State Comprehensive Privacy Law Update – February 13, 2023

WilmerHale Privacy and Cybersecurity Law Blog

The past two weeks have seen continued developments in the state comprehensive privacy legislative landscape. Maryland, Minnesota, and Texas have entered the fray with new proposals, bringing the total number of states that have proposed comprehensive privacy legislation this session to at least 16. Meanwhile, already-proposed bills continue to move forward — most notably, the Indiana and New Jersey Senates passed bills that now move to their counterpart legislative chambers for consideration.  

NEW PROPOSALS

Five new bills have emerged since our last post. As noted above, new comprehensive privacy legislation has emerged in Maryland, Minnesota, and Texas. In addition, two new bills have been proposed in New York, adding to what is shaping up to be a crowded field of privacy legislation in that state, with four bills now having been introduced.

Notably, this new crop of bills includes another proposal — Minnesota’s HF 1367 — lacking general exemptions for entities and information governed by other laws (e.g., HIPAA, GLBA, FCRA, and FERPA). Though none of the bills sharing this lack of exemptions have gained traction to date (New York’s Digital Fairness Act and Massachusetts’s Internet Bill of Rights have not advanced past the committee stage, and Mississippi’s Consumer Data Privacy Act died in committee), we will continue to keep an eye on them and provide you with important updates. 

Maryland

  1. Bill Title: Online and Biometric Data Privacy Act (SB 698/HB 807)
  2. Current Status: As of February 11, 2023, SB 698 had been referred to the Finance Committee, and HB 807 had been referred to the Economic Matters Committee. 
  3. Key Provisions:
  • Applies to entities that conduct business in Maryland or produce services or products targeted to Maryland residents and during the preceding calendar year satisfied one of the following requirements: (1) controlled or processed personal data of at least 100,000 consumers; or (2) controlled or processed personal data of at least 25,000 consumers and derived more than 25% of gross revenue from sale of personal data.
  • Exempts various entities and information types, including state political or judicial entities, specified securities associations, entities and information subject to HIPAA, entities subject to GLBA, information subject to FCRA, information subject to FERPA, and certain employment-related information. In addition, an entity that complies with COPPA’s parental consent requirements is deemed compliant with the Act’s parental consent requirements.
  • Creates individual rights for consumers, including the right to confirm whether a controller is processing personal data; the right to access personal data; the right to correct data; the right to delete data; the right to obtain a portable copy of personal data (if the processing of the data is done by automatic means); and the right to opt out of the processing of data for purposes of targeted advertising, sale of data, and “[p]rofiling in furtherance of solely automated decisions that produce legal or similarly significant effects.”
  • Incorporates privacy by design principles, including purpose limitation and reasonable security measures.
  • Allows consumers to exercise their opt-out rights via opt-out preference signals, browser settings, browser extensions, and global device settings.
  • Requires that controllers obtain consumer consent before processing sensitive data.
  • Imposes additional requirements on controllers regarding the collection, use, disclosure, storage, and protection of biometric data. Notably, controllers are prohibited from selling, leasing, or trading consumer biometric data.
  • Requires controllers to conduct a data protection assessment for processing activities that “present a heightened risk of harm to a consumer,” including processing for purposes of targeted advertising, sale of personal data, processing of sensitive data, and processing for purposes of profiling (where profiling presents certain specified risks).
  • Generally, the Act would be enforced by the state AG and the Division of Consumer Protection, with violations treated as unfair, abusive, or deceptive trade practices under Maryland law.
  • Creates a limited private right of action for individuals injured by controller’s sale, leasing, or trade of biometric data.
  • Establishes a “Task Force to Study Online Data Privacy” to analyze issues including algorithmic decision-making, children’s privacy, and data colocation. 
  • Act would take effect on October 1, 2023.

