As we move into the summer months, state comprehensive privacy law developments continue to steadily emerge. Most notably, in the weeks since our last update, the Texas legislature passed the Texas Data Privacy and Security Act (HB 4), a bill that will, upon Governor Greg Abbott’s signature, become the nation’s tenth comprehensive privacy law. You can read our coverage of this bill here.
Elsewhere, new bills emerged in Maine and Pennsylvania, while bills in Delaware and Oregon continue to advance in the legislative process. All of these developments and more are detailed in the sections below.
Two new comprehensive privacy law proposals have emerged in Maine and Pennsylvania — both states where another comprehensive privacy bill is already under consideration. The Maine Data Privacy and Protection Act (LD 1977) would create a private right of action under which plaintiffs could seek at least $5,000 in damages per violation. The Pennsylvania Consumer Data Privacy Act (HB 1201), in contrast, does not create a private right of action, but would require controllers to recognize opt-out preference signals beginning in 2026.
- Bill Title: Data Privacy and Protection Act (LD 1977)
- Date of Introduction: May 23, 2023.
- Current Status: As of June 11, 2023, LD 1977 had been referred to the Joint Judiciary Committee (5/25/23).
- Key Provisions:
- Defines “covered entity” as “a person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing or transferring covered data.”
- Exempts two categories: (1) government agencies or service providers that exclusively and solely process information provided by government entities, and (2) a person that meets the following criteria for the period of the three preceding calendar years or if in existence less than three years, for the period that it has been in existence: (a) the person’s average annual gross revenues during the period did not exceed $20 million, (b) the person, on average, did not annually collect or process the covered data of more than 75,000 individuals during the period beyond the purpose of initiating, billing for, finalizing or otherwise collecting payment for a requested service or product, as long as all covered data for that purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity's return policy; and (c) no component of the person's revenue comes from transferring covered data during a year or part of a year if the person is an entity that has been in existence for less than one year.
- Prohibits a covered entity from collecting, processing, or transferring covered data unless the collection, processing or transfer is limited to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the individual to whom the data pertains. The Act further notes specific allowed purposes for the use of such data.
- Creates various prohibitions and limitations for the collecting, processing, or transferring of sensitive data, including limitations on the processing of sensitive information for the purposes of targeted advertising.
- Requires covered entities and service providers to implement and maintain reasonable policies, practices and procedures that reflect the role of the covered entity or service provider in the collection, processing and transferring of covered data and that take various factors into account. Further, the Act requires that covered entities assign privacy and data security officers and outlines duties for such officers.
- Prohibits obtaining affirmative consent through the use of dark patterns.
- Creates specific requirements for covered data collected for the purposes of targeted advertising, including the requirement to obtain affirmative consent.
- Creates rights for individual consumers, including: the right to access covered data and information regarding such data, the right to correct a verifiable substantial inaccuracy, the right to request the deletion of covered data, and the right to request the exportation of covered data.
- Creates heightened requirements for “large data holders,” defined as a covered entity or service provider that, in the most recent calendar year, had annual gross revenues of $250 million or more and collected, processed, or transferred the covered data of more than 5 million individuals or devices that identify or are linked or reasonably linkable to one or more individuals, excluding covered data collected and processed for specified purposes.
- Requires data brokers to register, pay an annual fee to the Maine AG, and submit information regarding their data use practices, including a description of the categories of information processed.
- Requires that covered entities conduct impact assessments. Covered entities that use covered algorithms in specified manners that pose a consequential risk to individuals must conduct impact assessments of such algorithms.
- Authorizes the state AG, a district attorney, or counsel for a municipality to bring a civil action to enforce the Act or rules promulgated under the Act and to seek damages, civil penalties, restitution, or other compensation on behalf of the residents of Maine, as well as reasonable attorney’s fees.
- Creates a private right of action for individuals who suffer a violation of the Act. Plaintiffs may obtain no less than $5,000 in damages per violation, injunctive relief, declaratory relief, reasonable attorney’s fees, and litigation costs. The private right of action does not apply to claims against small businesses.
- Would go into effect 180 days after the adjournment of the First Special Session of the 131st Legislature.
- Bill Title: Consumer Data Privacy Act (HB 1201)
- Date of Introduction: May 19, 2023.
- Current Status: As of June 11, 2023, HB 1201 had been referred to the House Commerce Committee (5/19/23).
