State legislatures kept busy last year, passing seven new comprehensive privacy laws and wrapping up 2024 with a total of nineteen state comprehensive privacy laws on the books across the country. This year did not open with an early enactment like New Jersey’s in January 2024 (although we note the significant and quick passage of the New York Health Information Privacy Act elsewhere in the state privacy law landscape). However, several state legislators have signaled early enthusiasm for comprehensive privacy laws, with pre-filed legislation in Oklahoma, New York, and South Carolina, and five bills added to the legislative docket in Massachusetts by the second week of the session. Although there are some new statutory texts to scrutinize, we are also seeing several reintroduced versions of bills from prior legislative sessions in states like Illinois, New York, and Pennsylvania. We summarize key trends and provisions of these bills below.
We will be providing recurring updates on state comprehensive privacy law legislation over the next several months. To track the latest developments alongside us this state legislative season, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
KEY TRENDS AND HIGHLIGHTS
- Bill re-introductions: The majority of bills introduced since the legislative sessions opened have been re-introduced versions of bills from prior state legislatures. Most notably, three of Massachusetts’s docketed bills adopt almost identical language to last year’s Massachusetts Data Privacy Protection Act (Senate Bill 2770), which made it out of committee last year but did not gain enough traction to pass before the close of the legislative session. Other hopeful bill re-introductions include Illinois’s Privacy Rights Act, Massachusetts’s Information Privacy and Security Act, New York’s Data Protection Act, and Pennsylvania’s Consumer Data Privacy Act proposals, as summarized below.
- Expansion of “personal information” and “sensitive data” definitions: As we’ve seen across other regulatory actions (like last year’s FTC enforcement actions against Avast Limited, InMarket Media, and X-Mode Social and Outlogic), regulators are beginning to expand the types of data protected under federal and state enforcement. Most of the bills below now treat geolocation data and biometric data as either “sensitive data” or “personal data” regulated under the bill. The Massachusetts Data Privacy Act even requires covered entities that collect geolocation data to develop and maintain a Location Privacy Policy. Other bills, like South Carolina’s HB 3401, Oklahoma’s SB 546, and Pennsylvania’s HB 78, define personal data as including pseudonymous data when it can be “linked or reasonably linked” to an identifiable individual. Oklahoma’s Computer Data Privacy Act also recognizes IP addresses, web browsing information, and inferences (drawn from other personal information) about a consumer’s preferences and characteristics as personal information within the scope of the law.
- State AGs continue as the enforcement mechanism of choice: Unsurprisingly, all of these bills grant enforcement authority to the state AG. There are a few notable, limited private rights of action proposed: namely, the Massachusetts Data Privacy Act’s private right of action for alleged violations by large data holders only, and the Illinois Privacy Rights Act’s proposed private right of action for consumers impacted by security breaches. As last year, some bills also continue to grant rulemaking authority to state AG offices, including in Illinois, Massachusetts, and New York.
NEW PROPOSALS
Hawaii
- Bill Title: Consumer Data Protection Act (Senate Bill 1037)
- Date of Introduction: January 17, 2025
- Current Status: As of January 23, SB 1037 has passed first reading (1/21/25).
- Key Provisions:
- Applies to persons that conduct business in Hawaii or produce products or services that are targeted to residents of the State and during a calendar year that: (1) control or process personal data of at least 100,000 consumers; or (2) control or process personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data.
- Exempts various entities and data types, including: government entities; institutions of higher education; nonprofit organizations; covered entities, business associates, and protected health information subject to HIPAA; financial institutions and data governed by the GLBA; personal data governed by FERPA; information governed by FCRA; personal data governed by the Driver’s Privacy Protection Act; and certain employment-related information. An entity that complies with COPPA’s verifiable parental consent requirements is deemed to comply with the Act’s parental consent requirements.
- Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
- Defines “sale” to include the exchange of personal data for other valuable consideration as well as for monetary consideration.
