
Legislation in the States

State Legislatures in Session (9/22/2022)

Included below:

This information is prepared by TNPA staff based on reports supplied by FOCUS, a Leonine business, and is up to date as of September 22, 2022.

States: Consumer Data Protection / Data Privacy

As anticipated, privacy legislation came back in full force in 2021 after 20+ legislative efforts were derailed by the pandemic in 2020. The “comeback” trend has continued in 2022.

States that have passed bills into law:

NOW LAW: California (from the CA AG website): The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and the CCPA regulations provide guidance on how to implement the law. This law secures new privacy rights for California consumers, including:

Businesses are required to give consumers certain notices explaining their privacy practices. The CCPA applies to many businesses, including data brokers.

NOW LAW: Colorado SB 190 was signed into law by Governor Polis on July 7, 2021. The law takes effect on July 1, 2023. Major provisions include: 

  • Enable a consumer to opt-out of the processing of their personal information. 
  • Confirm whether or not a controller is processing personal data concerning the consumer and to provide access to that information. 
  • The right to correct inaccurate personal information. 
  • The right to have personal information deleted.
  • Controllers would be required to provide a meaningful privacy notice to consumers detailing their various rights.
  • Does not contain a private right of action.

Nonprofit organizations are NOT exempted from the requirements of the law.

NOW LAW: Connecticut SB 6/Public Act 22-15, sponsored by Senate President Pro Tempore Martin Looney, D-New Haven, was signed by Democratic Gov. Ned Lamont on May 10 and takes effect July 1, 2023. The law will grant consumers various rights including:

  • The right to confirm whether or not a controller is processing the consumer’s personal data.
  • The right to correct inaccuracies in their personal data.
  • The right to delete personal data provided by or obtained about the consumer.
  • The right to obtain a copy of the consumer’s personal data processed by the controller.
  • The right to opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects.

Controllers will be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers will also be prohibited from processing the sensitive data of a consumer without their affirmative consent. The law will not apply to nonprofit organizations, does not provide a private right of action and will grant controllers a right to cure at the discretion of the attorney general. The law will also specify that a controller is not required to authenticate an opt-out request but will be able to deny a request if the controller has reasonable and documented belief that the request is fraudulent. Controllers will be required to send notice to the person making the request that they believe the request is fraudulent.

NOW LAW: Utah SB 227 was signed by Republican Gov. Spencer Cox on March 24 and takes effect December 31, 2023. The law will grant consumers various rights including:

  • The right to confirm whether a controller is processing the consumer’s personal data and to access their data.
  • The right to correct inaccurate personal data.
  • The right to delete the consumer’s personal data.
  • The right to obtain their personal data in an easily portable format.
  • The right to opt-out of the processing of their data for the purposes of targeted advertising or the sale of personal data.

The law does not apply to nonprofit organizations and does not contain a private right of action.

NOW LAW: Virginia SB 1392, known as the Virginia Consumer Data Protection Act, was signed by Governor Ralph Northam on March 2, 2021, and will take effect on January 1, 2023.  The CDPA grants consumers the right to confirm, correct, and delete personal data and opt-out of use of data for advertising or sale.  It includes an opt-in consent requirement for sensitive data.  Nonprofits are largely exempt.

The following bills, each amending a portion of the Virginia Consumer Data Protection Act (2021), have been passed by both houses of the General Assembly and are awaiting the signature of the Governor:

  • VA SB 393 was presented to the governor on March 11, alongside an identical bill, HB 381 (see below).
  • VA SB 516, sponsored by Sen. David Marsden, D-Burke, which would authorize the attorney general to pursue actual damages to the extent they exist if a controller or processor continues to violate the bill. The bill would also include political organizations under the definition of a nonprofit and abolish the consumer privacy fund. The bill passed the House Energy and Commerce Committee on February 24 and the House on March 1.
  • Virginia HB 381 was delivered to Republican Gov. Glenn Youngkin on March 11. Governor Youngkin will have until April 11 to sign or veto the bill or it becomes law. The bill would amend the Consumer Data Protection Act to specify that a controller that has obtained personal data about a consumer from a source other than the consumer would be deemed in compliance with a consumer’s request to delete such data by either retaining a record of the deletion request and the minimum data necessary for ensuring the consumer’s personal data remains deleted or by opting the consumer out of the processing of that data for targeted advertising, sale or profiling. An identical bill, SB 393, was also presented to the governor on that same day.
  • VA HB 714, sponsored by Del. Cliff Hayes, D-Chesapeake, passed the Senate General Laws and Technology Committee and the Senate Finance and Appropriations Committee on March 2 and the Senate on March 2. The bill is now pending delivery to Republican Gov. Glenn Youngkin. The bill would include political organizations under the definition of a nonprofit.

Proposed laws:

Alaska HB 159 [The legislature adjourned without further action on May 18, 2022], sponsored by the House Rules Committee at the request of Republican Gov. Mike Dunleavy, was heard in the House Rules Committee on March 18; the committee received an overview of various state privacy efforts from Ryan Harkins, a Senior Director of Public Policy at Microsoft, but did not vote on the bill during the hearing. This broad privacy bill would:

  • Require a business that collects a consumer’s personal information to notify the consumer before collecting the information and provide various disclosures.
  • Grant consumers the right to request a business provide specified information including the categories and specific pieces of personal information that the business collects.
  • Grant consumers the right to request deletion of their personal information collected by a business from the preceding five years.
  • Grant consumers the right to request the disclosure of personal information sold or disclosed to third parties.
  • Grant consumers the right to opt out of the sale of their personal information.
  • Prohibit third parties from disclosing information unless it was collected in compliance with the bill’s other provisions.
  • Provide for a private right of action for violations of the bill.
  • Require the annual registration of data brokers with the commissioner of commerce. 