Minnesota

  1. Bill Title: HF 1367
  2. Current Status: As of February 11, 2023, the bill had been referred to the Commerce Finance and Policy Committee.
  3. Key Provisions:
  • Applies to businesses that (1) have annual gross revenue exceeding $25 million; (2) annually buy or sell personal information of 50,000 or more individuals, households, or devices; or (3) derive 50% or more of their annual revenue from selling personal information.
  • Creates individual rights for consumers, including: the right to access personal information; the right to obtain information in a portable format; the right to opt-out of the sale of personal information; and the right to delete personal information.
  • Requires businesses to provide a “Do Not Sell My Personal Information” link on their homepages allowing consumers to exercise their right to opt-out.
  • Authorizes state AG to bring action to enforce Act.
  • Creates a private right of action for individuals injured by a violation of the Act.
  • State AG and individuals may obtain the greater of statutory damages of between $100 and $750 per consumer, per violation, or actual damages. For a “willful and malicious violation,” state AG and individuals may obtain “exemplary damages in an amount not exceeding three times other damages awarded.”
  • Act would take effect on June 30, 2024.

New York

  1. Bill Title: New York Data Protection Act (A2587/S4201)
  2. Current Status: As of February 11, 2023, the bills had been referred to the Governmental Operations Committee (A2587) and the Investigations and Government Operations Committee (S4201).
  3. Key Provisions:
  • Applies only to state government entities and contractors.
  • Exempts information governed by FCRA.
  • Creates individual rights, including: the right to request that a government entity or contractor disclose the categories and specific pieces of personal information that it has collected or shared about an individual; and the right to delete personal information held by government entities and contractors.
  • Prohibits government entities and contractors from sharing personal information with a contractor or sub-contractor unless the information is “crucial to the purpose for which such government entity or contractor has contracted such contractor or subcontractor's services.”
  • Prohibits government entities and contractors from sharing personal information with another government entity or contractor unless “such information is crucial to the performance of such other government entity or contractor's duties, and such other government entity or contractor cannot procure such personal information on its own without serious hardship.”
  • Does not create a private right of action. Instead, individuals whose personal information is compromised “as a result of a government entity or contractor's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” may request action by the state AG.
  • Act would take effect one year after enactment.

New York

  1. Bill Title: Senate Bill 3162 
  2. Current Status: As of February 11, 2023, the bill had been referred to the Consumer Protection Committee. 
  3. Key Provisions:
  • Applies to businesses that collect personal information, do business in New York, and satisfy at least one of the following requirements: (1) have annual gross revenue exceeding $50 million; (2) annually sell personal information of at least 100,000 consumers or devices; or (3) derive 50% or more of annual revenue from selling consumers’ personal information.
  • Exempts entities and information governed by HIPAA and information governed by FCRA.
  • Creates individual rights for consumers, including: the right to request that a business disclose details about personal information it has collected, sold, or disclosed for a business purpose; and the right to opt-out of the sale of personal information.
  • Requires businesses to provide a “Do Not Sell My Personal Information” link on their homepages allowing consumers to exercise their right to opt-out.
  • Creates a private right of action for individuals who suffer a violation of the Act, allowing the individual to obtain the greater of $1,000 or actual damages for each violation. If the business’s violation was knowing and willful, then the individual may recover the greater of statutory damages of $1,000 to $3,000 or actual damages for each violation.
  • Authorizes the state AG to bring civil action to enforce the Act. State AG may seek civil penalty of up to $7,500 per intentional violation.
  • Allows individual who becomes aware of a violation based on non-public information to request that the state AG bring a civil action against the violator. If the state AG does not bring an action within 90 days of the request, the individual may bring the action. In either scenario, the individual is entitled to a portion of the civil penalty, if the action is successful (15% if the state AG brings the action; between 25% and 50% if the individual brings the action). 
  • Businesses that suffer data breaches as the result of “fail[ure] to implement and maintain reasonable security procedures and practices” are deemed to have violated the Act. 
  • Authorizes state AG to adopt regulations to further purposes of the Act.
  • Creates a “consumer privacy fund” within the state’s general fund, into which civil penalties would be deposited. Fund is intended to offset costs incurred by state courts and the state AG in implementing and enforcing the Act.
  • Act would take effect 180 days after enactment.

