With the focus trained on national legislation to safeguard data and privacy, legislative activity at the state level often gets overlooked, though it has flourished in recent years. Many states either passed, rejected or have pending bills primarily focused on compelling businesses to inform customers about how their data is used. Here is a quick rundown of the major wins and losses from across the United States – at the very least these bills give organizations a peek at what’s on lawmakers’ minds.
ARIZONA – saw three bills fail in 2019.
• Failed: AZ HB 2259 would have required a commercial website that collects personal information from more than 500 users to establish a secure personal information portal that allows a person to access their own information and correct any errors.
• Failed: AZ HB 2478 relates to biological characteristics and biometric identifiers. It would have provided that a person may not enroll an individual’s biometric identifier in a database for a commercial purpose unless the person provides a mechanism to prevent the subsequent use of the identifier for a commercial purpose without consent.
• Failed: AZ HB 2524 would have required a website developer or software application that uses the microphone or camera functionality of a device to collect audio or image data to disclose the data that is being collected and the reason it is being collected to the user.
CALIFORNIA – Home to the well-known California Consumer Protection Act which went into effect January 1 considered several other proposals.
• Pending: HB 2259, if passed, would have required a commercial website that collects personal information from more than 500 users to establish a secure personal information portal that allows a person to access their own information and correct any errors.
• Passed: CA AB 1202 requires data brokers to register with and provide certain information to the attorney general. Defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions.
• Pending: CA AB 950, if passed, would require a business that conducts business in California, and collects a California resident’s consumer data, to disclose to the consumer the monetary value to the business of their consumer data by posting the average monetary value to the business of a consumer’s data.
CONNECTICUT – State government only gave the go-ahead to one of seven privacy-related bills.
• Failed: CT HB 5333 was designed to stop retailers from using facial recognition software for marketing purposes.
• Failed: CT HB 6544 was designed to prohibit consumer genetic testing companies from sharing any collected genetic data with health or life insurance companies.
• Passed: CT SB 1108 establishes a task force to examine what information businesses in Connecticut should be required to disclose to consumers concerning their personal information that is retained or sold by such businesses.
HAWAII – had the dubious honor of having its governor veto a bill that would have protected consumers from having their GPS location data monetized.
• Vetoed: HI HB 702 would have Prohibited the sale of location data collected using GPS systems without the explicit consent of the individual who is the primary user of the GPS-equipped device.
• Pending: HI HB 761 specifies that retailers may provide proof of purchase in electronic form to those belonging to their awards program but requires the businesses to have reasonable safeguards to protect members’ personal information.
• Passed: HI HCR 225 convenes a task force to examine and recommend laws and regulations to update the state’s privacy law.
ILLINOIS – considered 14 bills, only one of which was passed.
• Passed: IL HB 2189, which amended the Genetic Information Privacy Act, to now say that any companies in this are prohibited from sharing any genetic test information or other personally identifiable information about a consumer with any health or life insurance company without written consent from the consumer.
• Pending: IL HB 2736, if passed, will create the Right to Know Act. This would require an operator of a commercial website or online service that collects personally identifiable information through the internet about individual customers residing in the who use or visit its commercial website or online service must notify those customers of certain specified information pertaining to its personal information sharing practices.
• Pending: IL SB 2263 would create the Data Privacy Act. The act would provide for the regulation of the use and sale of data; defines terms; establishes consumer rights to copies of information held by persons who control and process data; provide for the correction of inaccurate data; provide for restrictions on the use of personal data; provide for the enforcement of the Act by the Attorney General; provide civil penalties; preempts home rule.
KENTUCKY – didn’t make legislative progress on privacy last year but voted to study the issue further.
• Failed: KY SB 240 and KY SB 243. The first would have made it a felony to disseminate PII on the internet about a minor, while the second would have created a new section of KRS.B. Chapter 365 prohibiting telecommunications companies from disclosing or transmitting to a third party any location data derived from a cellular phone without the consent of the customer.
LOUISIANA – which experienced several high-profile data intrusions in 2019, acted on two bills concerning the sale of consumer data.
• Failed: LA HB 465, which would have created the Internet and Social Media Data Privacy and Protection Act designed to protect consumer’s private confidential information that is obtained by internet, broadband, and social media companies.
• Passed: LA HR 249, which requests that the Louisiana Public Service Commission to establish a task force to study the effects of the sale of consumer personal information by an internet access service provider, social media company, or search engine.
MAINE
• Passed: ME SB 275 is a bill that prohibits of broadband internet access service provider from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to such, provides other exceptions under which a provider may use, disclose, sell, or permit access to customer personal information.
MASSACHUSETTS – didn’t see a lot of legislative action in 2019, but has several issues still awaiting approval.
• Pending: MA HB 349 regulates advertising on the internet.
• Pending: MA HB 350 relates to the online collection of personal information from children and minors.
• Pending: MA HB 382 covers the collection, use, disclosure or dissemination of personal information from customers of telecom or internet service providers.
MARYLAND – didn’t get privacy on the books last year.
• Failed: MD HB 901 requires certain businesses that collect a consumer’s personal information to provide notice consumers at or before the point of collection, authorizes a consumer to submit a certain request for information and requires a certain business to comply with said request for information in a certain manner and within 45 days after receiving a verifiable consumer request.
• Failed: MD SB 490 prohibits a person from using a scanning device to scan or swipe an identification card or a driver’s license of an individual to obtain the personal information of the individual. Additionally this information cannot be retained, sold or transferred.