Alaska HB 222 [The legislature adjourned without further action on May 18, 2022], sponsored by Rep. George Rauscher, R-Sutton, was pre-filed on January 7. The bill was referred to the Labor & Commerce Committee on January 18.  The bill would require a business that collects a consumer’s personal information to notify a consumer, at or before the point of collection, of the following:

  • The categories of personal information and sensitive personal information the business will collect and the purposes and whether the business will sell or share the information.
  • The length of time the business will retain each category of personal information.
  • The proviso the business cannot retain personal information for longer than is reasonably necessary for the specified purpose.

The bill would also grant consumers the right to:

  • Correct inaccurate personal information.
  • Receive a disclosure about the categories of information collected, sources of that information, specific pieces of information collected and the business or commercial purpose for collecting, sharing, or selling.
  • Direct the business not to sell or share their personal information, i.e., opt out.
  • Limit the businesses’ use of sensitive personally identifiable information.
  • Receive a disclosure with specified information about the sale of their data.

The bill contains a private right of action but only for data breaches.

Colorado SB 190 (See top of page for “NOW LAW” section.)

Connecticut SB 6/Public Act 22-15 (See top of page for “NOW LAW” section.)

Delaware HB 262 passed the House with amendments on May 5, 2022, and was heard in the Senate Banking, Business and Insurance Committee on June 8; the committee took testimony, including from Vermont Deputy Attorney General Christopher Curtis, but did not vote on the bill during the hearing.  The bill would require data brokers to annually register with the consumer protection unit of the Department of Justice and pay an annual fee. As part of the registration process the data broker would be required to provide the following information:

  • The name and primary physical, email and internet address of the data broker and links to all applicable privacy policies.
  • The method consumers can use to opt-out if the data broker permits consumers to do so.
  • A statement specifying the data collection, databases, or sales activities from which the data broker does not allow a consumer to opt-out.
  • A description of the data broker’s processes for verifying the purchasers of its brokered personal information. A separate statement would also be required if the broker deals the personal information of minors.
  • The number of data security breaches that the data broker has experienced within the past three years.
  • Answers to specified questions including whether the data broker limits the use of personal information by a purchaser or licensee.

The bill does not contain a private right of action.

District of Columbia B24-451, sponsored by City Council Chair Phil Mendelson, is a verbatim rendition of a model law very recently proposed by the Uniform Law Commission. The bill will be known as the “Uniform Personal Data Protection Act of 2021” and is slated to be referred to the Judiciary and Public Safety Committee on November 2. The bill would:

  • Grant consumers the right to copy or correct their personal data.
  • Permit “compatible” data practices without consent if the processing of the data is consistent with the expectations of the data subject or is likely to benefit the data subject.
  • Prohibit data practices that may cause a substantial risk of harm to data subjects including processing likely to cause harassment, financial harm or that fails to provide reasonable data security.
  • Permit incompatible data practices, which include practices neither prohibited nor compatible, with a consumer’s consent. Tailored messaging including advertising would be considered a compatible use.
  • Not contain a private right of action.

Florida HB 9, sponsored by Rep. Fiona McFarland, R-Sarasota, passed the House Commerce Committee with a substitute on February 10, 2022. Known as the Florida Privacy Act, the legislation is dead for a second consecutive year after the Senate did not act on the bill amid House and Senate budget negotiations, Florida Politics reports. The bill is expected to be reintroduced next year. The bill would require a controller that collects personal information about a consumer to maintain an online privacy policy that is updated at least every 12 months and contains:

  • A list of categories of personal information the business collects.
  • The consumer’s right to request deletion or correction of personal information.
  • The consumer’s right to opt-out of the sale or sharing to third parties.

A controller that collects personal information would be required to:

  • Inform consumers of the categories of personal information to be collected and the purposes for which the information will be used.
  • Adopt and implement a retention schedule that prohibits the use or retention of the information after the initial purpose has been fulfilled or three years after the consumer’s last interaction with the controller.

The bill would also grant a consumer various rights including:

  • The right to request a copy of personal data collected, sold or shared.
  • The right to have personal data deleted or corrected.
  • The right to opt-out of the sale or sharing of their personal data. Once a consumer has opted-out, controllers would be required to wait at least 12 months before requesting a consumer to authorize the sale or sharing of their data.

Georgia SB 394, sponsored by Sen. Greg Dolezal, R-Cumming, was introduced on January 26, 2022, and has not yet been referred to a committee. The bill, to be known as the Georgia Computer Data Privacy Act, would entitle consumers to various privacy rights including:

  • The right to request the categories and specific items of personal information that a business has collected on them.
  • The right to request deletion of their personal information. Businesses would be required to direct service providers to delete the consumer’s information.
  • The right to request the categories of information that a business has sold or disclosed for a business purpose, as well as the categories of third parties to whom the information was sold or disclosed.
  • The right to opt out of the sale of their personal data; a consumer could also authorize someone else to opt out on their behalf.

Businesses would be required to provide a notice to consumers on their internet homepage stating:

  • That the personal information could be sold.
  • The persons to whom the data would or could be sold.
  • The pro rata value of the consumer’s personal information.
  • That the consumer has the right to opt out of the sale of their data.

Businesses would also be required to provide a link on their homepage that allows a consumer to opt-out of the sale of their data. Beginning September 1, businesses would not be allowed to sell personal data to a third party without a consumer’s consent. Third parties would not be able to further sell the data unless a consumer has received notice and opts-in to the sale of their data. Businesses would not be allowed to collect personal data without first providing notice and obtaining the consumer’s consent. The bill would grant consumers a private right of action in addition to enforcement by the attorney general.

