This legislative session has been marked by the continuing growth of the nation’s patchwork of state comprehensive privacy laws, and the weeks since our last update have been no exception. April saw state legislatures in Indiana, Montana and Tennessee pass state comprehensive privacy bills — positioning those states to become the seventh, eighth and ninth states with such laws on the books. Elsewhere, bills in Texas and Florida crossed legislative chambers, while the New York legislature introduced yet another comprehensive privacy bill into an already crowded field. We detail all of these developments (and more) in the sections below.
NEW PROPOSALS
April saw yet another comprehensive privacy law proposal in the New York state legislature — the seventh this legislative session, by our count. This lengthy proposal would, among other things, create a private right of action for individuals injured by a violation of the Act.
New York
- Bill Title: American Data Privacy and Protection Act (A6319)
- Date of Introduction: April 3, 2023.
- Current Status: As of April 30, 2023, A6319 had been introduced and referred to the Assembly Science and Technology Committee (4/3/23).
- Key Provisions:
  - Defines a “covered entity” as any entity that determines the means and purposes of collecting, processing, or transferring personal information and (1) is subject to the FTC Act; (2) is a common carrier subject to the Communications Act of 1934; or (3) is a nonprofit. Exempts government entities from this definition.
  - Requires that covered entities employ data minimization principles by limiting data collection, processing, and transfer to what is reasonably necessary and proportionate to provide a product or service requested by a consumer or to effect a statutorily enumerated purpose.
  - Imposes a duty of loyalty on covered entities that, among other things, prohibits covered entities from collecting, processing, or transferring sensitive data, subject to certain exceptions and conditions.
  - Requires that covered entities publish privacy policies that include, among other things, the categories of personal data collected or processed, the purposes for such collection or processing, information about the covered entity’s transfers of personal data to third parties, the length of time for which personal data will be retained, and a description of the entity’s data security practices. Large data holders are further required to provide a “short form” version of this notice.
  - Creates rights for individual consumers, including: the right to access their personal data; the right to access information about personal data collected and transferred; the right to correct inaccurate personal data; the right to delete personal data; the right to obtain a portable copy of personal data; the right to withdraw consent to data processing; the right to object to data transfer (including through an opt-out mechanism); and the right to opt out of targeted advertising (including through an opt-out mechanism).
  - Would establish a Bureau of Privacy within the Division of Consumer Protection.
  - Imposes various requirements on “third-party collecting entities” (essentially, data brokers), including notice and registration requirements that are enforceable by civil penalties ($100 per day of violation, not to exceed $10,000 total in any given year).
  - Requires the Division to establish a mechanism by which individuals may demand that data brokers delete all personal data relating to them.
  - Requires covered entities to conduct biennial privacy impact assessments of their data collection, processing, and transfer activities.
  - Requires large data holders that use covered algorithms “in a manner that poses a consequential risk of harm to an individual or group” to conduct annual impact assessments of such algorithms.
  - Requires entities that develop covered algorithms to perform evaluations of the algorithms to reduce the risk of potential harms associated with their use.
  - Requires covered entities to implement reasonable data security practices, including, among other things, risk management processes, data retention schedules, employee training, designation of a data security officer, and incident response procedures.
  - Requires that the Division establish or recognize one or more unified opt-out mechanisms, including global privacy signals, to allow individuals to exercise their rights to object to data transfer and opt out of targeted advertising.
  - Requires large data holders to annually certify their maintenance of internal controls and reporting structures designed to ensure compliance with the Act.
  - Requires covered entities with more than 15 employees to appoint at least one privacy officer and one data security officer responsible for implementation of the entity’s privacy and data security programs. Large data holders are further required to appoint a privacy protection officer who reports directly to the company’s highest official and oversees the development and/or implementation of policy reviews, audits, and employee training.
  - Grants the Division of Consumer Protection authority to enforce the Act.
  - Violations of the Act constitute unfair or deceptive acts or practices and are subject to the penalties outlined in the Federal Trade Commission Act (15 U.S.C. § 41 et seq.).
  - Authorizes the state AG to bring civil actions to enforce the Act. The state AG may seek civil penalties, damages, injunctive relief, and reasonable attorneys’ fees.
  - Creates a private right of action (effective two years after the Act’s effective date) for specific violations of the Act. Plaintiffs may seek compensatory damages, injunctive and declaratory relief, and reasonable attorneys’ fees. For suits brought pursuant to this private right of action, the Act establishes a 45-day cure period for small businesses.
  - Entities compliant with the data privacy requirements of GLBA, FCRA, FERPA, and HIPAA are deemed compliant with related requirements of the Act, except for Section 1527 of the Act (the Act’s data security requirements). Compliance with GLBA and HIPAA’s information security requirements establishes compliance with Section 1527.
  - Establishes a Privacy and Security Victims Relief Fund, into which civil penalties collected pursuant to the Act are to be deposited.
  - Grants the Division authority to promulgate rules and regulations related to the Act.
UPDATES ON EXISTING PROPOSALS
In addition to the impending enactment of the Indiana, Montana, and Tennessee bills, the past several weeks have seen cross-chamber movement on two other bills. First, the Texas Data Privacy and Security Act (HB 4) was passed by the House on April 5. Second, Florida’s SB 262 was passed by the Senate on April 28. Neither creates a private right of action, but the Florida proposal is notable for applying only to entities that, among other requirements, have gross annual revenues exceeding $1 billion and either (1) derive 50% or more of gross revenue from providing targeted advertising or the sale of ads; (2) operate a consumer smart speaker and voice command service with an integrated virtual assistant; or (3) operate an app store that features at least 250,000 apps.
Other bills continue to move forward in the legislative process as outlined below.
- Bills That Have Cleared a Legislative Chamber
  - The Oklahoma Computer Data Privacy Act (HB 1030) was referred to the Senate Rules Committee on March 29.
  - Florida’s SB 262 was passed by the Senate on April 28.
  - The Texas Data Privacy and Security Act (HB 4) was passed by the House on April 5 and received in the Senate on the same day.
  - New Hampshire’s SB 255 received a hearing before the House Judiciary Committee on April 19 and is scheduled for consideration by the Committee in Executive Session on May 3.
  - Kentucky Senate Bill 15 died in the House on March 30.
  - The Oklahoma Computer Data Privacy Act (HB 1030) remains under consideration by the Senate Rules Committee as of March 29.
  - Hawaii’s Consumer Data Protection Act (SB 974) remains under consideration by the House Economic Development, Consumer Protection and Commerce, and Finance Committees as of March 9.
  - New Jersey S. 332 remains under consideration by the Assembly Science, Innovation and Technology Committee as of February 6.
- Committee Approvals
- Committee Hearings
  - Rhode Island’s SB 754 is scheduled for a hearing before the Commerce Committee on May 2.
- Committee Referrals
  - The North Carolina Consumer Privacy Act (SB 525) was referred to the Committee on Rules and Operations of the Senate on April 4.
- Bill Deaths
- Other Bill Developments