As California Attorney General Xavier Becerra advises consumers of all their new rights under the California Consumer Privacy Act (CCPA), multiple states are introducing their own privacy acts, some of which are remarkably similar to the CCPA. The most-watched privacy legislation is perhaps in Washington State, described below, which very nearly passed its Privacy Act last year.
At the other end of the spectrum, a House Concurrent Resolution was introduced in Arizona declaring:
- “That the Members of the Legislature oppose the enactment of laws, the adoption of regulations or the imposition of out-of-state standards that would restrict or otherwise dictate standards related to consumer data privacy, absent a clear nexus with consumer harm.
- That the Members of the Legislature believe a single federal standard for comprehensive consumer data privacy regulation is preferable to a state-by-state approach.”
Florida HB 963 (SB 1670)
HB 963 (SB 1670) is an online privacy act that applies to an “operator” defined as a person who:
- Owns or operates a website or online service for commercial purposes.
- Collects and maintains covered information from consumers who reside in Florida and use or visit the website or online service.
- Purposefully directs activities toward Florida or purposefully executes a transaction or engages in any activity with Florida or a resident thereof.
The substantive provisions do not apply to:
- Operators located in Florida;
- Operators with revenue primarily from a source other than the sale or lease of goods, services, or credit on websites or online services; or
- Operators whose websites or online services have fewer than 20,000 unique visitors per year.
The legislation would exclude, among others, entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), certain manufacturers or servicers of motor vehicles, and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). Note that this GLBA exemption is broader than the CCPA's, which only excludes “personal information collected, processed, sold, or disclosed pursuant to the [GLBA]” rather than the institution as a whole.
Operators must provide notice to Florida consumers that includes a description of:
- Categories of covered information collected;
- Categories of third parties with whom covered information is shared;
- Process to review and request changes to covered information;
- Whether a third party may collect covered information over time and across websites; and
- Effective date of the notice.
Operators are required to provide an email address, toll-free telephone number, or website for submission of verified requests not to sell information.
The legislation does not provide for a private right of action, and the Florida attorney general is tasked with rulemaking and enforcement via injunction and/or a civil penalty of $5,000 per violation. Operators have a 30-day period to cure violations.
Illinois SB 2330
SB 2330 is the “Data Transparency and Privacy Act” and is akin to the CCPA, requiring similar notices and providing similar exemptions with respect to the GLBA, HIPAA and FCRA.
The legislation applies to a “business” that “does business” in Illinois and:
- Collects or discloses the personal information of 50,000 or more “persons, Illinois households, or the combination thereof”; or
- Derives 50% or more of its annual revenue from the sale of consumers’ personal information.
Note that “consumer” is defined as a person residing in Illinois, but the first standard above applies to “persons,” which is undefined and could be interpreted to mean 50,000 persons wherever located. The legislation does not have a dollar threshold like the CCPA ($25M annual gross revenue).
Businesses must conduct risk assessments of “processing activities involving personal information” and make them available to the attorney general upon request.
Enforcement would be carried out by the Illinois attorney general under the Illinois Consumer Fraud and Deceptive Business Practices Act. Like the CCPA, the private right of action exists only for a breach that is the “result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices. . .” There is no opportunity to cure a violation.
Nebraska LB 746
LB 746 is the “Nebraska Consumer Data Privacy Act” and is also very similar to the CCPA. It applies to a “business” that “does business” in Nebraska and:
- Has annual gross revenue over $10M;
- Buys, receives, sells or shares personal information of 50,000 or more consumers; or
- Derives 50% or more of its revenue from selling consumers’ personal information.
The legislation differs from the CCPA in that it excludes financial institutions subject to the GLBA rather than just personal information collected, processed, sold, or disclosed pursuant to the GLBA. Additionally, there is no private right of action and no opportunity to cure a violation.
The attorney general may adopt rules and impose a civil penalty up to $7,500 per violation.
New Hampshire HB 1680
HB 1680 is virtually identical to the CCPA.
South Carolina H 4812
H 4812 is titled “South Carolina Biometric Data Privacy Act” and applies to a business that is “authorized to conduct business in and operating within this State.”
A business must provide a consumer a notice at collection, and no biometric information may be collected without the consumer’s consent. The legislation provides consumers the right to know, access and delete biometric information and to opt-out of its sale. Any business that collects biometric data must post a “Do Not Sell My Biometric Information” link on its website.
The legislation requires that in the event of a breach of “business data,” a term it does not define, all consumers must be notified within 72 hours or the business faces a fine of $5,000 per consumer. It sets no other parameters (such as a risk-of-harm threshold or content requirements for the notice), and in several respects appears inconsistent with the state’s existing data breach notification law, though the legislation “may not be construed to limit the penalties” under that existing law.
The legislation provides a private right of action with damages of $1,000 or actual damages for a negligent violation, $10,000 or actual damages for an intentional or reckless violation, plus attorney’s fees and costs.
Virginia HB 473
HB 473 is the Virginia Privacy Act and applies to any entity that “conducts business” in Virginia or “produces products or services that are intentionally targeted to residents of [Virginia]” and:
- “Controls or processes personal data of not fewer than 100,000 consumers; or
- Derives over 50 percent of gross revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers.”
The legislation includes the right to know, access, correct and delete personal data, and a right to opt out of its sale.
A controller must conduct a risk assessment of its processing activities and provide it to the attorney general upon request.
The legislation includes a 30-day right to cure, and violations may be enforced under the Virginia Consumer Protection Act which includes a private right of action and enforcement by the attorney general.
Washington SB 6281
SB 6281 was introduced Jan. 14, and the first public hearing was the next day. As stated by the sponsor, Sen. Reuven Carlyle, Chair of the Environment, Energy & Technology Committee: “The policy goal is that we try to take the best of the two global standards, the European standard and the State of California, and customize it to Washington State in a responsible way.”
Indeed, the legislation contains many CCPA-like requirements but also focuses on the roles and responsibilities of “controllers” and “processors” like the GDPR. Several industry representatives who testified at the public hearing indicated their eagerness for the legislation to become the national model rather than the CCPA.
The legislation “applies to legal entities that conduct business in Washington or produce products or services that are targeted to residents of Washington, and that satisfy one or more of the following thresholds:
- Controls or processes personal data of one hundred thousand consumers or more; or
- Derives over fifty percent of gross revenue from the sale of personal data and processes or controls personal data of twenty-five thousand consumers or more.”
For the most part, the Act excludes from its provisions the same information and entities as the CCPA.
The legislation gives consumers the right to access, correct, delete and receive their personal data as well as to opt-out of its sale. Controllers can require “authentication” of the consumer’s identity before complying with consumer requests with the exception, oddly, of a request to opt-out of the sale of information.
If a consumer request is denied, the controller must inform the consumer of her or his right to appeal the decision to the controller. Additionally, “the controller must clearly and prominently ask the consumer whether the consumer consents to having the controller submit the appeal, along with any action taken or not taken by the controller in response to the appeal and the controller’s written explanation of the reasons in support thereof, to the attorney general.”
Controllers must conduct data protection assessments which must be provided to the attorney general if requested in relation to an investigation.
The Act does not provide for any private right of action. Enforcement is vested with the attorney general and a violation may result in an injunction or a civil penalty up to $7,500 per violation.
West Virginia SB 260
SB 260 applies to retail establishments and provides that consumers’ identification cards may only be scanned for specific purposes and the information may not be sold.