The early weeks of 2024 have seen continued activity on the state comprehensive privacy law front. Since our last update, at least 11 new comprehensive privacy bills have been proposed. In particular, Georgia, Hawaii, Illinois, Maryland, Nebraska, Pennsylvania, Vermont, and West Virginia have entered the fray with new bills, while yet another bill was proposed in the Kentucky legislature (in addition to the two covered in our previous update). This makes at least 10 states that have thus far introduced new comprehensive privacy legislation in 2024. Some of these bills, as well as various carryover proposals from the 2023 legislative session, have already begun to advance through the legislative process via hearings, work sessions, and committee approvals. Finally, New Hampshire’s comprehensive privacy law continues to move towards formal enactment, with the House and Senate enrolling the amended version passed by the House and thus setting the bill up for signature by the governor.
NEW PROPOSALS
Since our last update, at least 11 comprehensive privacy bills have been proposed across 9 state legislatures (Georgia, Hawaii, Illinois, Kentucky, Maryland, Nebraska, Pennsylvania, Vermont, and West Virginia), with Illinois and West Virginia introducing two bills each.
Notably, several of these bills have already begun to move forward in the legislative process. Specifically, Kentucky HB 15 and West Virginia HB 5338 have already received committee approvals, while proposals in Maryland (SB 541/HB 567) and Nebraska (LB 1294) have been the subject of committee hearings.
Most of the proposed bills constitute relatively standard comprehensive privacy law proposals, generally adhering to the framework seen in the non-California comprehensive privacy laws enacted to date (this includes Kentucky HB 15, which, as noted above, has already received a committee approval). However, a few features of these bills are worth noting:
- CCPA/CPRA Imitation Bills: Two of the proposed bills are notable for taking heavy inspiration from the California model.
  - Illinois’s Privacy Rights Act (SB 3517) is modeled on the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA). For instance, this bill mirrors some of the CCPA/CPRA’s key definitions (e.g., personal information, sensitive personal information, “sharing” of personal information) and consumer data rights, and would create a Privacy Protection Agency with a mission and scope of authority similar to that of the California Privacy Protection Agency (CPPA).
  - West Virginia’s HB 5112 is similarly CCPA/CPRA-inspired, though it does not go so far as to create a CPPA-style privacy regulator.
  - Both bills also include versions of the CCPA/CPRA’s limited private right of action for victims of personal information security breaches.
- Affirmative Defenses: The Georgia Consumer Privacy Protection Act (SB 473) is notable for creating an affirmative defense to enforcement claims under the Act for entities that comply with a privacy policy that conforms to the NIST privacy framework (A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0) or an equivalent framework.
  - West Virginia’s HB 5338 includes a more limited affirmative defense for actions related to data breaches, providing a safe harbor for businesses that implement cybersecurity programs in conformance with various industry standards, such as those promulgated by NIST, FedRAMP, CIS, ISO/IEC, and CMMC.
- Limitation on Use of Personal Data for Advertising: In what would likely be a highly disruptive development for the adtech industry, the Maryland Online Data Privacy Act (SB 541/HB 567) includes a provision that would prohibit the collection of personal data “for the sole purpose of content personalization or marketing” without consumer consent, except where the processing is “strictly necessary” for the provision of the specific product or service requested by the consumer.
In the following sections, we provide summaries of each of the 11 bills noted above.
Georgia
1. Bill Title: Georgia Consumer Privacy Protection Act (SB 473)
2. Date of Introduction: February 8, 2024
3. Current Status: As of February 18, SB 473 had been referred to the Senate Science and Technology Committee (2/9/24).
4. Key Provisions:
- Applies to entities that conduct business in Georgia, exceed $25 million in revenue and either (1) control or process personal information of at least 25,000 Georgia residents and derive more than 50% of gross revenue from sale of personal information; or (2) control or process personal information of at least 175,000 Georgia residents.
- Exempts various entities and information types, including: state and local government entities; financial institutions or data subject to the GLBA; insurance companies; covered entities, business associates, and protected health information governed by HIPAA; nonprofit entities; institutions of higher education; information governed by FCRA, the Driver’s Privacy Protection Act (DPPA), FERPA, and the Farm Credit Act; and certain employment-related information.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
- Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
- Defines “sale of personal information” to include exchanges of personal information “for monetary or other valuable consideration.”
