State Comprehensive Privacy Law Update – February 22, 2022


Several comprehensive privacy bills are being considered at the state level. This blog post provides notable updates on bills companies should be paying attention to as they move through their respective legislatures. We will continue to keep you posted on updates to these bills and others as they occur.  

Since our last update, various privacy bills have been introduced, including those in Arizona, Oklahoma, Rhode Island, Wisconsin, and Iowa. These new bills are mostly modeled on the laws currently in place in California, Colorado, and Virginia (including in terms of the types of data they exempt), but it’s unclear whether any of them will gain enough traction in their respective legislatures to pass into law.

Arizona

  • Bill title: HB 2790
  • Current status: As of February 18, 2022, the bill had been introduced in the Arizona House of Representatives.
  • Key provisions:
    • Applies to entities that have annual gross revenues of at least $25M that conduct business in Arizona or produce products or services that are intentionally targeted to Arizona residents, and that either a) control or process the data of 100,000 consumers or more; or b) derive over 35 percent of gross revenue from the sale of personal information and process or control personal information of 25,000 consumers or more.
    • Exempts state and local governments; personal data regulated by HIPAA; employment records; and businesses and activities covered by the Fair Credit Reporting Act.
    • Creates individual rights for consumers, including the right to be notified if personal data is being processed, held, or sold to data brokers; the right to be notified of the type and category of personal data that has been sold and to whom; the right to receive a copy of the personal data that the controller processes or maintains (or the right to know the category / type of personal information if a copy is unavailable); the right to be notified, at or before the point of collection, of the categories of personal data to be collected and purposes for collection; the right to have their personal data corrected; and the right to be notified that they have a right to have their data deleted.
    • Defines “personal data” or “personal information” to include “sensitive data.”
    • Does not create a private right of action. Violations only enforceable by the Arizona AG’s office.
    • Creates a thirty-day cure period after entity receives notice of alleged noncompliance.
    • Allows civil penalties of not more than $2,500 for each violation or $7,500 for each intentional violation.
    • Establishes a consumer privacy fund to consist of civil penalties imposed, and the AG can administer the fund.  

Oklahoma 

  • Bill title: Oklahoma Computer Data Privacy Act of 2022, HB 2969
  • Current status: As of February 18, 2022, the bill had been introduced in the Oklahoma House, and a substitute of the bill unanimously passed the Technology Committee. 
  • Key provisions: These provisions are from the Committee’s proposed substitute bill. 
    • Applies to entities that determine the purposes and means of the processing of consumers’ personal information, that do business in Oklahoma, and that either: a) have annual gross revenues of over $15M in the preceding calendar year; b) alone or in combination, annually buy, receive, share, or disclose for commercial purposes the personal information of 50,000 or more consumers, households or devices, or c) derive 25 percent or more of annual revenues from sharing consumers’ personal information.
    • Exempts personal data and covered entities regulated by HIPAA; and information subject to the GLBA and the Fair Credit Reporting Act.
    • Businesses must do the following at a consumer’s request: delete the consumer’s data, disclose the consumer’s personal data to them, and disclose if this data is shared and the category of third parties with whom information was shared. Businesses must also conspicuously inform consumers of their rights to opt out of personalized advertising.
    • Does not create a private right of action. Violations enforceable by the Oklahoma AG’s office. 
    • Allows civil penalties of up to $7,500 for each intentional violation and up to $2,500 for each unintentional violation. 
    • Would go into effect on November 1, 2023. 

Rhode Island 

  • Bill title: Data Transparency and Privacy Protection Act, H7400
  • Current status: As of February 18, 2022, the bill had been introduced in the Rhode Island House and had been referred to the House Innovation, Internet & Technology Committee. 
  • Key provisions:
    • Applies to operators, which it defines as entities that own a website or online service operated for commercial purposes, and that collect and maintain personally identifiable information from Rhode Island customers who use or visit the website or online service. 
    • Operators need to disclose to customers the categories of personally identifiable information they collect through their websites or online services, and the categories of third-party persons to whom they may disclose that information.
    • Exempts state and local government contractors and agents; and personal data regulated by HIPAA and the GLBA. 
    • Does not create a private right of action. Violations only enforceable by the Rhode Island AG’s office. 
    • Intentional disclosures in violation of the Act carry a fine of not less than $100 nor more than $500 per disclosure.
    • This would take effect on January 1, 2023.

Wisconsin 

  • Bill title: Assembly Bill 957; Senate Bill 957
  • Current status: As of February 18, 2022, Assembly Bill 957 had been introduced in the Wisconsin Assembly and had been referred to the Committee on Consumer Protection.  And as of the same date, the companion bill (Senate Bill 957) had been introduced in the Wisconsin Senate and referred to Committee on Government Operations, Legal Review and Consumer Protection.
  • Key provisions:
    • Applies to controllers that, alone or with others, determine the purpose and means of processing personal data, and that either a) process the personal data of at least 100,000 consumers or b) control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data. 
    • Exempts data regulated by HIPAA and the GLBA; and covered entities regulated by HIPAA. 
    • Creates individual rights for consumers, including the right to confirm whether a controller is processing the consumer’s personal data and to access this data; the right to correct inaccuracies; the right to have their information deleted; the right to obtain a copy of their personal data; and the right to opt out of the processing of this data for targeted advertising, the sale of their data, and certain forms of automated processing of their data. 
    • Requires consent for processing of “sensitive data.”
    • Does not create a private right of action. Violations only enforceable by the Wisconsin AG’s office. 
    • Creates a thirty-day cure period after entity receives notice.
    • Allows penalties up to $7,500 for each violation. 
    • Would go into effect January 1, 2024. 