Indiana SB 358 passed the Senate Commerce and Technology Committee with amendments on January 27 and unanimously passed the Senate on February 1, 2022. The bill is now pending committee referral in the House. As amended, the bill would grant consumers the following rights:

  • The right to confirm whether or not a controller is processing the consumer’s personal data.
  • The right to correct inaccuracies in the consumer’s personal data that the consumer previously provided to the controller.
  • The right to delete personal data provided by or obtained about the consumer.
  • The right to obtain a copy or a representative summary of the consumer’s personal data that the consumer previously provided to the controller. The controller would have the discretion to send either a copy or a representative summary.
  • The right to opt out of processing for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. Controllers would also be prohibited from processing the sensitive data of a consumer without their affirmative consent. Sensitive data is defined to include but is not limited to biometric data, personal data collected from a known child, and precise geolocation data. The bill would apply to businesses that conduct business in the state or produce products or services that are targeted to residents of the state and that process the personal data of 100,000 or more consumers, or process the personal data of 25,000 or more consumers and derive more than 50 percent of their revenue from the sale of personal data. The bill does apply to nonprofit organizations and does not contain a private right of action.

Iowa: The House passed a privacy bill on March 22, 2022, which is unlikely to advance further.

Kentucky SB 15, sponsored by Sen. Whitney Westerfield, R-Hopkinsville, was referred to the Senate Economic Development, Tourism and Labor Committee on January 18, 2022. The bill would require controllers to comply with authenticated consumer requests to exercise the right to:

  • Confirm whether or not a controller is processing the consumer’s personal data and to access that data.
  • Delete personal data provided by the consumer.
  • Obtain a copy of the consumer’s personal data in a portable and, to the extent possible, readily usable format.
  • Opt out of targeted advertising.
  • Opt out of tracking.
  • Opt out of the sale or sharing of their personal data.

Controllers would be required to establish, implement and maintain reasonable data security practices and could not process sensitive data concerning a consumer for a nonexempt purpose without giving them the opportunity to opt-out. Upon a request of the attorney general’s office a controller would be required to provide the agency with the specific third parties, if any, with whom the controller shares or sells personal data including the location where they retain the data, the length of time they retain the data and the third party’s use or uses of the data. The bill contains a limited private right of action but is otherwise enforceable by the attorney general. The bill would apply to entities that control or process personal data of at least 10,000 consumers.

Louisiana HB 987, sponsored by Rep. Daryl Deshotel, R-Avoyelles Parish, has been scheduled for House floor debate on May 31. The bill, to be known as the Louisiana Consumer Privacy Act, would grant consumers various rights including:

  • The right to confirm whether a controller is processing their personal data.
  • The right to access their data.
  • The right to obtain a copy of their data in a format that is portable, to the extent technically feasible, and readily usable, to the extent practicable, and that allows the consumer to transmit the data to another controller without impediment, if the processing is carried out by automated means.
  • The right to delete personal data provided to the controller.
  • The right to opt out of the processing of their personal data for the purposes of targeted advertising or the sale of their data.

Controllers would be required to provide consumers with a reasonably accessible, clear and meaningful privacy notice. Controllers would be required to respond to verified consumer requests within 45 days but could request an extension of an additional 45 days. The bill does not apply to nonprofit corporations. The bill would give the attorney general exclusive enforcement authority and contains right to cure language.

Maryland SB 11 passed the Senate on March 17, 2022, and was heard in the House Economic Matters Committee. The committee took testimony from Consumer Reports and Common Sense Media, among others, but did not vote on the bill.

The bill would create a privacy workgroup tasked with providing a report to the legislature including findings and recommendations including any recommended legislation for the 2023 session.

Massachusetts HB 4514, sponsored by the Joint Advanced Information Technology, the Internet and Cybersecurity Committee, passed the committee on March 3, 2022, and is now pending in the Joint Healthcare Financing Committee. The bill, which is a new version of multiple previous privacy bills pending in the committee, would create the Massachusetts Information Privacy and Security Act that would specify that personal information would be:

  • Processed lawfully, fairly and in a transparent manner in relation to the individual.
  • Collected for specified legitimate purposes and not further processed in an incompatible manner.
  • Processed in a manner that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  • Maintained in a form that permits identification for no longer than is necessary for purposes for which the information is processed.
  • Processed in a manner that ensures the information is appropriately secure.

Processing of personal information would be deemed lawful if at least one of the following applies:

  • The individual has given consent to the processing of their information.
  • Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract.
  • Processing is necessary for compliance with a legal obligation.
  • Processing is necessary in order to protect the vital interests of the individual or of another natural person.
  • Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party except where such interests are overridden by the individual’s reasonable expectations of privacy.

Controllers would be required to assess the following factors when determining whether there is a legitimate interest for processing:

  • The possible consequences and cognizable harms for the individual whose personal information would be processed.
  • The amount and nature of the personal information that would be processed.
  • The need for security and confidentiality of the personal information.
  • The context in which the personal information would be collected.
  • Whether the processing is necessary and proportionate in relation to the purposes or whether the controller or third party can achieve their legitimate interests in another less intrusive way.

The bill would also grant consumers various rights including:

  • The right to a meaningful privacy notice including various disclosures including the length of time the controller intends to retain each category of personal information.
  • The right to know and access personal information including the specific pieces of personal information that the controller has collected and the categories of sources from which the information has been collected.
  • The right to data portability.  

Michigan HB 5989, sponsored by Rep. Sarah Anthony, D-Lansing, was referred to the House Communications and Technology Committee on April 12, 2022. The bill, to be known as the Consumer Privacy Act, would grant consumers the right to:

  • Know what personal data are being collected about them.
  • Know whether their personal data is sold or disclosed and to whom.
  • Say no to the sale of their personal data or the processing of their data for the purposes of targeted advertising or in furtherance of decisions that produce legal or similarly significant effects regarding a consumer.
  • Access the personal data that has been collected about them.
  • Request that a business delete any personal data that has been collected about them.
  • Request that a business correct inaccurate personal information.
  • Not be discriminated against for exercising their privacy rights.
  • Obtain a copy of their personal data in a portable and, to the extent feasible, readily usable format.

Controllers would be required to limit data collection to what is adequate, relevant and reasonably necessary in relation to the purposes for which the personal data was processed. Controllers would also be required to provide consumers with a reasonably accessible, clear and meaningful privacy notice. The bill would give the attorney general exclusive enforcement authority and contains right to cure language.