- Creates rights for consumers, including: the right to confirm whether a controller is processing a consumer’s personal information; the right to access said personal information; the right to correct inaccurate personal information; the right to delete personal information; the right to data portability; and the right to opt-out of the processing of personal information for purposes of sale of personal information, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Prohibits controllers from processing sensitive data without a consumer’s consent.
- Requires that controllers provide consumers with a privacy notice that includes: categories of personal information processed; purposes for said processing; description of how consumers may exercise their data rights; categories of personal information the controller sells to third parties; and categories of third parties to which controller sells personal information.
- If controller sells personal information or processes personal information for purposes of targeted advertising, it must “clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.”
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that controllers conduct data protection assessments for processing activities involving targeted advertising, sale of personal information, certain types of profiling, the processing of sensitive data, and other processing posing a “heightened risk of harm to consumers.”
- Does not create a private right of action; rather, grants exclusive enforcement authority to the Georgia AG.
- Requires that the AG provide entities with a 60-day cure period before initiating an enforcement action.
- State AG may seek civil penalties of up to $7,500 per violation, with treble damages available for knowing or willful violations.
- Creates an affirmative defense for entities that comply with a privacy policy that conforms to the NIST privacy framework (“A Tool for Improving Privacy through Enterprise Risk Management Version 1.0”) or an equivalent framework.
Hawaii
1. Bill Title: Hawaii Consumer Data Protection Act (SB 3018)
2. Date of Introduction: January 24, 2024
3. Current Status: As of February 18, SB 3018 had been referred to the Senate Commerce and Consumer Protection Committee (1/26/24).
4. Key Provisions:
- Applies to entities that conduct business in Hawaii or target products or services to Hawaii residents and during a calendar year: 1) Control or process personal data of at least 100,000 consumers; or 2) Control or process personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data.
- Exempts various entities and information types, including: government entities; nonprofit organizations; institutions of higher education; the National Crime Bureau; covered entities, business associates, and protected health information governed by HIPAA; financial institutions and data subject to the GLBA; information governed by FCRA; personal data governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; personal data governed by the Farm Credit Act; and certain employment-related information.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
- Exempts individuals acting “[i]n a commercial or employment context.”
- Creates rights for consumers, including: the right to confirm whether a controller is processing the consumer’s personal data; the right to access that personal data; the right to correct inaccurate data; the right to delete personal data; the right to data portability; and the right to opt-out of targeted advertising, the sale of personal data, or profiling in furtherance of decisions made by the controller that result in the provision or denial by the controller of financial and lending services; housing; insurance; education enrollment; criminal justice; employment opportunities; health care services; or access to basic necessities, including food and water.
- Requires controllers to recognize requests to opt-out of sale or sharing of personal data conveyed through various methods including global privacy controls (also known as opt-out preference signals).
- Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed; purposes for processing; method for exercising consumer data rights; specific categories of personal data shared with or sold to third parties; categories of third parties with whom personal data is shared or sold (including location where the third party retains the data, length of time the third party retains the data, and uses of the data by the third party); and controller’s active email address or other online mechanism to contact controller.
- Additionally, if controller processes personal data for purposes of targeted advertising or sale to third parties, that processing must be “conspicuously disclose[d].”
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that controllers conduct data protection assessments for processing activities that involve processing of personal data for purposes of targeted advertising, sale of personal data, and certain types of profiling.
- Does not create a private right of action; rather, grants exclusive enforcement authority to the Department of the Attorney General. The department shall also be granted rulemaking authority.
- Requires that the Department of the Attorney General provide entities with a thirty-day cure period before initiating an enforcement action.
- In enforcement action, the Department of the Attorney General may obtain damages of up to $7,500 per violation.
- Establishes a consumer privacy special fund into which money obtained through enforcement actions shall be deposited.
- Would take effect on July 1, 2024.
Illinois (SB 3517)
1. Bill Title: Privacy Rights Act (SB 3517)
2. Date of Introduction: February 9, 2024
3. Current Status: As of February 18, SB 3517 had been referred to the Senate Assignments Committee (2/9/24).
4. Key Provisions:
- Applies to businesses that do business in Illinois and satisfy at least one of the following thresholds: (1) exceed $25 million in annual gross revenue; (2) annually buy, sell, or share personal information of at least 100,000 Illinois residents; or (3) derive 50% or more of annual revenues from selling or sharing personal information.
