove this exemption.
Maine LD 1973 and LD 1977 have been scheduled for a hearing in the Joint Judiciary Committee on January 11, 2024 at 1:02 PM. LD 1973 does not apply to nonprofits; however, sponsor Senator Lisa Keim, R-Oxford, noted during a previous hearing that she wanted to remove this exemption.
Maine LD 1973 and LD 1977 were heard in the Joint Judiciary Committee on January 11, 2024. The committee heard from L.L. Bean and Consumer Reports and continued work through redline amendments submitted by both bill sponsors. A comparison of the redline amendments can be found here. The committee is scheduled to consider both bills again on January 18 at 1:00 PM.
Maine LD 1973 and LD 1977 were heard in the Joint Judiciary Committee on January 18. The committee continued to work through redline changes and also heard testimony from the State Privacy and Security Coalition but did not vote on the bill during the hearing. A comparison of the redline amendments can be found here.
Maine LD 1973 and LD 1977 were heard in the Joint Judiciary Committee on February 14, 2024. The committee discussed entity level exemptions and thresholds among other provisions.
Maine LD 1973 and LD 1977 were heard in the Joint Judiciary Committee on March 14, 2024; information from the hearing was not immediately available. LD 1973 does not apply to nonprofits; however, sponsor Sen. Lisa Keim, R-Oxford, once again reiterated during this hearing that she would like to see this exemption removed.
Maine LD 1977 passed the Joint Judiciary Committee with amendments following an 8-6 party line vote on March 26, 2024. The text of the amendments was not immediately available but according to the Maine Morning Star one of the changes includes exclusive attorney general enforcement. As introduced, LD 1977 contains numerous definitions that determine the applicability of the bill’s various provisions and would define a “covered entity” as a person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing or transferring covered data. “Covered entity” would also include a person that controls, is controlled by or is under common control with the covered entity. “Covered entity” would not include an entity that is acting as a service provider. The bill also contains many novel definitions that include covered high impact social media, covered algorithm, covered language, large data holder and small business. The bill would not apply to government agencies or certain persons that meet the following criteria for the preceding three calendar years:
- The person’s average annual gross revenues during the period did not exceed $20 million.
- The person, on average, did not annually collect or process the covered data of more than 75,000 individuals during the period beyond the purpose of initiating, billing for, finalizing or otherwise collecting payment for a requested service or product, as long as all covered data for that purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return policy.
- No component of the person’s revenue comes from transferring covered data during a year or part of a year if the person is an entity that has been in existence for less than one year.
The bill would prohibit a covered entity from collecting or transferring covered data unless the collection, processing or transfer is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual to whom the data pertains. The bill would specify numerous allowed purposes for the collection, processing or transferring of covered data including but not limited to the completion of a transaction, fulfillment of an order and providing first party advertising. The bill would require covered entities to obtain a consumer’s affirmative consent before engaging in or directing the transfer of covered data or engaging in targeted advertising and would also be required to provide consumers with the opportunity to opt out. The bill would also grant various individual rights involving covered data including:
- The right to access their covered data, except backup or archival data, that is collected, processed or transferred by a covered entity or service provider within the preceding 24 months in a format that an individual can understand and download from the internet. If applicable a covered entity would also be required to provide access to the categories of third parties to which the covered entity has transferred for consideration the consumer’s covered data with the option to obtain the names of third parties or service providers and description of the purpose for which the covered entity transferred the data.
- The right to correct a verifiable substantial inaccuracy, inaccuracy or substantially incomplete information.
- The right to delete covered data of the individual that is processed by the covered entity and make reasonable efforts to notify all third parties or service providers to which the covered entity transferred the covered data of the individual’s deletion request.
- The right to export to the individual or directly to another entity the covered data of an individual.
If a covered entity makes material changes to its privacy policy, it would be required to notify each affected individual prior to the change and provide them with the opportunity to withdraw their consent. The bill would also impose requirements on large data holders to annually disclose specified metrics including but not limited to the number of verified requests received to access, delete, opt out of covered data transfers, opt out of targeted advertising and the median number of days it took to substantively respond to requests. Large data holders would also be required to provide a short-form version privacy policy of no more than 500 words and keep copies of any prior versions of their privacy policy for the past 10 years publicly accessible on their website. The bill also contains provisions that would establish a data broker registry. The bill would provide for enforcement by the attorney general, district attorney or municipal counsel. The bill also contains a private right of action with damages of $5,000 per person per violation annually adjusted for inflation or actual damages, whichever is greater among other specified damages and relief.
Maine LD 1977 passed the House with amendments following a 75-70 vote on April 16, 2024; however, the bill failed following a 15-18 vote in the Senate on April 17.
According to the Bangor Daily News, bill sponsor Rep. Maggie O’Neil, D-Saco, noted she was “disappointed” with the vote and noted that Maine retailer L.L. Bean worked to kill the bill and “was more interested in carrying water for Facebook than in meaningful protections for Mainers.”
Maryland SB 698, sponsored by Senate President Pro Tempore Malcolm Augustine, D-Cheverly, was referred to the Senate Finance Committee on February 6 and has been scheduled for a hearing in that committee on March 8 at 1:00 PM. While the bill text was not immediately available, the bill summary states, “Establishing generally the manner in which a controller or a processor may process a consumer’s personal data; authorizing a consumer to exercise certain rights in regards to the consumer’s personal data; requiring a controller of personal data to establish a method for a consumer to exercise certain rights in regards to the consumer’s personal data; regulating the use of biometric data by a controller; etc.” A companion bill, HB 807, sponsored by Del. Sara Love, D-Bethesda, was referred to the House Economic Matters Committee on February 8 and also does not currently have any associated bill text.
Maryland HB 807, sponsored by Del. Sara Love, D-Bethesda, has been scheduled for a hearing in the House Economic Matters Committee on February 22 at 1:00 PM. The bill would grant consumers the following rights:
- The right to confirm whether a controller is processing the consumer’s personal data.
- The right to access their data if a controller is processing a consumer’s personal data.
- The right to correct inaccuracies in the consumer’s personal data that the consumer previously provided to the controller.
- The right to delete personal data provided by or obtained about the consumer.
- The right to obtain a copy of their personal data in a format that is portable, to the extent technically feasible, is readily usable and allows the consumer to transmit the data to another controller, where the processing is carried out by automated means.
- The right to opt-out of processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without their affirmative consent. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child and precise geolocation data. The bill would apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and that process the personal data of 100,000 or more consumers, or process the personal data of 25,000 or more consumers and derive more than 25 percent of their revenue from the sale of personal data. The bill does apply to nonprofit organizations but does contain a private right of action. A companion bill, SB 698, sponsored by Senate President Pro Tempore Malcolm Augustine, D-Cheverly, was referred to the Senate Finance Committee on February 6 and has been scheduled for a hearing in that committee on March 8 at 1:00 PM.
Maryland HB 567, sponsored by Del. Sara Love, D-Potomac, was referred to the House Economic Matters Committee on January 24, 2024. Nonprofits are not exempt from the bill. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of at least 35,000 consumers, excluding data processed solely for the purposes of completing a payment transaction.
- Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. A consumer would be permitted to opt out using global privacy controls. The bill contains a private right of action with no right to cure language. A companion bill, SB 541, sponsored by Sen. Dawn Gile, D-Severna Park, has been scheduled for a hearing in the Senate Finance Committee on February 14 at 1:00 PM.
Maryland HB 567 was heard in the House Economic Matters Committee on February 13, 2024. The committee heard testimony from the State Privacy and Security Coalition and the Computer and Communications Industry Association, among others, but did not vote on the bill during the hearing. A companion bill, SB 541, sponsored by Sen. Dawn Gile, D-Severna Park, was heard in the Senate Finance Committee. The committee took testimony from the bill sponsor, Electronic Privacy Information Center, the State Privacy and Security Coalition, TechNet and NetChoice, among others, but did not vote on the bill during the hearing.
Maryland HB 567 passed the House Economic Matters Committee with amendments on March 14, 2024. Nonprofits are not exempt from the bill. The amendments would, in part, add limited exemption language for HIPAA, specify that required data protection assessments would apply to processing activities that occur on or after October 1, 2025 and make changes to provisions around loyalty programs, including specifying that the sale of personal data would not be considered functionally necessary to provide a loyalty program, among other changes.
A companion bill, SB 541, passed the Senate Finance Committee with amendments on March 11. The amendments would, in part, add limited exemption language for HIPAA, specify that required data protection assessments would apply to processing activities that occur on or after October 1, 2025 and add exemptions for nonprofit entities that assist with investigating insurance fraud or first responders in responding to disaster events.
Maryland HB 567 passed the House following a 105-32 vote on March 18, 2024 and is now pending in the Senate Finance Committee where the bill has been scheduled for a hearing on March 21 at 1:00 PM. A companion bill, SB 541, passed the Senate on March 14 and is now pending in the House Economic Matters Committee.
Maryland HB 567 was heard in the Senate Finance Committee on March 21, 2024, where the committee briefly heard from bill sponsor Del. Sara Love, D-Bethesda, but did not vote on the bill.
A similar bill, HB 567, passed the Senate with amendments following a 42-2 vote on April 5 and the Senate concurred with those amendments on April 8. The bill is also now pending delivery to Governor Moore. Nonprofits are not exempt from the bill.
Massachusetts HB 83, which contains similar provisions to Maine LD 1977, has been scheduled for a hearing in the Joint Advanced Information Technology, the Internet and Cybersecurity Committee on October 19, 2023 at 1:00 PM. This bill contains numerous definitions that determine the applicability of the bill’s various provisions including defining a “covered entity” as a person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing or transferring covered data. “Covered entity” would also include a person that controls, is controlled by or is under common control with the covered entity. “Covered entity” would not include an entity that is acting as a service provider. The bill also contains many novel definitions that include covered high impact social media, covered algorithm, covered language, large data holder and small business. The bill would not apply to government agencies or certain persons that meet the following criteria for the preceding three calendar years:
- The person’s average annual gross revenues during the period did not exceed $20 million.
- The person, on average, did not annually collect or process the covered data of more than 75,000 individuals during the period beyond the purpose of initiating, billing for, finalizing or otherwise collecting payment for a requested service or product, as long as all covered data for that purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return policy.
- No component of the person’s revenue comes from transferring covered data during a year or part of a year if the person is an entity that has been in existence for less than one year.
The bill would prohibit a covered entity from collecting or transferring covered data unless the collection, processing or transfer is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual to whom the data pertains. The bill would also grant various individual rights involving covered data including:
- The right to access their covered data, except back up or archival data, that is collected, processed or transferred by a covered entity or service provider within the preceding 24 months in a format that an individual can understand and download from the internet. If applicable a covered entity would also be required to provide access to the categories of third parties to which the covered entity has transferred for consideration the consumer’s covered data with the option to obtain the names of third parties or service providers and description of the purpose for which the covered entity transferred the data.
- The right to correct a verifiable substantial inaccuracy, inaccuracy or substantially incomplete information.
- The right to delete covered data of the individual that is processed by the covered entity and make reasonable efforts to notify all third parties or service providers to which the covered entity transferred the covered data of the individual’s deletion request.
- The right to export to the individual or directly to another entity the covered data of an individual.
- The right to opt out of covered data transfers and targeted advertising.
If a covered entity makes material changes to its privacy policy it would be required to notify each affected individual prior to the change and provide them with the opportunity to withdraw their consent. The bill also imposes requirements on large data holders to annually disclose specified metrics including but not limited to the number of verified requests received to access, delete, opt out of covered data transfers, opt out of targeted advertising and the median number of days it took to substantively respond to requests. Large data holders must also provide a short-form version privacy policy of no more than 500 words and keep copies of any prior versions of their privacy policy for the past 10 years publicly accessible on their website. The bill also contains provisions that establish a data broker registry. The bill would provide for enforcement by the attorney general but also contains a private right of action permitting the court to award damages of $15,000 per person per violation annually adjusted for inflation or liquidated damages of not less than 0.15 percent of annual global revenue, whichever is greater among other specified damages and relief. A companion bill, SB 25, is also up for consideration during the hearing.
Another similar privacy bill, HB 60, has been scheduled for consideration during the same hearing. This bill does not apply to nonprofits but would grant consumers various rights including the right to opt out of the processing of their data for the purposes of the sale of their data, targeted cross contextual advertising and targeted first party advertising. The bill contains a limited private right of action for data breaches and contains 30 day right to cure language. A companion bill, SB 227, has been scheduled for a hearing in the Joint Economic Development and Emerging Technologies Committee on October 19 at 10:00 AM.
Massachusetts HB 83, which contains similar provisions to LD 1977, was heard in the Joint Advanced Information Technology, the Internet and Cybersecurity Committee on October 19, 2023 and is awaiting further action. The committee took testimony from Consumer Reports, Accountable Tech and the State Privacy and Security Coalition, among others, but did not vote on the bill during the hearing. A companion bill, SB 25, was also heard and remains pending in that committee.
