As we move closer to the end of many states’ legislative sessions, a number of comprehensive privacy law proposals continue to work their way through the legislative process. Since our last update, Nebraska became the sixteenth state to enact a comprehensive privacy law, with Governor Jim Pillen approving the Nebraska Data Privacy Act on April 17. Elsewhere, the Maryland Online Data Privacy Act remains under review by Governor Wes Moore, while bills in Vermont and Minnesota continue to work their way through the committee process. Finally, the Maine and Wisconsin legislative sessions adjourned, bringing a close to efforts to pass comprehensive privacy legislation in those states, at least for this year.
NEW PROPOSALS
Though the pace of new legislative proposals has slowed in the past several weeks, Louisiana nonetheless entered the fray in early April with a proposal that largely hews to the standard, non-California privacy law model.
Louisiana
1. Bill Title: Louisiana Consumer Privacy Act (HB 947)
2. Date of Introduction: April 2, 2024
3. Current Status: As of May 1, HB 947 had been referred to the House Commerce Committee on April 3.
4. Key Provisions:
- Applies to entities that do business in Louisiana or target products or services to Louisiana residents, have annual revenues of at least $25 million, and satisfy one of the following thresholds: (1) control or process the personal data of at least 100,000 Louisiana residents in a calendar year; or (2) derive over 50% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Louisiana residents.
- Exempts various entities and information types, including: government entities and government contractors; tribes; institutions of higher education; nonprofits; HIPAA covered entities, business associates, and protected health information; various types of information related to healthcare and medical research; information governed by FCRA; financial institutions and personal data governed by the GLBA; personal data governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; personal data governed by the Farm Credit Act; and certain employment-related information.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
- Exempts individuals “acting in an employment or commercial context” from its definition of “consumer.”
- Defines “sale” as the “exchange of personal data for monetary or other valuable consideration by a controller to a third party” (emphasis added).
- Creates rights for consumers, including the right to confirm whether a controller is processing a consumer’s personal data; the right to access personal data; the right to data portability; the right to correct inaccurate personal data; the right to delete personal data; and the right to opt out of the processing of personal data for purposes of targeted advertising or sale of personal data.
- Requires that a contract govern a processor’s execution of data processing activities on behalf of a controller.
- Requires that controllers provide consumers with a privacy notice that includes categories of personal data processed; purposes for such processing; description of how consumers may exercise their data rights; categories of personal data shared with third parties; and categories of third parties with which personal data is shared.
- If a controller sells personal data or engages in targeted advertising, it must “clearly and conspicuously disclose” to the consumer how the consumer may opt out of such processing.
- Requires that controllers provide consumers with “clear notice” and an opportunity to opt out before processing their sensitive data.
- Requires that controllers conduct data protection assessments before initiating any “processing that presents a heightened risk of harm to a consumer.”
  - Such processing includes processing for purposes of targeted advertising and certain types of profiling; sale of personal data; and processing of sensitive data.
- Does not create a private right of action; rather, grants exclusive enforcement authority to the state Attorney General (AG).
- Establishes a 30-day cure period for alleged violations of the Act.
- Authorizes the state AG to obtain actual damages, as well as civil fines of up to $7,500 per violation.
- Creates a “Consumer Privacy Account” into which funds collected through enforcement actions under the Act will be deposited.
- Would take effect on December 31, 2024.
UPDATES ON EXISTING PROPOSALS
As noted above, Nebraska Governor Jim Pillen signed the Nebraska Data Privacy Act into law on April 17. That bill was included in LB 1074, as part of a larger legislative package. The bill’s passage makes Nebraska the sixteenth state with a comprehensive privacy law. Maryland is likely to become the seventeenth state in the coming weeks. However, as of now, the Maryland Online Data Privacy Act (SB 541/HB 567) remains under review by Governor Wes Moore.
Elsewhere, Vermont H. 121 continues to advance towards its second chamber passage (though the Vermont legislative session adjourns on May 10), while the Minnesota Consumer Data Privacy Act — now incorporated into larger omnibus bills (HF 5295 and SF 5301) — continues to wind its way through the committee process.
Finally, the Maine and Wisconsin legislative sessions closed on April 17 and April 11, respectively, without passage of the comprehensive privacy bills that were under consideration, including two proposals (Maine LD 1977 and Wisconsin AB 466) that had passed a chamber.
Active Bills That Have Cleared Legislative Chamber
- Vermont H. 121, which passed the House on March 22, has received approvals from the Senate Appropriations Committee and Senate Economic Development, Housing and General Affairs Committee in the past week.
  - Additionally, the bill received a hearing before the Senate Committee on Health and Welfare on May 1.
- Pennsylvania HB 1201, which passed the House on March 18, was referred to the Senate Communications and Technology Committee on April 4.
Committee Approvals
- The Minnesota Consumer Data Privacy Act (HF 2309/SF 2915) has been incorporated into larger omnibus bills in both chambers (HF 5295 and SF 5301, respectively).
  - SF 5301 was approved by the Senate Commerce and Consumer Protection Committee on April 18 and referred to the Senate Finance Committee.
  - HF 5295 was approved by the House Commerce Finance and Policy Committee on April 24 and referred to the House Ways and Means Committee.
Committee Referrals
- After receiving a hearing before the House Cybersecurity, Data Analytics, and IT Committee on April 4, the Illinois Data Privacy and Protection Act (HB 3385) was re-referred to the Rules Committee on April 5.
Bill Deaths
- Maine’s legislative session closed on April 17 without passage of either the Maine Data Privacy and Protection Act (LD 1977) (which passed the House on the last day of the legislative session, but was rejected by the Senate) or the Maine Consumer Privacy Act (LD 1973/SP 807) (which was rejected by both the Senate and House).
- Wisconsin’s legislative session adjourned on April 11 without passage of AB 466, which had passed the Assembly in November 2023, or its companion bill SB 642.