- Exempts various entities and information types, including: protected health information and covered entities governed by HIPAA; personal information governed by the GLBA; personal information governed by the Farm Credit Act; personal information governed by the DPPA; certain employment-related information; and certain commercial information.
- Defines “sale” to include exchanges of personal information “for monetary or other valuable consideration.”
- Provides CCPA/CPRA-style definitions for “personal information,” “sensitive personal information,” and “sharing” (defining the latter to refer to disclosures of personal information to third parties for purposes of cross-context behavioral advertising).
- Requires that businesses provide a notice at collection to consumers that informs consumers of: categories of personal information to be collected; purposes for such collection; whether said personal information will be sold or shared; categories of sensitive personal information to be collected and purposes for such collection; and length of time for which business intends to retain each category of personal information.
- Requires businesses that sell, share, or disclose personal information to a third party, service provider, or contractor to enter into a data processing agreement with that entity.
- Creates CCPA/CPRA-style rights for consumers, including: the right to delete personal information; the right to correct inaccurate personal information; the right to know what personal information a business is collecting and to access that personal information; the right to know what personal information a business is selling or sharing; the right to opt-out of the sale or sharing of personal information; and the right to limit the use and disclosure of sensitive personal information.
- Requires that businesses provide consumers with a privacy notice that contains: a description of the consumer’s data rights and how they may be exercised; categories of personal information collected; categories of sources from which this personal information is collected; business or commercial purposes for collecting, selling, or sharing personal information; categories of third parties to which personal information is disclosed; and categories of personal information sold, shared, or disclosed for a business purpose.
- Requires that businesses that sell or share personal information or disclose sensitive personal information for specified purposes provide “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links on their homepages (or a single combined link).
- The bill provides an exception to this requirement for businesses that allow consumers to exercise these rights via opt-out preference signal.
- Requires businesses to comply with opt-out requests conveyed via opt-out preference signals.
- Creates a private right of action for consumers impacted by personal information security breaches, allowing those consumers to seek the greater of actual damages or between $100 and $750 per consumer per incident.
- This private right of action applies only to personal information security breaches.
- Establishes a Privacy Protection Agency possessing enforcement and rulemaking authority.
- Creates civil penalties of up to $2,500 per violation (for most violations) or $7,500 per violation (for intentional violations or violations involving consumers under the age of 16).
- The Agency may seek similar amounts via administrative fines.
- Creates a Consumer Privacy Fund into which administrative fines and settlement money will be deposited.
- Grants the AG and Agency rulemaking authority and identifies a range of topics on which rules are to be promulgated.
Illinois (HB 5581)
1. Bill Title: Illinois Privacy Rights Act (HB 5581)
2. Date of Introduction: February 9, 2024
3. Current Status: As of February 18, HB 5581 had been referred to the Rules Committee (2/9/24).
4. Key Provisions:
- Applies to entities that conduct business in Illinois or target products or services to Illinois residents and during a one-year period: a) Control or process personal data of not less than 35,000 consumers excluding personal data processed only for the purpose of completing a transaction; or b) Control or process personal data of not less than 10,000 consumers and derive over 25% of gross revenue from the sale of personal data.
- Exempts various entities and information types, including: government entities or political subdivisions of the state; nonprofit organizations; institutions of higher education; national securities associations under the Security Exchange Act; financial institutions and data subject to the GLBA; covered entities, business associates, and protected health information governed by HIPAA; information governed by FCRA; personal data governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; personal data governed by the Farm Credit Act; certain employment-related information; personal information collected under the Airline Deregulation Act; and personal information maintained or used for compliance with the federal Controlled Substances Act.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
- Defines “sale” to include exchanges of personal information “for monetary or other valuable consideration.”
- Creates rights for consumers, including: the right to confirm whether a controller is processing the consumer’s personal data; the right to access that personal data; the right to correct inaccurate data; the right to delete personal data; the right to data portability; and the right to opt-out of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
- Requires controllers to recognize requests to opt-out of processing of personal data conveyed through various methods including global privacy controls (also known as opt-out preference signals).
- Prohibits controllers from processing children’s (between the ages of 13 and 16) personal information for purposes of targeted advertising or sale of personal information without consumer consent.
- Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed; purposes for processing; method for exercising consumer data rights; specific categories of personal data shared with or sold to third parties; categories of third parties with whom personal data is shared; and controller’s active email address or other online mechanism to contact controller.
- Additionally, if controller processes personal data for purposes of targeted advertising or sale to third parties, that processing must be “conspicuously disclose[d].”
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that controllers conduct data protection assessments for high-risk data processing activities, including processing of personal data for purposes of targeted advertising, sale of personal data, and specified types of profiling, as well as the processing of sensitive data.
- Does not create a private right of action; rather, grants exclusive enforcement authority to the Illinois Attorney General. A violation of this act will constitute an unfair or deceptive practice under the state Fraud and Deceptive Business Practices Act.
- Requires the AG to provide an entity with a 60-day cure period before initiating an enforcement action, but sunsets that provision on December 31, 2025. After expiration of this clause, the cure period becomes discretionary based on several specified factors.
- Would take effect on January 1, 2025.
Kentucky
1. Bill Title: HB 15
2. Date of Introduction: February 2, 2024
3. Current Status: As of February 18, HB 15 had been approved by the House Small Business and Information Technology Committee (2/14/24).
4. Key Provisions:
- Applies to persons that conduct business in Kentucky or target products or services to Kentucky residents and during a calendar year control or process personal data of at least: (a) 100,000 consumers; or (b) 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
- Exempts various entities and information types, including: government entities or political subdivisions of the state; financial institutions and data subject to the GLBA; covered entities, business associates, and protected health information governed by HIPAA; nonprofit organizations; institutions of higher education; information governed by FCRA; personal data governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; personal data governed by the Farm Credit Act; and certain employment-related information.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
- Defines “sale” to include exchanges of personal information “for monetary consideration.”
- Creates rights for consumers, including: the right to confirm whether a controller is processing the consumer’s personal data; the right to access that personal data; the right to correct inaccurate data; the right to delete personal data; the right to data portability; and the right to opt-out of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Prohibits the processing of sensitive data concerning a consumer without obtaining the consumer’s consent.
- Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed; purposes for processing; the methods that a consumer may use to exercise their rights; specific categories of personal data shared with third parties; and categories of third parties with whom personal data is shared.
- Additionally, if controller processes personal data for purposes of targeted advertising or sale to third parties, that processing must be “conspicuously disclose[d].”
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Does not create a private right of action; rather, grants exclusive enforcement authority to the Kentucky Attorney General.
- Requires the AG to provide an entity with a 30-day cure period before initiating an enforcement action. The state AG may seek civil penalties of up to $7,500 for each continued violation.
- Establishes a consumer privacy special fund into which money obtained through enforcement actions shall be deposited.
- Would take effect on January 1, 2026.
Maryland
1. Bill Title: Maryland Online Data Privacy Act of 2024 (SB 541/HB 567)
2. Date of Introduction: January 24, 2024
3. Current Status: As of February 18, the House Economic Matters Committee held a hearing on HB 567 on February 13 and the Senate Finance Committee held a hearing on SB 541 on February 14.
4. Key Provisions:
- Applies to persons that conduct business in Maryland or target Maryland residents for services or products and either (1) controlled or processed the personal data of at least 35,000 consumers or (2) controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data in the immediately preceding calendar year.
- Exempts various entities and information types, including: government entities or political subdivisions of the state; financial institutions and data subject to the GLBA; registered securities or futures associations; HIPAA PHI; personal information subject to the Fair Credit Reporting Act; personal data governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; personal data governed by the Farm Credit Act; certain employment-related information; and personal data subject to the Airline Deregulation Act.
- Defines “child” in the same way as the Children’s Online Privacy Protection Act (COPPA): an individual under the age of 13. Compliance with the COPPA consent requirements also fulfills the parental consent requirements for this statute.
- The Act also prohibits controllers from processing a consumer’s personal data for targeted advertising or selling personal data without consent “if the controller knew or should have known that the consumer is at least 13 years old and under the age of 18 years.”
- Prohibits some activities related to consumer health data, using language similar to that in Washington’s My Health My Data Act, such as: prohibiting the use of a geofence for consumer health reasons or in proximity to a mental health facility or reproductive health facility, and prohibiting the selling of consumer health data without consent.
