State Comprehensive Privacy Law Update – January 18, 2024

WilmerHale Privacy and Cybersecurity Law Blog

Following a busy 2023 in which seven states enacted comprehensive privacy laws, we entered this year expecting additional activity on this front across state legislatures. The opening weeks of 2024 have not disappointed. Most notably, the New Jersey governor has already signed a comprehensive privacy bill passed by the legislature, and another bill is nearing passage in the New Hampshire legislature. (You can find our analysis of the New Jersey bill here and the New Hampshire bill here.) Meanwhile, a handful of bills have been introduced in other state legislatures as well, including two bills in Kentucky (which in 2023 saw a comprehensive privacy bill pass the Senate, only to die in the House) and one in Missouri. We summarize the key trends and provisions of those bills below.

We will be providing recurring updates on state comprehensive privacy law legislation over the next several months. To stay informed on the latest developments this state legislative season, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

KEY TRENDS AND HIGHLIGHTS

  • Broadly similar structure and provisions: Generally speaking, the three proposed bills adhere to the structure and substance of the non-California state comprehensive privacy laws that have been enacted to date. For example, the bills articulate similar scopes of applicability and exemptions (though the Missouri bill is somewhat notable in including a general revenue applicability threshold of $25 million), create a set of consumer data rights, and include similar enforcement provisions (see below).
  • No private rights of action: None of the three proposed bills includes a private right of action, instead granting the relevant state attorney general exclusive enforcement authority. Notably, all three bills also establish a 30-day cure period allowing violators to remedy their violations before being subject to an enforcement action.
  • Kentucky Consumer Data Protection Act: Of these three bills, the Kentucky Consumer Data Protection Act (Senate Bill 15) is likely the one to watch for businesses, as it includes the most substantive requirements. Most notably, the bill includes relatively novel privacy notice provisions that would require controllers to disclose, for each third party to which personal data is sold or shared: (1) the location at which the third party retains the data; (2) the length of time for which the third party retains the data; and (3) the uses to which the third party puts the data. Additionally, the bill establishes distinctive restrictions on “tracking” conducted by controllers and allows consumers to opt out of such processing. Unique among the three 2024 bills, SB 15 would also require the recognition of opt-out preference signals, establish a right to correct inaccurate personal data, and require companies to conduct data protection assessments for certain types of higher-risk data processing. The Kentucky Senate passed a similar version of this bill in 2023, meaning that we are likely to see further action on this legislation over the coming weeks.

NEW PROPOSALS

Kentucky

Kentucky Consumer Data Protection Act

1. Bill Title: Kentucky Consumer Data Protection Act (Senate Bill 15)

2. Date of Introduction: January 2, 2024

3. Current Status: As of January 17, 2024, SB 15 had been referred to the Economic Development, Tourism, and Labor Committee (1/3/24).

4. Key Provisions:

  • Applies to entities that conduct business in Kentucky or target products or services to Kentucky residents and satisfy at least one of the following conditions: (1) annually control or process personal data of at least 50,000 Kentucky residents or (2) annually control or process personal data of at least 25,000 Kentucky residents and derive over 50% of gross revenue from sale of personal data. 
  • Exempts various entities and information types, including: state entities; financial institutions and data subject to the GLBA; covered entities, business associates, and protected health information governed by HIPAA; nonprofit organizations; institutions of higher education; information governed by FCRA; information governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; personal data governed by the Farm Credit Act; and certain employment-related information. Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements. 
    • Though state entities are listed as exempt from the Act’s requirements, the Act also includes narrower provisions related to privacy notices, data security, data sharing, and data collection that remain applicable to these entities.
  • Exempts individuals acting “[i]n a commercial or employment context,” as well as independent contractors, from its definition of “consumer.” 
  • Definition of “sale” is limited to “exchange of personal data for monetary consideration.”
  • Creates rights for consumers, including: the right to confirm whether a controller is processing the consumer’s personal data; the right to access that personal data; the right to correct inaccurate data; the right to delete personal data; the right to data portability; and the right to opt out of targeted advertising, tracking, and sale or sharing of personal data.
    • “Tracking” is defined as “combining personal data obtained from a consumer’s activities within a controller’s own commonly branded websites or online applications with personal data obtained from a third party for targeted advertising.”
    • “Sharing” is defined as the disclosing of personal data “by a controller to a third party for targeted advertising or tracking, whether or not for monetary or other valuable consideration,” including transactions “in which no money is exchanged.”
  • Requires controllers to recognize requests to opt out of sale or sharing of personal data conveyed through global privacy controls (also known as opt-out preference signals).
  • Incorporates privacy by design principles, such as reasonable security measures and purpose limitation.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed; purposes for processing; method for exercising consumer data rights; specific types of personal data shared with or sold to third parties; categories of third parties with whom personal data is shared or sold (including location where the third party retains the data, length of time the third party retains the data, and uses of the data by the third party); controller’s contact information; and length of time for which controller will retain consumer’s personal data. Additionally, if controller processes personal data for purposes of targeted advertising, tracking, or sale or sharing with third parties, that processing must be “conspicuously disclose[d].” 
  • Prohibits controllers from processing sensitive data “without allowing the consumer to opt out.”
  • Prohibits controllers from processing children’s (under age 13) personal data for purposes of targeted advertising or tracking and requires consumer consent for such processing (as well as sale or sharing of personal data) in relation to consumers ages 13 through 17. 
  • Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Requires that controllers conduct data protection assessments for processing activities that involve processing of personal data for purposes of targeted advertising, sale of personal data, and certain types of profiling. 
  • Does not create a private right of action; rather, grants exclusive enforcement authority to the Kentucky Attorney General.
  • Requires that the Kentucky AG provide entities with a thirty-day cure period before initiating an enforcement action.
  • In enforcement action, Kentucky AG may obtain damages of up to $7,500 per violation.
  • Establishes a consumer privacy fund into which money obtained through enforcement actions shall be deposited.
  • Would take effect on January 1, 2026. 