MINNESOTA – has several bills awaiting attention. Among them are:
• Pending: MN SB 433 relates to telecommunications, data privacy, prohibits collection of personal information absent customers express written approval.
• Pending: MN SB 2912 requires controllers to provide, correct, or restrict processing of personal data upon a consumer’s request; requires controllers to provide a privacy notice and document risk assessment; provides for liability and civil penalties; provides the attorney general with enforcement authority.
MISSISSIPPI – lawmakers rejected one privacy-related proposal.
• Failed: MS HB 1253 would have created the Mississippi Consumer Privacy Act, that would have authorized a consumer to request that a business disclose the categories and specific pieces of personal information collected about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
MONTANA – also did not have any luck passing privacy legislation.
• Failed: MT D 1243, if passed, would have restricted companies from selling data without the express consent of user, relates to privacy.
• Failed: MT D 2087 would have established an online personal information protection act.
NEVADA – has a single bill in the wings.
• Pending: NH H 536 is intended to prohibit businesses from using, disclosing, or retaining biometric information about an individual.
NEW JERSEY – has 14 privacy-related issues pending, including:
• Pending: NJ AB 206, which if passed, would require commercial websites and online service operators to notify customers of collection and disclosure of personally identifiable information to third parties.
• Pending: NJ AB 1927 would require ISPs to keep confidential subscriber’s personally identifiable information unless the subscriber authorizes, in writing or email, allowing the ISP to disclose information.
NEW MEXICO
• Failed: NM SB 176 would have passed the consumer information privacy act, provides definitions, establishes consumer rights, establishes obligations for businesses that collect or use personal consumer information, provides for promulgation of rules, establishes civil causes of action, provides penalties, establishes the consumer privacy fund, provides for distributions.
NEW YORK – was by far the busiest state with 25 pieces of privacy-related legislation in the works for 2020.
• Pending: NY AB 235 relates to prohibiting private entities from using biometric data for any advertising, detailing, marketing, promotion, or any other activity that is intended to be used to influence business volume, sales or market share or to evaluate the effectiveness of marketing practices or marketing personnel.
• Pending: NY AB 3818 would establish the Online Consumer Protection Act, define terms, require an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices.
NORTH DAKOTA – worked on a pair of bills in 2019.
• Passed: ND HB 1485 provides for a legislative management study of consumer personal data disclosures.
• Failed: ND HB 1524 concerns the regulation of data brokers and provides a penalty.
PENNSYLVANIA – has two items on its docket.
• Pending: PA HB 246, if passed, will regulate electronic mail solicitations, protects privacy of Internet consumers, regulates use of data about Internet users, prescribes penalties.
• Pending: PA HB 1049 would provide for consumer data privacy, the rights of consumers and duties of businesses relating to the collection of personal information and for duties of the attorney general.
RHODE ISLAND – is taking a look at one of the major security issues facing the world, IoT.
• Pending: RI HB 5480 would establish that IoT equip the devices with reasonable security features.
• Pending: RI HB 5930 would Create the Consumer Privacy Protection Act, requires businesses that collect, maintain or sell personal information to notify consumers and would disclose the information and the businesses’ use of the information, provides that consumers may opt out and have personal information deleted.
SOUTH CAROLINA – did not act one way or the other on any bills.
• Pending: SC HB 3339 is set to force telecom or ISPs that have entered into a franchise agreement, right of way agreement, or other contract with the state of South Carolina or one of its political subdivisions may not collect personal information from a customer resulting from the customer’s use of the telecommunications.
• Pending: SC HB 3701 would enacts the state Cellular Data Privacy Protection Act, defines relevant terms, prohibits a mobile telecommunications provider from selling a customer’s personal data to a third party, imposes a penalty, authorizes the attorney general to investigate and enforce alleged violations of this act.
TEXAS – passed one bill and rejected two pieces of legislation.
• Passed: TX HB 4390 would have created the Texas Privacy Protection Advisory Council. Revises provisions relating to security breaches.
• Failed: TX HB 2282 concerned the applicability of certain limitations on the capture and use of biometric identifiers to financial institutions.
• Failed: TX HB 4518 concerned the privacy of a consumer’s personal information collected by certain businesses, imposes a civil penalty.
UTAH – lawmakers rejected the lone bill presented.
• Failed: H.B. 490, which, if passed, would have prohibited an ISP from using, disclosing, selling, or permitting access to a customer’s personal information except under certain circumstances; require ISPs to provide notice to customers related to the use of their personal information, maintain measures to protect customer personal information, and enacts other provisions.
VERMONT – looks to make a constitutional change.
• Pending: VT PR 3 would amend the Constitution of the State of Vermont specifically to provide that each individual has a right to privacy.
WASHINGTON – has five bills pending.
• Pending: WA HB 1503 concerns data sales and governance.
• Pending: WA HB 1854 protects consumer data.
• Pending: WA HB 2046 increases consumer data transparency.
• Pending: WA SB 5376 protects consumer data.
• Pending: WA SB 5377 concerns data sales and governance.
PUERTO RICAN – lawmakers were also active.
• Pending: PR HB 300 would create the Law for the Protection of the privacy of our children and young people for the purpose of prohibiting any operator, employee, or agent of an Internet site classified as a Social Network that can publish personal information from users under the age of residents in Puerto Rico beyond the name and city of residence without the express consent of the father or mother with the power of paternal authority.
• Pending: PR SB 1231, if passed, would create the Law for the Protection of Digital Privacy in order to protect the personal information (PII) belonging to consumers and guarantee the right to privacy in the digital era.