Minnesota HF 1492 (“Minnesota Consumer Data Privacy Act”) is sponsored by Rep. Steve Elkins, DFL-Bloomington. An information-only hearing in the House Commerce Finance and Policy Committee was held on September 27, 2021. The bill would grant the right to: 

  • Confirm whether a controller is processing their personal data and, if so, have access to that data. 
  • Correct inaccurate personal data. 
  • Have personal data deleted. 
  • Obtain personal data from a controller in a format allowing transmission to another controller. 
  • Opt-out of the processing of personal data for the purposes of targeted advertising or of the sale of personal data. 

The bill does not contain a private right of action. It would apply to legal entities that conduct business in Minnesota or produce products or services that are targeted to state residents and that either process the personal data of 100,000 or more consumers or derive 25 percent of gross revenue from the sale of personal data and process the personal data of 25,000 or more consumers. The bill contains a delayed effective date of July 31, 2026, for higher education institutions and nonprofit corporations.

Nebraska LB 1188 [The legislature adjourned without further action on April 19, 2022, “postponing” the bill], sponsored by Sen. Mike Flood of Omaha, was referred to the Banking, Commerce and Insurance Committee on January 24. The committee is scheduled to consider the bill during a hearing on February 28 at 1:30 PM. The bill, to be known as the Uniform Data Protection Act, would grant consumers various rights including the right to copy or correct their personal data. The bill would authorize compatible data practices that could be performed without a consumer’s consent if the processing of the data is consistent with the expectations of the data subject or is likely to benefit the data subject, including for targeted advertising. The bill would prohibit data practices that could cause a substantial risk of harm to data subjects including processing likely to cause harassment, financial harm or that fails to provide reasonable data security. The bill would permit incompatible data practices, which include practices neither prohibited nor compatible, with a consumer’s consent. The bill does not contain a private right of action.

New Jersey SB 332, sponsored by Senate Majority Whip Troy Singleton, D-Delran, was amended on the Senate floor on August 8 and remains pending in the Senate. The bill would require commercial internet websites and online service operators to notify consumers of the collection and disclosure of personally identifiable information to third parties including:

  • The categories of the personally identifiable information that the operator collects through the internet website or online service.
  • All third parties to which the operator could disclose a consumer’s personally identifiable information.
  • Whether a third party could collect personally identifiable information over time and across different commercial internet websites.
  • A description of the process for an individual consumer to review or request changes to their personal information.
  • The process by which an operator notifies consumers of material changes to the required notification.

An operator would be required to create a webpage that, by verified request, allows a consumer to opt out of the sale of their personally identifiable information. The amendment removes the private right of action from the bill.

New York SB 6701 was amended and re-referred to the Senate Internet and Technology Committee on May 31. The committee is not expected to hold further meetings this year. The amendments make numerous changes including changing the bill from an opt-in to an opt-out framework with the exception of the processing of sensitive data. This bill, to be known as the New York Privacy Act, would require a controller, defined as the natural or legal person which alone or jointly with others determines the purposes and means of the processing of the personal data, to facilitate certain consumer rights including:

  • Confirming if a consumer’s personal data is being processed and providing access to the data.
  • Correcting inaccurate consumer personal data.
  • Deleting the consumer’s personal data if certain conditions are met.
  • Restricting the processing of the personal data.
  • Providing the consumer with any of the personal data that they provided to the controller.
  • A private right of action for enforcement.

A consumer would also be able to object to the processing of their personal data for direct marketing purposes. When a consumer objects, the consumer would be required to communicate the consumer’s objection to any third parties. The bill would define personal data to include any information relating to an identified or identifiable natural person but would not include de-identified data. The bill contains a private right of action.

Ohio HB 376, sponsored by Rep. Rick Carfagna, R-Genoa Township, passed the House Government Oversight Committee with a substitute on February 9, 2022. The bill has support of Republican Gov. Mike DeWine.

The bill (the Ohio Personal Privacy Act) would grant consumers:

  • the right to obtain a copy of their personal data
  • the right to deletion of any personal data collected for a business purpose
  • the right to have any inaccurate personal information corrected
  • the right to opt-out of the sale of their personal information.

The bill would apply to businesses that satisfy one or more of the following three criteria: annual gross revenues exceeding $25 million; processes or controls the data of 100,000 or more consumers; derives over half of its revenue from the sale of personal data and processes or controls data on 25,000 or more consumers.

Significantly, the bill contains a private right of action.

Oklahoma HB 2968, although it passed the House, did not move in the Senate in this session.

Oregon HB 4017 [The legislature adjourned without further action on March 4, 2022], sponsored by the House Business and Labor Committee at the request of Democratic Attorney General Ellen Rosenblum, passed that committee with amendments on February 11. The bill would prohibit data brokers from collecting, selling, or licensing personal data within the state without first registering with the Department of Consumer and Business Services.

Pennsylvania HB 2202 was heard in the House Consumer Affairs Committee on May 25; the committee took testimony from Microsoft and SPSC, among others, but did not vote on the bill during the hearing. This broad privacy bill would grant consumers various rights including the right to:

  • Know whether a business is processing personal information about the consumer.
  • Know whether their personal information is processed for the purposes of targeted advertising or the sale of personal information.
  • Decline or opt out of the processing of personal information for specified purposes including targeted advertising.
  • Access, correct, and delete their information.

The bill does not include a private right of action. 

The bill would specify that personal information processed by a business or service provider could be processed only to an extent that is necessary, reasonable and proportionate for an authorized purpose. The bill would apply only to businesses that have annual gross revenues of more than $20 million; buy, receive, sell or share the data of 100,000 or more consumers; or derive 50 percent or more of their annual revenue from selling consumers’ personal information.