Another similar privacy bill, HB 60, was considered during the same hearing. This bill does not apply to nonprofits, but would grant consumers various rights, including the right to opt out of the processing of their data for the purposes of the sale of their data, targeted cross contextual advertising and targeted first party advertising. The bill contains a limited private right of action for data breaches and contains a 30 day right to cure. A companion bill, SB 227, was heard in the Joint Economic Development Committee on that same day and is awaiting further action.
Massachusetts HB 1555 has been scheduled for a hearing in the Joint Judiciary Committee on November 21, 2023 at 10:00 AM. The bill would apply to nonprofits. This broad privacy bill, which would establish an internet bill of rights, would require that personal data be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to purposes for which it is processed.
- Accurate and where necessary kept up to date.
- Kept in a form that permits identification of data subjects for no longer than is necessary.
- Processed in a manner that ensures appropriate security.
Processing of personal data would only be legal if at least one of the following applies:
- The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary in order to protect the vital interests of the data subject or another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Data subjects would also be entitled to correct inaccurate personal information, obtain a copy of the personal data being processed or the erasure of their personal data without undue delay. The bill would provide that anyone who has suffered material or non-material damage under the bill has the right to receive compensation from the controller or processor.
Massachusetts SB 227 has been scheduled for a hearing in the Joint Advanced Information Technology, Cybersecurity and the Internet Committee on February 2, 2024 at 10:00 AM. This bill does not apply to nonprofits, but would grant consumers various rights, including the right to opt out of the processing of their data for the purposes of the sale of their data, targeted cross contextual advertising and targeted first party advertising. The bill contains a limited private right of action for data breaches and contains a 30 day right to cure. A companion bill, HB 60, remains pending in that committee.
Massachusetts HB 4632 passed the Joint Advanced Information Technology, the Internet and Cybersecurity Committee on May 13 and is now pending in the House Ways and Means Committee. The bill is the new draft of several privacy bills including HB 60, HB 63, HB 80, HB 83 and SB 227. The bill, to be known as the “Massachusetts Data Privacy Act,” contains numerous definitions that determine the applicability of the bills’ various provisions and would define a “covered entity” as a person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing or transferring covered data. “Covered entity” would also include a person that controls, is controlled by or is under common control with the covered entity. “Covered entity” would not include an entity that is acting as a service provider. The bill also contains many novel definitions that include covered high impact social media, covered algorithm, covered language, large data holder and small business. The bill would not apply to government agencies or certain persons that meet the following criteria for the preceding three calendar years:
- The person’s average annual gross revenues during the period did not exceed $20 million.
- The person, on average, did not annually collect or process the covered data of more than 75,000 individuals during the period beyond the purpose of initiating, billing for, finalizing or otherwise collecting payment for a requested service or product, as long as all covered data for that purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return policy.
- No component of the person’s revenue comes from transferring covered data during a year or part of a year if the person is an entity that has been in existence for less than one year.
The bill would prohibit a covered entity from collecting or transferring covered data unless the collection, processing or transfer is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual to whom the data pertains. The bill would specify numerous allowed purposes for the collection, processing or transferring of covered data including but not limited to the completion of a transaction, fulfillment of an order and providing first party advertising. The bill would require covered entities to obtain a consumer’s affirmative consent before engaging in or directing the transfer of covered data or engaging in targeted advertising and would also be required to provide consumers with the opportunity to opt out. The bill would also grant various individual rights involving covered data including:
- The right to access their covered data, except back up or archival data, that is collected, processed or transferred by a covered entity or service provider within the preceding 24 months in a format that an individual can understand and download from the internet. If applicable a covered entity would also be required to provide access to the categories of third parties to which the covered entity has transferred for consideration the consumer’s covered data with the option to obtain the names of third parties or service providers and description of the purpose for which the covered entity transferred the data.
- The right to correct a verifiable substantial inaccuracy, inaccuracy or substantially incomplete information.
- The right to delete covered data of the individual that is processed by the covered entity and make reasonable efforts to notify all third parties or service providers to which the covered entity transferred the covered data of the individual’s deletion request.
- The right to export to the individual or directly to another entity the covered data of an individual.
If a covered entity makes material changes to its privacy policy, it would be required to notify each affected individual prior to the change and provide them with the opportunity to withdraw their consent. The bill would also impose requirements on large data holders to annually disclose specified metrics, including but not limited to, the number of verified requests received to access, delete, opt out of covered data transfers, opt out of targeted advertising and the median number of days it took to substantively respond to requests. Large data holders would also be required to provide a short-form version privacy policy of no more than 500 words and keep copies of any prior versions of their privacy policy for the past 10 years publicly accessible on their website. The bill also contains provisions that would establish a data broker registry. The bill would provide for enforcement by the attorney general, district attorney or municipal counsel. The bill also contains a private right of action with damages of $5,000 per person per violation annually adjusted for inflation or actual damages, whichever is greater among other specified damages and relief. A similar privacy bill, SB 2770, which is the new draft of SB 25, passed the Joint Advanced Information Technology, the Internet and Cybersecurity Committee on May 9 and is now pending in the Senate Ways and Means Committee.
Michigan SB 655, sponsored by Sen. Rosemary Bayer, D-West Bloomfield, was referred to the Senate Finance, Insurance and Consumer Protection Committee on November 9, 2023. The Michigan legislature has adjourned for the year but the bill will carry over. The bill would apply to nonprofits. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derives any revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer and the right to opt out of processing for the purposes of targeted advertising and the sale of personal data. The bill contains a private right of action but also contains 30-day right to cure provisions.
Minnesota SF 950, sponsored by Sen. Eric Lucero, R-St. Michael, was referred to the Senate Commerce and Consumer Protection Committee on January 30. The bill would prohibit a business from collecting, using or disclosing a consumer’s personal information without the consumer’s consent. In order to receive a consumer’s consent a business would be required, at or before the point of collection, to notify the consumer of:
- The categories of personal information the business collects about the consumer.
- The categories of sources from which the business collects the personal information about the consumer.
- The purpose of collecting each category of personal information.
- The categories of persons to which the personal information could be disclosed and the purpose for the disclosure, for each category of personal information.
A business would not be permitted to collect additional categories of personal information or disclose additional personal information without providing notice and obtaining the consumer’s consent. The bill would define business to mean “an individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, or any other legal or commercial entity that is organized or operated for the profit or financial benefit of the business’s shareholders or other owners.” The bill would define personal information to mean “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” The bill contains a private right of action. It does not currently have a companion.
Minnesota HF 1367, sponsored by Rep. Mohamud Noor, DFL-Minneapolis, was referred to the House Commerce, Finance and Policy Committee on February 6. The bill would require a business that collects personal information about a consumer to notify a consumer at or before the point of collection of the following:
- The categories of personal information the business collects about the consumer.
- The categories of sources from which the business collects the personal information.
- The business or commercial purpose for collecting each category of personal information.
- The service providers that each category will be shared with and the business purpose for the disclosure.
- The consumer’s right to access personal information.
- The consumer’s right to deletion of personal information.
A business that sells personal information to a third party would be required to notify the consumer regarding the categories of information that could be sold, the categories of third parties to which the information could be sold and that they have the right to opt-out of the sale. The third party would be prohibited from selling the information unless the consumer has received explicit notice and is afforded the opportunity to opt-out. Businesses must provide at least two designated request addresses including a conspicuous link on the website homepage titled “Do Not Sell My Personal Information.” The bill contains a private right of action. Last session, an identical bill, SF 36, also sponsored by Representative Noor, failed to advance.
Minnesota HF 2309, sponsored by Rep. Steve Elkins, DFL-Bloomington, was considered during a special meeting of the Legislative Commission on Data Practices. The committee heard testimony from the National Conference of State Legislatures, Consumer Reports, The State Privacy and Security Coalition and the Future of Privacy Forum. The bill remains pending in the House Commerce Finance and Policy Committee. The legislature is scheduled to begin its legislative session on February 12, 2024. The bill contains a delayed effective date that would apply to nonprofits beginning July 31, 2028. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similar significant effects. If a consumer’s data is profiled in furtherance of these effects a consumer would have the right to question the result of the profiling and be informed of the reason why the profiling resulted in the decision and the actions the consumer could have taken to receive a different decision. The bill contains a time limited 30-day right to cure until January 31, 2026. A companion bill, SF 2915, remains pending in the Senate Commerce and Consumer Protection Committee.
Minnesota HF 2309 passed the House Commerce Finance and Policy Committee with an amendment on February 26, 2024. The amendment makes numerous changes including adding language regarding dark patterns, adding an exemption and requirements for small businesses and changing the effective date to July 1, 2025, among other changes. The bill contains a delayed effective date that would apply to nonprofits beginning July 31, 2029.
Minnesota HF 2309 passed the House Judiciary, Finance and Civil Law Committee with an amendment on March 5, 2024. The amendment makes changes to the definition of geolocation information.
Minnesota SF 2915 has been scheduled for a hearing in the Senate Judiciary and Public Safety Committee on March 18, 2024 at 12:30 PM. The bill contains a delayed effective date that would apply to nonprofits beginning July 31, 2029. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similar significant effects. If a consumer’s data is profiled in furtherance of these effects a consumer would have the right to question the result of the profiling and be informed of the reason why the profiling resulted in the decision and the actions the consumer could have taken to receive a different decision. The bill contains an exemption and requirements for small businesses. The bill also contains a time limited 30-day right to cure until January 31, 2026.
Minnesota SF 2915 was heard in the Senate Judiciary and Public Safety Committee on March 20, 2024; the committee considered proposed amendments, but no action was taken during the hearing.
Minnesota SF 2915 passed the Senate Judiciary and Public Safety Committee on March 21, 2024. The amendments, in part, would add language giving consumers the right to request the specific third parties to which the controller disclosed their personal information. If the controller does not maintain this data, it would be able to substitute a list of specific third parties where a controller has disclosed any consumers’ personal information. The amendment would also permit consumers to designate an authorized agent which could include either another person or various technologies such as a global device or browser setting.
A companion bill, HF 2309, passed the House State and Local Government Finance and Policy Committee with an amendment on March 12 and is now pending in the House Ways and Means Committee.
Minnesota SF 2915 has been scheduled for a hearing in the Senate State and Local Government and Veterans Committee on April 5, 2024 at 11:30 AM. The bill contains a delayed effective date that would apply to nonprofits beginning July 31, 2029.
A companion bill, HF 2309, passed the House State and Local Government Finance and Policy Committee with an amendment on March 12 and is now pending in the House Ways and Means Committee.
Minnesota SF 2915 passed the Senate State and Local Government and Veterans Committee with amendments on April 5.
Minnesota SF 5301 was heard in the Senate Finance Committee on April 19, 2024 where it remains pending. The committee heard testimony from Commerce Commissioner Grace Arnold among others. This omnibus commerce bill contains privacy provisions previously found in SF 2915. Nonprofits are not exempt from the bill. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similar significant effects. If a consumer’s data is profiled in furtherance of these effects a consumer would have the right to question the result of the profiling and be informed of the reason why the profiling resulted in the decision and the actions the consumer could have taken to receive a different decision. The bill contains an exemption and requirements for small businesses and also contains a time limited 30-day right to cure until January 31, 2026.
Minnesota HF 5295 passed the House Commerce Finance and Policy Committee on April 24, 2024 and is now pending in the House Ways and Means Committee. This commerce supplemental budget bill contains privacy provisions previously found in SF 2915. Nonprofits are not exempt from the bill. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similar significant effects. If a consumer’s data is profiled in furtherance of these effects, a consumer would have the right to question the result of the profiling and be informed of the reason why the profiling resulted in the decision and the actions the consumer could have taken to receive a different decision. The bill contains an exemption and requirements for small businesses and also contains a time limited 30-day right to cure until January 31, 2026. A companion bill, SF 5301, was heard in the Senate Finance Committee on April 19 where it remains pending.
Omnibus privacy provisions have also been included in the agriculture, commerce, and energy supplemental budget bill, HF 4975, which passed the House Ways and Means Committee on April 29 and is now pending on the House floor. A Senate companion, SF 4942, passed the Senate Finance Committee on April 24 and is pending on the Senate floor.
Minnesota SF 4942 passed the Senate on May 6, 2024, and has been placed on the House calendar for a final vote on May 9. This commerce supplemental budget bill contains privacy provisions previously found in SF 2915. Nonprofits are not exempt from the bill. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data concerning the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similar significant effects. If a consumer’s data is profiled in furtherance of these effects, a consumer would have the right to question the result of the profiling and be informed of the reason why the profiling resulted in the decision and the actions the consumer could have taken to receive a different decision. The bill contains an exemption and requirements for small businesses and also contains a time limited 30-day right to cure until January 31, 2026. A companion bill, HF 4975, was indefinitely postponed on May 7.
Minnesota SF 4942 passed the House on May 9, 2024; however, the Senate refused to concur with House amendments and so the bill is now pending in conference committee.
