Proposed Legislation in the States
- State Consumer Data Protection
- State Fundraising Solicitation Law
- State Donor Privacy and Confidentiality
States: Consumer Data Protection
As anticipated, privacy legislation came back in full force this year after the pandemic derailed over twenty such legislative efforts in 2020. Following are a few of the state bills we’re following:
Alaska HB 159 is sponsored by the House Rules Committee at the request of Republican Gov. Mike Dunleavy (the Senate companion is SB 116). The House Labor and Commerce Committee held a hearing on May 12 but has yet to take action. The bill would:
- Require a business to notify the consumer before collecting information.
- Grant consumers the right to be informed of the personal information that the business collects.
- Grant consumers the right to request deletion of their personal information.
- Grant consumers the right to be advised of personal information sold or disclosed to third parties.
- Grant consumers the right to opt out of the sale of their personal information.
- Provide for a private right of action.
Colorado SB 190 passed the Senate Appropriations Committee on May 14. Significant amendments were made in House Committee, the amended bill was passed by the House, and the Senate passed the House-amended version on June 8. It was signed into law by Governor Polis on July 7. The law takes effect on July 1, 2023. Major provisions include:
- Enable a consumer to opt-out of the processing of their personal information.
- Confirm whether or not a controller is processing personal data concerning the consumer and to provide access to that information.
- The right to correct inaccurate personal information.
- The right to have personal information deleted.
- Controllers would be required to provide a meaningful privacy notice to consumers detailing their various rights
- Does not contain a private right of action.
Florida HB 969 is dead for this year. It was passed by the Senate on April 29 but no further action was possible before adjournment on April 30.
Maine LD 1655 (“Data Broker Registry”) was reported unfavorably out of joint committee of jurisdiction on May 21. It is not likely to be revived this year. Maine LD 1714 (“Maine Consumer Privacy Act”) is a comprehensive data privacy proposal but was never reported out of committee. The Maine legislative website pronounced it dead as of June 2.
New York SB 6701, sponsored by Sen. Kevin Thomas, D-New York, passed the Senate Consumer Protection Committee, final action on May 24. Sent to Rules Committee on June 10 as preparation for Senate floor vote. The bill is known as the “New York Privacy Act” (Assembly companion A 680) and, importantly, is predicated on opt-in. It establishes a cluster of consumer rights, among them:
- Providing access to any of a consumer’s data being processed.
- The correction of any inaccurate consumer personal data.
- Deleting the consumer’s personal data under specified circumstances.
- Restricting the processing of the personal data.
- A private right of action for enforcement.
Ohio HB 376, sponsored by Rep. Rick Carfagna, R-Genoa Township, was introduced on July 12 and, as of 07/23, has not been referred to a committee. The bill has support of Republican Gov. Mike DeWine. The bill (the Ohio Personal Privacy Act) would grant consumers:
- the right to obtain a copy of their personal data
- the right to deletion of any personal data collected for a business purpose
- the right to have any inaccurate personal information corrected
- the right to opt-out of the sale of their personal information.
The bill would apply to businesses that satisfy one or more of the following three criteria: Annual gross revenues exceeding $25 million; Processes or controls the data of 100,000 or more consumers; Derives over half of its revenue from the sale of personal data and processes or controls data on 25,000 or more consumers.
Significantly, the bill contains a private right of action.
Oklahoma 1602, known as the Oklahoma Computer Data Privacy Act, passed the first chamber in March with an 85-11 vote but did not move forward in the Senate by the time the legislature adjourned on May 27. Had it been enacted, this would have been among the first opt-in consent frameworks in the U.S.
Pennsylvania HB 1126, sponsored by Rep. Ed Neilson, D-Philadelphia, was referred to the House Consumer Affairs Committee on April 7. There has been no recorded Committee activity to date (7/12/2021). The bill (“Consumer Data Privacy Act” would give consumers the right to:
- Know what personal information is being collected about them.
- Know whether and to whom their personal information is sold or disclosed.
- Decline or opt-out of the sale of their personal information.
- Access the personal information that has been collected.
The inaction may be due to the fact the legislature is majority Republican in both chambers. While there are Republican co-sponsors on HB 1126, Republicans are not generally friendly to business regulation of this sort.
