Policy in the States
As anticipated, privacy legislation is coming back in full force. The pandemic derailed over twenty such legislative efforts in 2020. The five noted below are just the beginning. If this alone doesn’t make the case for federal pre-emption, the need will be crystal-clear when another one or two dozen states follow suit before spring is over.
Minnesota HF 36, sponsored by Rep. Mohamud Noor, DFL-Minneapolis, was referred to the House Commerce, Finance, and Policy Committee on January 7. The bill contains robust disclosure requirements before personal information is collected and additional disclosures with an opt-out before personal information may be sold to a third party. It also includes a private right of action. Coverage is limited to “businesses.”
New York SB 1349, sponsored by Sen. Brad Holyman, D-Manhattan, was referred to the Senate Consumer Protection Committee on January 11. The bill would require a business that retains a customer’s personal information to make that information available to the customer free of charge upon request. If a business discloses the information to third parties it would be required to provide the names and contact information of the third parties that received the information and the categories of personal information that were disclosed. The companion bill, AB 400, sponsored by Asm. Nily Rozic, D-Queens, was referred to the Assembly Consumer Affairs and Protection Committee on January 6.
North Dakota HB 1330, sponsored by Rep. Jim Kasper, R-Fargo, was referred to the House Industry, Business, and Labor Committee on January 13. The bill would prohibit a “covered entity” (no explicit exemption for nonprofits) from selling a user’s data unless that user opts-in to allow the sale. A covered entity that violates the bill’s provisions would be civilly liable to the user for a minimum of $10,000.
Oregon HB 2392, a tax on sales of data sponsored by Rep. Pam Marsh, D-Ashland, was pre-filed and will be considered when the legislature convenes on January 19. The bill would impose a tax of five percent of the gross receipts for business engaging in the sale of state resident’s personal information.
Washington SB 5062, sponsored by Sen. Reuven Carlyle, D-Seattle, is modeled on California’s comprehensive privacy law and gives consumers broad rights of notification, data deletion, and opt-outs. The bill contains only a very narrow private right of action and explicitly does not cover nonprofits (but, ominously, only until July 31, 2026). Given the extensive work on the legislation in previous sessions, the bill is expected to move quickly to passage.
The bill passed the Senate Ways and Means Committee with a substitute on February 15. The bill, to be known as the Washington Privacy Act, would grant a consumer the right to correct, delete, and opt-out of data usage. The bill would require controllers to provide consumers with a secure and reliable way to submit a request to exercise a consumer’s right. It would apply to any entity that conducts business in Washington that controls or processes the data of 100,000 consumers or more or derives over 25 percent of its gross revenue from the sale of personal data and processes the data of 25,000 consumers or more. The bill would not apply to nonprofit corporations until July 31, 2026. The bill does not contain a private right of action except for specific provisions relating to contact tracing.
Other bills with similar provisions to the Washington Privacy Act include:
- Connecticut SB 893, sponsored by the Joint General Law Committee, which was referred to that committee on February 17. The bill has been scheduled for a hearing in that committee on February 25 at an undisclosed time.
- Utah SB 200, sponsored by Sen. Kirk Cullimore, R-Sandy, which was referred to the Senate Rules Committee on February 16.
- Virginia SB 1392, passed the Senate on February 4 and was heard in the House Communications, Technology and Innovation Committee on February 8. Another similar bill HB 2307, passed the House on January 29 and is now pending in the Senate General Laws and Technology Committee. Both bills were continued into the legislature’s special session which convened on February 10.
A covered entity would be required to respond to verified requests from individuals no later than 30 days after they are received but could request additional time under certain circumstances. A covered entity would be prohibited from disclosing captured personal data to third parties unless the third party is contractually bound to meet the same privacy and security obligations as the covered entity. A covered entity would be prohibited from processing information it has obtained from third parties unless it has obtained and individual’s opt-in consent. The bill would provide a private right of action with liquidated damages of $10,000 per violation or actual damages, whichever is greater. The bill would also allow the attorney general, city attorney or county prosecutor to initiate an action with court penalties that could include injunctive relief or fines of $25,000 or four percent of annual revenue, whichever is greater.