PRA Alert-Out of those 25 states, nine have legislation introduced that would allow for a Private Right of Action (PRA). Those states are Alaska, Florida, Georgia, Illinois, Massachusetts, Minnesota, North Carolina, New York, and Washington.
Out of all the states mentioned above, Utah, Wisconsin, Florida, Virginia, Washington, Indiana, Iowa, Oklahoma, New York, Ohio, and Massachusetts (ordered by when the state will adjourn) have seen the most recent movement. It is important to keep in mind that while a state listed may have more than one privacy bill introduced, the following bills are the ones that have received attention.
UT SB 227, introduced by Sen. Kirk Cullimore, follows Virginia’s privacy law, but the main differences are that it does not provide opt out rights for profiling that creates a legal result or impact. It provides consumers the right to access, correction, deletion, portability, and the right to opt-out of certain processing, including the “sale” of personal data. The bill also does not require impact assessments. There is no PRA, the bill would be enforceable only by the Attorney General's office. There is a 30-day right to cure that does not sunset. The effective date is December 31, 2023.
On March 3, the Utah state legislature passed through HB 227, sending the Utah Consumer Privacy Act (CPA) to the desk of Governor Spencer Cox, where it now awaits signature to become law.
Utah’s session ended on March 4.
Wisconsin AB 957, introduced by Representative Shannon Zimmerman (R), is very similar to Virginia’s privacy law. The measure does not contain a private right of action, does not require controllers to recognize universal opt out signals, contains a thirty-day right to cure that does not sunset, and does not grant rulemaking authority. If passed, the law would go into effect on January 1, 2024.
The measure passed out of the Wisconsin Assembly and now is in the Senate where it was read for the first time and referred to the Committee on Government Operations, Legal Review and Consumer Protection.
Wisconsin ends its legislative work on March 10.
Florida HB 9, introduced by Representative Fiona McFarland (R), follows the California Consumer Privacy Act (CCPA) in many ways. It requires companies to not retain data for longer than what is needed to fulfill its initial purpose. It also includes correction rights and expands opt out from mere sales to sharing. With regards to a PRA, the measure provides limited applicability of the PRA to businesses that meet a certain size threshold. Specifically, for companies with annual gross revenue between $50 million and $500 million, the private right of action would apply, but the plaintiff would not be entitled to recover attorney’s fees. For companies with annual gross revenue over $500 million, the private right of action would apply, and the plaintiff would be entitled to recover attorney’s fees. The Department of Legal Affairs is tasked with general enforcement.
HB 9 has passed out of the House floor, where it now heads to the Senate, where a similar measure was squashed last year due to the same backlash this bill has received. The bill has faced significant opposition from the business community.
Florida’s session ends on March 11.
While Virginia passed its privacy law last year, there have been efforts to provide amendments. Most recently, amendment HB 381, passed the legislature. The amendment will allow controllers that have “obtained personal data about a consumer from a source other than the consumer” to be “in compliance with a consumer's request to delete… by opting the consumer out of the processing of that data for targeted advertising, sale, or profiling.” This would assist data brokers and other companies that do not directly process consumer data to comply with requests to delete.
Virginia’s session ends on March 12.
While Washington had a slew of privacy bills, they did not make the cutoff, as the last day to pass bills out of their house of origin was February 15. However, while HB 1850 missed the deadline for bills to pass out of their house of origin, it is being considered necessary to implement the budget and, therefore, not subject to the deadline. The bill would create opt out rights over targeted advertising, data sharing, and profiling, which may be exercised by user-enabled global privacy controls. The bill would further require annual registration of covered entities, create a Consumer Data Privacy Commission (with rulemaking authority), and provide for private rights of action.
The measure passed out of Washington House Appropriations Committee on February 28, and now moves to the House Rules Committee.
Washington’s session ends on March 10.