Missouri SB 731 was prefiled on December 1, 2023. The legislature is scheduled to convene its 2024 session on January 3. The bill would not apply to nonprofits. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents, have annual revenue of $25 million or more and satisfy one of the following conditions:
- Control or process the personal data of 100,000 or more consumers.
- Control or process the personal data of 25,000 or more consumers and derive more than 50 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data provided by the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising. The law does not contain a private right of action but does contain 30-day right to cure language.
Nebraska LB 1294, sponsored by Sen. Eliot Bostar of Lincoln, was referred to the Banking, Commerce and Insurance Committee on January 17, 2024. Senator Bostar is a member of the committee. The bill has been scheduled for a hearing in that committee on January 30 at 1:30 PM. Nonprofits are exempt from the bill. The bill, to be known as the Data Privacy Act, would apply to a person that:
- Conducts business in this state or produces a product or service consumed by residents of this state.
- Processes or engages in the sale of personal data.
- Is not a small business as determined under the federal Small Business Act, as such act existed on January 1, 2024.
The bill would grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale or sharing of their personal data, the right to opt out of processing for the purposes of targeted advertising, data sale or profiling in furtherance of a decision that produces legal or similarly significant effects. The law does not contain a private right of action but does contain 30-day right to cure language.
New Hampshire HB 314, sponsored by Rep. Keith Erf, R-Weare, was referred to the House Judiciary Committee on January 9. The bill has been scheduled for a hearing in that committee on January 19 at 10:00 AM. A prior bill, HB 597, also sponsored by Representative Erf, passed the House last session.
New Hampshire LSR 2025-246, sponsored by House Judiciary Committee Chair Bob Lynn, R-Windham, was filed for the upcoming 2025 session, which is scheduled to begin on January 8. This legislative service request has no text yet available; according to its title, it would regard “the expectation of privacy in the collection and use of personal information.”
New Jersey AB 4811, sponsored by Asm. Bill Moen, D-Camden, was referred to the Assembly Science, Innovation and Technology Committee on October 20, 2022. The bill would require the Division of Consumer Affairs to establish and maintain a data broker registry. Data brokers would be required to pay a registration fee of $100 per year and provide the following information:
- The name and primary physical, email and internet addresses of the data broker.
- Whether the data broker permits a consumer to opt-out of the data brokers’ collection practices including the method to request an opt-out.
- A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out.
- Whether the data broker uses a credentialing process for purchasers of the data.
- Any information the data broker has about the security breaches it has experienced.
- A separate statement detailing the data collection practices, database sales activities, and opt out methods that are applicable to minors as well as whether the data broker has any knowledge that it possesses the brokered personal information of minors.
- Any information the division deems appropriate to implement.
Brokered personal information would include but not be limited to: name, address, date of birth, unique biometric data and social security number. Data brokers would not include e-commerce platforms, 411 directory assistance services, providing publicly available information related to a consumer’s business or profession, and providing publicly available information via real time alert services for health and safety purposes.
New Jersey SB 2349, sponsored by Sen. John McKeon, D-West Orange, would, in part, set up a data broker registry and was referred to the Senate Commerce Committee on January 29, 2024. A companion bill, AB 2184, is pending in the Assembly Consumer Affairs Committee.
New Jersey AB 4045 passed the Assembly State and Local Government Committee with amendments on March 11, 2024 and is now pending in the Assembly Appropriations Committee. This bill would make broad changes to the state’s public records law, including in part prohibiting public records requests made by or for data brokers and would prohibit data obtained through records requests from being sold. The bill also contains a data broker registry requirement. A companion bill, SB 2930, passed the Senate Budget and Appropriations Committee on March 11. According to The New York Times, the bill is moving on an “unusually fast track” and could be on the desk of Democratic Gov. Phil Murphy in less than two weeks.
New Jersey SB 2980 was referred to the Senate Law and Public Safety Committee on March 18, 2024. The bill would prohibit persons, state and local agencies, and businesses from posting or publishing on the Internet the home addresses or unpublished home telephone numbers of members of the Armed Forces of the United States or the New Jersey National Guard. The bill would also prohibit persons, businesses, and associations from disclosing on the Internet the home address or unpublished home telephone number of a member of the Armed Forces of the United States or the New Jersey National Guard under circumstances in which a reasonable person would believe that providing that information would expose another to harassment or risk of harm to life or property. The bill would define disclosure as soliciting, selling, manufacturing, giving, providing, lending, trading, mailing, delivering, transferring, publishing, distributing, circulating, disseminating, presenting, exhibiting, advertising or offering.
New Jersey AB 4741, sponsored by Assembly Deputy Speaker Herb Conway Jr., D-Delran, and Assembly Deputy Majority Leader William Moen, D-Barrington, was referred to the Assembly Science, Innovation and Technology Committee on September 12, 2024. The bill would amend the state’s current data privacy law to require a controller or processor to deidentify personal data before the data is sold. The bill would also prohibit the reidentification of previously deidentified data before or after data sale. Controllers and processors would also be prohibited from providing a third party with the means to reidentify the data or engaging a third party for the purposes of reidentifying the data.
New York SB 365, sponsored by Senate Consumer Protection Committee Chair Kevin Thomas, D-Levittown, was referred to that committee on January 4, 2023. This bill, to be known as the New York Privacy Act, would require a controller to facilitate certain consumer rights including:
- The right to confirm if a consumer’s personal data is being processed and to obtain access to the data.
- The right to correct inaccurate consumer personal data.
- The right to delete the consumer’s personal data if certain conditions are met.
- The right to opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similar significant effects concerning the consumer.
- The right to obtain a copy of the consumer’s personal data in a structured, commonly used and machine-readable format.
When a consumer objects, the consumer would be required to communicate the consumer’s objection to any third parties. The bill would define personal data to include any information relating to an identified or identifiable natural person but would not include de-identified data. The bill contains a private right of action and does not exempt nonprofits.
New York SB 365 passed that committee on April 25, 2023. An identical bill from last year, SB 6701, also sponsored by Senator Thomas, did not advance last session.
New York SB 365 passed the Senate Internet and Technology Committee with amendments on May 22, 2023 and is now pending in the Senate Finance Committee. The amendments in part exempt nonprofits and remove the private right of action.
New York SB 365 was amended and re-referred to the Senate Finance Committee on June 4, 2023. The amendment in part removes language relating to automated decision making.
New York SB 365 passed the Senate on June 8, 2023 and was referred to the Assembly Consumer Affairs and Protection Committee. The legislature adjourned for the year on June 10; however, the bill will carry over. The bill does not apply to nonprofits.
The bill also contains provisions that require data brokers to annually register with the attorney general. The bill does not contain a private right of action. A similar bill, AB 7423, which will also carry over, covers nonprofits and was amended and re-referred to the Assembly Codes Committee on June 5, 2023.
New York SB 365 passed that committee on February 6, 2024 and is now pending in the Senate Internet and Technology Committee. During the brief hearing, Senator Thomas was asked specifically about nonprofits not being exempted, and he pointed to the consumer and revenue threshold provisions, noting those alone would exempt many nonprofits. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Have annual gross revenues of more than $25 million.
- Control or process the personal data of 50,000 or more consumers.
- Derive more than 50 percent of gross revenue from the sale of personal data.
When a consumer objects, the consumer would be required to communicate the consumer’s objection to any third parties. The bill also contains provisions that require data brokers to annually register with the attorney general. The bill does not have a companion.
New York SB 365 passed the Senate on June 3, 2024 and is now pending in the Assembly Consumer Affairs and Protection Committee.
Another omnibus privacy bill, Rhode Island HB 7787, has been scheduled for a hearing in the House Innovation, Internet and Technology Committee on June 6 at 3:45 PM.
New York AB 417, sponsored by Assembly Consumer Affairs and Protection Committee Chair Nily Rozic, D-Queens, was referred to that committee on January 9. The bill, to be known as the “Right to Know Act,” would require a business that retains a customer’s personal information to make that information available to the customer free of charge upon request. If a business discloses the information to third parties it would be required to provide the names and contact information of the third parties that received the information and the categories of personal information that were disclosed. Personal information would include but is not limited to identity information such as name, alias nicknames and usernames as well as physical addresses, email addresses, telephone numbers and birthdate or age.
New York SB 2277, sponsored by Sen. Brian Kavanagh, D-New York City, was referred to the Senate Internet and Technology Committee on January 19. The bill, to be known as the “Digital Fairness Act,” would specify that covered entities are required to make both a long form and short form privacy policy, which could be no more than 500 words long, persistently and conspicuously available. A covered entity would be required to ensure that individuals interact with the short form privacy policy upon their first visit to the covered entity’s website or mobile application. A covered entity would be required to obtain freely given, specific, informed and unambiguous opt-in consent before processing an individual’s personal information or making changes in the processing of their personal information. The option to withhold consent would be required to be as prominently displayed as the option to consent and the covered entity must provide a mechanism for an individual to withdraw consent. Interaction with the entity’s terms of service or privacy policy would not constitute opt-in consent. Covered entities would be prohibited from discriminating against individuals who do not opt in but would be able to process information to operate a loyalty program provided the information is only processed for the operation of the program and opt-in consent is obtained.
A covered entity would be required to respond to verified requests from individuals no later than 90 days after they are received. A covered entity would be prohibited from disclosing captured personal data to third parties unless the third party is contractually bound to meet the same privacy and security obligations as the covered entity. A covered entity would be prohibited from processing information it has obtained from third parties unless it has obtained an individual’s opt-in consent. Individuals aged 13 and older would be able to exercise rights granted under the bill’s provisions. The bill would provide a private right of action with liquidated damages of $10,000 per violation or actual damages, whichever is greater. The bill would also allow the attorney general, city attorney or district attorney to initiate an action with court penalties that could include injunctive relief or fines of $25,000 or four percent of annual revenue, whichever is greater. The bill does not currently have a companion. A prior bill, AB 6042, sponsored by Asm. Catalina Cruz, D-Queens, died in the Assembly Consumer Affairs and Protection Committee last session.
New York SB 3163, sponsored by Senate Judiciary Committee Chair Brad Hoylman, D-New York City, was referred to the Senate Consumer Protection Committee on January 30.
The bill, to be known as the “Right to Know Act,” would require a business that retains a customer’s personal information to make that information available to the customer free of charge upon request. If a business discloses the information to third parties it would be required to provide the names and contact information of the third parties that received the information and the categories of personal information that were disclosed. Personal information would include but is not limited to identity information such as name, alias nicknames and usernames as well as physical addresses, email addresses, telephone numbers and birthdate or age. A companion bill, AB 417, sponsored by Assembly Consumer Affairs and Protection Committee Chair Nily Rozic, D-Queens, was referred to that committee on January 9.
New York AB 3593, sponsored by Asm. Linda Rosenthal, D-New York City, was referred to the Assembly Consumer Affairs and Protection Committee on February 3. The bill does not currently have a companion.
New York AB 6319, sponsored by Asm. Michaelle Solages, D-Valley Stream, was referred to the Assembly Science and Technology Committee on April 3, 2023. This privacy bill is identical to the federal American Data Privacy Protection Act, which was introduced in Congress last session. The bill does not currently have a companion.
New York SB 8305 was amended and re-referred to the Senate Finance Committee on March 11, 2024. This budget bill now contains privacy provisions found in SB 365. Nonprofits are not exempt from the bill. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Have annual gross revenues of more than $25 million.
- Control or process the personal data of 50,000 or more consumers.
- Derive more than 50 percent of gross revenue from the sale of personal data.
This bill, to be known as the New York Privacy Act, would require a controller to facilitate certain consumer rights including:
- The right to confirm if a consumer’s personal data is being processed and provide access to the data.
- The right to correct inaccurate consumer personal data.
- The right to delete the consumer’s personal data if certain conditions are met.
- The right to opt-out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similar significant effects concerning the consumer.
- The right to obtain a copy of the consumer’s personal data in a structured, commonly used and machine-readable format.
When a consumer objects, the consumer would be required to communicate the consumer’s objection to any third parties. The bill would define personal data to include any information relating to an identified or identifiable natural person but would not include de-identified data. The bill also contains provisions that require data brokers to annually register with the attorney general. The bill also contains provisions relating to the protection of child data and cybersecurity.
North Carolina SB 525, sponsored by Sen. Bobby Hanig, R-Powell’s Point, was referred to the Senate Rules and Operations Committee on April 4, 2023.
Ohio HB 376, sponsored by Rep. Rick Carfagna, R-Genoa Township, passed the House Government Oversight Committee with a substitute on February 9, 2022. The bill has support of Republican Gov. Mike DeWine.
The bill (the Ohio Personal Privacy Act) would grant consumers:
- the right to obtain a copy of their personal data
- the right to deletion of any personal data collected for a business purpose
- the right to have any inaccurate personal information corrected
- the right to opt-out of the sale of their personal information.
The bill would apply to businesses that satisfy one or more of the following three criteria: Annual gross revenues exceeding $25 million; Processes or controls the data of 100,000 or more consumers; Derives over half of its revenue from the sale of personal data and processes or controls data on 25,000 or more consumers.