Texas

  1. Bill Title: Texas Data Privacy and Security Act (HB 1844)
  2. Current Status: As of February 11, 2023, the bill had been filed in the House. 
  3. Key Provisions:
  • Applies to entities that (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or sell personal data; and (3) are not small businesses.
  • Exempts various entities and information types, including state government entities, financial institutions and data governed by GLBA, entities and information governed by HIPAA, nonprofit organizations, institutions of higher education, information governed by FCRA, information governed by FERPA, and certain employment-related information. In addition, entities that comply with COPPA’s parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Creates individual rights for consumers, including: the right to confirm whether a controller is processing data; the right to access personal data; the right to correct personal data; the right to delete personal data; the right to obtain a portable copy of personal data; and the right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling “in furtherance of a decision that produces a legal or similarly significant effect.”
  • Incorporates privacy by design principles, such as purpose limitation and reasonable security practices.
  • Prohibits controllers from processing sensitive data without obtaining consumer’s consent.
  • Requires controllers to conduct a data protection assessment for processing activities including: processing for purposes of targeted advertising; processing for purposes of profiling when profiling presents certain “reasonably foreseeable risk[s]”; processing of sensitive data; and any processing that “present[s] a heightened risk of harm to consumers.”
  • Grants state AG exclusive authority to enforce the Act. Does not create a private right of action.
  • Creates a thirty-day cure period for violators before state AG may initiate a civil action.
  • State AG may seek civil penalty of up to $7,500 per violation. State AG also authorized to obtain injunctive relief.
  • Act would take effect on September 1, 2023.

UPDATES ON EXISTING PROPOSALS

Various proposals continue to move forward in state legislative chambers. Most notably, the Indiana and New Jersey Senates passed bills, while legislative proposals continue to move through the committee process in Iowa and Hawaii.  

  • Indiana Senate Passes SB 5: The Indiana Senate passed Senate Bill 5 on February 9. The bill now moves to the Indiana House, where a competing comprehensive privacy law proposal (HB 1554) was introduced in January. Notably, neither SB 5 nor HB 1554 creates a private right of action.
  • New Jersey Senate Passes Bill from 2022: The New Jersey Senate passed a privacy bill (S. 332) on February 2 that was originally introduced in January 2022. The bill is more limited in scope than many of the comprehensive privacy bills that we have analyzed in our updates, but includes the following provisions of note: 
    • Creates individual rights for consumers, including the right to request that an operator disclose details about personal information it has disclosed to a third party and the right to opt out of the sale of personal information.
    • Exempts entities and information governed by HIPAA, entities governed by GLBA, and information governed by FCRA.
    • State AG has exclusive authority to enforce the Act. Does not create a private right of action. 
    • Creates a 30-day cure period for violators before the state AG may bring an enforcement action. 
    • Grants authority to the Division of Consumer Affairs in the Department of Law and Public Safety to promulgate rules and regulations to implement the Act. 
    • Act would take effect 180 days after enactment.
  • Companion Bill to Iowa HSB 12 Passes Committee Vote: Senate Study Bill 1071, a companion bill to House Study Bill 12, which we have previously profiled, was approved by the Senate Committee on Technology on February 8. HSB 12 remains under consideration by the House Committee on Economic Growth and Technology, having passed a subcommittee vote on January 23. Neither bill contains a private right of action.
  • Companion Bill for Hawaii Consumer Data Protection Act Moves Forward: Hawaii House Bill 1497, a companion bill to Senate Bill 1110, was passed by the Committee on Higher Education and Technology and referred to the Consumer Protection and Commerce Committee on February 6. Notably, the Committee on Higher Education and Technology amended the original proposal by removing the right to access and private right of action, and adding a thirty-day cure period. 
  • Companion Bills Introduced for Washington and Tennessee Proposals: Washington’s People’s Privacy Act (HB 1616) and the Tennessee Information Protection Act (SB 73) both saw companion bills introduced on January 31 — SB 5643 in Washington and HB 1181 in Tennessee. Washington’s bill creates a private right of action and would require unambiguous opt-in consent for the collection of personal information, while Tennessee’s bill would not create a private right of action, but would require that controllers and processors maintain privacy programs compliant with the National Institute of Standards and Technology (NIST) privacy framework.
  • Oklahoma Proposal Referred to Committee: Oklahoma’s Computer Data Privacy Act (HB 1030) was referred to the Government Modernization and Technology Committee on February 7. This bill does not create a private right of action but would require that businesses obtain consent before collecting personal information. 
  • Mississippi Consumer Data Privacy Act Dies in Committee: Mississippi Senate Bill 2080 is our first legislative casualty of the 2023 session, dying in the Judiciary Committee on January 31. 
