Several comprehensive privacy bills are being considered at the state level. This blog post provides notable updates on bills companies should be paying attention to as they move through their respective legislatures. We will continue to keep you posted on updates to these bills and others as they occur.
Since our last comprehensive update, there has been some movement on the bills we have been tracking. Most notably, on March 24, the Utah Consumer Privacy Act was signed into law by Governor Spencer Cox. Utah now joins California, Colorado, and Virginia as the fourth state with a comprehensive privacy law. The law has broad exemptions for entities regulated under certain federal laws (with language that is seemingly broader than the exemptions in place in California), is only enforceable by the Utah AG (and includes a 30-day cure period), does not provide the Utah AG with any rulemaking authority, and does not provide consumers with the ability to opt out of processing using a global privacy control. It is set to go into effect on December 31, 2023.
It remains unclear whether any other state will join these four in passing comprehensive privacy legislation before the state legislative sessions end this year (though we have highlighted some possibilities below). It is also uncertain whether a fourth state passing a privacy law will be enough for Congress to act on the issue. Businesses looking to stay on top of their compliance obligations should pay attention to these developments. We will also continue to provide important updates through our Privacy and Cybersecurity Blog.
Oklahoma’s Computer Data Privacy Act, HB 2969, was passed by the Oklahoma House on March 23, with a vote of 74 to 15. This bill applies to entities that: (1) do business in Oklahoma; (2) collect consumers’ personal information or have that information collected on their behalf; (3) determine the purposes and means of the processing of consumers’ personal information; and (4) satisfy one or more of the following thresholds: a) have annual gross revenues of over $15M; b) alone or in combination, annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households or devices; or c) derive 25 percent or more of annual revenues from selling consumers’ personal information. Violations of the bill are enforceable by the Oklahoma Attorney General’s office, and the bill does not create a private right of action.
The Iowa House passed a privacy bill, House File 2506, on March 14. The bill will now be considered in the Senate. The bill applies to persons conducting business in Iowa, or producing products or services targeted to Iowa residents, and that during a calendar year, either (a) control or process personal data of at least 100,000 consumers or (b) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data. The bill gives the Iowa Attorney General exclusive enforcement authority and creates a thirty-day cure period. The bill would not create any private right of action for consumers. If passed into law, it would go into effect on January 1, 2024.
Maryland’s Senate replaced its consumer protection and child safety bill, SB 11, with a bill to establish a workgroup on online consumer personal information privacy. The workgroup is tasked with reviewing current practices of business entities relating to personal information and to report its findings and recommendations by December 1, 2022. This bill passed the Senate on March 17. Maryland’s House also passed a biometric data privacy bill, HB 259, on March 19, which has many similarities to the Biometric Information Privacy Act in Illinois. The bill requires certain entities possessing biometric data to develop a policy and make it available to the public, and to establish a data retention schedule and destruction guidelines for biometric data. The bill also authorizes certain affected individuals to bring an action against the private entity.
Multiple state legislatures ended their sessions this month, ending consideration of the privacy bills before them. Florida’s privacy bills—SB 1864 and HB 9—each died in their respective committees, with the regular legislative session ending on March 11. The Washington legislature ended its session on March 10, and 2SSB 5062 failed to pass by the deadline. Indiana’s consumer privacy and data protection bills—HB 1261 and SB 358—also died with the end of the legislative session on March 14. And Wisconsin’s Privacy Act, SB 957, failed to pass the Assembly prior to the end of the last general-business floor period on March 10.