Legislatures follow trends. Four years ago, there were only two U.S. state legislatures that proposed bills to protect consumer data. This year, there have been 34.
Unfortunately, only three states – California, Virginia, and Colorado – have passed such bills. That hasn’t stopped the other states from trying, but how successful should we expect them to be?
What proposals have been submitted?
In February, the Indiana Senate unanimously passed Senate Bill 358 after just one hearing. The legislation features expansive consumer rights and compliance requirements for organizations, and is modelled on Virginia’s Consumer Data Protection Act.
It had its first reading on February 7, 2022, and was referred to the Committee on Commerce, Small Business and Economic Development. That committee voted to pass the bill, but the deadline for third readings of Senate bills in the House has since passed.
Florida’s House Bill 9 has a similar problem. The bill, which increases residents’ right of private action, was voted out of committee on February 10 and passed the House on March 2.
Unfortunately, the Florida legislature adjourned on March 11 before a decision could be made.
Likewise, Utah’s privacy bill – SB 0227 – has the same problem. The legislation, which safeguards Utah residents and allows them rights of access, correction, deletion, and mobility, and the right to opt out of the sale of their personal data, was passed unanimously following a slight amendment.
The legislative session ended on March 4. However, the bill was unexpectedly signed into law by Utah Governor Spencer Cox last week.
The law takes effect on December 31, 2023, and will apply to businesses with annual revenues of $25 million or more and which meet one or more of the following criteria:
- They handle personal data of 100,000 or more consumers per year;
- They derive over 50% of gross revenue from the sale of personal data;
- They process personal data of 25,000 or more consumers.
Meanwhile, the Wisconsin Assembly passed a privacy protection bill (AB 957). It has been sent to the Senate, where it was read for the first time and referred to the Committee on Government Operations, Legal Review and Consumer Protection. The Wisconsin 2022 legislative session will adjourn on May 18, 2022.
Legislation in progress
The Oklahoma Computer and Data Privacy Act (HB 2969) was passed out of the House Technology Committee on February 21, 2022, and was recommended for passage.
The Act has had a first reading in the House. The Oklahoma legislative session goes until May 27, so there is still plenty of time to pass the bill.
In Ohio, the House Government Oversight Committee voted HB 376 out of committee on February 16, 2022. The status of the bill was changed to “informally passed”.
On February 22, 2022, the bill was re-referred to the Rules and Reference Committee. The Ohio legislative session lasts all year.
In Massachusetts, the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity passed an amended version of H.142 / S.46 out of committee on February 1, 2022.
The bill is now filed under S.2687 (the Massachusetts Information Privacy and Security Act).
On February 14, 2022, the bill was referred to the Senate Ways and Means Committee. The Massachusetts formal legislative session ends on July 31.
In New York, Senate Bill S6701A (New York Privacy Act) was passed out of the Consumer Protection Committee on February 8, 2022. It is now in the Internet and Technology Committee. The New York legislature meets all year.
The states with the best chance of passing something this year are Wisconsin, Oklahoma, Ohio, Massachusetts, and New York. Exactly what will pass is still an open question.
What changes can you expect?
States are looking to the many provisions in the CPRA (California Privacy Rights Act), the VCDPA (Virginia Consumer Data Protection Act), the CPA (Colorado Privacy Act) and the EU GDPR (General Data Protection Regulation).
What they choose is not uniform, but there seem to be some consistencies. For example, restricting the scope of the laws is a popular option. Unlike the GDPR, which applies to every organization in the EU, most US laws only apply to organizations that have revenue over $25,000,000 and process information on more than 100,000 individuals.
Meanwhile, rights of private action are not favored, and most statutes leave enforcement to the state attorney general.
Likewise, opt-out requirements are preferred, and privacy policies are very popular.
What is clear is that the recent increase in data protection and data privacy legislation is not limited to the GDPR and the CPRA. Individuals and legislators across the country have recognized the importance of information security, and sooner rather than later, every state will have a privacy statute.
If you want to know what you should be doing to protect your sensitive data and keep ahead of your compliance requirements, IT Governance USA is here to help.
Our Privacy as a Service solution offers advice, guidance, and more from specialist lawyers and data protection and cybersecurity experts, who will guide you through the process of bolstering your data privacy processes and technologies.
You’ll receive help with compliance monitoring, breach notification processes, and data privacy management.