Iowa

  • Bill title: HSB 674; SF2208
  • Current status: As of February 18, 2022, the House Bill had been introduced in the Iowa House and had been voted out of the Information Technology Committee. The Senate Bill had been introduced in the Senate and was referred to the Commerce Committee.  
  • Key provisions: The bills have some substantive differences, and these are noted below. 
    • Applies to persons conducting business in Iowa or producing products or services targeted to Iowa residents, and during that calendar year, either: a) controlling or processing personal data of 100,000 consumers or more; or b) controlling or processing personal data of 25,000 consumers or more and deriving over 50 percent of gross revenues from the sale of personal data.
    • Exempts state and local governments; personal data and entities regulated by HIPAA and GLBA. 
    • Creates individual rights for consumers, including the right to correct inaccuracies in their data; the right to delete their personal data; the right to obtain a copy of their personal data; and the right to opt out of the processing of their personal data for purposes of targeted advertising, and sale of their data.
    • Requires consent for processing of “sensitive data.”
    • The House version does not create a private right of action, and notes that violations are only enforceable by the Iowa AG’s office. The Senate version does not specify whether a private right of action is created but gives the AG some enforcement authority.  
    • The House version creates a thirty-day cure period after entity receives notice.  The Senate version does not create a cure period. 
    • The House version allows civil penalties up to $7,500 for each violation. The Senate version notes that civil penalties should not exceed $40,000 per violation. 
    • Would go into effect on January 1, 2024.   

Georgia 

  • Bill title: Georgia Computer Data Privacy Act, SB 394
  • Current status: As of February 18, 2022, the bill had been introduced in the Georgia General Assembly and was referred to the Committee on Science and Technology. 
  • Key provisions:
    • Applies to businesses that a) do business in Georgia; b) collect consumers’ personal information or have personal information collected on their behalf; c) alone or with others determine the purpose for and means of processing consumers’ personal information; d) have annual gross revenues over $50M; e) alone or with others annually buy, sell, receive or share personal information of 100,000 or more consumers, households, or devices, and f) derive 50 percent or more of their annual revenue from sale of personal information. 
    • Exempts personal data and covered entities regulated by HIPAA; and personal data covered by GLBA and the Fair Credit Reporting Act. 
    • Creates individual rights for consumers, including the right to request disclosure and deletion of certain information; the right to opt in and out of the sale of their personal information; the right to be informed about the nature, use and purpose of collected personal information; and the right to consent for use of personal information. 
    • Creates a private right of action. Violations are also enforceable by the Georgia AG’s office. 
    • Allows civil penalties up to $2,500 for each violation or $7,500 for each intentional violation.
    • Would go into effect September 1, 2022. 

There has also been movement on other bills we are tracking.  Some key developments include: 

The New York Privacy Act Advances through Consumer Protection Committee: The New York Privacy Act (S6701A) passed the New York Senate Consumer Protection Committee on February 8, and now moves to the Internet and Technology Committee for review. The Act creates a private right of action, and the New York Attorney General can also enforce the Act.

Ohio Personal Privacy Act is Reported Out of Committee: The Ohio Personal Privacy Act (H.B. No. 376) was reported out of the Government Oversight committee on February 9, with eight members voting in favor and five voting against. The new version of the Bill is substantially the same, but it adds an exemption for personal data regulated by COPPA.  Notably, the Bill creates an affirmative defense if a business creates, maintains, and complies with a written privacy program that conforms to the National Institute of Standards and Technology (NIST) privacy framework and if a business provides individuals with substantive rights outlined in the Bill. 

Alaska Privacy Bill Moves to Judiciary Committee: Alaska’s Consumer Data Privacy Act (HB 159) was referred to the House Judiciary Committee on February 7. This Bill was introduced at the request of Governor Mike Dunleavy in 2021. Entities covered by the Act include businesses that either a) alone or in combination with others, annually buy, sell, or share the personal information of 100,000 or more consumers or households; or b) derive 50 percent or more of annual revenue from selling or sharing personal information of consumers. The Bill, however, exempts information regulated by HIPAA or the GLBA and employee information.

Florida Privacy Bill Passes Committee Hearing: Florida’s Consumer Data Privacy Bill (HB 9) was voted out of the Commerce Committee on February 10. The Bill was amended slightly—including to adjust the age that requires opt-in for minors from 16 to 18—but the contours of the Bill remain the same.  Notably, HB9 creates a private right of action for certain claims. Next, HB9 will be reviewed by the Judiciary Committee.     

Mississippi Bill Dies in the Senate Judiciary Committee: Mississippi’s Bill creating the “Mississippi Consumer Data Privacy Act”—SB 2330—died in the Senate Judiciary, Division A Committee earlier this month. Notably, the bill would have created a private right of action, in addition to allowing enforcement by the Mississippi Attorney General.
