The weeks since our last update have seen continued developments in the state comprehensive privacy law arena. Bills passed by the Indiana, Tennessee, and Montana legislatures were officially signed into law by those states’ governors. Meanwhile, the Texas Data Privacy and Security Act moves closer to enactment, with that state’s House and Senate passing slightly differing versions of the same bill that will need to be resolved in a conference committee. In addition, as we have previously covered, the Florida legislature recently passed a bill that, while narrower in scope than truly comprehensive privacy laws passed by other states this year, will still have important impacts on companies operating in that state. And on top of all this, we continue to see additional states throw their hats into the proverbial comprehensive privacy law ring, with Delaware and Maine becoming the 25th and 26th states to introduce proposals this legislative session.

NEW PROPOSALS

Delaware and Maine have both introduced comprehensive privacy law proposals in the past two weeks. The Delaware Personal Data Privacy Act (HB 154)— which notably provides only a discretionary 60-day cure period — has already received approval from one committee and currently resides with the House Appropriations Committee. The Maine Consumer Privacy Act (LD 1973), meanwhile, is scheduled for a hearing before the Senate Judiciary Committee on May 22 and is unique in requiring that consumers opt-in (rather than opt-out) to processing for purposes of targeted advertising, sale of personal data, and profiling. Neither bill includes a private right of action.

Delaware

1. Bill Title:  Delaware Personal Data Privacy Act (HB 154)
2. Date of Introduction: May 12, 2023.
3. Current Status: As of May 21, 2023, HB 154 had been passed by the Technology and Telecommunications Committee (5/16/23) and assigned to the Appropriations Committee (5/17/23).
4. Key Provisions:

• Applies to controllers or processors that conduct business in Delaware, produce products or services that are targeted to Delaware residents, and that during the preceding calendar year control or process personal data of: 1) not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or 2) not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data.
• Exempts various entities and information types, including state or state political subdivision entities (excluding institutions of higher education), financial institutions that are subject to GLBA, information subject to HIPAA, information governed by FCRA; information governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; information governed by the Farm Credit Act, specified employee-related information, information subject to the Airline Deregulation Act, and the personal data of a victim of or witness to specified crimes. A controller that complies with the Children’s Online Privacy Protection Act (COPPA) is deemed in compliance with obligations under this Act with respect to a consumer who is a child.
• Definition of a “consumer” exempts individuals acting in commercial or employment context.
• Creates rights for individual consumers, including: the right to confirm whether a controller is processing a consumer’s personal data and to access such data; the right to correct inaccurate personal data; the right to delete personal data; the right to obtain a portable copy of personal data; the right to obtain a list of specific third parties to which the controller has disclosed such personal data; and the right to opt out of the processing of personal data for the purposes of targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
• Incorporates privacy by design principles, such as purpose limitation and reasonable data security practices.
• Prohibits controller from processing sensitive data without consumer consent.
• Requires that controller provide a meaningful privacy notice that includes (1) categories of personal data processed; (2) purposes for processing personal data; (3) description of how consumers may exercise their data rights; (4) categories of personal data shared with third parties; (5) categories of third parties with which personal data is shared; and (6) an active electronic email address.
• Requires that controllers comply with universal opt-out mechanisms.
• Requires data protection assessments by controllers that process the data of not less than 100,000 consumers where processing activities present a heightened risk of harm: (1) the processing of information for purposes of targeted advertising; (2) the sale of personal information; (3) the processing of data for purposes of profiling if certain risk factors are met; and (4) the processing of sensitive data.
• Grants the state Department of Justice (“DOJ”) enforcement authority over the Act.
• Provides a discretionary 60-day cure period, under which the DOJ may consider specific factors when determining whether to grant an allegedly violating entity the opportunity to cure a violation.
• Act would go into effect on January 1, 2025 (if enacted before or on January 1, 2024) or January 1, 2026 (if enacted after January 1, 2024).