Pennsylvania HB 2257, sponsored by Rep. Malcolm Kenyatta, D-Philadelphia, was referred to the House Consumer Affairs Committee on January 20. The bill, to be known as the Pennsylvania Consumer Data Protection Act, is modeled after the Virginia law and would grant consumers various rights including:

  • The right to confirm whether or not a controller is processing the consumer’s personal data and the right to access that data.
  • The right to correct inaccurate personal data.
  • The right to delete their personal data.
  • The right to obtain a copy of the consumer’s personal data in a portable and, to the extent possible, readily usable format.
  • The right to opt-out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

The bill contains right to cure language providing controllers or processors 30 days to rectify any violations under the bill. The bill does not contain a private right of action and does not apply to nonprofit organizations.

Pennsylvania HB 2715, sponsored by Rep. Frank Burns, D-Johnstown, was referred to the House Consumer Affairs Committee on June 30. The bill would require data brokers to annually register with the attorney general’s office. The bill would also require data brokers to provide specified information to consumers, including how they would be able to opt out of the sale of their personal information. The registration fee would be $400, with civil penalties of $100 for each day beyond the deadline that they fail to register.

Tennessee General Assembly’s Joint Ad Hoc Committee on data privacy met on November 8 and 9, 2021. The committee heard testimony from numerous businesses and organizations including the Tennessee Chamber, the Tennessee Business Roundtable, and Facebook (Meta). Speakers urged the committee to avoid adding to the patchwork of differing state laws and implored it not to include a private right of action. Committee co-chair Rep. Johnny Garrett, R-Goodlettsville, stated the goal of any legislation would be to offer protections to consumers without creating a compliance burden. One member, Rep. John Ray Clemmons, D-Nashville, suggested waiting for federal action on the subject would be in the best interests of preserving the state’s strong business climate. No votes were taken.

Utah SB 227 (See top of page for “NOW LAW” section.)

Virginia SB 1392 (See top of page for “NOW LAW” section.)

Washington HB 1850 failed to pass prior to the legislature’s adjournment on March 11 and is unlikely to advance further. The bill would grant consumers various rights including:

  • The right to confirm whether or not a controller is processing the personal data concerning the consumer and access the personal data.
  • The right to correct inaccurate personal information.
  • The right to request deletion of their personal data.
  • The right to obtain their personal data.
  • The right to opt-out of the processing of their personal data for the purposes of targeted advertising, the sharing of personal data or profiling in furtherance of decisions that produce legal effects concerning a consumer.

Consumers would be able to exercise their rights through a designated authorized agent, through user-enabled global privacy controls or, for a minor, through a parent or guardian. Controllers would also be required to provide consumers with a reasonably accessible, clear and meaningful privacy notice. The bill would also impose on every data controller or data processor an annual registration requirement, under which specified information must be provided, and an annual fee. The bill would provide a private right of action but would also provide a right to cure for a limited time. The bill does not apply to nonprofits until July 31, 2027. The first substitute previously adopted by the House Civil Rights and Judiciary Committee made numerous changes including but not limited to:

  • Modifying the definition of share to no longer exempt certain types of personal data disclosures or transfers such as disclosures to processors and affiliates, or data disclosures that are part of a merger or acquisition.
  • Modifying the definition of targeted advertising by providing that targeted advertising means obtaining information about a consumer to display an advertisement rather than displaying an advertisement based on a consumer’s personal data. The substitute no longer excludes advertising based on activities within a controller’s commonly branded websites or applications.
  • Modifying the private right of action to allow recovery of reasonable attorney’s fees and costs.
  • Delaying the effective date of the bill as well as the expiration date of the right to cure provisions.

The most recent House Appropriations Committee substitute specifies that the bill would only take effect if SB 5062, the Washington Privacy Act, passes before July 1 (see below). The substitute would make numerous other changes, including granting consumers a private right of action for violations of SB 5062, creating a state data privacy coalition and imposing an annual fee on controllers and processors of personal data. A full committee summary of the substitute can be found here.

Washington SB 5062 was moved to the Senate Rules Committee “white sheet” on February 24. The white sheet is where bills are sent immediately after being passed out of a standing committee and is, more or less, a review calendar. As previously substituted, the bill would grant a consumer the right to:

  • Confirm whether a controller is processing their personal data and access that data.
  • Correct inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of that data.
  • Delete their personal data.
  • Obtain their personal data from a controller in a way that allows the consumer to transmit the data to another controller.
  • Opt-out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal effects concerning a consumer.

Controllers would be required to:

  • Provide consumers with a meaningful privacy notice.
  • Limit collection of personal data to what is required or relevant for a specified purpose.
  • Establish and implement data security practices.
  • Prohibit processing that violates state or federal law.
  • Obtain consumer consent in order to process sensitive data.

The bill would require controllers to provide consumers with a secure and reliable way to submit a request to exercise a consumer’s right. It would apply to entities that conduct business in Washington and that control or process the data of 100,000 consumers or more, or that derive over 25 percent of their gross revenue from the sale of personal data and process the data of 25,000 consumers or more. The amendment makes numerous changes including:

  • Exempting nonprofit organizations that are registered with the secretary of state, collect personal data during legitimate activities relating to the organization’s tax-exempt purpose and do not sell that information.
  • Giving consumers the right to access personal data a controller is processing rather than just categories of information.

West Virginia HB 4454, sponsored by Del. Ken Reed, R-Berkley, was referred to the House Judiciary Committee on January 31. The bill would grant consumers the right to opt-out of the sale or sharing of their personal information. Businesses that sell or share consumer information with third parties would be required to provide notice to consumers that their information could be shared or sold and that they have the right to opt-out. Businesses would also be required to post links on their internet homepage entitled “Do Not Sell or Share my Personal Information” and “Limit the Use of my Sensitive Personal Information.”

Wisconsin AB 957, sponsored by Asm. Shannon Zimmerman, R-River Falls, passed the Assembly Consumer Protection Committee on February 22 and passed the Assembly with an amendment on February 23. The bill would grant consumers various rights including:

  • The right to confirm whether or not a controller is processing the personal data concerning the consumer and access the personal data.
  • The right to correct inaccurate personal information.
  • The right to request deletion of their personal data.
  • The right to obtain their personal data.
  • The right to opt-out of the processing of their personal data for the purposes of targeted advertising, the sharing of personal data or profiling in furtherance of decisions that produce legal effects concerning a consumer.