- Key Provisions:
- Applies to an entity that is organized for the profit or financial benefit of its shareholders or owners, collects consumers’ information and determines the purposes and means of processing such data, does business in Pennsylvania, and satisfies any of the following thresholds: (a) has annual gross revenues in excess of $10 million; (b) alone or in combination, annually buys or receives, sells or shares for commercial purposes the personal information of at least 50,000 consumers, households or devices; or (c) derives at least 50% of annual revenues from selling consumers' personal information.
- Exempts various entities and information types, including the state and any political subdivisions, nonprofits, institutions of higher education, specified national securities associations, financial institutions or data subject to GLBA, entities and information subject to HIPAA, information governed by FCRA, personal data governed by the Driver’s Privacy Protection Act, personal data governed by the Farm Credit Act, and specified employment-related data. In addition, entities compliant with COPPA’s verifiable parental consent requirements are deemed compliant with the Act’s parental consent requirements.
- Creates rights for individual consumers, including: the right to confirm whether a controller is processing a consumer’s personal data and to access that data; the right to correct inaccuracies in collected personal data; the right to delete personal data; the right to obtain a portable copy of personal data; and the right to opt out of the processing of personal data for the purposes of targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
- Incorporates privacy by design principles, such as purpose limitation and reasonable data security practices.
- Prohibits the processing of sensitive data without obtaining consumer consent. Also prohibits the processing of data for the purposes of sale or targeted advertising where the controller has actual knowledge or willfully disregards that a consumer is younger than 16 years of age.
- Requires that controllers publish a privacy notice that includes the categories of personal data processed; the purposes for processing personal data; a description of how consumers may exercise their data rights; the categories of personal data shared with third parties; the categories of third parties with which personal data is shared; and an active email address or other online mechanism the consumer may use to contact the controller.
- Requires that controllers, no later than January 1, 2026, allow a consumer to opt out of the processing of personal data for the purpose of targeted advertising or the sale of such data through an opt-out preference signal.
- Requires data protection assessments for each of the controller's processing activities, created or generated after July 1, 2024, which present a heightened risk of harm to a consumer.
- Grants the state AG exclusive enforcement authority, as well as the authority to issue guidance. Violations of the Act are deemed unfair methods of competition and unfair or deceptive acts or practices under Pennsylvania law.
- Creates a 60-day cure period for alleged violators of the Act during the period of July 1, 2024, through December 31, 2025. After this period, the Act grants the state AG the discretion to grant a controller a cure period based on the consideration of certain factors.
- Does not create a private right of action.
- Would go into effect immediately upon enactment.
UPDATES ON EXISTING PROPOSALS
Most notably, the Texas Data Privacy and Security Act (HB 4) was passed by the House and Senate after a conference committee and sent to Governor Greg Abbott on May 30, while Florida Governor Ron DeSantis signed the Florida Digital Bill of Rights into law on June 6.
Elsewhere, the Delaware Personal Data Privacy Act crossed chambers, with the House passing the bill on June 8. Additionally, Oregon’s SB 619 continues to advance in the legislative process, with the Joint Committee on Ways and Means passing the bill on June 5.
Finally, the past few weeks saw legislative calendars doom two bills that had passed a chamber. Specifically, the Oklahoma legislature closed without passage of the Oklahoma Computer Data Privacy Act, which had passed the House back in March, while the New York Privacy Act, despite a late-breaking passage by the Senate on June 8, was unable to progress in the Assembly before the end of the New York legislative session.
- Active Bills That Have Cleared a Legislative Chamber
- The Delaware Personal Data Privacy Act (HB 154) was passed by the House and assigned to the Senate Banking, Business, Insurance and Technology Committee on June 8.
- The New York Senate passed the New York Privacy Act (S. 365) on June 8. However, the New York legislative session closed on June 9 before the Assembly could take any action on the bill.
- The New Hampshire House Judiciary Committee held a work session on SB 255 on June 7.
- The Oklahoma legislature closed on May 26 without passage of the Oklahoma Computer Data Privacy Act (HB 1030).
- New Jersey S. 332 was passed by the Assembly Science, Innovation, and Technology Committee with amendments on May 11.
- Committee Approvals
- The Oregon Joint Committee on Ways and Means passed SB 619 on June 5.
- Legislative Work Sessions
- The Maine Joint Judiciary Committee held a work session on the Maine Consumer Privacy Act (LD 1973) on May 25.
- Legislative Session Closures
- The New York legislative session closed without passage of any of the state’s numerous privacy bills.
- The Illinois legislative session closed without passage of the Illinois Data Privacy and Protection Act (HB 3385).
- The Minnesota legislative session closed without passage of the Minnesota Consumer Data Privacy Act (HF 2309/SF 2915) and HF 1367.