Proposed Legislation in the States
- State Consumer Data Protection
- State Fundraising Solicitation Law
- State Donor Privacy and Confidentiality
States: Consumer Data Protection
As anticipated, privacy legislation came back in full force in 2021 after 20+ legislative efforts were derailed by the pandemic. There is every reason to believe the “come back” trend will continue in 2022. Following are a few of the state bills we’re following:
Alaska HB 159 is sponsored by the House Rules Committee at the request of Republican Gov. Mike Dunleavy (the Senate companion is SB 116). The House Labor and Commerce Committee held a hearing and took testimony on December 6 but took no votes. The Committee did make clear its intent to advance the legislation when the legislature reconvenes January 18, 2022. The bill would:
- Require a business to notify the consumer before collecting information.
- Grant consumers the right to be informed of the personal information that the business collects.
- Grant consumers the right to request deletion of their personal information.
- Grant consumers the right to be advised of personal information sold or disclosed to third parties.
- Grant consumers the right to opt out of the sale of their personal information.
- Provide for a private right of action.
Colorado SB 190 passed the Senate Appropriations Committee on May 14. Significant amendments were made in House Committee, the amended bill was passed by the House, and the Senate passed the House-amended version on June 8. It was signed into law by Governor Polis on July 7. The law takes effect on July 1, 2023. Major provisions include:
- Enable a consumer to opt-out of the processing of their personal information.
- Confirm whether or not a controller is processing personal data concerning the consumer and to provide access to that information.
- The right to correct inaccurate personal information.
- The right to have personal information deleted.
- Controllers would be required to provide a meaningful privacy notice to consumers detailing their various rights
- Does not contain a private right of action.
District of Columbia B24-451, sponsored by City Council Chair Phil Mendelson is a verbatim rendition of a model law very recently proposed by the Uniform Law Commission. The bill will be known as the “Uniform Personal Data Protection Act of 2021” and is slated to be referred to the Judiciary and Public Safety Committee on November 2. The bill would:
- It would grant consumers the right to copy or correct their personal data.
- Permit “compatible” data practices without consent if the processing of the data is consistent with the expectations of the data subject or is likely to benefit the data subject.
- Prohibit data practices that may cause a substantial risk of harm to data subjects including processing likely to cause harassment, financial harm or that fails to provide reasonable data security.
- The bill would permit incompatible data practices which include practices neither prohibited or compatible with a consumer’s consent. Tailored messaging including advertising would be considered a compatible use.
- Does not contain a private right of action.
Florida HB 969 is dead for this year. It was passed by the Senate on April 29 but no further action was possible before adjournment on April 30.
Maine LD 1655 (“Data Broker Registry”) was reported unfavorably out of joint committee of jurisdiction on May 21. It is not likely to be revived this year. Maine LD 1714 (“Maine Consumer Privacy Act”) is a comprehensive data privacy proposal but was never reported out of committee. The Maine legislative website pronounced it dead as of June 2.
Massachusetts: The Massachusetts Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity met on October 13 and heard a small armada of forty or so bills. Included were HB 136 (Rep. Rogers, D-Cambridge), HB 142 (Rep. Vargas, D-Haverhill), and SB 46 (Majority Leader, Sen. Creem, D-Newton).
The hearing was attended by numerous industry representatives and privacy advocates. Among the latter were Electronic Privacy Information Center, ACLU, and Electronic Frontier Foundation. All of the bills above concern us in that they contain opt-in requirements and private right of action for enforcement. The emphasis from industry was for keeping in line with standards already established by state privacy bills, such as those in VA and CA.
The sense of the Committee was to push forward with one or more of these bills. The response to the pleas for uniformity from industry was to assert that, lacking action from Congress, Massachusetts must set its own standards and not be restrained by what other states had done. We will keep tracking these and advise which measure (or measures) gains traction and advances in the process.
Minnesota HF 1492, (“Minnesota Consumer Data Privacy Act”) sponsored by Rep. Steve Elkins, DFL-Bloomington. An information-only hearing in the House Commerce Finance and Policy Committee was held on September 27. The bill would grant the right to:
- Confirm whether a controller is processing their personal data and, if so, have access to that data.
- Correct inaccurate personal data.
- Have personal data deleted.
- Obtain personal data from a controller in a format allowing transmission to another controller.
- Opt-out of the processing of personal data for the purposes of targeted advertising or of the sale of personal data.
The bill does not contain a private right of action. It would apply to: legal entities that conduct business in Minnesota or produce products or services that are targeted to state residents, and that either process the personal data of 100,000 or more consumers or derive 25 percent of gross revenue from the sale of personal data and process the personal data of 25,000 or more consumers. The bill contains a delayed effective date July 31, 2026, for higher education institutions and nonprofit corporations.