Significantly, the bill contains a private right of action.
Ohio HB 345, sponsored by Rep. Thomas Hall, R-Madison Township, was introduced on November 29, 2023 and has not yet been referred to a committee. The bill does apply to nonprofits. This privacy bill would apply to businesses that conduct business in this state, or produce products or services targeted to consumers in this state, and meet one or more of the following criteria:
- Has annual gross revenues in excess of $25 million.
- Controls or processes the personal data of 100,000 or more consumers during the calendar year.
- Derives over 50 percent of its gross revenue from the sale of personal data and controls or processes the data of 25,000 or more consumers.
It would grant consumers various rights including, but not limited to, the right to delete personal data, obtain a copy of that data, and request that a business not sell their data or process it for the purposes of targeted advertising. Controllers would be required to provide a reasonably accessible, clear and meaningful privacy policy. The bill does not contain a private right of action but does contain a 30-day right to cure. The bill would also specify that a business has an affirmative defense against violations if that business creates, maintains and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0” and provides individuals with the rights specified in the bill.
Oklahoma HB 1030, sponsored by Rep. Josh West, R-Grove, was prefiled on January 4. The legislature is scheduled to convene its 2023 session on February 6. The bill is identical to the engrossed version of HB 2969, sponsored by former Rep. Colin Walke, D-Oklahoma City, which passed the House last session but did not advance further. This broad privacy bill would in part require businesses that meet the specified threshold to:
- Notify consumers on its website that they have the right to opt-in to the sale of their personal data and provide a method to do so.
- Obtain a consumer’s consent before collecting their personal data.
- Upon consumer request, disclose personal data as well as the data that is shared and the categories of parties with whom the information was shared.
- Delete data, including data that was shared with third parties, upon consumer request.
- Respond to requests within 45 days with extensions.
The bill would prohibit a business from:
- Sharing personal data to third parties unless it is necessary to provide a requested good or service or for security purposes.
- Denying services or altering prices based on a consumer’s rights granted in the measure.
The bill does not apply to nonprofits and does not contain a private right of action.
Oklahoma HB 1030 passed the House with amendments following an 84 to 11 vote on March 8, 2023 and is now pending in the Senate. The amendment changes the effective date of the bill to one year after enactment. This opt-in privacy bill would apply to a business that does business in this state, collects consumers’ personal information or has that information collected on the business’ behalf, alone or in conjunction with others, determines the purpose for and means of processing consumers’ personal information, and satisfies one or more of the following thresholds:
- Annual gross revenue in an amount that exceeds $15 million.
- Alone or in combination with others, annually buys, sells or receives or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices.
- Derives 25 percent or more of the business’ annual revenue from selling consumers’ personal information.
It would also apply to an entity that controls or is controlled by a business as described above and that shares the same or substantially similar brand name and/or common database for consumers’ personal information. The bill would require businesses to notify consumers on their websites that they have the right to opt in to the sale of their personal data and provide a method to do so. Businesses would also be required to obtain a consumer’s consent before collecting their personal data. The bill does not contain a private right of action.
Pennsylvania HB 2202 was heard in the House Consumer Affairs Committee on May 25; the committee took testimony from Microsoft and SPSC, among others, but did not vote on the bill during the hearing. This broad privacy bill would grant consumers various rights including the right to:
- Know whether a business is processing personal information about the consumer.
- Know whether their personal information is processed for the purposes of targeted advertising or the sale of personal information.
- Decline or opt out of the processing of personal information for specified purposes including targeted advertising.
- Access, correct, and delete their information.
The bill does not include a private right of action.
The bill would specify that personal information processed by a business or service provider could be processed only to an extent that is necessary, reasonable and proportionate for an authorized purpose. The bill would not include a private right of action. The bill would only apply to businesses that have annual gross revenues of more than $20 million, buy, receive, sell or share the data of 100,000 or more consumers, or derive 50 percent or more of their annual revenue from selling consumers’ personal information.
Pennsylvania HB 2257, sponsored by Rep. Malcom Kenyatta, D-Philadelphia, was referred to the House Consumer Affairs Committee on January 20. The bill, to be known as the Pennsylvania Consumer Data Protection Act, is modeled after the Virginia law and would grant consumers various rights including:
- The right to confirm whether or not a controller is processing the consumer’s personal data and the right to access that data.
- The right to correct inaccurate personal data.
- The right to delete their personal data.
- The right to obtain a copy of the consumer’s personal data in a portable and, to the extent possible, readily usable format.
- The right to opt-out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
The bill contains right to cure language providing controllers or processors 30 days to rectify any violations under the bill. The bill does not contain a private right of action and does not apply to nonprofit organizations.
Pennsylvania HB 708, sponsored by Rep. Malcom Kenyatta, D-Philadelphia, was referred to the House Commerce Committee on March 27. The bill would apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:
- Controls or processes personal data of at least 100,000 consumers.
- Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including, but not limited to, the right to delete data they provided and opt out of the sale of their personal data. The bill does not contain a private right of action but does contain a 30-day right to cure before the attorney general could initiate any action. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice.
Pennsylvania HB 1201, sponsored by Rep. Ed Neilson, D-Philadelphia, has been scheduled for a hearing in the House Consumer Affairs Committee on September 6, 2023 at 11:00 AM. The bill does not apply to nonprofits. The bill would apply to businesses that meet one or more of the following thresholds:
- Has annual gross revenues in excess of $10 million.
- Alone or in combination, annually buys or receives, sells or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices.
- Derives at least 50 percent of annual revenues from selling consumers’ personal information.
It would grant consumers various rights including, but not limited to, the right to delete personal data whether or not the data was previously provided, obtain a copy of that data and opt out of the sale of their data. Controllers would be required to provide a reasonably accessible, clear and meaningful privacy notice and to conduct a data protection impact assessment involving specified processing activities. The bill does not contain a private right of action. A bill last session, HB 1126, also sponsored by Representative Neilson, did not advance.
Pennsylvania HB 1201 passed the House Commerce Committee with amendments on November 15, 2023. The amendments, in part, alter the definition of personal data to include any information that is linked or reasonably linkable to an identified or identifiable individual.
Pennsylvania HB 1201 passed the Senate Communications and Technology Committee with amendments on June 26, 2024. The amendments make numerous changes including clarifying that nothing in the bill could be construed as providing the basis for a private right of action under this bill or any other law.
Pennsylvania HB 1201 was recommitted to the Senate Communications and Technology Committee on July 2, 2024. The bill had previously passed that committee with amendments on June 26.
Pennsylvania HB 1947, sponsored by Rep. Rob Mercuri, R-Pine Township, was referred to the House Consumer Protection, Technology and Utilities Committee on January 9, 2024. The bill is a refile of HB 2202 from last session. Nonprofits are not exempted from this bill. The bill would only apply to businesses that have annual gross revenues of more than $50 million, buy, receive, sell or share the data of 100,000 or more consumers, or derive 50 percent or more of their annual revenue from selling consumers’ personal information. The bill would grant consumers various rights including the right to:
- Know whether a business is processing personal information about the consumer.
- Know whether their personal information is processed for the purposes of targeted advertising or the sale of personal information.
- Decline or opt out of the processing of personal information for specified purposes including targeted advertising.
- Access, correct and delete their information.
The bill would specify that personal information processed by a business or service provider could be processed only to an extent that is necessary, reasonable and proportionate for an authorized purpose. The bill would not include a private right of action.
Pennsylvania SB 1279, sponsored by Sen. Maria Collett, D-Lower Gwynedd Township, was referred to the Senate Communications and Technology Committee on July 12, 2024. The bill does not apply to nonprofits. This privacy bill would apply to businesses that meet one or more of the following thresholds:
- Has annual gross revenues in excess of $10 million.
- Alone or in combination, annually buys or receives, sells or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices.
- Derives at least 50 percent of annual revenues from selling consumers’ personal information.
It would grant consumers various rights including, but not limited to, the right to delete personal data whether or not the data was previously provided, obtain a copy of that data and opt out of the sale of their data. Controllers would be required to provide a reasonably accessible, clear and meaningful privacy notice and to conduct a data protection impact assessment involving specified processing activities. It specifies that nothing in the bill would create a private right of action. Another privacy bill, HB 1201, was recommitted to the Senate Communications and Technology Committee on July 2. The bill had previously passed that committee with amendments on June 26. The amendments make numerous changes including clarifying that nothing in the bill could be construed as providing the basis for a private right of action under this bill or any other law.
Rhode Island HB 5354, sponsored by Rep. Evan Shanley, D-Warwick, was referred to the House Innovation, Internet and Technology Committee on February 3.
Rhode Island HB 5354 was heard in the House Innovation, Internet and Technology Committee on March 2, 2023, where the committee held the bill for further study. The bill, to be known as the Rhode Island Data Transparency and Privacy Protection Act, would require online service providers and commercial websites that collect, store and sell personally identifiable information to disclose what categories of personally identifiable information they collect and to what third parties they sell the information.
Rhode Island HB 7787 passed the House on June 10, 2024 and is now pending on the Senate calendar. Nonprofits are exempt from the bill. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 35,000 consumers.
- Control or process the personal data of not less than 10,000 consumers and derive more than 20 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to correct inaccuracies in their personal data, the right to delete data provided by or obtained about the consumer, the right to opt out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The bill does not contain a right to cure or a private right of action. A similar bill, SB 2500, is also pending on the Senate calendar.
Tennessee SB 73, sponsored by Sen. Bo Watson, R-Hixon, was prefiled on January 4. The legislature is scheduled to convene on January 10, 2023. Senator Watson serves as the Chair of both the Finance, Ways and Means and Rules committees. The bill, to be known as the “Tennessee Information Protection Act,” would require controllers to comply with authenticated consumer requests to exercise the right to:
- Confirm whether or not a controller is processing the consumer’s personal data and to access that data.
- Delete personal data provided by the consumer.
- Obtain a copy of the consumer’s personal data in a portable and, to the extent possible, readily usable format.
- Opt out of the sale of their personal data.
Controllers would be required to respond to authenticated requests within 45 days but could request an extension of an additional 45 days to comply. Controllers would also be required, in part, to:
- Limit the collection of personal information to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer.
- Not process personal information for purposes beyond what is reasonably necessary.
- Establish, implement and maintain reasonable data security practices.
- Not process sensitive data without obtaining the consumer’s consent.
- Conduct and document a data protection assessment of various processing activities including but not limited to processing information for the purposes of targeted advertising or the sale of personal information.
The bill would also require a controller or processor to create, maintain and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology framework. The bill contains 60 day right to cure language but does not contain a private right of action. The bill would apply to entities that control or process personal data of at least 100,000 consumers or at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of data. The bill does not apply to nonprofits.
Tennessee SB 73 has been scheduled for a hearing in the Senate Commerce and Labor Committee on March 14, 2023 at 1:30 PM. The bill would apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:
- Controls or processes personal data of at least 100,000 consumers.
- Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data they provided and opt-out of the sale of their personal data. The bill does not contain a private right of action but does contain a 60-day right to cure before the attorney general could initiate any action. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice.
Tennessee SB 73 has been placed on the Senate floor calendar for April 13, 2023 after previously being deferred on March 30, 2023 and April 6, 2023. A companion bill, HB 1181, passed the House Commerce Committee on April 4, 2023 and is now pending on the House calendar for April 10, 2023.
Tennessee HB 1181 unanimously passed the House on April 10, 2023 and is now pending committee referral in the Senate. The bill would apply to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:
- Controls or processes personal data of at least 100,000 consumers.
- Controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data they provided and opt-out of the sale of their personal data. The bill does not contain a private right of action but does contain a 60-day right to cure before the attorney general could initiate any action. Controllers would also be required to provide a reasonably accessible, clear and meaningful privacy notice. A companion bill, SB 73 has been placed on the Senate floor calendar for April 13 after previously being deferred on March 30, 2023 and April 6, 2023.
Tennessee HB 1181 was delivered to Republican Gov. Bill Lee, who will have until May 18, 2023 to sign or veto the bill or it becomes law.
Tennessee SB 1658, sponsored by Sen. Heidi Campbell, D-Nashville, was referred to the Senate Commerce and Labor Committee on January 10, 2024. The bill would amend the Tennessee Information Protection Act to require controllers to annually register with the attorney general’s consumer protection division. No later than July 1, 2025, the division would be required to have an accessible deletion mechanism in a conspicuous location. Controllers would be required to access the deletion mechanism at least once every 45 days and delete all required personal information related to a consumer who made the request and direct their affiliates to do the same. The bill does not currently have a companion.
Texas HB 1844, sponsored by Rep. Giovanni Capriglione, R-South Lake, was filed on February 3 and has not yet been referred to a committee. The bill, to be known as the Texas Data Privacy and Security Act, would grant consumers the right to:
- Confirm whether or not a controller is processing the consumer’s personal data.
- Correct inaccuracies in the consumer’s personal data that the consumer previously provided to the controller.
- Delete personal data provided by or obtained about the consumer.