- Creates rights for consumers, including: the right to confirm whether a controller is processing the consumer’s personal data; the right to access that personal data; the right to correct inaccuracies; the right to delete personal data; the right to data portability; and the right to opt out of the processing of personal data for purposes of targeted advertising or sale of personal data.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed; purposes for processing; how consumers may exercise data rights; categories of personal data shared with third parties; categories of third parties with whom personal data is shared; and an active email address or other online mechanism consumers can use to contact the controller.
- Controllers must also “clearly and conspicuously disclose” the manner in which consumers may opt out of processing for purposes of sale of personal data or targeted advertising, if controller performs such processing.
- Incorporates privacy by design principles, such as reasonable security measures.
- Prohibits controllers from processing sensitive data without obtaining the consumer’s consent.
- Does not create private right of action; rather, grants exclusive enforcement authority to the Hawaii attorney general.
- Requires that the Hawaii AG provide entities with a thirty-day cure period before initiating an enforcement action.
- In enforcement action, the Hawaii AG may obtain actual damages up to $7,500 per violation.
- Establishes a Consumer Privacy Special Fund into which money obtained through enforcement actions shall be deposited.
Illinois
- Bill Title: Privacy Rights Act (Senate Bill 52)
- Date of Introduction: January 13, 2025
- Current Status: As of January 23, SB 52 has been referred to Assignments (1/13/25).
- Key Provisions:
- Applies to businesses that do business in Illinois and satisfy at least one of the following thresholds: (1) exceed $25 million in annual gross revenue; (2) annually buy, sell, or share personal information of at least 100,000 Illinois residents; or (3) derive 50% or more of annual revenues from selling or sharing personal information.
- Exempts various entities and information types, including: protected health information and covered entities governed by HIPAA; personal information governed by the GLBA; personal information governed by the DPPA; certain employment-related information; and certain commercial information.
- Defines “sale” to include exchanges of personal information “for monetary or other valuable consideration.”
- Requires businesses that sell, share, or disclose personal information to a third party, service provider, or contractor to enter into a data processing agreement with that entity.
- Creates CCPA/CPRA-style rights for consumers, including: the right to delete personal information; the right to correct inaccurate personal information; the right to know what personal information a business is collecting and to access that personal information; the right to know what personal information a business is selling or sharing; the right to opt out of the sale or sharing of personal information; and the right to limit the use and disclosure of sensitive personal information.
- Requires that businesses provide consumers with a privacy notice that contains information listed in the statute.
- Requires that businesses that sell or share personal information or disclose sensitive personal information for specified purposes provide “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links on their homepages (or a single combined link).
- Requires businesses to comply with opt-out requests conveyed via opt-out preference signals.
- Creates a private right of action for consumers impacted by personal information security breaches, allowing those consumers to seek the greater of actual damages or between $100 and $750 per consumer per incident.
- Imposes civil penalties of up to $2,500 per violation (for most violations) or $7,500 per violation (for intentional violations or violations involving consumers under the age of 16).
- Grants the AG and Agency rulemaking authority and identifies a range of topics on which rules are to be promulgated.
Massachusetts
Massachusetts Data Privacy Act
- Bill Titles: Senate Docket 267, Senate Docket 495, House Docket 2110
- Date of Introduction: Docketed on January 13, 2025.
- Current Status: As of January 23, these bills remain on the docket to be introduced.
- Key Provisions:
- Applies to entities that operate commercially in Massachusetts and (1) exceed $20 million in revenue or (2) collect or process the personal information of at least 25,000 individuals (excluding collection or processing solely for billing or payment purposes).
- Exempts various entities and information types, including: government entities; personal information subject to HIPAA or FERPA, and nonpublic personal information processed by financial institutions subject to the GLBA.
- Defines “covered data” to include “derived data, inferences, and unique persistent identifiers” that identify or can be reasonably linked (alone or in combination with other data) to an individual or device.
- Defines a “covered high-impact social media company” as a covered entity that operates platforms primarily used for sharing user-generated content with more than 300 million monthly active users and generates $3 billion or more in annual revenue.
- Proposes an extensive list for what is considered “sensitive covered data,” including precise geolocation information; all covered data of a minor; “covered data processed concerning an individual’s past, present or future mental” or physical health condition; covered data processed related to sexual orientation, reproductive health, or “philosophical beliefs;” and “covered data that reveals an individual’s online activities over time and across [websites].”