Kentucky House Bill 24

1. Bill Title: House Bill 24

2. Date of Introduction: January 2, 2024

3. Current Status: As of January 17, 2024, HB 24 had been referred to the Committee on Committees (1/2/24).

4. Key Provisions:

  • Applies to persons that conduct business in Kentucky or that produce products or services that are targeted to residents of the state that during a calendar year control or process the personal data of at least: (a) 100,000 Kentucky residents; or (b) 25,000 Kentucky residents and derive over 50% of gross revenue from the sale of personal data. 
  • Exempts various entities and data types, including: state agencies or any political subdivisions of the state; financial institutions and data subject to the GLBA; covered entities or business associates, as well as protected health information governed under HIPAA; nonprofit organizations; institutions of higher education; information governed by FCRA; personal data governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; personal data governed by the Farm Credit Act; and certain employment-related information. An entity that complies with COPPA’s verifiable parental consent requirements is deemed to comply with the Act’s parental consent requirements.
  • Exempts individuals “acting in an employment or commercial context” from its definition of “consumer.”
  • Definition of “sale” is limited to “exchange of personal data for monetary consideration.”
  • Creates rights for consumers, including: the right to confirm whether a controller is processing the consumer’s personal data; the right to access said data; the right to delete personal data; the right to data portability; and the right to opt out of targeted advertising or sale of personal data.
  • Incorporates privacy by design principles, such as reasonable security measures.
  • Prohibits controllers from processing sensitive data without presenting consumer with “clear notice and an opportunity to opt out” or in the case of a known child without processing the data in accordance with COPPA.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed; purposes for processing; how consumers may exercise data rights; categories of personal data shared with third parties; and categories of third parties with whom personal data is shared.  
  • Controllers who are engaged in the sale of personal data or targeted advertising must also “clearly and conspicuously disclose” the activities, and the manner in which consumers may opt out of processing for these purposes.
  • Imposes a range of requirements on processors, including, among other things, requiring that a contract govern a processor’s data processing procedures performed on behalf of the controller.
  • Does not create private right of action; rather, grants exclusive enforcement authority to the Kentucky Attorney General.  
  • Requires that the Kentucky AG provide entities with a thirty-day cure period before initiating an enforcement action.
  • In enforcement action, Kentucky AG may seek damages of up to $7,500 for each continued violation.
  • Establishes a Consumer Privacy Fund into which all civil penalties collected under the act shall be deposited. Kentucky AG’s office shall administer the Fund.
  • Would take effect on January 1, 2026.

Missouri

1. Bill Title: Senate Bill 731

2. Date of Introduction: January 3, 2024

3. Current Status: As of January 17, 2024, SB 731 had been referred to the Emerging Issues Committee (1/8/24).

4. Key Provisions:

  • Applies to entities that (1) conduct business in Missouri or target products or services to Missouri residents; (2) have annual revenues of at least $25 million; and (3) either (a) control or process personal data of 100,000 or more Missouri residents or (b) derive over 50% of gross revenue from sale of personal data and control or process personal data of 25,000 or more Missouri residents.
  • Exempts various entities and data types, including: public bodies; institutions of higher education; nonprofit organizations; covered entities, business associates, and protected health information subject to HIPAA; financial institutions and data governed by the GLBA; personal data governed by FERPA; information governed by FCRA; personal data governed by the Driver’s Privacy Protection Act; personal data governed by the Farm Credit Act; and certain employment-related information.
  • Exempts individuals “acting in an employment or commercial context” from its definition of “consumer.”
  • Definition of “sale” is limited to “exchange of personal data for monetary consideration.”
  • Creates rights for consumers, including: the right to confirm whether a controller is processing the consumer’s personal data; the right to access that personal data; the right to delete personal data; the right to data portability; and the right to opt out of the processing of personal data for purposes of targeted advertising or sale of personal data.
  • Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed; purposes for processing; how consumers may exercise data rights; categories of personal data shared with third parties; and categories of third parties with whom personal data is shared. 
  • Controllers must also “clearly and conspicuously disclose” the manner in which consumers may opt out of processing for purposes of sale of personal data or targeted advertising, if the controller performs such processing.
  • Incorporates privacy by design principles, such as reasonable security measures.
  • Prohibits controllers from processing sensitive data without presenting consumer with “clear notice and an opportunity to opt out.”
  • Does not create private right of action; rather, grants exclusive enforcement authority to the Missouri Attorney General.
  • Requires that the Missouri AG provide entities with a thirty-day cure period before initiating an enforcement action. 
  • In enforcement action, Missouri AG may obtain actual damages and up to $7,500 per violation. 
  • Establishes a Consumer Privacy Fund into which money obtained through enforcement actions shall be deposited. 