- Obtain a copy of their personal data if the data is available in a digital format.
- Opt out of processing for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. The bill would require controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice. The bill would apply to businesses that:
- Conduct business in the state or produce a product or service consumed by residents of the state.
- Process or engage in the sale of personal data.
- Are not a small business as defined by the Small Business Administration.
It does not apply to nonprofit organizations. The bill contains 30-day right to cure language and does not contain a private right of action.
Vermont SB 269, sponsored by Senate Economic Development, Housing and General Affairs Committee Vice Chair Allison Clarkson, D-Woodstock, was referred to that committee on January 17, 2024. Committee Chair Sen. Kesha Ram-Hinsdale, D-Shelburne, is co-sponsoring the bill. Nonprofits are not exempt. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- Control or process the personal data of not less than 25,000 consumers and derive more than 25 percent of their gross revenue from the sale of personal data.
The bill would grant consumers various rights including, but not limited to, the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale or sharing of their personal data, the right to opt out of processing for the purposes of targeted advertising or data sale. The law does not contain a private right of action but does contain 60-day right to cure language for a one-year period beginning July 1.
Another bill, HB 789, sponsored by Rep. Tristan Roberts, D-Halifax, was referred to the House Commerce and Economic Development Committee on January 12. The bill would set up a study committee to study data trusts and to consider updates to Vermont’s statutory provisions governing personal information protection companies.
Vermont HB 121, sponsored by House Commerce and Economic Development Committee Chair Michael Marcotte, R-Newport, was vetoed by Republican Gov. Phil Scott on June 13, 2024. While the House easily overrode the veto following a 128-17 vote on June 17, the Senate failed to override following a 14-15 vote on that same day. According to FOCUS’ Vermont lobbying team, privacy legislation will almost certainly return next session.
As enrolled, the bill would have contained a first-in-the-nation private right of action that would have sunset January 1, 2029.
Nonprofits would not have been exempted from this bill with limited exceptions for victim services organizations, nonprofits that provide programming to radio or TV networks or a nonprofit organization established to detect fraudulent acts concerning insurance.
The proposal would have granted consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
Virginia HB 1688, sponsored by House Communications, Technology and Innovation Committee Chair Emily Brewer, R-Smithfield, was prefiled on January 9 and has not yet been referred to a committee. The legislature began its 2023 session on January 11. The bill would amend the Consumer Data Protection Act to require operators to obtain verifiable parental consent prior to registering any child with the operator’s product or service or before collecting, using, or disclosing such child’s personal data. The bill would also prohibit a controller from knowingly processing the personal data of a child for purposes of:
- Targeted advertising.
- The sale of such personal data.
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
The bill would also amend the definition of child under the act to include any natural person younger than 18 years of age. A companion bill, SB 1026, sponsored by Sen. David Suetterlein, R-Roanoke, was prefiled and referred to the Senate General Laws and Technology Committee on January 7.
Virginia HB 1688 passed committee with a substitute on January 30. The amendment removes references to and the definition of operator from the bill. The bill would amend the Consumer Data Protection Act to require operators to obtain verifiable parental consent prior to registering any child with the controller or processor’s product or service or before collecting, using or disclosing such child’s personal data.
Virginia SB 1026, sponsored by Sen. David Suetterlein, R-Roanoke, was heard in the Senate General Laws and Technology Committee on January 18; the committee took testimony but did not vote on the bill. The bill would amend the Consumer Data Protection Act to require operators to obtain verifiable parental consent prior to registering any child with the operator’s product or service or before collecting, using, or disclosing such child’s personal data. The bill would also prohibit a controller from knowingly processing the personal data of a child for purposes of:
- Targeted advertising.
- The sale of such personal data.
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.
The bill would also amend the definition of child under the act to include any natural person younger than 18 years of age. A companion bill, HB 1688, sponsored by House Communications, Technology and Innovation Committee Chair Emily Brewer, R-Smithfield, is pending in that committee.
Washington HB 1616, sponsored by Rep. Shelley Kloba, D-Kirkland, was referred to the House Civil Rights and Judiciary Committee on January 26, 2023. The bill, to be known as the people’s privacy act, would afford a consumer various rights including:
- The right to know what personal information a covered entity processes, including the categories and specific pieces of personal information the covered entity possesses.
- The right to access and obtain their personal information that is processed by a covered entity, in a machine-readable format.
- The right to refuse consent for any processing of their personal information that is not essential to the primary transaction.
- The right to correct inaccurate personal information.
- The right to require a covered entity or data processor to delete their information.
- The right not to be subject to surreptitious surveillance.
Covered entities would be required to make both a long form and short form privacy policy, which could be no more than 500 words long, persistently and conspicuously available. A covered entity would be required to ensure that individuals interact with the short form privacy policy upon their first visit to the covered entity’s website or mobile application. A covered entity would be required to obtain freely given, specific, informed and unambiguous opt-in consent before processing an individual’s personal information or making changes in the processing of their personal information. The option to withhold consent would be required to be as prominently displayed as the option to consent and the covered entity must provide a mechanism for an individual to withdraw consent. Interaction with the entity’s terms of service or privacy policy would not constitute opt-in consent. Covered entities would be prohibited from discriminating against individuals who do not opt-in but would be able to process information to operate a loyalty program provided the information is only processed for the operation of the program and opt-in consent is obtained. The biggest difference between this version and last session’s HB 1433 is the addition of language that would require covered entities to conduct a data processing assessment of specified processing activities including targeted advertising.
A covered entity would be required to respond to verified requests from individuals no later than 30 days after they are received but could request additional time under certain circumstances. A covered entity would be prohibited from disclosing captured personal data to third parties unless the third party is contractually bound to meet the same privacy and security obligations as the covered entity. A covered entity would be prohibited from processing information it has obtained from third parties unless it has obtained an individual’s opt-in consent. Individuals aged 13 and older would be able to exercise rights granted under the bill’s provisions. The bill would provide a private right of action with liquidated damages of $10,000 per violation or actual damages, whichever is greater. The bill would also allow the attorney general, city attorney or county prosecutor to initiate an action with court penalties that could include injunctive relief or fines of $25,000 or four percent of annual revenue, whichever is greater. A companion bill, SB 5643, sponsored by Senate Majority Caucus Chair Bob Hasegawa, D-Seattle, was referred to the Senate Environment, Energy and Technology Committee on January 31.
Washington HB 2149, sponsored by House Consumer Protection and Business Committee Vice Chair, Rep. Christine Reeves, D-Federal Way, was referred to that committee on January 8 and has been scheduled for a hearing on January 19, 2024 at 8:00 AM. The bill would prohibit transacting entities who collect personal information from a consumer at the point of sale from selling or sharing that information without the consumer’s express permission. A transacting entity would be defined as any of the following:
- A resident individual who engages regularly in commercial activity for the purpose of generating income.
- A corporation or nonprofit corporation, limited liability company, partnership or limited liability partnership, business trust, joint venture, or other form of business organization the constituent parts of which share an economic interest.
- A financial institution.
- The state or any political subdivision.
- An individual that controls, is controlled by, or is under common control with a person as specified above.
Another privacy bill, HB 2277, sponsored by Rep. Shelley Kloba, D-Kirkland, was referred to the House Consumer Protection and Business Committee on January 10. This bill would establish a data broker registry.
Washington HB 2149, sponsored by House Consumer Protection and Business Committee Vice Chair Rep. Christine Reeves, D-Federal Way, has been scheduled for a hearing in that committee January 19, 2024 at 8:00 AM.
Washington HB 2149 was scheduled to be heard in that committee January 19, 2024; however, the bill was deferred and an alternative date was not immediately available.
Another privacy bill, HB 2277, sponsored by Rep. Shelley Kloba, D-Kirkland, was considered during the hearing. The bill has been scheduled for an executive session on January 25. This bill would establish a data broker registry.
West Virginia HB 5338, sponsored by House Technology and Infrastructure Committee Chair Daniel Linville, R-Milton, was heard in that committee on January 30, 2024 and remains pending. The bill is also co-sponsored by House Speaker Roger Hanshaw, R-Clay. The bill would not apply to nonprofits. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of at least 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
- Have annual gross revenues generated in the state of more than $25 million.
The bill would grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. A consumer would be permitted to opt out using global privacy controls. The bill does not contain a private right of action but does contain a 30-day right to cure.
Another privacy bill, HB 5112, sponsored by House Minority Leader Pro Tem. Kayla Young, D-Kanawha, was referred to the House Technology and Infrastructure Committee on January 25.
West Virginia HB 5338 passed that committee with amendments on February 2, 2024 and remains pending.
West Virginia HB 5338 was vetoed by Republican Gov. Jim Justice on March 27, 2024. According to West Virginia Watch, Governor Justice stated in his veto message that he was concerned about the “unintended consequences” the bill could bring.
West Virginia HB 3498, sponsored by House Technology and Infrastructure Committee Chair Daniel Linville, R-Milton, was referred to that committee on February 14. The bill would grant consumers the following rights:
- The right to confirm whether a controller is processing the consumer’s personal data and to access that data.
- The right to correct inaccuracies in the consumer’s data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.
- The right to delete personal data provided by or obtained about the consumer.
- The right to obtain a copy of their personal data in a format that is portable, to the extent technically feasible, is readily usable and allows the consumer to transmit the data to another controller, where the processing is carried out by automated means.
- The right to opt out of processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without their affirmative consent. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child and precise geolocation data. The bill would apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and process the personal data of 100,000 or more consumers or process the personal data of 25,000 or more consumers and derive more than 50 percent of their revenue from the sale of personal data. The bill would not apply to nonprofit organizations. It contains 30-day right to cure language but does not contain a private action. Another bill, HB 3453, sponsored by Del. Kayla Young, D-Kanawha, was also referred to the House Technology and Infrastructure Committee on February 14.
West Virginia HB 5698, sponsored by Del. Daniel Linville, R-Cabell, was introduced on February 26, 2024 and quickly passed the House on February 28. The bill would not apply to nonprofits. It would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of at least 100,000 consumers.
- Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
- Have annual gross revenues generated in the state that exceed $25 million.
The bill would grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects. The bill does not contain a private right of action but does contain a 30-day right to cure.
Wisconsin AB 466, sponsored by Asm. Shannon Zimmerman, R-River Falls, was referred to the Assembly Consumer Protection Committee on October 5, 2023. The bill was heard in that committee on October 11 but remains pending. The bill would not apply to nonprofits. The bill would apply to persons that conduct business in the state or persons that produce products or services that are targeted to state residents and:
- Control or process the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
- Control or process the personal data of not less than 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
The bill would grant consumers various rights including but not limited to the right to delete data provided by or obtained about the consumer, the right to opt-out of the sale of their personal data and the right to opt out of processing for the purposes of targeted advertising. The law does not contain a private right of action but does contain 30-day right to cure language.
Wisconsin AB 466 passed the Assembly on November 14, 2023. Recent amendments would permit a consumer to exercise their rights via user-enabled global privacy controls.
Wisconsin AB 466 was heard in the Senate Shared Revenue, Elections and Consumer Protection Committee on December 19, 2023. The committee heard testimony from bill sponsor Rep. Shannon Zimmerman, R-River Falls, the Wisconsin Grocers Association, Advanced Medical Technology Association, BSA the Software Alliance, the State Privacy and Security Coalition, and the Consumer Healthcare Products Association but did not vote on the bill during the hearing. Prior Assembly amendments would permit a consumer to exercise their rights via user-enabled global privacy controls. The bill would not apply to nonprofits.
A companion, SB 642, was also heard during the same hearing.
Representative Zimmerman also introduced a related privacy bill, AB 824, which was referred to the Assembly State Affairs Committee on December 22. This bill would require data owners, defined as any person that generates, collects or uses data for its own purposes, to limit access to, sharing of, and use of its data to what is adequate, relevant and reasonably necessary for the purposes for which the data is collected or generated. Data custodians, defined as any person that provides data security and storage on behalf of a data owner, would be required to establish and ensure compliance with internal policies and procedures related to data access control, data retention and data destruction, auditing capabilities and the performance of audits among other requirements. Data stewards, defined as any person that uses or facilitates the use of data on behalf of a data owner, would be required to establish and ensure compliance with internal policies and procedures related to various data handling practices. The bill would also specify that if a data owner enters into an agreement with a custodian or steward, the agreement would be required to identify all relevant parties, data sets, permitted uses and restrictions of data, confidentiality requirements, laws governing the data, and laws governing the agreement. The agreement would also be required to include statements regarding the response to security incidents and the terms for terminating the agreement among other provisions.
Wisconsin AB 466 passed the Senate Shared Revenue, Elections and Consumer Protection Committee on February 15, 2024 and is now pending on the Senate floor. Previously adopted Assembly amendments would permit a consumer to exercise their rights via user-enabled global privacy controls.
