By Samantha Ann Schwartz
The European Union launched GDPR in 2018, immediately casting the U.S. to the also-ran position when it comes to protecting consumer data rights.
Since GDPR went into effect, only California has successfully passed a comprehensive data privacy law. Just 14 states formally introduced a data privacy law and if it were up to big tech, the fewer the states, the better.
Companies are holding out for a federal privacy law, and for good reason. A federal data privacy law would streamline compliance across the 50 states and its territories. It would also allow companies to lobby on Capitol Hill.
A successful data privacy law allows for adequate consumer protection without stifling industry innovations; compliant companies should be able to answer these questions:
Here, CIO Dive tracks the states pursuing data privacy laws. For each state, there is a brief description of the law's requirements, its status and a link to the original law.
The Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law in June 2018. The legislation is currently circulating committee, undergoing amendments.
Amendments currently in progress include requiring data brokers to register with the Attorney General, expanding "publicly available" information exempted from personally identifiable information (PII), and clearly disclosing the use of facial recognition technology.View the law
Connecticut's bill is modeled after the CCPA and applies to companies that generate more than $25 million in revenue. The state defined PII as data "related to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
The Committee on Government Administration and Elections filed a Substitute Senate Bill, representing the most recent version of the bill. It was submitted in January to establish a task force pertaining to data privacy.View the law
Hawaii's bill would have required businesses to disclose or delete which categories of PII they collect upon "verifiable request" from the individual, according to the bill. It also planned to restrict the sale of PII for consumers 16 or younger.
Hawaii, Connecticut, California and Texas recognize 16 as the minimum age of consent to privacy. However, the proposed legislation did not include a right to action and did not consider penalties imposed by the Hawaii Office of Consumer Protection.
The bill died in the state Senate after failing to move to its second reading by March 2, 2019.View the law
The Data Transparency and Privacy Act includes the "right to transparency." The right requires an entity that collects PII data, based on website visits, to identify all categories of data processes and the third parties it shares it with. The private entity must then "provide a description of the process, if any such process exists," for consumers to request changes to their data collection preferences, according to the bill.
The bill has undergone several rounds of amendments in May, with a third reading deadline established for May 31.View the law
The Online Consumer Protection Act has a projected effective date of Jan. 1, 2021, though it's currently still in consideration. The bill calls for the "broad public participation" of the Office of the Attorney General. Upon reason to believe a business violates a regulation, the AG would have the authority to bring action or seek penalty.
Maryland’s bill ticks all of the same boxes as the CCPA, including a consumer’s right to access collected or shared data, delete, and opt-out. It also affords consumers transparency, notice requirements and data portability for their own purposes.View the law
Massachusetts' bill does not allow PII to fall under "publicly available" information provided by government entities. Biometric data does not fall under publicly available data, though it includes fingerprinting.
The bill gives its constituents the right to pursue legal action against businesses if their PII is wrongfully collected or stored. Consumers "need not suffer a loss of money or property" from the data violation to seek legal action, according to the bill.
The legislation is currently awaiting a joint committee hearing.View the law
Nevada has an existing law for data collection security that the data privacy bill is expanding, particularly with the right to opt-out and the right of legal action upon violation.
Nevada's bill borrows language from the CCPA, allowing consumers to opt-out of data distribution performed by entities that own or operate internet or website services for commercial purposes.
Unlike the CCPA, the state's bill stops short of expanding the notice obligation or right to deletion. Consumers are allowed to pursue private right of action for injuries as a result of a violation.View the law
The Consumer Information Privacy Act was introduced in January 2019, though its progress is postponed indefinitely. The law would have allowed consumers to request the categories of information a business collects, discloses or sells for a business purpose. It also requires the entity to disclose what categories of third parties were given the data.View the law
The Right to Know Act is waiting in the state's Senate and narrows in on disclosure transparency, while discluding other consumer rights outlined by the CCPA. New York’s bill limits the consumer right of access in part due to the scope of the bills reach — anyone who does business in New York.View the law
HB 1485, North Dakota's original legislation, pertained to entities that exceed $25 million in gross annual revenue and prohibited disclosure of PII without written consent from consumers. It included penalties per violation. Unlike the CCPA, however, the bill didn't contain notice obligations unless requested by consumers.
Through a series of amendments, the bill became "an act to provide for a legislative management study of consumer personal data disclosures."View the law
The Consumer Privacy Protection Act closely resembles the CCPA, checking all the boxes for the right of access, sharing, deletion, portability and opting-out. The bill also includes biometric information, like a consumer's DNA, imagery of their iris, retina, fingertip, face, palm and so forth.
The bill is currently awaiting a measure for "further study" recommended by committee as of late April.View the law
Texas is in the unique position of having two data privacy bills making their way through committee. The bills were introduced independently on the same day in March.
The Texas Privacy Protection Act (TPPA) is more GDPR-like, regulating personal "identifying" information, or information relating to an individual. The Texas Consumer Protection Act more closely resembles the CCPA, which promotes the regulation of PII.View the TPPA View the TCPA
The Washington Privacy Act applies to any legal entity that has business in Washington or targets its residents. The law is applicable to companies that control or process PII of at least 100,000 consumers.
The bill died in the state House on April 28, 2019 after almost unanimously passing the state Senate.View the law