- Imposes a duty of loyalty on data controllers and processors, limiting collection and processing of data to what is “reasonably necessary” and “proportionate” to defined purposes.
- Prohibits deceptive advertising and the use of dark patterns.
- Requires express consent before the collection or processing of sensitive information.
- Creates rights for consumers, including: the right to access personal information, the categories of processors receiving covered data, and a description of the purposes for third-party processing; the right to correct inaccurate covered data; the right to delete covered data; and the right to opt out of covered data transfers, targeted advertising, and profiling.
- Requires covered entities that collect Massachusetts residents’ location data to provide the resident with a Location Privacy Policy and to obtain discrete consent for the stated purpose before collecting or processing that data.
- Prohibits covered entities from transferring sensitive data without an individual’s consent and processing sensitive data for targeted advertising.
- Requires that covered entities and service providers provide consumers with a privacy notice that contains the information required under the statute.
- Imposes requirements on service providers, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the covered entity.
- Requires data brokers to register annually with the Office of Consumer Affairs and Business Regulation (OCABR) and to place a “clear, conspicuous ... [and] readily accessible” notice on their website or mobile app that identifies them as a data broker.
- Grants enforcement and rulemaking authority to the Massachusetts AG and identifies violations of this law as an unfair or deceptive act or practice (UDAP) that can be enforced and penalized under Massachusetts’s UDAP law.
- AG may seek civil penalties not less than 0.15% of the annual global revenue or $15,000, whichever is greater, per violation.
- Creates a private right of action for violations by large data holders only.
- Would take effect one year after enactment.
Massachusetts Information Privacy and Security Act
- Bill Title: Senate Docket 2355
- Date of Introduction: Docketed on January 13, 2025.
- Current Status: As of January 23, this bill remains on the docket to be introduced.
- Key Provisions:
- Applies to controllers and processors that conduct business in Massachusetts, and to the processing of personal information by controllers and processors not established in Massachusetts when the processing relates to (1) the offering of goods or services targeted to Massachusetts residents or (2) the monitoring of Massachusetts residents’ behavior when that behavior takes place in Massachusetts.
- Additionally, sections 7–17 and 26 (which primarily address consumer rights and the Act’s private right of action) apply only to controllers that satisfied one of the following during the previous calendar year: (1) the controller’s annual global gross revenue exceeded $25 million; (2) the controller was a data broker; or (3) the controller “determined the purposes and means of processing” of the personal information of at least 100,000 Massachusetts residents.
- Exempts various entities and information types, including: state government; certain nonprofits; information governed by HIPAA, FCRA, DPPA, FCA, FERPA, GLBA or the Airline Deregulation Act; and certain employment-related information.
- Entities that comply with COPPA’s parental consent requirements are deemed compliant with the Act’s parental consent requirements.
- Defines “personal information” broadly to include “unique persistent identifiers.” For context, the bill defines “unique persistent identifiers” to include a unique pseudonym.
- Creates individual rights for consumers, including the right to access personal information; the right to obtain a portable version of personal information; the right to delete personal information; the right to correct personal information; the right to revoke consent for processing of personal information; and the right to opt out of processing for purposes of sale of personal information, targeted cross-contextual advertising, or targeted first-party advertising.
- Allows individuals to exercise their opt-out rights via browser extensions, global device settings, and opt-out preference signals.
- Prohibits controllers from processing sensitive information for purposes of sale or targeted cross-contextual or first-party advertising without individual’s consent. Also generally prohibits processing of individual’s sensitive information without consent, subject to limited exceptions.
- Requires that controllers provide consumers with a privacy notice that includes, among other details, whether or not any personal information is sold to, processed in, stored in or otherwise accessible to China, Iran, Russia, Korea, or Cuba.
- Requires data brokers to register with state AG. Data brokers that fail to register may be liable for a civil penalty of up to $500 per day, with the total penalty capped at $100,000 per year.
- Incorporates privacy by design principles, such as by requiring controllers to identify and mitigate privacy risks and harms throughout their product and service design, development, and implementation processes.
