Press "Enter" to skip to content

2020 Consumer Data Privacy Legislation Builds on 2019’s Momentum, But Few Enactments

USA flagOn the heels of the EU’s General Data Protection Regulation (GDPR) going into effect in 2018, and passage of the California Consumer Privacy Act of 2018 (CCPA), 2019 proved to be a banner year for introduction of state consumer data privacy legislation.  Approximately 149 bills were introduced and 17 were enacted, and numerous states pressed forward with additional privacy legislation in 2020.

Consumer Data Privacy Legislation in General

The year 2020 was a carryover year for a number of state legislatures, meaning that some legislation introduced in 2019 could continue to be in play.  Additionally, new legislation was introduced in many states, including Arizona, California, Connecticut, Florida, Hawaii, Idaho, Illinois, Louisiana, Maryland, Michigan, Minnesota, Missouri, Mississippi, Nebraska, New Hampshire, New Jersey, New York, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, Wisconsin and West Virginia.  This brought the total number of active bills in 2020 to almost 200, as follows:

The legislation addressed a variety of issues, from restrictions on the use of genetic, biometric and geolocation data to comprehensive data privacy regimes like the CCPA or GDPR.  Of these, Michigan passed SB 172 relating to privacy policies provided by licensed insurers, and Virginia passed SB 101 relating to the use and retention of data scanned from driver’s licenses.  California is discussed below.

CCPA/GDPR-Type Legislation

Most of the legislation that proposed comprehensive protection followed the CCPA model, while a handful were a CCPA-GDPR hybrid.  None of this legislation was enacted. Our chart (linked here) provides a comparison of some of these bills in terms of thresholds, protections, exemptions and penalties.


The CCPA has been amended a number of times since enactment, and 2020 was no exception.  AB 713 conformed portions of the CCPA relating to deidentified patient data to the requirements of the Health Insurance Portability and Accountability Act Privacy Rule.  AB 1281 extended the existing exclusions for personal information associated with business-to-business communications and for certain employment-related personal information to Jan. 1, 2023.

Additionally, the Office of the California Attorney General has been hard at work on CCPA regulations.  The original  proposed regulations were filed in October 2019, and proposed modifications were issued in February and March 2020.  The “final” regulations became effective Aug. 14, and a third set of proposed modifications were issued in October and a fourth set in December. 

The regulations are generally perceived as being quite helpful in untangling the CCPA’s hastily-drafted requirements, and this level of rulemaking activity by the AG demonstrates a unique willingness to correct technical issues and to take action in response to public comments.

Finally, the California Privacy Rights Act (CPRA) was approved by voters in November and will substantially modify the CCPA effective Jan. 1, 2023.  Among other things, the CPRA: introduces “sensitive data” and new requirements regarding its use; provides consumers the right to correct their personal information; requires some businesses to conduct annual risk assessments and audits; requires notification as to how long a business intends to retain categories of information; outlines contractual requirements for businesses, contractors, service providers and third parties; and, creates the California Privacy Protection Agency.


With increased data breaches, security issues associated with working from home and concerns regarding COVID-19 tracing, consumers’ (and legislators’) interest in privacy laws is at an all-time high.  That, combined with additional time to explore the pros and cons of existing privacy laws, suggests that not only will the upward trend of legislation continue, but there will be a greater percentage of enactments.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.