Wisconsin AB 824 was heard in the Assembly State Affairs Committee on February 7, 2024; the committee took testimony but did not vote on the bill. This bill would require data owners, defined as any person that generates, collects or uses data for its own purposes, to limit access to, sharing of and use of its data to what is adequate, relevant and reasonably necessary for the purposes for which the data is collected or generated. Data custodians, defined as any person that provides data security and storage on behalf of a data owner, would be required to establish and ensure compliance with internal policies and procedures related to data access control, data retention and data destruction, auditing capabilities and the performance of audits among other requirements. Data stewards, defined as any person that uses or facilitates the use of data on behalf of a data owner, would be required to establish and ensure compliance with internal policies and procedures related to various data handling practices. The bill would also specify that if a data owner enters into an agreement with a custodian or steward, the agreement would be required to identify all relevant parties, data sets, permitted uses and restrictions of data, confidentiality requirements, laws governing the data and laws governing the agreement. The agreement would also be required to include statements regarding the response to security incidents and the terms for terminating the agreement among other provisions.
States: Donor Privacy and Confidentiality
STATES THAT HAVE PASSED BILLS INTO LAW:
NOW LAW: Georgia SB 534 was signed by Republican Gov. Brian Kemp on May 2, 2022 and took immediate effect. The law prohibits state agencies, absent the showing of compelling interest, from imposing any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. Any additional reporting or filing requirements are required to be narrowly tailored to achieve the compelling state interest. The bill defines charitable organizations as 501(c)3 organizations.
NOW LAW: Indiana HB 1212, sponsored by House Speaker Pro Tempore Mike Karickhoff, R-Kokomo, was signed by Republican Gov. Eric Holcomb and takes effect July 1. The law will prohibit, with certain exceptions, a state or local agency from collecting or disclosing information that identifies an individual or business entity as a member, supporter, volunteer, or donor of financial or nonfinancial support to a nonprofit organization.
NOW LAW: New Hampshire SB 302/Chapter 336 was signed by Republican Gov. Chris Sununu on July 25, 2022 and takes effect January 1. The law will prohibit a public agency from:
- Requiring an individual or entity to provide the public agency with personal information.
- Releasing, publicizing or otherwise publicly disclosing any data that directly or indirectly identifies a person as a member, supporter, volunteer, or donor of financial or nonfinancial support.
- Requiring any current or prospective contractor or grantee to provide the agency with a list of entities exempt from federal income taxation to which it has provided financial or nonfinancial support.
NOW LAW: New York SB 4817A (companion A 1141A) was passed by the Senate on June 9, followed by the Assembly on June 10. It was delivered to Gov. Hochul on November 1 and she signed it into law on November 12, 2022.
This legislation was necessary to undo a rider on 2020 budget legislation inserted by then Gov. Cuomo. That rider would have required all nonprofits registered with the Attorney General under the solicitation law to perform a duplicative (literally) registration with the NY Dept of State. It also would have required confidential donor information (that provided in Form 990 Schedule B) to be provided to the Department but with looser protections than afforded to the same information by the AG’s office (the AG collected Sched B from registrants until dissuaded by the U.S. Supreme Court donor privacy decision in July 2021).
Strong objections to wasteful duplicate reporting and to the prospective disclosure of private donor information led two New York nonprofits (Nonprofit New York and Lawyer’s Alliance) to lead a grassroots effort, joined by TNPA, to support SB 4817A. That effort was successful.
NOW LAW: Virginia SB 324/Chapter 19, sponsored by Sen. Jill Vogel, R-Upperville, was signed by Republican Gov. Glenn Youngkin on August 4, 2022 and takes effect January 1, 2023. The law will prohibit a state agency from:
- Requiring an individual or entity to provide the public agency with personal donor information.
- Requiring any bidder, offeror, contractor or grantee of the organization to provide the agency with personal donor information.
- Disclosing personal donor information without the express written permission of every individual who is identifiable from the potential release of such information, including identifiable as members, supporters or volunteers, or donors to the agency.
PROPOSED BILLS:
Hawaii HB 2416 was delivered to Democratic Governor David Ige on May 4 who will have until May 18 to act on the bill or it becomes law. The bill would in part require 501(c)4 organizations operating as a noncandidate committee to disclose the name and address of donors who donate an aggregate of more than $10,000. The bill would prohibit donations from being used for electioneering communications, independent expenditures or contributions without the written consent of the donor.
Louisiana SB 179, a look-alike bill to Georgia SB 534 (see above), was delivered to Democratic Gov. John Bel Edwards on May 27 who will have until June 6 to sign or veto the bill or it becomes law. The bill would prohibit state agencies, absent the showing of compelling interest, from imposing any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. The legislature would be able to review any requirements that are more restrictive. The bill defines charitable organizations as a person who holds himself out to be a benevolent, civic, recreational, educational, voluntary, health, law enforcement, social service, philanthropic, fraternal, humane, patriotic, religious, or eleemosynary organization.
Missouri HB 2120 passed the House on April 6 and passed the Senate Government Accountability and Fiscal Oversight Committee with a substitute on May 9. The bill would prohibit a public agency from:
- Requiring an individual to provide the public agency with personal information.
- Requiring any 501(c) tax exempt organization to provide the public agency with personal information.
- Releasing, publicizing, or otherwise publicly disclosing personal information in possession of the agency.
- Requiring any current or prospective contractor or grantee to provide the agency with a list of entities exempt from federal income taxation to which it has provided financial or nonfinancial support.
Nebraska LB 823 was heard in the Government, Military and Veterans Affairs Committee on January 27; information from the hearing was not immediately available. The bill would prohibit the state from imposing any annual filing or reporting requirement on a charitable organization that is more stringent than already required.
North Carolina SB 636 was passed by the House Judiciary Committee with a substitute on August 19 on a vote of 59-33 and by the Senate on August 25 by 25-19. Both votes were strict party line, Republicans in favor, Democrats opposed. It was sent to Gov. Roy Cooper for signing or veto on August 27. The Governor, a Democrat, vetoed the bill on September 3, saying the legislation was unnecessary and could prejudice existing campaign contribution laws. At this writing, it is unclear whether the legislature will seek to override the veto. An override requires a 60% vote in each chamber.
The bill would have exempted, except as specifically required by state and federal law, nonprofit donor information from disclosure under the public records law, including any attachments or other information submitted with IRS 990 or 990-EZ forms. The bill also defines donor information as “confidential” in numerous instances in NC law in which state officials and legislators are prohibited from using, or restricted in their use of, “confidential information.”
Pennsylvania HB 2087, sponsored by Rep. John Hershey, R-Mifflintown, was referred to the House State Government Committee on November 16. Joined as co-sponsors were eight additional Republican Representatives, including State Government Committee Chair Grove. The bill’s intent is to prohibit state agencies from collecting or disclosing any information which would identify an individual as a donor/supporter of a nonprofit organization, except when required by law to do so.
The prohibition would apply to:
- An agency’s request made to an individual.
- An agency’s request made to a charitable organization seeking information on individual donors.
- An agency’s request made to a current or prospective contractor or grantee seeking the names of charitable organizations to which they have provided financial or nonfinancial support.
The legislation would also make it illegal for an agency to “Release, publicize or otherwise publicly disclose...” donor information in its possession.
States: Charitable Solicitation
STATES THAT HAVE PASSED BILLS INTO LAW:
NOW LAW: California AB 488. Governor Gavin Newsom signed the bill into law on October 7, 2021. The law takes effect January 1, 2023.
TNPA participated in a multi-year stakeholder process for this legislation which resulted in many necessary changes to the original draft created by the Attorney General’s office. Nevertheless, significant issues remain to be resolved through the means of rulemaking during the course of the coming year. The Attorney General conducts the rulemaking. The bill’s stakeholders, including TNPA, will undoubtedly participate in the process.
The bill establishes new requirements for online fundraising by third parties. However, the legislation is NOT applicable to a charity’s own website and online fundraising. Entities defined in the legislation as a “fundraising platform” or “platform charity” would be required to register with the AG and to submit annual reports. The legislation requires a number of compelled disclosures designed to give prospective donors adequate information (such as fees to be deducted from the intended gift, how long it may take for the beneficiary nonprofit to receive its gift, etc.).
The new California categories of solicitation law oversight are unique and will surely draw the attention of charity officials in other states. It is likely other states will let the California experiment play out rather than rush to emulate. Nonprofits currently receiving significant funds from the newly regulated platforms will also be watching. It is not a foregone conclusion the legislation and forthcoming regulations will strike the right balance between protecting donors and allowing support dollars to flow to nonprofit missions.
NOW LAW: Colorado SB 129 was signed by Democratic Gov. Jared Polis on May 24, 2024 and takes effect September 23. This donor privacy law will prohibit a public agency from requiring any person to provide the public agency with data that identifies a member of a nonprofit entity or compelling the disclosure of member-specific data and would provide for penalties for violations.
NOW LAW: Colorado SB 16 was signed by Democratic Gov. Jared Polis on June 7, 2024 and takes effect on August 8. The law will authorize a taxpayer to make a charitable contribution to a charitable recipient organization through a qualified intermediary that forwards the contribution to the charitable recipient organization, rather than making the contribution directly to the charitable recipient organization, without losing the right to claim a state income tax credit.
NOW LAW: Georgia SB 433/Act 423 was signed by Republican Gov. Brian Kemp on April 22, 2024 and takes effect July 1. The law will prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the law will grant the donor or their legal representative a private right of action.
NOW LAW: Georgia SB 412/Act 612 was signed by Republican Gov. Brian Kemp and took immediate effect (May 2024). The law permits the secretary of state, at their discretion, to suspend or revoke the registration of a charitable organization, paid solicitor or solicitor agent for violations of existing law. The law also raises the maximum penalties for violations to $10,000 for a single violation and $100,000 for multiple violations. Governor Kemp also signed SB 414/Act 613, a donor privacy law, on that same day which takes effect July 1.
NOW LAW: Hawaii SB 2693/Act 211 was signed by Democratic Gov. Josh Green on July 5, 2024 and took immediate effect. The law establishes the offense of charitable fraud during a state of emergency. The offense would range from a misdemeanor if the value of the contributions received is less than $750 up to a class B felony for contributions received over $20,000.
NOW LAW: Hawaii SB 2983/Act 205 was signed by Democratic Gov. Josh Green on July 5, 2024 and takes effect January 1, 2026. The law will require charitable fundraising platforms to register with the attorney general before soliciting, permitting, or otherwise enabling solicitations for purported charitable purposes. Fundraising platforms and platform charities will be required to make various disclosures before a person can complete a donation or select or change a recipient charitable organization, including but not limited to the maximum length of time it takes charitable organizations to receive the funds and the fees deducted. Fundraising platforms and platform charities will also be required to make periodic reports to the department on a provided form that will enable the department to ascertain whether charitable funds have been properly solicited, received, held, controlled or distributed.
NOW LAW: Illinois HB 1197/Public Acts 121 was signed by Democratic Gov. J.B. Pritzker on June 30, 2023 and takes effect January 1, 2023. The bill would provide that every charitable organization that receives contributions in excess of $750,000, rather than the $300,000 specified under existing law, would be required to file a written report with the attorney general with specified information. The bill would also require organizations that receive contributions in excess of $25,000 but less than $750,000 to file a simplified report with the attorney general.
NOW LAW: Indiana SB 302/Public Law 40, sponsored by Senate Judiciary Committee Chair Liz Brown, R-Fort Wayne, was signed by Republican Gov. Eric Holcomb on April 20, 2023 and takes effect July 1, 2023. The law will prohibit state agencies or officials from imposing filing or reporting requirements on charitable organizations that are more stringent or burdensome than those imposed by or authorized under state or federal law.
NOW LAW: Kentucky SB 70 was signed by Democratic Gov. Andy Beshear on April 9, 2024 and takes effect 90 days after the adjournment of the legislature which is scheduled for April 15. This would give the law an effective date of July 14. The law will prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the law will grant the donor or their legal representative a private right of action.
NOW LAW: Louisiana SB 179/Act 262 was signed by Democratic Gov. John Bel Edwards on June 3, 2022 and took immediate effect. The law prohibits state agencies from imposing any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. The legislature can review any requirements that are more restrictive. The law defines charitable organizations as a person who holds himself out to be benevolent, civic, recreational, educational, voluntary, health, law enforcement, social service, philanthropic, fraternal, humane, patriotic, religious or eleemosynary organization.
NOW LAW: Mississippi SB 2545 was signed by Republican Gov. Tate Reeves on April 15, 2024 and takes effect July 1. The law will define monetary donations to mean cash or cash equivalents.
NOW LAW: New Hampshire SB 375/Chapter 173 was signed by Republican Gov. Chris Sununu on June 7, 2022 and takes effect August 6. The law will prohibit the state from imposing any annual filing or reporting requirement on a charitable organization that is more stringent than already required under existing law. The law will also raise the compulsory audit threshold for annual reporting by nonprofits from $1 million to $2 million.
NOW LAW: North Carolina SB 429/Session Law 119 was signed into law by Democratic Gov. Roy Cooper on September 14, 2023. The law took immediate effect with certain provisions taking effect October 1. The law will increase the qualifying income threshold for exemption from charitable solicitation requirements to $50,000 from $25,000. The law will also specify that licensure applications are considered filed as of the date they are postmarked or electronically submitted.
