Skip to Main Content.
  • Technology, Data Privacy Concept

    New Bills Suggest Privacy is Top of Mind for State Lawmakers

    • Item
    • Item
    • Item
    • Item
Barely a month into the new year and nine states have already introduced their own version of comprehensive privacy bills. While each of the proposed bills has its own unique requirements, many closely resemble the California Consumer Privacy Act (CCPA) or the General Data Protection Regulation (GDPR).
Below are some of the highlights from the proposed state legislation.

Arizona

HB 2729 – Introduced February 5.
  • Provides consumers the right to restrict processing of personal data.
  • Does not apply to state and local governments.
  • Similar applicability thresholds to the CCPA, but includes legal entities that conduct business in the state or produce products or services that are intentionally targeted to residents of Arizona.
  • No private right of action.

Florida

SB 1670 – Introduced January 22.
  • Requires operators of a website or online service that collects information from FL consumers to provide notice regarding the collection and sale of such information and allow consumers to opt-out.
  • Prohibits use of public records data obtained from state agencies to market or solicit products or services without a consumer’s affirmative consent.
  • Applies to a narrower category of businesses than the CCPA and is limited to certain types of “Covered Information” transferred as part of a “Sale” of data.
  • Permits 30-day period to cure violations.
  • No private right of action.

Hawaii

SB 2451 – Introduced January 17.
  • Prohibits a third party from selling or using personal information about a consumer that has been sold to the third party by a business; unless the consumer has received explicit notice, provides express written consent, and is provided an opportunity to exercise the right to opt out.
  • Specifies notification requirements for businesses.

Illinois

SB 2330, Illinois Data Transparency and Privacy Act  – Introduced January 8.
  • Similar notice requirements to the CCPA.
  • Grants consumers certain information rights regarding their personal information.
  • Requires businesses to conduct risk assessments of “processing activities involving personal information” and make them available to the attorney general upon request.
  • Permits a private right of action (only from data breaches).

Maryland

HB 0249 – Introduced January 17.
  • Allows residents to opt-out of third-party disclosure.
  • Does not provide a definition of “sale,” instead, it defines what does not constitute “disclosure.”
  • No private right of action.

Nebraska

LB 746, Nebraska Consumer Data Privacy Act – Introduced January 27.
  • Provides consumers the right to know, access, and delete their personal information (with some exceptions).
  • Prohibits discrimination against consumers for exercising their rights.
  • Requires businesses to have a “Don’t sell my information” link in their website.
  • Applicable to companies with an annual revenue of $10 million.
  • No private right of action.

New Hampshire

HB 1680, Collection of Personal Information by Business Act – Introduced January 8.
  • Same applicability thresholds as CCPA.
  • Broad definition of “sale”
  • Ability for consumers to opt out of the sale of their personal information.
  • Private right of action (only from data breaches).

Virginia*

HB 473, Virginia Privacy Act – Introduced January 8.
  • Provides for consumer rights similar to CCPA, but provides a narrower definition of “sale” (exchange of personal data for monetary consideration).
  • Requires controllers to perform, and make available to the attorney general, risk assessments of each of their processing activities involving personal data.
  • Permits a private right of action.

* The Communications, Technology and Innovation Committee continued this bill to 2021 by voice vote on January 17.

Washington

SB 6281, Washington Privacy Act – Reintroduced January 13.
  • Text of bill is substantially similar to the CCPA.
  • Controllers must conduct a data protection assessment and provide it to the attorney general upon request.
  • Controller and processor contract obligations similar to GDPR’s Article 28 requirements.
  • No private right of action.