- Creates rights for consumers, including the rights to access, correct, and delete data. It also grants the right to obtain a list of third parties who have received the consumer’s personal data from the controller and the right to opt out of processing of personal data for targeted advertising, sale of personal data, or profiling.
- Prohibits a controller from (1) collecting personal data “for the sole purpose of content personalization or marketing” without consumer consent, except where the processing is “strictly necessary” for the provision of the specific product or service requested by the consumer and (2) selling sensitive data, where “sale of personal data” includes “the exchange of personal data by a controller to a third party for monetary or other valuable consideration” (subject to exceptions).
- Requires that controllers provide an easy mechanism for consumers to revoke their consent and a “reasonably accessible [and] clear” privacy notice that includes elements stipulated in the Act, including: categories of personal data processed; purposes for said processing; description of how a consumer may exercise their data rights; categories of third parties with which the controller shares personal data; categories of personal data shared with third parties; and email address or online mechanism for contacting the controller.
- Additionally, controller must “conspicuously disclose” its processing of personal data for purposes of sale, targeted advertising, or profiling.
- States that controllers “may” allow consumers to opt-out of processing for purposes of sale of personal data or targeted advertising via opt-out preference signal “[o]n or before October 1, 2025.”
- It is unclear whether the permissive “may” language is a drafting error.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller and requiring a duty of confidentiality with respect to the personal data on all processors.
- Requires a controller to regularly conduct a data protection assessment for each “processing activit[y] that present[s] a heightened risk of harm to a consumer” (which is a term defined in the relevant section of the Act).
- Any violation of the Act constitutes an “unfair, abusive, or deceptive trade practice” within the meaning of Maryland’s Consumer Protection Act and falls under the enforcement authority of the Maryland Division of Consumer Protection and Attorney General.
- Notably, this Act is excluded from the Consumer Protection Act’s private right of action.
- Would take effect on October 1, 2024.
Nebraska
1. Bill Title: Data Privacy Act (LB 1294)
2. Date of Introduction: January 16, 2024
3. Current Status: As of February 18, the Banking, Commerce and Insurance Committee had held a hearing on LB 1294 on January 30.
4. Key Provisions:
- Applies to entities that (1) conduct business in Nebraska or target products or services to Nebraska residents and (2) process or sell personal data.
- Exempts various entities and data types, including: small businesses; state agencies; financial institutions and data subject to the GLBA; covered entities, business associates, and information governed by HIPAA; nonprofit organizations; institutions of higher education; specified utilities providers; information governed by FCRA, the DPPA, FERPA, and the Farm Credit Act; and certain employment-related data.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
- Though small businesses are generally exempted from the Act’s requirements, they are prohibited from selling sensitive personal data without consumer consent.
- Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
- Defines “sale” to include exchanges of personal data “for monetary or other valuable consideration.”
- Creates rights for consumers, including: the right to confirm whether a controller is processing a consumer’s personal data and to access that data; the right to correct inaccurate personal data; the right to delete personal data; the right to data portability; and the right to opt-out of the processing of personal data for purposes of targeted advertising, sale, or profiling “in furtherance of a decision that produces a legal or similarly significant effect.”
- Allows consumers to exercise their right to opt-out of the processing of their personal data for purposes of targeted advertising and sale via opt-out preference signals.
- Controllers are generally required to recognize opt-out preference signals, but the Act includes an exemption if the controller “does not possess the ability to process the request.”
- Prohibits controllers from processing sensitive data without obtaining a consumer’s consent.
- Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed by the controller; purposes for such processing; description of how a consumer may exercise their data rights; categories of personal data that the controller shares with a third party; and categories of third parties with which personal data is shared.
- The Act also requires explicit notices if the controller sells sensitive data or biometric data (e.g., “NOTICE: We may sell your sensitive personal data”).
- If the controller sells personal data or processes personal data for purposes of targeted advertising, it must “clearly and conspicuously disclose that process[ing] and the manner in which a consumer may exercise the right to opt out of that process[ing].”
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that controllers conduct data protection assessments for high-risk data processing activities, including processing of personal data for purposes of targeted advertising, sale of personal data, and specified types of profiling, as well as the processing of sensitive data.
- Does not create a private right of action; rather, grants exclusive enforcement authority to the Nebraska AG.
- Requires that the Nebraska AG provide entities with a 30-day cure period before initiating an enforcement action.