NOW LAW: South Dakota HB 1116 passed the Senate on February 21, 2024 and was signed by Republican Gov. Kristi Noem on February 28. The law takes effect July 1. The law will make fraudulent solicitation of charitable contributions a deceptive act or practice.
NOW LAW: Tennessee SB 1935/Chapter 773 was signed by Republican Gov. Bill Lee on April 8, 2022 and took immediate effect. The law removes requirements that financial statements, annual event applications, charitable solicitation applications and athlete agent registrations filed with the secretary of state be sworn under penalty of perjury.
NOW LAW: Tennessee SB 868 was signed by Republican Gov. Bill Lee on April 4, 2023 and takes effect July 1, 2023. The law will extend the prohibitions, requirements and penalties that already apply to telephone solicitations to text message solicitations.
NOW LAW: Tennessee HB 1707 was signed by Republican Gov. Bill Lee on March 7, 2024 and takes effect July 1. The law will amend various provisions regarding charitable solicitations in the state including, in part, adding to the definition of a charitable organization by including a person that is determined by the Internal Revenue Service to be a tax-exempt organization pursuant to the Internal Revenue Code. The law will also:
- Authorize, in addition to other actions authorized by law, the secretary of state, by order, letter, or other appropriate means, to enjoin the charitable organization, professional fundraiser, or other person from continuing an act or violation, or committing other acts in furtherance of it, during the course of an investigation.
- Require renewal registrations to be accompanied by a copy of any and all forms required to be filed by the organization with the U.S. Internal Revenue Service, and any other information the secretary deems appropriate to substantiate how funds were raised and spent by the organization. Such other information must be provided on forms approved by the secretary. At least two authorized officers of the organization, one of whom must be the chief fiscal officer, must certify that the information provided under this law is true and correct to the best of their knowledge.
- Prohibit a person from making any representation that such person is soliciting contributions for or on behalf of a charitable organization or from using or displaying any emblem, device or printed matter belonging to or associated with a charitable organization for the purpose of soliciting or inducing contributions from the public without first being authorized to do so by the charitable organization.
NOW LAW: Utah HB 43 was signed by Republican Gov. Spencer Cox on March 13, 2024 and takes effect May 1. The law will, in part, remove a requirement that charitable organizations register with the Division of Consumer Protection. The law will also prohibit deceptive acts related to charitable solicitations, including falsely indicating that the supplier is affiliated with the charitable organization.
NOW LAW: Virginia HB 1748/Chapter 289 was signed by Republican Gov. Glenn Youngkin on March 23, 2023 and takes effect July 1, 2023. The law will expand the definition of solicitation to include requests made via email. It will also require any contract between a professional solicitor and charitable or civic organization to specify the percentage of gross contributions that the civic organization will receive or the terms upon which a determination can be made. The contract will also be required to specify that at least every 90 days the professional solicitor would be required to provide the charitable or civic organization with access to and use of all information in the professional solicitor’s possession concerning contributors.
NOW LAW: Wisconsin AB 912/Act 151 was signed by Democratic Gov. Tony Evers on March 21, 2024 and took immediate effect. The law raises the audit threshold from $500,000 to $1 million.
PROPOSED BILLS:
Arkansas SB 484, sponsored by Sen. Clarke Tucker, D-Little Rock, was referred to the Senate Insurance and Commerce Committee on March 27, 2023. The committee heard the bill on March 30; however, information from the hearing was not immediately available. The bill would exclude bequests to a charitable organization that is received from a decedent’s estate and testamentary distribution to a charitable organization that is received from a trust from the definition of a charitable contribution.
Connecticut HB 5222 passed the House on May 3; however, the legislature adjourned on May 4 so the bill will not advance further. The bill codifies recent federal caselaw relating to the Connecticut Solicitation of Charitable Funds Act that rendered various provisions relating to the regulation of paid solicitors unenforceable. Specifically, the bill would:
- Reduce to one day, rather than the current 20 days, the notice a solicitor is required to give the Department of Consumer Protection before starting a campaign.
- Eliminate the requirement that copies of the campaign “script” be shared with DCP ahead of the campaign.
- Eliminate the requirement that the solicitor disclose the percentage of gross revenue the charitable organization will receive. A similar requirement to disclose the percentage on written solicitations would also be eliminated.
- Raise the compulsory audit threshold for annual reporting by nonprofits from $500K to $1 million (an overdue and welcome update – not among the constitutionally required changes).
The bill would eliminate the requirement that solicitors share donor names and addresses with the department, though solicitors would still be required to maintain this information internally. However, the AG’s right to inspect donation records would be limited to date and amount with donor identity explicitly excluded. This change is evidently in deference to the U.S. Supreme Court donor privacy ruling in Bonta.
Florida HB 1071, sponsored by Rep. Danny Alvarez, R-Hillsborough, was referred to the House Infrastructure Strategies Committee on January 9, 2024. The bill would, in part, revise the information that charitable organizations and sponsors must provide to the department in an initial registration statement and when claiming certain exemptions, respectively, to include the name and street address of each institution where banking or similar monetary transactions are done by the charitable organization or sponsor, as well as the account numbers associated with all transactions.
Florida HB 1071 was heard in the House Infrastructure Strategies Committee on February 22, 2024; information from the hearing was not immediately available.
Florida HB 1327, sponsored by Rep. Jenna Persons-Mulicka, R-Fort Myers, was filed on January 5, 2024 and has not yet been referred to a committee. The bill would prohibit the solicitation of contributions or acceptance of contributions or anything of value from a foreign source of concern. A foreign source of concern would, in part, include a partnership, an association, a corporation, an organization, or other combination of persons organized under the laws of or having its place of business in a foreign country of concern which would include the People’s Republic of China, Russia, North Korea, Cuba, Venezuela and Syria. The Department of Agriculture and Consumer Services would be required to create an honest services registry listing charitable organizations that submit an attestation that the organization does not solicit or accept, directly or indirectly, funding, support, or services from a foreign source of concern and the organization’s messaging and content is not directly or indirectly produced or influenced by a foreign source of concern. A companion bill, SB 1458, sponsored by Sen. Keith Perry, R-Gainesville, was referred to the Senate Commerce and Tourism Committee on January 10.
Florida HB 1327 was heard in the House Agriculture and Natural Resources Appropriations Subcommittee on February 12, 2024; the committee took testimony but did not vote on the bill during the hearing.
Illinois SB 72 passed the Senate Judiciary Committee on February 7, 2023 and is now pending on the Senate floor. The bill would provide that every charitable organization that receives contributions in excess of $500,000, rather than the $300,000 specified under existing law, would be required to file a written report with the attorney general with specified information. The bill would also require organizations that receive contributions in excess of $25,000 but less than $500,000 to file a simplified report with the attorney general. A companion bill, HB 5814, sponsored by Rep. Maurice West, D-Rockford, was referred to the House Rules Committee on January 31.
Illinois SB 72 has been placed on the Senate third reading calendar for March 21, 2023.
Maryland HB 72, sponsored by Del. Courtney Watson, D-Ellicott City, was heard in the Senate Judicial Proceedings Committee on March 22; the committee heard from the bill sponsor only and took no action on the bill. The bill would require registration statements to be on a form provided by the secretary of state along with various requirements regarding what the form should contain. However, in place of a required audit or financial review, the bill would permit organizations to submit supporting documents and an affidavit that attests, among other requirements, that the organization does not use professional solicitors.
Massachusetts HD 1304, sponsored by Rep. Paul McMurtry, D-Dedham, was prefiled on January 18, 2023. The bill would require telemarketers to disclose the percentage share of the contribution raised by a charitable solicitation that will be received by the charitable organization. A similar bill, Oklahoma HB 2268, sponsored by Rep. Ty Burns, R-Pawnee, was prefiled on January 19. The legislature is scheduled to convene its 2023 session on February 6.
Massachusetts SB 910 has been scheduled for a hearing in the Joint Financial Services Committee on October 24, 2023 at 10:00 AM. The bill would raise the audit threshold for public charities from $500,000 to $750,000. If the federal government raises the revenue threshold, the Massachusetts revenue thresholds would conform to the federal thresholds in effect.
Massachusetts SB 910 was heard in the Joint Financial Services Committee on October 24, 2023; no one testified in person on this bill during the hearing.
Mississippi SB 2077, sponsored by Sen. Chris Johnson, R-Hattiesburg, was referred to the Senate Judiciary Division A Committee on January 9. The bill would raise the audit threshold for charitable organizations from $500,000 to $750,000. The bill would also clarify that this threshold is based on a cash basis measurement only.
Mississippi SB 2272 passed the Senate Business and Financial Institutions Committee on February 28, 2024. The bill would amend the registration process for charitable organizations to specify that documents accompanying the organization’s reviewed financial statement would be limited to the most recent fiscal year.
Mississippi HB 1290 passed the House Business and Commerce Committee on February 29, 2024. The bill would prohibit state agencies or officials from imposing any annual filing or reporting requirements on charitable organizations that are more burdensome than the requirements specified in the law.
Mississippi HB 1290 passed the House on March 7, 2024.
Missouri HB 2400 was delivered to Republican Gov. Mike Parson on May 18, who will have until June 26 to sign or veto the bill or it becomes law. As recently amended, the bill would prohibit state agencies or state officials from imposing any annual filing or reporting requirements on charitable organizations that are more stringent than specified under existing law.
New York SB 9524, sponsored by Senate Budget and Revenue Committee Chair Andrew Gounardes, D-New York City, was referred to that committee on May 16, 2024. The bill would repeal the state personal income tax deduction for charitable contributions for filers making over $10 million. The bill does not currently have a companion.
North Carolina HB 741 passed the House Judiciary 1 Committee with a substitute on May 31, 2023. As substituted, the bill would, in part, exempt additional charitable organizations from the requirement to obtain a charitable solicitation license from the secretary of state by increasing the contribution threshold for requiring a license to $50,000. The exemption would be further expanded by allowing professional fees to be paid to an organizer or incorporator who is a licensed attorney or a licensed accountant. The bill would also:
- Expand the minimum number of natural persons required to be on a board of directors for a nonprofit corporation from one to three with the exception of private foundations.
- Authorize a merger between a charitable or religious corporation and either a limited liability company, assuming specified conditions are met, or an unincorporated association.
- Require domestic and foreign nonprofit corporations authorized to conduct affairs in the state to submit annual reports electronically to the secretary of state. The annual reports would be required to include specified information, including the state or country under whose law the corporation is incorporated, address of the registered office, as well as basic information about principal officers.
The bill is now pending in the House Finance Committee.
North Carolina HB 741 passed the House Finance Committee with a substitute on June 13, 2023. Existing law requiring that charitable or religious corporations give 30 days’ advance notice to the attorney general prior to disposing of all or a majority of its property would be maintained.
North Carolina HB 741 passed the House on June 27, 2023 and is now pending further referral in the Senate Rules and Operations Committee.
Pennsylvania HB 1361, sponsored by Rep. Fred Schemel, R-Greencastle, was referred to the House State Government Committee on June 9, 2023. The bill would increase the exemption threshold necessary for registration with the Department of State to $50,000.
Pennsylvania HB 1824, sponsored by Rep. Abigail Salisbury, D-Pittsburgh, was referred to the House State Government Committee on November 8, 2023. The bill would raise the audit threshold for charitable organizations to match federal requirements.
Tennessee HB 805, sponsored by Rep. William Lamberth, R-Portland, was referred to the House Commerce Committee on February 2 and has been scheduled for a hearing in the House Business and Utilities Subcommittee on February 14 at 12:00 PM. The bill would extend the prohibitions, requirements and penalties that already apply to telephone solicitations to text message solicitations. A companion bill, SB 868, sponsored by Sen. Shane Reeves, R-Murfreesboro, was referred to the Senate Commerce and Labor Committee on February 6.
Tennessee HB 805 passed the House Finance, Ways and Means Committee, where it is scheduled to be heard on March 7, 2023, and is now pending on the House floor. A companion bill, SB 868, sponsored by Sen. Shane Reeves, R-Murfreesboro, unanimously passed the Senate on March 6, 2023.
Tennessee HB 1802, sponsored by Rep. Tom Leatherwood, R-Arlington, was filed on January 11, 2024 and has not yet been referred to a committee. The bill would raise the audit threshold from $500,000 to $750,000. The bill does not currently have a companion.
Tennessee SB 1661 passed the Senate Commerce and Labor Committee on February 20, 2024 and is now pending in the Senate Calendar Committee. The bill would amend various provisions regarding charitable solicitations in the state including, in part, adding to the definition of a charitable organization by including a person that is determined by the Internal Revenue Service to be a tax-exempt organization pursuant to the Internal Revenue Code. The bill would also:
- Authorize, in addition to other actions authorized by law, the secretary of state, by order, letter, or other appropriate means, to enjoin the charitable organization, professional fundraiser, or other person from continuing an act or violation, or committing other acts in furtherance of it, during the course of an investigation.