Maine

1. Bill Title:  Maine Consumer Privacy Act (LD 1973)
2. Date of Introduction: May 18, 2023.
3. Current Status: As of May 21, 2023, LD 1973 had been scheduled for a hearing before the Senate Judiciary Committee on May 22 (5/18/23).   
4. Key Provisions:

• Applies to entities that conduct business in Maine or produce products or services targeted to Maine residents and, during the previous calendar year: (1) controlled or processed personal data of at least 100,000 consumers (excluding controlling or processing done solely for purposes of completing a payment transaction); or (2) controlled or processed personal data of at least 25,000 consumers and derived more than 25% of gross revenue from sale of personal data.
• Exempts various entities and information types, including state or state political subdivision entities, specified nonprofits, institutions of higher education, specified national securities associations, financial institutions and information subject to GLBA, entities and information subject to HIPAA, information governed by FCRA, personal data subject to FERPA, and certain employment-related data. In addition, entities compliant with COPPA’s verifiable parental consent requirements are deemed compliant with the Act’s parental consent requirements.
• Definition of “consumer” exempts individuals acting in commercial or employment context.
• Creates rights for individual consumers, including: the right to confirm whether a controller is processing a consumer’s personal data and to access that data; the right to correct inaccurate personal data; the right to delete personal data; and the right to obtain a portable copy of personal data. 
• Prohibits controller from processing personal data for purposes of targeted advertising, sale of personal data, or “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer” unless consumer opts in to said processing.
• Incorporates privacy by design principles, such as purpose limitation and reasonable data security practices.
• Prohibits controller from processing sensitive data without consumer consent.
• Requires that controller publish privacy notice that includes categories of personal data processed; purposes for processing personal data; description of how consumers may exercise their data rights; categories of personal data shared with third parties; and categories of third parties with which personal data is shared.
• Allows controllers to recognize “opt-in preference signal” approved by other states.
• Requires that controller conduct data protection assessment for processing that “presents a heightened risk of harm to a consumer,” including processing of personal data for targeted advertising, sale of personal data, processing of personal data for certain types of profiling, and processing of sensitive data.
• Grants state AG exclusive enforcement authority. Violations of Act are deemed unfair trade practices under Maine law.
• Creates 30-day cure period for alleged violators of the Act.
• Would repeal Me. Rev. Stat. tit. 35-A, § 9301 (“Privacy of broadband Internet access service customer personal information”).

UPDATES ON EXISTING PROPOSALS

As noted above, Indiana’s Senate Bill 5, the Tennessee Information Protection Act, and the Montana Consumer Data Privacy Act were officially enacted into law, receiving their respective state governor signatures on May 1, May 11, and May 19, respectively. In addition, the Florida legislature passed SB 262, including a Florida Digital Bill of Rights that, while more limited in scope than traditional state comprehensive privacy laws, will still have important impacts on businesses operating in Florida.

Meanwhile, the Texas Data Privacy and Security Act was passed by the Senate with amendments on May 10. The bill will now move to a conference committee to resolve minor differences between the Senate version and its House-passed counterpart. In addition, the New Jersey legislature moved forward companion versions of its narrower state privacy law proposal, and the New York Privacy Act continues to advance in the Senate and Assembly.

Finally, state legislatures in Hawaii, Maryland, Vermont, and Washington closed without passage of comprehensive privacy law proposals under consideration (including a Hawaii bill — SB 974 — that had cleared a legislative chamber).

Other bills continue to move forward in the legislative process as outlined below.

• Active Bills That Have Cleared Legislative Chamber
  • The Texas Data Privacy and Security Act (HB 4) was passed by the House on April 5 and passed by the Senate on May 10. It will be subject to a conference committee to resolve differences between the differing bill versions passed by each chamber.
  • New Jersey S. 332 was passed by the Assembly Science, Innovation, and Technology Committee with amendments on May 11. 
  • New Hampshire’s SB 255 was considered in Executive Session by the House Judiciary Committee on May 3.
  • The Oklahoma Computer Data Privacy Act (HB 1030) remains under consideration by the Senate Rules Committee as of March 29.
• Committee Approvals
  • New Jersey A. 1971 (a companion to S. 332) was passed by the Assembly Science, Innovation and Technology Committee on May 11.
  • The New York Privacy Act (S. 365) was reported by the Internet and Technology Committee and referred to the Finance Committee on May 22. In addition, a companion bill (A. 7423) was introduced in the Assembly on May 19 and referred to the Consumer Affairs And Protection Committee.
• Bill Deaths
  • Legislative sessions in Hawaii, Maryland, Vermont, and Washington closed without passage of the following proposals:
    • Hawaii: SB 974 and SB 1110/HB 1497.
    • Maryland: Online and Biometric Data Privacy Act (SB 698/HB 807)
    • Vermont: H. 121
    • Washington: People's Privacy Act (HB 1616/SB 5643)