- Creates civil penalties of up to $7,500 per violation.
- Would take effect on January 1, 2025.
Pennsylvania
1. Bill Title: Consumer Data Privacy Act (HB 1947)
2. Date of Introduction: January 9, 2024
3. Current Status: As of February 18, HB 1947 had been referred to the House Consumer Protection, Technology, and Utilities Committee (1/9/24).
4. Key Provisions:
- Applies to a business that does business in Pennsylvania and satisfies one or more of the following thresholds: (i) has annual gross revenues in excess of $25 million; (ii) alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes the personal information of 100,000 or more consumers; or (iii) derives 50% or more of annual revenues from selling consumers' personal information.
- Exempts individuals acting “[i]n a commercial or employment context.”
- Defines “sale” to include “exchange of personal information for monetary or other valuable consideration.”
- Creates rights for consumers, including: the right to know whether a controller is processing the consumer’s personal data and whether the consumer’s personal data is being processed for the purpose of targeted advertising or the sale of personal information; the right to access said information; the right to opt-out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer; the right to correct inaccurate personal information; and the right to delete personal information.
- Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed; the categories of sources from which such information is collected; purposes for processing; the categories of personal information a business shares with third parties; the specific pieces of personal information collected; method for exercising consumer data rights; and if the business sells information to a third party or processes personal information for targeted advertising, the sale or processing and the manner in which a consumer may exercise the consumer's right to opt out of the sale or processing.
- Prohibits controllers from processing children’s (under age 16) personal information for purposes of targeted advertising or sale of personal information, subject to certain consent-based exceptions.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- A business will be deemed in violation of this act if the business fails to cure an alleged violation within 60 days of being notified of said noncompliance.
- A violation of this act will constitute a violation of the Pennsylvania Unfair Trade Practices and Consumer Protection Law. A violation may result in civil penalties not more than $2,500 for each unintentional violation and not more than $7,500 for each intentional violation.
- Grants the Pennsylvania Attorney General rulemaking authority.
- Would take effect “in one year” (likely one year after enactment).
Vermont
1. Bill Title: Vermont Data Privacy Act (S. 269)
2. Date of Introduction: January 17, 2024
3. Current Status: As of February 18, S. 269 had been referred to the Senate Committee on Economic Development, Housing and General Affairs (1/17/24).
4. Key Provisions:
- Applies to persons that conduct business in Vermont or target Vermont residents for services or products and either (1) controlled or processed the personal data of at least 100,000 consumers or (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data in the preceding calendar year.
- Exempts various entities and information types, including: financial institutions and data subject to the GLBA; entities and data subject to HIPAA; personal information subject to the Fair Credit Reporting Act; personal data governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; personal data governed by the Farm Credit Act; certain employment-related information; and personal data subject to the Airline Deregulation Act.
- Defines “child” as the same as in the Children’s Online Privacy Protection Act (COPPA): an individual under the age of 13. Compliance with the COPPA consent requirements also fulfills the parental consent requirements for this statute.
- The Act also prohibits controllers from processing the consumer’s personal data for targeted advertising or selling personal data without consent “where a controller has actual knowledge, and willfully disregards” that the consumer is 13 to 15 years old, inclusive.
- Creates rights for consumers, including the rights to access, correct, and delete data. It also grants the right to data portability “to the extent technically feasible” and the right to opt out of processing of personal data for targeted advertising, sale of personal data, or profiling.
- Requires that controllers provide an easy mechanism for consumers to revoke their consent and provide a “reasonably accessible [and] clear” privacy notice that includes elements stipulated in the Act, including: categories of personal data processed; purposes for said processing; description of how consumers may exercise their data rights; categories of personal data that controller shares with third parties; categories of third parties with which personal data is shared; and an email address or online mechanism for contacting the controller.
- Additionally, a controller must “clearly and conspicuously disclose” processing of personal data for purposes of sale or targeted advertising.
- Requires that controllers recognize global opt-out preference signals by January 1, 2026.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller and requiring a duty of confidentiality with respect to the personal data on all processors.
- Requires a controller to conduct and document a data protection assessment for each of its “processing activities that presents a heightened risk of harm to a consumer,” which is a term defined in the relevant section of the Act and includes the processing of personal data for targeted advertising, the sale of personal data, and the processing of sensitive data. This requirement would apply to processing activities created or generated after July 1, 2024 and would not be retroactive.