Controllers would be required to provide consumers with a reasonably accessible and clear privacy policy that includes:

  • The categories of personal data processed by the controller.
  • The purpose of processing personal data.
  • How consumers could exercise their rights including how a consumer can appeal a controller’s decision.
  • The categories of personal data shared with third parties.
  • The categories of third parties, if any, with whom the controller shares personal data.

The bill contains a 30-day right to cure and does not contain a private right of action. A companion bill, SB 957, sponsored by Sen. Joan Ballweg, R-Markesan, was referred to the Senate Government Operations, Legal Review and Consumer Protection Committee on February 9.

States: Donor Privacy and Confidentiality

States that have passed bills into law:

NOW LAW: Georgia SB 534 was signed by Republican Gov. Brian Kemp on May 2 and took immediate effect. The law prohibits state agencies, absent the showing of compelling interest, from imposing any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. Any additional reporting or filing requirements are required to be narrowly tailored to achieve the compelling state interest. The bill defines charitable organizations as 501(c)(3) organizations.

NOW LAW: New Hampshire SB 302/Chapter 336 was signed by Republican Gov. Chris Sununu on July 25 and takes effect January 1. The law will prohibit a public agency from:

  • Requiring an individual or entity to provide the public agency with personal information.
  • Releasing, publicizing or otherwise publicly disclosing any data that directly or indirectly identifies a person as a member, supporter, volunteer, or donor of financial or nonfinancial support.
  • Requiring any current or prospective contractor or grantee to provide the agency with a list of entities exempt from federal income taxation to which it has provided financial or nonfinancial support.

NOW LAW: New York SB 4817A (companion A 1141A) was passed by the Senate on June 9, followed by the Assembly on June 10. It was delivered to Gov. Hochul on November 1 and she signed it into law on November 12.

This legislation was necessary to undo a rider on 2020 budget legislation inserted by then Gov. Cuomo. That rider would have required all nonprofits registered with the Attorney General under the solicitation law to perform a duplicative (literally) registration with the NY Dept of State. It also would have required confidential donor information (that provided in Form 990 Schedule B) to be provided to the Department but with looser protections than afforded to the same information by the AG’s office (the AG collected Sched B from registrants until dissuaded by the U.S. Supreme Court donor privacy decision in July 2021). 

Strong objections to wasteful duplicate reporting and to the prospective disclosure of private donor information led two New York nonprofits (Nonprofit New York and Lawyer’s Alliance) to lead a grassroots effort, joined by TNPA, to support SB 4817A. That effort was successful.

NOW LAW: Virginia SB 324/Chapter 19, sponsored by Sen. Jill Vogel, R-Upperville, was signed by Republican Gov. Glenn Youngkin on August 4 and takes effect January 1. The law will prohibit a state agency from:

  • Requiring an individual or entity to provide the public agency with personal donor information.
  • Requiring any bidder, offeror, contractor or grantee of the organization to provide the agency with personal donor information.
  • Disclosing personal donor information without the express written permission of every individual who is identifiable from the potential release of such information, including identifiable as members, supporters or volunteers, or donors to the agency.

Proposed bills:

Hawaii HB 2416 was delivered to Democratic Governor David Ige on May 4, who will have until May 18 to act on the bill or it becomes law. The bill would in part require 501(c)(4) organizations operating as a noncandidate committee to disclose the name and address of donors who donate an aggregate of more than $10,000. The bill would prohibit donations from being used for electioneering communications, independent expenditures or contributions without the written consent of the donor. Organizations would be required to notify donors that their name and address could be reported under the disclosure rules listed above. If the donor fails to provide written consent, then the organization would be required to transmit to the donor, within 30 days, confirmation from the organization’s highest ranking official that the donation will not be used for electioneering purposes.

Louisiana SB 179, a lookalike bill to Georgia SB 534 (see above), was delivered to Democratic Gov. John Bel Edwards on May 27, who will have until June 6 to sign or veto the bill or it becomes law. The bill would prohibit state agencies, absent the showing of compelling interest, from imposing any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. The legislature would be able to review any requirements that are more restrictive. The bill defines charitable organizations as a person who holds himself out to be benevolent, civic, recreational, educational, voluntary, health, law enforcement, social service, philanthropic, fraternal, humane, patriotic, religious, or eleemosynary organization.

Missouri HB 2120 passed the House on April 6 and passed the Senate Government Accountability and Fiscal Oversight Committee with a substitute on May 9. The bill would prohibit a public agency from:

  • Requiring an individual to provide the public agency with personal information.
  • Requiring any 501(c) tax exempt organization to provide the public agency with personal information.
  • Releasing, publicizing, or otherwise publicly disclosing personal information in possession of the agency.
  • Requiring any current or prospective contractor or grantee to provide the agency with a list of entities exempt from federal income taxation to which it has provided financial or nonfinancial support.

Missouri HB 2120, sponsored by Rep. Jered Taylor, R-Republic, has been scheduled for a hearing in the House Emerging Issues Committee on February 15 at 4:00 PM. The bill would prohibit a public agency from:

  • Requiring an individual to provide the public agency with personal information.
  • Requiring any 501(c) tax exempt organization to provide the public agency with personal information.
  • Releasing, publicizing, or otherwise publicly disclosing personal information in possession of the agency.
  • Requiring any current or prospective contractor or grantee to provide the agency with a list of entities exempt from federal income taxation to which it has provided financial or nonfinancial support.

Nebraska LB 823 was heard in the Government, Military and Veterans Affairs Committee on January 27; information from the hearing was not immediately available. The bill would prohibit the state from imposing any annual filing or reporting requirement on a charitable organization that is more stringent than already required.