- Requires that controllers conduct risk assessments for specified processing activities, including: processing for purposes of sale of personal information or targeted cross contextual and/or targeted first-party advertising; processing for purposes of profiling that poses certain specified risks; processing sensitive information; and any other processing “likely to result in a high risk of harm to individuals.”
- Requires that large data holders include in their risk assessments analysis of the entity’s use of algorithms and other artificial intelligence techniques in processing.
- Establishes a 30-day cure period for violating entities before state AG may initiate civil action.
- Imposes civil penalties of up to $7,500 per violation, as well as injunctive relief. Entities that violate an injunction or order are liable for a civil penalty of up to $10,000 per violation.
- Authorizes the state AG authority to enforce the act and to adopt regulations to support its implementation.
- Creates a private right of action for consumers impacted by personal information security breaches. Individuals may seek damages (the greater of up to $500 per individual per incident or actual damages), injunctive, declaratory, and other relief.
- In security breach actions, controllers are shielded from punitive damages if they had implemented a cybersecurity program conforming to one of several enumerated frameworks, including, for example, the NIST Cybersecurity Framework.
- Subject to limited exceptions, the Act would take effect 18 months after passage. However, the Act would take effect 30 months after passage for nonprofit organizations and institutions of higher education.
Massachusetts Consumer Data Privacy Act
- Bill Title: House Bill 2135
- Date of Introduction: Docketed on January 15, 2025
- Current Status: As of January 23, this bill remains on the docket to be introduced.
- Key Provisions:
- Applies to entities that conduct business in Massachusetts or target products or services to Massachusetts residents and satisfy at least one of the following conditions: (1) annually control or process the personal data of at least 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (2) derive revenue from the sale of personal data.
- Exempts various entities and information types, including: government entities; protected health information governed by HIPAA; data subject to the GLBA; information governed by FCRA; information governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; and certain employment-related information.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed compliant with the Act’s parental consent requirements.
- Defines “sale of personal data” as “exchange of personal data for monetary consideration or other valuable consideration by the controller to a third party.”
- Proposes an extensive list for what is considered “sensitive covered data,” including biometric data; precise geolocation data; and data revealing racial or ethnic origin, color, national origin, religious beliefs, mental or physical health condition or diagnosis, status as pregnant, sex life, sexual orientation, status as transgender or non-binary, philosophical beliefs or union membership, status as a military servicemember or veteran, income level or indebtedness, or citizenship or immigration status.
- Creates rights for consumers, including: the right to confirm whether a controller is collecting or processing the consumer’s personal data; the right to access that personal data; the right to obtain a list of the specific third parties receiving personal data; the right to correct inaccurate data; the right to delete personal data; the right to data portability; and the right to opt out of targeted advertising, the transfer of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
- Requires controllers to recognize requests to opt-out of sale or sharing of personal data conveyed through opt-out preference signals.
- Requires that controllers provide consumers with a privacy notice that contains the information required under the statute.
- Prohibits controllers from processing sensitive data without allowing the consumer to opt out.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that controllers conduct data protection assessments for processing activities that present a heightened risk of harm to the consumer.
- Creates a private right of action, so long as the violating party is not a small business. The court may award a plaintiff damages of at least $15,000 per violation.
- A controller or processor is a small business if, over the past three years, its average gross revenue did not exceed $20,000,000, it did not annually collect, process, retain, or transfer the personal data of more than 200,000 individuals on average, and it did not transfer personal data to a third party in exchange for revenue.
- In enforcement action, Massachusetts AG may obtain damages of at least $15,000 per violation.
- Would take effect 180 days after enactment.
New York
- Bill Title: New York Data Protection Act (Assembly Bill A974)
- Date of Introduction: January 8, 2025
- Current Status: As of January 23, A974 had been referred to Consumer Affairs and Protection (1/8/25).
- Key Provisions:
- Applies to legal persons that conduct business in New York or produce products or services targeted to New York residents and (1) have annual gross revenue of $25 million or more; and/or (2) control or process the personal data of 50,000 or more consumers; and/or (3) derive over fifty percent of gross revenue from the sale of personal data.
