Press "Enter" to skip to content

State Privacy Legislation Update: What’s New and What’s Ahead

There are currently over 40 comprehensive consumer data privacy bills pending in the states as we enter the third month (for most states) of the legislative sessions.

Although the dread of the often-referenced “patchwork” of dissimilar state privacy laws still looms, the good news is that the majority of the bills are not moving, moving slowly, or dead.  Nevertheless, there are some that are working their way toward the finish line, and a few that appear to have come back from the dead, as explained below.

The following chart shows how various privacy legislation components included in 47 bills measure up:

2022 state privacy legislation

You can download a chart here that provides details about each of the 47 bills and their current legislative status.

WHAT WAS NEW IN FEBRUARY

Arizona HB 2790 was introduced Feb. 8, but apparently did not make it past the committee deadline of Feb. 18.

Florida HB 9 was amended by committee substitute and reported favorably out of the House Commerce Committee on Feb. 10, and out of the House Judiciary Committee on Feb. 23.

Indiana SB 358 was amended in the Senate, passed, and voted favorably out of the House committee on Feb. 17. Notably, the amendment removed the private right of action contained in the original version.

Iowa House Study Bill 674 passed in committee and was refiled on Feb. 23, as HF 2506 and SF 2208.

Massachusetts H 136, S 46, S 50, and S 220, all carryovers from 2021, morphed into S 2687 on Feb. 14.

Mississippi SB 2330 died in committee Feb. 1.

Ohio HB 376 was amended by committee substitute on Feb. 9.  Among other changes, the legislation now provides a consumer the right to request correction of inaccurate data.  This chart explains the numerous other differences between the introduced bill and the substitute.

Oklahoma HB 2969, the Oklahoma Computer Data Privacy Act, was introduced on Feb. 7, and amended by committee substitute on Feb. 21.  The substitute adds a prohibition against selling a consumer’s personal information to a third party without the consumer’s consent, i.e., “opt in.”

Utah SB 227 is a fast-moving bill that was introduced Feb. 17 and passed in the Senate and transmitted to the House on Feb. 25.  The original bill provided a consumer the right to: 1)  confirm processing of their personal data; 2) obtain information regarding the categories of personal data collected; 3) correct inaccurate data; 4) delete personal data provided by the consumer; 5) obtain a copy of the personal data provided by the consumer; and 6) opt-out of processing if for targeted advertising or the sale of the personal data.  In part, the first and second bill substitutes deleted the second and third rights and added the right to access the personal data.  The Utah legislative session is scheduled to conclude March 4.

Washington HB 1433 has had no movement and is presumed dead.

On Feb. 17, SB 5062 was placed in the “Senate Rules ‘X’ file,” which is described as where bills go “if they are no longer eligible for consideration.”  However, on Feb. 24, it was moved to the “Rules White Sheet,” which is described as “where bills are sent immediately after being passed out of a standing committee,” and “is, more or less, a review calendar.”

HB 1850 was assigned to the Committee on Civil Rights & Judiciary which voted it out on Feb. 2 as amended by a committee substitute. It then was referred to the Committee on Appropriations (avoiding a deadline faced by the CRJ Committee). On Feb. 28, Appropriations adopted a second substitute that, in part:

  1. Strikes all provisions relating to consumer rights;
  2. Retains provisions relating to the Consumer Data Privacy Commission;
  3. Removes requirements that the Commission conduct data protection audits of
    controllers and processors;
  4. Provides a private right of action only if: a) the Commission has determined in an
    administrative hearing that a violation occurred; and b) the consumer suffered
    demonstrable economic loss or physical harm.

Notably, the second substitute provides that the act does not become effective unless the
engrossed second substitute for SB 5062 becomes law by July 1, 2022.

Wisconsin AB 957 was introduced Feb. 3, SB 957 and SB 977 were introduced Feb. 9, and AB 1050 was introduced Feb. 17.  Of the four, only AB 957 is moving, having passed as amended by the Assembly on Feb. 23 and referred to committee in the Senate.

WHAT’S AHEAD IN MARCH

Of the states with pending privacy legislation, six have crossover deadlines in March, and others have various committee and floor deadlines.  There are a handful of bills that are now in the second chamber or poised to be there soon, so it is possible that March could bring the passage of another comprehensive state data privacy law.

COMPLIANCE

My March 15 webinar discussing amendments to the federal Safeguards Rule will touch on the implications these amendments have on state legislation. Register now for this Receivables Management Association International webinar.

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.