
Policy in the States

Privacy Policy: Activity in the States

As anticipated, privacy legislation is coming back in full force. The pandemic derailed over twenty such legislative efforts in 2020. The five noted below are just the beginning. If this alone doesn’t make the case for federal pre-emption, the need will be crystal-clear when another one or two dozen states follow suit before spring is over.

Florida HB 969, sponsored by Rep. Fiona McFarland, R-Sarasota, was prefiled on February 15. The legislature is scheduled to convene on March 2. The bill would require businesses that collect personal information about a consumer to maintain an online privacy policy that is updated at least every 12 months. A consumer would have the right to request that the business disclose the categories and specific pieces of personal information that the business has collected about the consumer. Businesses would be required to notify consumers at or before the point of collection of the categories of personal information to be collected, as well as the purposes for which the personal information will be used. Businesses would be required to follow a retention schedule which would prohibit the use and retention of the information after the satisfaction of the initial purpose or one year after the consumer has last interacted with the business, whichever occurs first. The bill would provide for a private right of action but only for data breaches.

Minnesota HF 36, sponsored by Rep. Mohamud Noor, DFL-Minneapolis, was referred to the House Commerce, Finance, and Policy Committee on January 7. The bill contains robust disclosure requirements before personal information is collected and additional disclosures with an opt-out before personal information may be sold to a third party. It also includes a private right of action. Coverage is limited to “businesses.”

New York SB 1349, sponsored by Sen. Brad Hoylman, D-Manhattan, was referred to the Senate Consumer Protection Committee on January 11. The bill would require a business that retains a customer’s personal information to make that information available to the customer free of charge upon request. If a business discloses the information to third parties, it would be required to provide the names and contact information of the third parties that received the information and the categories of personal information that were disclosed. The companion bill, AB 400, sponsored by Asm. Nily Rozic, D-Queens, was referred to the Assembly Consumer Affairs and Protection Committee on January 6.

North Dakota HB 1330, sponsored by Rep. Jim Kasper, R-Fargo, was referred to the House Industry, Business, and Labor Committee on January 13. The bill would prohibit a “covered entity” (no explicit exemption for nonprofits) from selling a user’s data unless that user opts in to allow the sale. A covered entity that violates the bill’s provisions would be civilly liable to the user for a minimum of $10,000.

Oregon HB 2392, a tax on sales of data sponsored by Rep. Pam Marsh, D-Ashland, was pre-filed and will be considered when the legislature convenes on January 19. The bill would impose a tax of five percent of the gross receipts for businesses engaging in the sale of state residents’ personal information.

Washington SB 5062, sponsored by Sen. Reuven Carlyle, D-Seattle, is modeled on California’s comprehensive privacy law and gives consumers broad rights of notification, data deletion, and opt-outs. The bill contains only a very narrow private right of action and explicitly does not cover nonprofits (but, ominously, only until July 31, 2026). Given the extensive work on the legislation in previous sessions, the bill is expected to move quickly to passage.

The bill passed the Senate Ways and Means Committee with a substitute on February 15. The bill, to be known as the Washington Privacy Act, would grant a consumer the right to correct, delete, and opt out of data usage. The bill would require controllers to provide consumers with a secure and reliable way to submit a request to exercise a consumer’s right. It would apply to any entity that conducts business in Washington that controls or processes the data of 100,000 consumers or more or derives over 25 percent of its gross revenue from the sale of personal data and processes the data of 25,000 consumers or more. The bill would not apply to nonprofit corporations until July 31, 2026. The bill does not contain a private right of action except for specific provisions relating to contact tracing.

Other bills with similar provisions to the Washington Privacy Act include:

  • Connecticut SB 893, sponsored by the Joint General Law Committee, which was referred to that committee on February 17. The bill has been scheduled for a hearing in that committee on February 25 at an undisclosed time.
  • Utah SB 200, sponsored by Sen. Kirk Cullimore, R-Sandy, which was referred to the Senate Rules Committee on February 16.
  • Virginia SB 1392, which passed the Senate on February 4 and was heard in the House Communications, Technology and Innovation Committee on February 8. Another similar bill, HB 2307, passed the House on January 29 and is now pending in the Senate General Laws and Technology Committee. Both bills were continued into the legislature’s special session, which convened on February 10.

There is another Washington bill that looks quite different from the one above. Washington HB 1433, sponsored by Rep. Shelley Kloba, D-Kirkland, which was introduced on January 29, is to be known as the People’s Privacy Act. Covered entities would be required to make both a long form and short form privacy policy, which could be no more than 500 words long, persistently and conspicuously available. A covered entity would be required to ensure that individuals interact with the short form privacy policy upon their first visit to the covered entity’s website or mobile application. A covered entity would be required to obtain freely given, specific, informed and unambiguous opt-in consent before processing an individual’s personal information or making changes in the processing of their personal information. The option to withhold consent would be required to be as prominently displayed as the option to consent, and the covered entity must provide a mechanism for an individual to withdraw consent. Interaction with the entity’s terms of service or privacy policy would not constitute opt-in consent.

A covered entity would be required to respond to verified requests from individuals no later than 30 days after they are received but could request additional time under certain circumstances. A covered entity would be prohibited from disclosing captured personal data to third parties unless the third party is contractually bound to meet the same privacy and security obligations as the covered entity. A covered entity would be prohibited from processing information it has obtained from third parties unless it has obtained an individual’s opt-in consent. The bill would provide a private right of action with liquidated damages of $10,000 per violation or actual damages, whichever is greater. The bill would also allow the attorney general, city attorney or county prosecutor to initiate an action with court penalties that could include injunctive relief or fines of $25,000 or four percent of annual revenue, whichever is greater.