- Any violation of the Act constitutes an “unfair and deceptive act in commerce” within the meaning of Vermont’s consumer protection law and falls under the enforcement authority of the Attorney General. There is no private right of action.
- Creates a 60-day cure period before the Attorney General may initiate an enforcement action during the period of July 1, 2024 to December 31, 2025. After this period, the Attorney General will have the discretionary authority to decide whether to grant a controller or processor the opportunity to cure.
- Requires the Attorney General to submit an annual report to the Vermont General Assembly summarizing the office’s enforcement activity under the Act.
- The bill also contains sections governing data broker activity such as the notice process for breaches and responding to individual and general opt-outs.
West Virginia
1. Bill Title: HB 5112
2. Date of Introduction: January 25, 2024
3. Current Status: As of February 18, HB 5112 had been referred to the House Technology and Infrastructure Committee (1/25/24).
4. Key Provisions:
- Applies to businesses that, among other requirements, conduct business in West Virginia and satisfy at least one of the following thresholds: (1) have global annual gross revenues exceeding $25 million; (2) annually buy, receive, sell, or share personal information of 50,000 or more West Virginia residents; or (3) derive 50% or more of annual global revenues from selling or sharing personal information.
- Employs a definition of “personal information” that appears to be modeled on that used in the CCPA/CPRA (e.g., including categories for commercial information, “Internet or other electronic network activity information,” and “[p]rofessional or employment-related information”).
- Defines “sell” to include the disclosure of personal information “for monetary or other valuable consideration.”
- Defines “share” to mean “to share, rent, release, disclose, disseminate, make available, transfer, or access a consumer's personal information for advertising.”
- Requires that controllers provide consumers with a privacy notice that includes: all state-specific consumer privacy rights; categories of personal information the business collects about consumers; and categories of personal information that the business sells, shares, or discloses for a business purpose.
- Creates rights for consumers, including: the right to opt-out of the sale or sharing of personal information; the right to delete personal information; the right to correct inaccurate personal information; the right to know specified information about a business’s collection of personal data from a consumer (e.g., specific personal information collected; categories of personal information sold or shared; sources of said personal information; purposes for collection and sale; categories of third parties with which personal information is sold or shared); and the right to data portability.
- Requires businesses to post a “Do Not Sell or Share My Personal Information” link on their Internet homepages that allows a consumer to exercise their opt-out right.
- Requires that businesses provide and adhere to a retention schedule that calls for the deletion of personal information upon the earlier of (1) the satisfaction of the purpose for which the personal information was collected; (2) termination of the relevant contract under which the personal information was collected; or (3) one year after the consumer’s last interaction with the business.
- Imposes requirements on service providers, such as prohibiting service providers from using personal information for purposes other than those specified in their contract with a business.
- Creates a private right of action for individuals “whose nonencrypted and nonredacted personal information or e-mail address, in combination with a password or security question and answer that would allow access to the account” is compromised as the result of a business’s failure to implement reasonable security practices.
- Affected individuals may seek the greater of (1) between $100 and $750 per consumer per incident; or (2) actual damages.
- Authorizes the West Virginia Division of Consumer Protection to bring enforcement actions and seek civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation.
- Treble damages are available if the violation involves a consumer 16 years old or younger.
- Creates a 30-day cure period before the Division may initiate an enforcement action.
- Grants the Division rulemaking authority.
West Virginia
1. Bill Title: HB 5338 (Consumer Data Protection Act and provisions for Safe Harbor for Cybersecurity Programs)
2. Date of Introduction: January 29, 2024
3. Current Status: As of February 18, HB 5338 had been passed by the House Technology and Infrastructure Committee on January 29 and referred to House Finance Committee on February 2.
4. Key Provisions:
This proposed legislation contains sections that create a safe harbor for companies that experience a data breach in addition to a more typical comprehensive data privacy legal framework. The below summary of key provisions addresses both.
- Creates an affirmative defense, available in litigation following a data breach, for any business that creates and maintains a compliant cybersecurity program.
- A business may create such a compliant cybersecurity program by, among other things, conforming to the requirements of various NIST publications (such as the NIST Cybersecurity Framework, NIST Special Publication 800-53, and NIST Special Publication 800-171), as well as the FedRAMP, CIS, ISO/IEC 27000, and CMMC frameworks.