North Carolina SB 636 was passed by the House Judiciary Committee with a substitute on August 19 on a vote of 59-33 and by the Senate on August 25 by 25-19. Both votes were strict party line, Republicans in favor, Democrats opposed. It was sent to Gov. Roy Cooper for signing or veto on August 27. The Governor, a Democrat, vetoed the bill on September 3, saying the legislation was unnecessary and could prejudice existing campaign contribution laws. At this writing, it is unclear whether the legislature will seek to override the veto. An override requires a 60% vote in each chamber.

The bill would have exempted, except as specifically required by state and federal law, nonprofit donor information from disclosure under the public records law, including any attachments or other information submitted with IRS 990 or 990-EZ forms. The bill also defines donor information as “confidential” in numerous instances in NC law in which state officials and legislators are prohibited from using, or restricted in their use of, “confidential information.” 

Pennsylvania HB 2087, sponsored by Rep. John Hershey, R-Mifflintown, was referred to the House State Government Committee on November 16. Joined as co-sponsors were eight additional Republican Representatives, including State Government Committee Chair Grove.  The bill’s intent is to prohibit state agencies from collecting or disclosing any information which would identify an individual as a donor/supporter of a nonprofit organization, except when required by law to do so.

The prohibition would apply to: 

  • An agency’s request made to an individual. 
  • An agency’s request made to a charitable organization seeking information on individual donors. 
  • An agency’s request made to a current or prospective contractor or grantee seeking the names of charitable organizations to which they have provided financial or nonfinancial support. 

The legislation would also, in its own words, make it illegal for an agency to “Release, publicize or otherwise publicly disclose...” donor information in its possession.

States: Charitable Solicitation

States that have passed bills into law:

NOW LAW:  Louisiana SB 179/Act 262 was signed by Democratic Gov. John Bel Edwards on June 3 and took immediate effect. The law prohibits state agencies, absent the showing of compelling interest, from imposing any annual filing or reporting requirements on charitable organizations more stringent than specified under existing law. The legislature can review any requirements that are more restrictive. The law defines charitable organizations as a person who holds himself out to be benevolent, civic, recreational, educational, voluntary, health, law enforcement, social service, philanthropic, fraternal, humane, patriotic, religious or eleemosynary organization.

NOW LAW: New Hampshire SB 375/Chapter 173 was signed by Republican Gov. Chris Sununu on June 7 and takes effect August 6. The law will prohibit the state from imposing any annual filing or reporting requirement on a charitable organization that is more stringent than already required under existing law. The law will also raise the compulsory audit threshold for annual reporting by nonprofits from $1 million to $2 million.

NOW LAW: Tennessee SB 1935/Chapter 773 was signed by Republican Gov. Bill Lee on April 8 and took immediate effect. The law removes requirements that financial statements, annual event applications, charitable solicitation applications and athlete agent registrations filed with the secretary of state be sworn under penalty of perjury.

Proposed bills:

California AB 488 passed the Assembly following a 59-18 party-line vote on May 28. The bill passed the Senate Judiciary Committee on June 29 in a 9-1 vote. It passed the Senate on a 30-9 vote on September 1, concurred in by the Assembly on September 2. It was enrolled and presented to Gov. Gavin Newsom on September 10. The Governor signed the bill into law on October 7. The law takes effect January 1, 2023.

TNPA participated in a multi-year stakeholder process for this legislation which resulted in many necessary changes to the original draft created by the Attorney General’s office. Nevertheless, significant issues remain to be resolved through the means of rulemaking during the course of the coming year.  The Attorney General conducts the rulemaking.  The bill’s stakeholders, including TNPA, will undoubtedly participate in the process.

The bill establishes new requirements for online fundraising by third parties. However, the legislation is NOT applicable to a charity’s own website and online fundraising. Entities defined in the legislation as a “fundraising platform” or “platform charity” would be required to register with the AG and to submit annual reports. The legislation requires a number of compelled disclosures designed to give prospective donors adequate information (such as fees to be deducted from the intended gift, how long it may take for the beneficiary nonprofit to receive its gift, etc.). 

The new California categories of solicitation law oversight are unique and will surely draw the attention of charity officials in other states. It is likely other states will let the California experiment play out rather than rush to emulate. Nonprofits currently receiving significant funds from the newly regulated platforms will also be watching. It is not a foregone conclusion the legislation and forthcoming regulations will strike the right balance between protecting donors and allowing support dollars to flow to nonprofit missions.

Connecticut HB 5222 passed the House on May 3; however, the legislature adjourned on May 4 so the bill will not advance further. The bill codifies recent federal caselaw relating to the Connecticut Solicitation of Charitable Funds Act that rendered various provisions relating to the regulation of paid solicitors unenforceable. Specifically, the bill would:

  • Reduce to one day, rather than the current 20 days, the notice a solicitor is required to give the Department of Consumer Protection before starting a campaign.
  • Eliminate the requirement that copies of the campaign “script” be shared with DCP ahead of the campaign.
  • Eliminate the requirement that the solicitor disclose the percentage of gross revenue the charitable organization will receive. A similar requirement to disclose the percentage on written solicitations would also be eliminated.
  • Raise the compulsory audit threshold for annual reporting by nonprofits from $500K to $1 million (an overdue and welcome update – not among the constitutionally required changes).

The bill would eliminate the requirement that solicitors share donor names and addresses with the department, though solicitors would still be required to maintain this information internally. However, the AG’s right to inspect donation records would be limited to date and amount with donor identity explicitly excluded. This change is evidently in deference to the U.S. Supreme Court donor privacy ruling in Bonta (go here for more information).

Massachusetts HB 4137 passed the Joint Committee on Consumer Protection and Professional Licensure on March 14. The bill would amend the required disclosures by telemarketers to include the percentage share of the contribution raised by the solicitation that would be received by the charitable organization.

Mississippi SB 2344, sponsored by Sen. Robert Jackson, D-Marks, was referred to the Senate Business and Financial Institutions Committee on January 17. The bill would make numerous changes to the solicitation law and would specify that every registered charitable organization that receives contributions in excess of $500,000 and all of whose fundraising functions are carried out by persons who are unpaid would be required to file a financial statement on a four-year cycle. The bill would provide that the renewal period for professional solicitors would be every four years.