- Exempts various entities and information types, including: certain nonprofits; information collected by covered entities or business associates governed by HIPAA; data processed by state and local governments and municipal corporations for purposes other than sale; personal data collected, processed, sold, or disclosed pursuant to the GLBA; personal data regulated by FERPA; and employee information.
- Defines “sensitive data” to include precise geolocation data, and defines “sale” as the “disclosure ... sharing, licensing, making available” of personal data for monetary “or other valuable consideration.”
- Requires that controllers provide consumers with a public privacy notice that contains the information required under the statute.
- Creates rights for consumers, including: the right to access (i.e., to confirm whether the controller is processing the consumer’s personal information and to access that personal information); the right to obtain a copy of the data in a portable and readily usable format; the right to correct inaccuracies in the consumer’s personal information; the right to delete personal data provided by the consumer or obtained by the controller about the consumer; and the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Requires opt-in consent to process consumers’ sensitive data or to make changes to existing processing that was previously consented to.
- Incorporates privacy by design principles, such as purpose limitation and reasonable safeguards to protect consumer data.
- Requires data protection assessments for activities that present heightened risk of harm.
- Requires data brokers to register with the New York AG, pay an annual fee, and submit information regarding their data use practices including a description of the method of processing consumer requests. The AG would maintain a statewide public registry.
- Requires controllers to submit to the New York AG a list of all data brokers to which the controller provided personal data in the preceding year.
- Creates penalties for data brokers that fail to register or that submit false information in registration. Creates civil penalty of $1,000 for each day the data broker fails to register or correct false information, an amount equal to the fees that were due during the period it failed to register, and expenses incurred by the New York AG in the investigation and prosecution of the action.
- Authorizes the AG to enforce the act and any violations within six years of the unlawful alleged practices. The AG is also empowered to promulgate rules to carry out the provisions of the act.
- Imposes civil penalties of up to $20,000 per violation.
- Would go into effect immediately, with certain sections taking effect two years after they become law.
Oklahoma
Senate Bill 546
- Bill Title: Senate Bill 546
- Date of Introduction: January 13, 2025
- Current Status: As of January 23, pre-filed legislation; first reading scheduled for February 3, 2025.
- Key Provisions:
- Applies to entities that (1) conduct business in Oklahoma or target products or services to Oklahoma residents; (2) have annual revenues of at least $25 million; and (3) either (a) control or process personal data of 100,000 or more consumers or (b) derive over 50% of gross revenue from sale of personal data and control or process personal data of 25,000 or more consumers.
- Exempts various entities and data types, including: state entities or subdivisions; financial institutions and data governed by the GLBA; covered entities, business associates, and protected health information subject to HIPAA; institutions of higher education; nonprofit organizations; information governed by FCRA; personal data governed by FERPA; and personal data governed by the Driver’s Privacy Protection Act.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed compliant with the Act’s parental consent requirements.
- Exempts individuals “acting in an employment or commercial context” from its definition of “consumer.”
- Expands definition of “personal data” to include pseudonymous data, when used in conjunction with additional information that reasonably links the data to an identified or identifiable person.
- Defines “sale of personal data” as the exchange of personal data for “monetary or other valuable consideration by the controller to a third party,” with notable exclusions.
- Defines “sensitive data” to include genetic, biometric, and precise geolocation data.
- Creates rights for consumers, including: the right to confirm whether a controller is processing the consumer’s personal data; the right to access that personal data; the right to correct inaccuracies; the right to delete personal data; the right to data portability; and the right to opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that controllers provide consumers with a privacy notice that contains the information required under the statute.
- Prohibits controllers from processing sensitive data without obtaining the consumer’s consent, or in the case of processing the sensitive data of a known child, without processing that data in accordance with COPPA.
- Requires that controllers conduct data protection assessments for the sale and processing of data, the processing of sensitive data, any processing activities involving personal data that present a heightened risk of harm to consumers, and the processing of data for purposes of profiling, if the profiling presents certain reasonably foreseeable risks.
- Does not create private right of action; rather, grants exclusive enforcement authority to the Oklahoma AG.
