On the heels of the EU’s General Data Protection Regulation (GDPR) going into effect in 2018, and passage of the California Consumer Privacy Act of 2018 (CCPA), 2019 proved to be a banner year for introduction of state consumer data privacy legislation. Approximately 149 bills were introduced and 17 were enacted, and numerous states pressed forward with additional privacy legislation in 2020.
Consumer Data Privacy Legislation in General
The year 2020 was a carryover year for a number of state legislatures, meaning that some legislation introduced in 2019 could continue to be in play. Additionally, new legislation was introduced in many states, including Arizona, California, Connecticut, Florida, Hawaii, Idaho, Illinois, Louisiana, Maryland, Michigan, Minnesota, Missouri, Mississippi, Nebraska, New Hampshire, New Jersey, New York, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, Wisconsin and West Virginia. This brought the total number of active bills in 2020 to almost 200, as follows:
The legislation addressed a variety of issues, from restrictions on the use of genetic, biometric and geolocation data to comprehensive data privacy regimes like the CCPA or GDPR. Of these, Michigan passed SB 172 relating to privacy policies provided by licensed insurers, and Virginia passed SB 101 relating to the use and retention of data scanned from driver’s licenses. California is discussed below.
Most of the legislation that proposed comprehensive protection followed the CCPA model, while a handful were a CCPA-GDPR hybrid. None of this legislation was enacted. Our chart (linked here) provides a comparison of some of these bills in terms of thresholds, protections, exemptions and penalties.
The CCPA has been amended a number of times since enactment, and 2020 was no exception. AB 713 conformed portions of the CCPA relating to deidentified patient data to the requirements of the Health Insurance Portability and Accountability Act Privacy Rule. AB 1281 extended the existing exclusions for personal information associated with business-to-business communications and for certain employment-related personal information to Jan. 1, 2023.
Additionally, the Office of the California Attorney General has been hard at work on CCPA regulations. The original proposed regulations were filed in October 2019, and proposed modifications were issued in February and March 2020. The “final” regulations became effective Aug. 14, and a third set of proposed modifications was issued in October and a fourth set in December.
The regulations are generally perceived as being quite helpful in untangling the CCPA’s hastily drafted requirements, and this level of rulemaking activity by the AG demonstrates a unique willingness to correct technical issues and to take action in response to public comments.
Finally, the California Privacy Rights Act (CPRA) was approved by voters in November and will substantially modify the CCPA effective Jan. 1, 2023. Among other things, the CPRA: introduces “sensitive data” and new requirements regarding its use; provides consumers the right to correct their personal information; requires some businesses to conduct annual risk assessments and audits; requires notification as to how long a business intends to retain categories of information; outlines contractual requirements for businesses, contractors, service providers and third parties; and creates the California Privacy Protection Agency.
With increased data breaches, security issues associated with working from home and concerns regarding COVID-19 tracing, consumers’ (and legislators’) interest in privacy laws is at an all-time high. That, combined with additional time to explore the pros and cons of existing privacy laws, suggests that not only will the upward trend of legislation continue, but there will be a greater percentage of enactments.