Texas HB 3741 (link to text only) was referred to the House Business and Industry Committee on March 29. The bill would grant consumers various rights including:
- The right to know the information being collected.
- The right to correct inaccurate personal information.
- The right to access and obtain their personal information.
- The right to delete their sensitive personal information.
- Use of data predicated on consumer opt-in.
The Committee took no action on the legislation. The legislature adjourned on May 31.
Virginia SB 1392, known as the Virginia Consumer Data Protection Act, was signed by Governor Ralph Northam on March 2 and will take effect on January 1, 2023. The CDPA grants consumers the right to confirm, correct, and delete personal data and opt-out of use of data for advertising or sale. It includes an opt-in consent requirement for sensitive data. Nonprofits are largely exempt.
Washington SB 5062 Hearings were held in each house and each house amended it significantly. The full Senate passed its amended version. The House was deep in its process but was unable to take final action before the legislature’s regular-session adjournment on April 25. The bill as amended would grant a collection of consumer rights, among them:
- To learn whether a business is processing their personal data and to have access to that data.
- To have inaccurate data corrected.
- To have their personal data deleted.
- Opt-out of the use of their personal data for the purposes of targeted advertising or of the sale of their personal data.
Additional requirements would be placed directly upon data “controllers, among them:
- Limit collection of personal data to what is required or relevant for a specified purpose.
- Establish and implement data security practices.
- Obtain consumer consent in order to process sensitive data.
- Exempting nonprofit organizations registered with the secretary of state who collect personal data during legitimate activities relating to the organization’s tax-exempt purpose and do not sell that information.
Given the significant time and attention given to the legislation this year, it’s a good bet the legislation will have an encore in 2022.
States: Fundraising Solicitation Law
California AB 488 passed the Assembly following a 59-18 party-line vote on May 28. The bill passed the Senate Judiciary Committee on June 29 in a 9-1 vote. The bill was heard in Senate Appropriations on July 15 and was placed on the “suspense file” (a routine procedure by which the Committee considers the competing interests of those measures carrying relatively high price tags).
TNPA supplied written testimony to the Committee in June, asking for additional “fixes” for two remaining important matters. Neither was addressed. TNPA’s lobbyist in California, Kris Rosa, appeared at the June 29 hearing on our behalf. It’s important to note TNPA participated in a multi-year stakeholder process for this legislation and the process resulted in many necessary changes to the original draft created by the Attorney General’s office.
The bill would establish new requirements for online fundraising by third parties (whether or not for the benefit of named nonprofits). However, the legislation is NOT applicable to a charity’s own website and online fundraising. Entities defined in the legislation as a “fundraising platform” or “platform charity” would be required to register with the AG and to submit annual reports. The legislation requires a number of compelled disclosures designed to give prospective donors adequate information (such as fees to be deducted from the intended gift, how long it may take for the beneficiary nonprofit to receive its gift, etc.).
The new California categories of solicitation law oversight are unique. If California’s approach proves itself useful (according to the AG, we suppose), other states are likely to follow suit. Charity officials in other states are surely paying attention.
States: Donor Privacy and Confidentiality
New York SB 4817A (companion A 1141A) was passed by the Senate on June 9, followed by the Assembly on June 10. The legislation was necessary to undo a rider on 2020 budget legislation inserted by Gov. Cuomo. That legislation would have required all nonprofits registered with the Attorney General under the solicitation law to also register with the Department of State. It also would have required confidential donor information (that provided in Form 990 Schedule B) to be provided to the Department but with looser protections than afforded to the same information by the AG’s office (the AG already collects Sched B from registrants).
Strong objections to wasteful duplicate reporting and to the prospective disclosure of private donor information led two New York nonprofits (Nonprofit New York and Lawyer’s Alliance) to lead a grassroots effort, joined by TNPA, to support SB 4817A. When in full voice, nonprofits are often heard – and often acceded to.
The legislature has not sent the bill to Gov. Cuomo (as of 07/12/21) for signing or veto. It’s worth noting the impetus for his legislation (to give the state a free hand in collecting and sharing donor information) has been rendered irrelevant by the recent U.S. Supreme Court decision. The decision almost certainly makes the NY AG’s current collection of Schedule B unlawful. It would do the same to the Gov’s legislation (collection by Department of State) which SB 4817A seeks to rescind.