- Requires that the Oklahoma AG provide entities with a 30-day cure period before initiating an enforcement action.
- In enforcement action, Oklahoma AG may obtain up to $7,500 per violation.
- Would go into effect on January 1, 2026.
Oklahoma Computer Data Privacy Act
- Bill Title: House Bill 1012
- Date of Introduction: December 13, 2024
- Current Status: As of January 23, HB 1012 is pre-filed legislation and has a first reading scheduled for February 3, 2025 (12/13/24).
- Key Provisions:
- Applies to entities that conduct business in Oklahoma, act as a controller for the consumer personal information they collect, and satisfy one of the following: (1) exceed $15 million in annual gross revenue; (2) buy, sell, or receive the personal information of 50,000 or more consumers or devices; or (3) derive more than 25% of annual revenue from the sale of personal information.
- Exempts various entities and data types, including: covered entities, business associates, and information governed by HIPAA; data subject to the GLBA; data subject to the Driver’s Privacy Protection Act; and nonprofit organizations.
- Defines “personal information” to include IP address; internet activity such as “browsing or search history;” geolocation data; professional or employment-related information; and “inferences drawn from [any other defined personal information] to create a profile about a consumer that reflects the consumer’s preferences, characteristics… behavior… [and] abilities or aptitudes.”
- Creates rights for consumers, including: the right to disclosure of personal data collected; the right to delete personal data; the right to disclosure of the categories of information and third-party recipients of personal information sold or disclosed for a business purpose; the right to opt out of the sale of the consumer's personal information to third parties; the right to prohibit retention, use, or disclosure of personal data.
- Requires businesses that sell consumer personal information to third parties to provide notice on their website and a “clear and conspicuous link” for consumers to consent to the sale. Third parties, like data brokers, must receive affirmative consent to sell personal information.
- Requires that businesses provide consumers with a privacy notice that contains the information required under the statute. Businesses must obtain opt-in consent to collect consumer personal information.
- Allows payments to a consumer for the collection, sale, or disclosure of their personal information.
- If a conflict of consumer data protection laws exists between Oklahoma and another state, the “provision of law that affords the greatest privacy or protection to consumers prevails.”
- Does not create a private right of action; rather, grants enforcement authority to the Oklahoma AG.
- Creates civil penalties of up to $2,500 per violation (or $7,500 if the violation is intentional).
- Would take effect one year after enactment.
Pennsylvania
- Bill Title: Consumer Data Privacy Act (House Bill 78)
- Date of Introduction: January 14, 2025
- Current Status: As of January 23, HB 78 had been referred to Commerce (1/14/25).
- Key Provisions:
- Applies to entities that conduct business in Pennsylvania and either (i) have annual gross revenue in excess of $10,000,000; (ii) alone or in combination, annually buy or receive, or sell or share for commercial purposes, the personal information of at least 50,000 consumers, households, or devices; or (iii) derive at least 50% of annual revenues from selling consumers’ personal information.
- Exempts various entities and data types, including: state entities; financial institutions and data subject to the GLBA; covered entities, business associates, and information governed by HIPAA; identifiable private information related to human subjects research; patient safety work product; information used for public health purposes; information governed by FCRA, the Driver’s Privacy Protection Act (DPPA), FERPA; information maintained for emergency contacts; information used to administer benefits; and certain employment-related information.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed compliant with the Act’s parental consent requirements.
- Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
- Defines “sensitive data” to include genetic, biometric, and precise geolocation data.
- Defines “pseudonymous data” as “personal data that cannot be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to appropriate and technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.”
- For context, “personal data” is defined as “[a]ny information that is linked or reasonably linkable to an identified or identifiable individual.”
- Creates rights for consumers, including: the right to confirm whether a controller is processing a consumer’s personal information (unless confirmation or access would reveal a trade secret); the right to correct inaccurate personal information; the right to delete personal information; the right to data portability; and the right to opt-out of the processing of personal information for purposes of sale of personal information, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Prohibits controllers from processing sensitive data without the consumer’s consent, or in the case of processing sensitive data concerning a known child, without processing the data in accordance with COPPA.