New York SB 6701, sponsored by Sen. Kevin Thomas, D-New York, passed the Senate Consumer Protection Committee on May 24. It was sent to Rules Committee on June 10 as preparation for Senate floor vote, as yet not forthcoming. The bill is known as the “New York Privacy Act” (Assembly companion A 680) and, importantly, is predicated on opt-in. It establishes a cluster of consumer rights, among them:
- Providing access to any of a consumer’s data being processed.
- The correction of any inaccurate consumer personal data.
- Deleting the consumer’s personal data under specified circumstances.
- Restricting the processing of the personal data.
- A private right of action for enforcement.
Ohio HB 376, sponsored by Rep. Rick Carfagna, R-Genoa Township, was introduced on July 12 hear in the Government Oversight Committee on September 28. The legislature is in regular session. The bill has support of Republican Gov. Mike DeWine. The Chamber of Commerce and the office of the Attorney General testified in favor. The Committee did not take a vote.
The bill (the Ohio Personal Privacy Act) would grant consumers:
- the right to obtain a copy of their personal data
- the right to deletion of any personal data collected for a business purpose
- the right to have any inaccurate personal information corrected
- the right to opt-out of the sale of their personal information.
The bill would apply to businesses that satisfy one or more of the following three criteria: Annual gross revenues exceeding $25 million; Processes or controls the data of 100,000 or more consumers; Derives over half of its revenue from the sale of personal data and processes or controls data on 25,000 or more consumers.
Significantly, the bill contains a private right of action.
Oklahoma HB 2968, sponsored by Rep. Collin Walke, D-Oklahoma City, was pre-filed on September 9, to be in process when the legislature convenes its 2022 session on February 7. The bill would require a “business” to only collect and share information with third parties that is reasonably necessary to provide a good or service to a consumer who has requested it. Businesses would also be required to inform consumers that they have the right to:
- opt out of personalized advertising
- request a business delete their personal information
- learn what information is retained by the business
- request corrections to inaccurate personal information.
The business would be required to provide at least two methods for submitting a designated request. The bill does not contain a private right of action. A similar bill, HB 2969, sponsored by Rep. Walke was also pre-filed on Sept 9.
Pennsylvania HB 1126, sponsored by Rep. Ed Neilson, D-Philadelphia, was referred to the House Consumer Affairs Committee on April 7. There has been no recorded Committee activity to date. The legislature is in regular session. The bill (“Consumer Data Privacy Act”) would give consumers the right to:
- Know what personal information is being collected about them.
- Know whether and to whom their personal information is sold or disclosed.
- Decline or opt-out of the sale of their personal information.
- Access the personal information that has been collected.
The inaction may be due to the fact the legislature is majority Republican in both chambers. While there are Republican co-sponsors on HB 1126, Republicans are not generally friendly to business regulation of this sort.
Pennsylvania HB 2202, sponsored by Rep. Robert Mercuri, R-Wexford (joined by numerous cosponsors), was referred to the House Consumer Affairs Committee on December 13. It would apply to businesses with annual gross revenues of more than $20 million which buys, receives, sells or shares the data of 100,000 or more consumers, or derives 50 percent or more of its annual revenue from selling consumers personal information.
This broad privacy bill would grant consumers various rights including to:
- Know whether a business is processing personal information about the consumer.
- Know whether their personal information is processed for the purposes of targeted advertising or the sale of personal information.
- Decline or opt out of the processing of personal information for specified purposes including targeted advertising.
- Access, correct and delete their information.
The bill does not include a private right of action.
Tennessee General Assembly’s Joint Ad Hoc Committee on data privacy met on November 8 and 9. The committee heard testimony from numerous businesses and organizations including the Tennessee Chamber, the Tennessee Business Roundtable, and Facebook (Meta). Speakers urged the committee to avoid adding to the patchwork of differing state laws and implored it not to include a private right of action. Committee co-chair Rep. Johnny Garrett, R-Goodlettsville, stated the goal of any legislation would be to offer protections to consumers without creating a compliance burden. One member, Rep. John Ray Clemmons, D-Nashville, suggested waiting for federal action on the subject would be in the best interests of preserving the state’s strong business climate. No votes were taken.
Texas HB 3741 (link to text only) was referred to the House Business and Industry Committee on March 29. The bill would grant consumers various rights including:
- The right to know the information being collected.
- The right to correct inaccurate personal information.
- The right to access and obtain their personal information.
- The right to delete their sensitive personal information.
- Use of data predicated on consumer opt-in.
The Committee took no action on the legislation. The legislature adjourned on May 31, though is currently in special session.
Virginia SB 1392, known as the Virginia Consumer Data Protection Act, was signed by Governor Ralph Northam on March 2 and will take effect on January 1, 2023. The CDPA grants consumers the right to confirm, correct, and delete personal data and opt-out of use of data for advertising or sale. It includes an opt-in consent requirement for sensitive data. Nonprofits are largely exempt.
Washington SB 5062 Hearings were held in each house and each house amended it significantly. The full Senate passed its amended version. The House was deep in its process but was unable to take final action before the legislature’s regular-session adjournment on April 25. The bill as amended would grant a collection of consumer rights, among them:
- To learn whether a business is processing their personal data and to have access to that data.