Indiana Senate Bill 358, introduced by Senator Liz Brown (R), passed through the state Senate on February 1, however, failed to meet the Indiana House’s February 28 deadline to give Senate bills a third reading. There is also no carryover into 2023. The bill closely mirrored the Virginia Consumer Data Protection Act (VCDPA – passed last year). Specifically, the bill would have provided consumer rights such as the right to request that data be disclosed, deleted, or corrected. Additionally, consumers would have had the right to opt-out of the processing of personal data for purposes of targeted advertising, sale of personal data, and certain profiling activities. The bill also required that covered businesses obtain consumer consent before collecting sensitive personal information.
In addition, the bill provided for a 30-day period to cure, does not contain a PRA (provides for Attorney General enforcement), and did not prohibit retailers from offering different prices, rates, levels or qualities, of goods or services in the context of a loyalty program.
Indiana’s session ends on March 14.
Iowa’s HSB 674 (now renumbered and placed on the calendar as HF 2506) introduced by state Representative Brian Lohse (R), was reported favorably out of the state House Committee on Information Technology on February 15 and approved by the full House on March 14. The bill mirrors Virginia’s privacy law, VCDPA. The measure contains data subject rights and an opt-out for data sales. It also contains AG enforcement, and a 30-day cure period. If it were to become law the effective date is Jan. 1, 2024.
The House bill now advances to the state Senate where timing is uncertain if and when this bill will receive attention.
Iowa’s session ends April 19.
Oklahoma HB 2969, introduced from Reps Walke (D), West (R), and Sims, passed through the House Committee on Technology on February 16. This is a CCPA-style bill with a sweeping affirmative consent requirement. The Act provides that “a business shall not collect a consumer's personal information directly from the consumer prior to notifying the consumer of each category of personal information to be collected and for what purposes information will be used, as well as obtaining the consumer's consent.” There is no PRA, the measure directs the Attorney General to enforce the act.
Oklahoma’s session ends on May 27.
New York:New York’s S6701A, the “New York Privacy Act,” introduced by state Senator Kevin Thomas (D), passed out of the Consumer Protection Committee on February 8. The bill would give consumers the right to notice, opt-in for data processing, access, portability, correction, and deletion rights. The bill would give consumers the right to appeal automated decision-making in the financial services, housing, public accommodation, insurance and health care services. Consumers cannot be discriminated against for failure to opt in. The bill would be enforced by the Attorney General and contains a PRA.
The bill now heads to the Internet and Technology Committee.
New York’s session ends on June 2.
Ohio’s HB 376, carried over from last year’s session by state Representative Rick Carfagna (R), was reported favorably out of the state House Government Oversight Committee on February 9. The bill tracks California’s CCPA in many ways. Similarities include rights to transparency, access, deletion and opting out of data sales and targeted advertising. The law specifically prohibits private rights of action. It also bars discrimination against consumers who have exercised data rights. The Attorney General of Ohio may bring actions against companies and there is a 30-day cure period.
Next steps with the legislation are unclear at this time, as Rep. Carfagna has announced that he will be leaving the legislature.
Ohio’s session ends on December 31.
The Massachusetts Information Privacy and Security Act S2687, introduced by state Senator Cynthia Creem (D), passed the state legislature’s Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on February 1. The bill follows a mixture of California’s CPRA and Colorado’s Colorado Privacy Act (passed last year). It sets out registration requirements for data brokers, includes opt-outs for residents on data collection and consent for data to be sold, and provides for Attorney General enforcement as well as a limited PRA for security breaches. The bill also has a 30-day right to cure provision, as well as requires the processor to meet the same privacy and security obligations as the controller. It does not prohibit retailers from offering different prices, rates, levels or qualities, of goods or services in the context of a loyalty program.
The measure still needs to clear additional committees, and both branches of the Legislature, and then be signed by Governor Charlie Baker.
Massachusetts’ session ends on January 3, 2023.
RILA will continue to keep members apprised of updates. For a full list of state privacy bills being tracked, click here.
If you have any questions, please contact Austin Gold, Director, Government Affairs