- Applies to persons that conduct business in West Virginia or target West Virginia residents for services or products and either (1) control or process the personal data of at least 100,000 consumers in a calendar year, (2) control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data, or (3) have annual gross revenues generated in West Virginia which exceed $25,000,000.
- Exempts various entities and information types, including: government entities or political subdivisions of the state; financial institutions and data subject to the GLBA; covered entities, business associates, and PHI subject to HIPAA; nonprofits; higher education institutions; personal information subject to the Fair Credit Reporting Act; personal data governed by the Driver’s Privacy Protection Act; personal data regulated by FERPA; personal data governed by the Farm Credit Act; and certain employment-related information.
- Stipulates that controllers and processors that are compliant with COPPA verifiable parental consent requirements are deemed compliant under this Act as well.
- Creates rights for consumers, including the rights to access, correct, and delete data. It also grants the right to data portability “to the extent technically feasible” and the right to opt out of processing of personal data for targeted advertising, sale of personal data, or profiling.
- Requires consent for the processing of a consumer’s sensitive data.
- Requires controllers to provide a “reasonably accessible, clear, and meaningful” privacy notice that includes elements stipulated in the Act, including: categories of personal data processed; purposes for said processing; how a consumer may exercise their data rights; categories of personal data shared with third parties; and categories of third parties with whom the controller shares personal data.
- Additionally, a controller must “clearly and conspicuously disclose” its processing of personal data for purposes of sale or targeted advertising.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller and requiring a duty of confidentiality with respect to the personal data on all processors.
- Requires a controller to conduct and document a data protection assessment for each of the following processing activities using personal data: targeted advertising, sale of personal data, profiling where there is elevated risk of injury to the consumer, processing of sensitive data, and “any processing activities involving personal data that present a heightened risk of harm to consumers.” This requirement would apply to processing activities created or generated after January 1, 2024 and would not be retroactive.
- Creates a 30-day cure period where the Attorney General must provide a controller or processor written notice before initiating an enforcement action.
- Authorizes the Attorney General to enforce the Act and seek damages for a civil penalty up to $7,500 for each violation.
- Grants the Attorney General rulemaking authority and requires the AG to establish a process to support consumers seeking to utilize any personal data protections (e.g., facilitating requests for copies of personal data held by controllers and processors).
- Establishes the Consumer Privacy Fund on the books of the Comptroller to (1) receive all civil penalties collected from enforcement actions under the Act, and (2) support the Attorney General in enforcing the provisions of the Act.
- Would take effect on January 1, 2025.
UPDATES ON EXISTING PROPOSALS
The primary update on existing proposals concerns New Hampshire’s comprehensive privacy law (SB 255). On January 18, the Senate concurred in the amended version of the bill passed by the House, and the bill was enrolled by the House and Senate on February 16. This development sets the bill up to be transmitted to the New Hampshire governor for signature. You can read more about this bill’s key provisions here.
Elsewhere, we have seen activity on a series of carryover bills from the 2023 legislative session. Specifically, Wisconsin AB 466/SB 642 and the New York Privacy Act (S. 365) were approved by committees, while proposals in Minnesota, Maine, Vermont, and Massachusetts have been the subject of legislative hearings and work sessions.
Committee Approvals
- The Wisconsin Senate Committee on Shared Revenue, Elections and Consumer Protection approved AB 466/SB 642 on February 15.
- AB 466 was passed by the Assembly in November 2023.
- The New York Privacy Act (S. 365) was approved by the Senate Consumer Protection Committee on February 6 and committed to the Internet and Technology Committee.
Hearings and Work Sessions
- The Minnesota House Commerce Finance and Policy Committee held a hearing on the Minnesota Consumer Data Privacy Act (HF 2309) on February 21.
- The Maine legislature has held a series of work sessions on two competing comprehensive privacy law proposals (LD 1977 and LD 1973), most recently on February 14 and February 5.
- The Vermont House Committee on Commerce and Economic Development held a hearing on Vermont H. 121 on February 13.
- The Massachusetts Joint Committee on Advanced Information Technology, the Internet and Cybersecurity held a written-testimony hearing on the Massachusetts Information Privacy and Security Act (S. 227) on February 2.