- Require renewal registrations to be accompanied by a copy of any and all forms required to be filed by the organization with the U.S. Internal Revenue Service, and any other information the secretary deems appropriate to substantiate how funds were raised and spent by the organization. Such other information must be provided on forms approved by the secretary. At least two authorized officers of the organization, one of whom must be the chief fiscal officer, must certify that the information provided under this bill is true and correct to the best of their knowledge.
- Prohibit a person from making any representation that such person is soliciting contributions for or on behalf of a charitable organization or from using or displaying any emblem, device or printed matter belonging to or associated with a charitable organization for the purpose of soliciting or inducing contributions from the public without first being authorized to do so by the charitable organization.
A companion, HB 1707, passed the House on February 12.
Utah HB 119, sponsored by Rep. James Dunnigan, R-Taylorsville, was prefiled on January 3. The legislature is scheduled to convene its 2023 session on January 17. The bill would exempt federal income tax-exempt charitable organizations from registration requirements under the state’s charitable solicitations act. However, the Division of Consumer Protection would be permitted to include a searchable list on its website of federal tax exempt organizations engaging in specified solicitations.
Utah HB 119 passed the House Political Subdivisions Committee with a substitute on February 1. As substituted, the bill would exempt federal income tax-exempt charitable organizations from registration requirements under the state’s charitable solicitations act. The substitute removed provisions that would have permitted the Division of Consumer Protection to include a searchable list on its website of federally tax-exempt organizations engaging in specified solicitations.
Utah HB 119 passed the Senate on February 13 and is now pending final enrollment and delivery to Republican Gov. Spencer Cox. The bill would exempt 501(c)(6) charitable organizations from registration requirements under the state’s charitable solicitations act. The bill would also provide that an application for a public grant would not be considered a charitable solicitation.
Vermont HB 583, sponsored by House Judiciary Vice Chair, R-West Rutland, was referred to that committee on January 3, 2024. The bill, to be known as the Donor Intent Protection Act, would prohibit a charitable organization that accepts a contribution pursuant to a written donor-imposed restriction from violating the terms of that restriction. If a charitable organization violates the terms of a donor-imposed restriction, the bill would grant the donor or their legal representative a private right of action.
Vermont HB 583 was heard in that committee on May 8, 2024; the committee heard from the Philanthropy Roundtable and the former president of Norwich University but did not vote on the bill.
Virginia HB 464 unanimously passed the Senate on February 28, 2024. The bill would raise the audit threshold from $1 million to $1.5 million.
Virginia HB 464 was delivered to Republican Gov. Glenn Youngkin on March 11, 2024, who will have until April 8 to sign or veto the bill or it becomes law. The bill would raise the audit threshold from $1 million to $1.5 million.
States: Nonprofit Governance
Illinois SB 2930 passed the Senate on April 10, 2024 and is now pending in the House Economic Opportunity and Equity Committee. The bill would, in part, provide that a nonprofit, within 30 days after filing its annual AG990-IL Charitable Organization Annual Report, that reports grants of $1 million or more to other charitable organizations would need to post on its website, if applicable, the aggregated demographic information of the corporation’s directors and officers, including race, ethnicity, gender, disability status, veteran status, sexual orientation and gender identity.
Maryland HB 72, sponsored by Del. Courtney Watson, D-Ellicott City, was referred to the House Economic Matters Committee on January 11. The bill would amend the definition of charitable contribution to exclude donations of property that is intended to be redistributed without charge to a benevolent, educational, eleemosynary, humane, patriotic, philanthropic or religious purpose. It would also exclude an authorization for a discount on the use of services or materials, equipment or facilities, including those relating to advertising and broadcast airtime.
Minnesota HF 523, sponsored by Rep. Duane Quam, R-Byron, was referred to the House State and Local Government Finance and Policy Committee on January 18. The bill would prohibit an employee or representative of a state agency acting in their official capacity from vetoing the election or appointment of a potential board member of a nonprofit organization.
Minnesota SF 564, sponsored by Senate Jobs and Economic Development Committee Ranking Minority Member Rich Draheim, R-Madison Lake, was referred to that committee on January 23. The bill would prohibit nonprofit organizations with officers or employees compensated in excess of 125 percent of the governor’s salary from receiving grants under economic development or workforce development programs.
States: Salary Disclosure
STATES THAT HAVE PASSED BILLS INTO LAW:
NOW LAW: California SB 1162/Chapter 559 was signed by Democratic Gov. Gavin Newsom on September 27, 2022, and takes effect January 1, 2023. The law, in part, will expand state pay data reporting requirements to cover contracted employees. The law will require a private employer that has 100 or more employees to submit a pay data report to the Civil Rights Department. This law will revise the timeframe in which a private employer is required to submit this information to require that it be provided on or before the second Wednesday of May 2023, and for each year thereafter on or before the second Wednesday of May. This law will require the pay data report to include the median and mean hourly rate for each combination of race, ethnicity and sex within each job category. It will also require an employer, upon request, to provide to an employee the pay scale for the position in which the employee is currently employed. The bill would require an employer with 15 or more employees to include the pay scale for a position in any job posting. The law will require an employer to maintain records of a job title and wage rate history for each employee for a specified timeframe, to be open to inspection by the labor commissioner.
NOW LAW: Maryland HB 649/Chapter 271 will alter the requirement that an employer disclose wage information to an applicant for employment. An employer will be required to disclose wage information in postings and to employees, as specified. A wage range disclosed by an employer will have to be set in good faith. The law also prohibits an employer from taking retaliatory action against employees and requires keeping a record of compliance for at least three years. The law was signed by Democratic Gov. Wes Moore on April 25, 2024 and will take effect on October 1. Cross-filed bill SB 525/Chapter 272 was also signed into law on April 25 and will take effect on October 1.
NOW LAW: Massachusetts HB 4890/Chapter 141 was signed by Democratic Gov. Maura Healey on July 31, 2024 and takes effect October 29, with salary disclosure provisions taking effect October 29, 2025. The law will require:
- Annually, not later than February 1, a covered employer, subject to EEO-1 data report filing requirements, to submit to the state secretary a copy of its EEO-1 data report for the prior year.
- In each odd-numbered year, not later than February 1, a covered employer, subject to federal EEO-3 data report or EEO-5 data report filing requirements, to submit to the state secretary a copy of its EEO-3 data report or EEO-5 data report, as applicable, covering the most recent filing period.
- In each even-numbered year, not later than February 1, a covered employer, subject to federal EEO-4 data report filing requirements, to submit to the state secretary a copy of its EEO-4 data report covering the most recent filing period.
Employers will also be required to:
- Disclose the pay range for a particular and specific employment position in posting it.
- Provide the pay range for a particular and specific employment position to an employee who is offered a promotion, or transfer, to a new position with different job responsibilities.
- Provide the pay range for a particular and specific employment position to an employee holding such position, or to an applicant for such position, upon request.
NOW LAW: New York SB 1326/Chapter 94 was signed by Democratic Gov. Kathy Hochul on March 3, 2023 and takes effect at the same time as SB 9427 from last session, which is September 17, 2022. The bill would specify that existing laws around salary disclosure exclude remote work opportunities performed entirely out of state.
NOW LAW: Vermont HB 704 requires that job advertisements include the compensation or compensation range and job description for the advertised position. The act also prohibits employers from taking adverse action against current or prospective employees pursuant to the rights provided in the bill. The act was signed into law by Republican Gov. Phil Scott on June 4, 2024 and will take effect on July 1, 2025. A bill with similar provisions, Minnesota SF 3852/Chapter 110, is an omnibus labor policy act; its provisions include requiring salary ranges be included in job postings. The act was signed into law by Democratic Gov. Tim Walz on May 17 and the relevant provisions will take effect on July 1, 2024 and January 1, 2025.
PROPOSED BILLS:
Minnesota HF 3587 has been scheduled for a hearing in the House Labor and Industry Finance and Policy Committee on March 7, 2024 at 1:00 PM. The bill would require that employers disclose, in each job posting, the starting salary range and a general description of the benefits and other compensation to be offered to a hired job applicant. The bill would also require employers that do not plan to offer a salary range to list a fixed pay rate. Companion bill SF 3725 was introduced and referred to the Senate Labor Committee on February 15; the bill is sponsored by Sen. Alice Mann, D-Edina.
Minnesota HF 3587 was heard in the House Labor and Industry Finance and Policy Committee on March 7, 2024; the committee took testimony but laid the bill over for possible inclusion. Companion bill SF 3725 was heard in the Senate Labor Committee on March 12, where the committee laid the bill over for possible inclusion in the omnibus bill.
Montana SB 146, sponsored by Sen. Shane Morigeau, D-Missoula, was referred to the Senate Business, Labor and Economic Affairs Committee on January 11. The bill would, in part, require employers to disclose in each job posting the hourly or salary compensation or the range of compensation and a general description of all the benefits and other compensation to be offered to the hired applicant. The bill would also require employers to make reasonable efforts to announce, post or otherwise make known all opportunities for promotion to all current employees on the same calendar day and prior to making a promotion decision. Upon request of an employee offered an internal transfer, an employer would be required to provide the wage scale or salary range for the employee’s new position.
Montana SB 146 was heard in the Senate Business, Labor and Economic Affairs Committee on January 17, 2023. The committee took testimony but did not vote on the bill.
New Jersey AB 4683 was introduced and referred to the Assembly Labor Committee on September 12, 2024; the bill is sponsored by Assembly Majority Conference Leader Annette Quijano, D-Elizabeth, who is a member of the committee. The bill would require employers to announce, post or otherwise make known opportunities for promotion that are advertised internally within the employer or externally on internet-based advertisements, postings, printed flyers or other similar advertisements to all current employees in the affected department of the business prior to making a promotion decision. The bill would also require the disclosure of the hourly wage or salary, or a range of the hourly wage or salary, and a general description of benefits and other compensation programs that the employee would be eligible for in all job postings.
New Jersey SB 3629, sponsored by Sen. Joseph Cryan, D-Union, and the identical companion to AB 4683, was introduced on September 19, 2024 and referred to the Senate Labor Committee. The bill would require employers to announce, post or otherwise make known opportunities for promotion that are advertised internally within the employer or externally on internet-based advertisements, postings, printed flyers or other similar advertisements to all current employees in the affected department of the business prior to making a promotion decision. The bill would also require the disclosure of the hourly wage or salary, or a range of the hourly wage or salary, and a general description of benefits and other compensation programs that the employee would be eligible for in all job postings. Companion AB 4683 remains pending in the Assembly Labor Committee.
Virginia SB 1136 passed the Senate following a 20 to 18 vote on February 3, 2023 and is now pending in the Senate Commerce and Energy Committee. The bill would prohibit employers from:
- Seeking the wage or salary history of a prospective employee.
- Relying on the wage or salary history of a prospective employee in considering them for employment.
- Relying on the wage or salary history of a prospective employee in determining the wages or salary the prospective employee is to be paid upon hire. However, if a prospective employee voluntarily provides their salary information, the employer would be able to use the salary history to support a wage or salary higher than the employee’s initial offer to the extent that it does not create an unlawful pay differential.
- Refusing to interview, hire, employ or promote a prospective employee or otherwise retaliate against a prospective employee for not providing wage or salary history or for requesting a wage or salary range.
- Failing or refusing to provide a prospective employee the wage or salary range for the position for which the prospective employee is applying prior to discussing compensation and at any time upon the prospective employee’s request.
- Failing to set a wage or salary range in good faith. Any analysis of whether the wage or salary range has been set in good faith would need to consider, among other things, the breadth of the wage or salary range.
An employer that violates the bill’s provisions would be liable to a prospective employee for statutory damages between $1,000 and $10,000 or actual damages, whichever is greater.
Virginia HB 990 passed the House following a 51 to 47 vote on February 6, 2024. The bill would prohibit a prospective employer from:
- Seeking the wage or salary history of a prospective employee.
- Relying on the wage or salary history of a prospective employee in considering the prospective employee for employment.
- Relying on the wage or salary history of a prospective employee in determining the wages or salary the prospective employee is to be paid.
- Refusing to interview, hire, employ or promote a prospective employee for not providing their salary history.
- Failing or refusing to provide a prospective employee with the wage or salary range for the position they are applying for prior to discussing compensation and at any time upon their request.
- Failing to set a wage or salary range in good faith.
An employer that violates these provisions would be liable to the prospective employee for statutory damages between $1,000 and $10,000 or actual damages, whichever is greater. A companion bill, SB 370, passed the Senate on February 5.
Virginia HB 990 passed the Senate as previously substituted following a 21 to 18 vote on February 22, 2024 and the House concurred with those amendments on February 26. A companion bill, SB 370, passed the House on February 23.
Virginia HB 990 was vetoed by Republican Gov. Glenn Youngkin on March 14, 2024; the legislature could override a veto with a two-thirds vote of members present. A companion bill, SB 370, was similarly vetoed by Governor Youngkin.