Missouri HB 2400 was delivered to Republican Gov. Mike Parson on May 18, who will have until June 26 to sign or veto the bill or it becomes law. As recently amended, the bill would prohibit state agencies or state officials from imposing any annual filing or reporting requirements on charitable organizations that are more stringent than specified under existing law.

The Mississippi Secretary of State proposed new regulations (FOCUS# REG 263467r) on June 23 dealing with charitable solicitations. The proposed regulation would allow charities that are exempted from filing 990 forms with the IRS to file extensions with the state. The proposal would also specify that it would be a violation of the Mississippi Regulation of Charitable Solicitations Act for a commercial co-venturer to perform any services on behalf of an unregistered charitable organization. Comments on the proposal can be submitted by July 18.

Tennessee HB 2133, sponsored by Rep. Kent Calfee, R-Kingston, has been scheduled for a hearing in the House State Government Subcommittee on Departments and Agencies on March 15. The bill would require each charitable organization and professional solicitor that is required to register with the secretary of state to disclose the following information at the time of solicitation:

  • The legal name of the charitable organization.
  • Each trade name that the organization uses.
  • Each name the organization could be identified or known as.
  • Each distinctive name the organization uses for purposes of solicitation of contributions.

Upon request the organization or professional solicitor would also be required to disclose the program or programs the funds solicited will be used to support, the approximate percentage of contributions solicited in a fiscal year to remain in the state and the process to obtain a free copy of the charitable organization’s registration and financial information from the secretary of state. On all written and printed solicitations, the bill would require a copy of the following statement to be prominently displayed “A copy of [insert name of the charitable organization as it appears on file with the secretary of state]’s registration with the secretary of state and financial information are available for free from the secretary of state. Registration is not an endorsement by this state.” If a solicitation occurs over the internet, then the statement must be prominently displayed on a webpage that identifies a mailing address where funds are to be sent, identifies a telephone number to call or provides for online processing of contributions. The bill would also require registration statements for charitable organizations to include the following information:

  • The name and mailing address of each professional fundraising counsel utilized by the organization.
  • A statement, for first time registrants, as to whether or not the organization believes contributions will exceed $10,000. Initial registrants would also be required to provide a letter from the IRS or other supporting information that the organization is exempt from federal income tax or is organized by a state or jurisdiction as a not-for-profit entity.
  • The approximate percentage of contributions solicited in a fiscal year to remain in the state.
  • The period of time or periods during which solicitations are to be conducted.
  • The identification of the specific methods of solicitation utilized by the charitable organization.
  • Whether the solicitation will be conducted by a professional solicitor. If the organization will use professional solicitors, then the organization would be required to provide the names and address of each professional solicitor, the basis of payment or other consideration payable to each solicitor and the specific amount, formula or percentage of compensation.

The bill would also require organizations to submit additional information including but not limited to the total program services expenses, management and general expenses of the organization and total fundraising expenses of the organization. The bill’s companion, SB 2554 was filed February 2 and has not yet been referred to a committee.

Utah HB 217 passed the House Business and Labor Committee with a substitute on February 2 and passed the House on February 10. It passed the Senate on February 18 and is awaiting final enrollment and delivery to Republican Gov. Spencer Cox. The bill would make numerous changes to the telephone consumer fraud act, including but not limited to:

  • Prohibiting a person from making a telephone solicitation to a cell phone without prior consent.
  • Changing penalty violations of the law to provide that a seller or solicitor is guilty of a class B misdemeanor for a first violation, a class A misdemeanor for a second violation and a third-degree felony for a third or subsequent violation.
  • Permitting the Division of Consumer Protection to conduct an administrative proceeding to enforce provisions of the law, bring a court action to enforce the provisions of the law and issue cease and desist orders, as well as issue administrative fines of up to $2,500 per violation.

States: Nonprofit Governance

District of Columbia B24-987, sponsored by Democratic Council Chair Phil Mendelson at the request of Democratic Attorney General Karl Racine, was referred to the Committee of the Whole on September 20. This bill would allow the attorney general to levy penalties of up to $10,000 against nonprofit leaders who siphon charitable funds. The bill would clarify that the district’s nonprofit statutes do not limit the district’s common law authority over foreign and domestic authority. The bill would also clarify that the attorney general could act to remedy past and present violations of the law. The bill would require the attorney general’s office to be notified of any actions brought by other parties against nonprofits so that it could determine whether to intervene.

New York AB 1237/S 1182 was signed by Democratic Gov. Kathy Hochul on November 8, 2021, and took immediate effect. The law extends emergency orders issued by Gov. Cuomo enabling organizations to avoid legally mandated in-person meetings during the pandemic. The legislature concluded remote/virtual meetings have worked well so, going forward post-pandemic, in-person meetings would not be required.  Accordingly, nonprofits and religious institutions established in New York are now free to hold their mandated meetings remotely (businesses can now do so as well).

States: Salary Disclosure

California SB 1162 was enrolled and presented to Democratic Gov. Gavin Newsom on September 6, who has until September 30 to sign or veto the bill or it becomes law. The bill, in part, would expand state pay data reporting requirements to cover contracted employees. The bill would require a private employer that has 100 or more employees to submit a pay data report to the Civil Rights Department. This bill would revise the timeframe in which a private employer is required to submit this information to require that it be provided on or before the second Wednesday of May 2023, and for each year thereafter on or before the second Wednesday of May. This bill would require the pay data report to include the median and mean hourly rate for each combination of race, ethnicity and sex within each job category. It would also require an employer, upon request, to provide to an employee the pay scale for the position in which the employee is currently employed. The bill would require an employer with 15 or more employees to include the pay scale for a position in any job posting. The bill would require an employer to maintain records of a job title and wage rate history for each employee for a specified timeframe, to be open to inspection by the labor commissioner.