- Also requires controllers to refrain from selling or processing a consumer’s data for the purpose of targeted advertising without the consumer’s consent when the controller has actual knowledge or willfully disregards that the consumer is younger than 16 years of age.
- Requires controllers to allow consumers to exercise their right to opt-out of the processing of their personal data for purposes of targeted advertising and sale via opt-out preference signals by no later than January 1, 2027.
- Requires that controllers provide consumers with a privacy notice that contains the information required under the statute.
- If the controller sells personal data or processes personal data for purposes of targeted advertising, it must “clearly and conspicuously disclose the sale or processing and the manner in which a consumer may exercise the right to opt out the sale or processing.”
- Incorporates privacy by design principles, such as purpose limitation and reasonable safeguards to protect consumer data.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that controllers conduct data protection assessments for high-risk data processing activities created or generated after July 1, 2025.
- Does not create a private right of action; rather, grants exclusive enforcement authority to the Pennsylvania AG.
- During the period beginning January 1, 2026, and ending July 1, 2026, requires the Pennsylvania AG to provide entities with a 60-day cure period before initiating an enforcement action, if the AG determines that a cure is possible.
- Would take effect in six months.
South Carolina
- Bill Title: House Bill 3401 (adding Chapter 31 “Technology Transparency” to Title 37)
- Date of Introduction: January 14, 2025
- Current Status: As of January 23, pre-filed legislation, referred to Committee on the Judiciary on January 14, 2025
- Key Provisions:
- Applies to persons that conduct business in South Carolina or produce a product or service used by residents of South Carolina and process or engage in the sale of personal data.
- Exempts various entities and data types, including: state agencies or any political subdivisions of the state; financial institutions and data subject to the GLBA; covered entities or business associates, as well as protected health information governed under HIPAA; nonprofit organizations; information governed by FCRA; personal data governed by the Driver’s Privacy Protection Act; and personal data governed by FERPA.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed compliant with the Act’s parental consent requirements.
- Exempts individuals “acting in an employment or commercial context” from its definition of “consumer.”
- Expands “personal data” definition to include pseudonymous data, when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
- Broadens the definition of “child” to include individuals under the age of eighteen.
- Defines “sale of personal data” as “monetary or other valuable consideration by the controller to a third party” with exclusions.
- Creates rights for consumers, including: the right to confirm whether a controller is processing the consumer’s personal data; the right to access said data; the right to correct inaccuracies; the right to delete personal data; the right to data portability; and the right to opt out of targeted advertising, sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer.
- Prohibits controllers from processing or selling sensitive data without obtaining the consumer's consent or, in the case of a known child, without processing the data in accordance with COPPA.
- Requires that controllers provide consumers with a reasonably accessible and clear privacy notice, updated at least annually.
- Controllers who are engaged in the sale of sensitive data must provide the following notice: “NOTICE: This website may sell your sensitive personal data.”
- Controllers who are engaged in the sale of biometric data must provide the following notice: “NOTICE: This website may sell your biometric personal data.”
- Imposes a range of requirements on processors, including, among other things, requiring that a contract govern a processor’s data processing procedures performed on behalf of the controller.
- Requires controllers to conduct data protection assessments for the sale and processing of data, the processing of sensitive data, any processing activities involving personal data that present a heightened risk of harm to consumers, and the processing of data for purposes of profiling, if the profiling presents certain reasonably foreseeable risks.
- Does not create a private right of action; rather, grants exclusive enforcement authority to the South Carolina AG.
- The South Carolina AG may provide entities with a 45-day cure period before initiating an enforcement action but is not required to grant a cure period.
- In an enforcement action, the South Carolina AG may seek damages of up to $50,000 per violation. Civil penalties may be tripled for violations involving: a South Carolina consumer who is a known child; a failure to delete or correct a consumer’s data after receiving an authenticated consumer request or directions from a controller to delete or correct; and the continued sale or sharing of a consumer’s personal data after the consumer chose to opt out.
- Would take effect upon approval of the Governor.
- Prohibits government employees from using their position or state resources to form relationships with, make agreements with, or send requests to social media platforms for the purpose of account removal or content moderation.