- To have inaccurate data corrected.
- To have their personal data deleted.
- Opt-out of the use of their personal data for the purposes of targeted advertising or of the sale of their personal data.
Additional requirements would be placed directly upon data “controllers, among them:
- Limit collection of personal data to what is required or relevant for a specified purpose.
- Establish and implement data security practices.
- Obtain consumer consent in order to process sensitive data.
- Exempting nonprofit organizations registered with the secretary of state who collect personal data during legitimate activities relating to the organization’s tax-exempt purpose and do not sell that information.
Given the significant time and attention given to the legislation this year, it’s a good bet the legislation will have an encore in 2022.
States: Fundraising Solicitation Law
California AB 488 passed the Assembly following a 59-18 party-line vote on May 28. The bill passed the Senate Judiciary Committee on June 29 in a 9-1 vote. It passed the Senate on a 30-9 vote on September 1, concurred in by the Assembly on September 2. It was enrolled and presented to Gov. Gavin Newsom on September 10. The Governor signed the bill into law on October 7. The law takes effect January 1, 2023.
TNPA participated in a multi-year stakeholder process for this legislation which resulted in many necessary changes to the original draft created by the Attorney General’s office. Nevertheless, significant issues remain to be resolved through the means of rulemaking during the course of the coming year. The Attorney General conducts the rulemaking. The bill’s stakeholders, including TNPA, will undoubtedly participate in the process.
The bill establishes new requirements for online fundraising by third parties. However, the legislation is NOT applicable to a charity’s own website and online fundraising. Entities defined in the legislation as a “fundraising platform” or “platform charity” would be required to register with the AG and to submit annual reports. The legislation requires a number of compelled disclosures designed to give prospective donors adequate information (such as fees to be deducted from the intended gift, how long it may take for the beneficiary nonprofit to receive its gift, etc.).
The new California categories of solicitation law oversight are unique and will surely draw the attention of charity officials in other states. It is likely other states will let the California experiment play out rather than rush to emulate. Nonprofits currently receiving significant funds from the newly regulated platforms will also be watching. It is not a forgone conclusion the legislation and forthcoming regulations will strike the right balance between protecting donors and allowing support dollars to flow to nonprofit missions.
States: Donor Privacy and Confidentiality
New York SB 4817A (companion A 1141A) was passed by the Senate on June 9, followed by the Assembly on June 10. It was delivered to Gov. Hochul on November 1 and she signed it into law on November 12.
This legislation was necessary to undo a rider on 2020 budget legislation inserted by then Gov. Cuomo. That rider would have required all nonprofits registered with the Attorney General under the solicitation law to perform a duplicative (literally) registration with the NY Dept of State. It also would have required confidential donor information (that provided in Form 990 Schedule B) to be provided to the Department but with looser protections than afforded to the same information by the AG’s office (the AG collected Sched B from registrants until dissuaded by the U.S. Supreme Court donor privacy decision in July 2021).
Strong objections to wasteful duplicate reporting and to the prospective disclosure of private donor information led two New York nonprofits (Nonprofit New York and Lawyer’s Alliance) to lead a grassroots effort, joined by TNPA, to support SB 4817A. That effort was successful.
North Carolina SB 636 was passed by the House Judiciary Committee with a substitute on on August 19 on a vote of 59-33 and by the Senate on August 25 by 25-19. Both votes were strict party line, Republicans in favor, Democrats opposed. It was sent to Gov. Roy Cooper for signing or veto on August 27. The Governor, a Democrat, vetoed the bill on September 3, saying the legislation was unnecessary and could prejudice existing campaign contribution laws. At this writing, it is unclear whether the legislature will seek to override the veto. An override requires a 60% vote in each chamber.
The bill would have exempted, except as specifically required by state and federal law, nonprofit donor information from disclosure under the public records law, including any attachments or other information submitted with IRS 990 or 990-EZ forms. The bill also defines donor information as “confidential” in numerous instances in NC law in which state officials and legislators are prohibited from using, or restricted in their use of, “confidential information.”
Pennsylvania HB 2087, sponsored by Rep. John Hershey, R-Mifflintown, was referred to the House State Government Committee on November 16. Joined as co-sponsors were eight additional Republican Representatives, including State Government Committee Chair Grove. The bill’s intent is to prohibit state agencies from collecting or disclosing any information which would identify an individual as a donor/supporter of a nonprofit organization, except when required by law to do so.
The prohibition would apply to:
- An agency’s request made to an individual.
- An agency’s request made to a charitable organization seeking information on individual donors.
- An agency’s request made to a current or prospective contractor or grantee seeking the names of charitable organizations to which they have provided financial or nonfinancial support.
The legislation would also, in its own words, make it illegal for an agency to “Release, publicize or otherwise publicly disclose...” donor information in its possession.