State Consumer Privacy Law Round-Up
Copy-cat CCPA bills sprung up across the country in February, but as state legislatures move toward the lazy hazy days of summer, many of these bills seem to have lost momentum.
Four of the comprehensive privacy bills that were introduced have now been substituted or amended to be study bills:
- North Dakota passed HB 1485 to provide for a legislative management study of consumer personal data disclosures and a report of findings, recommendations, and any legislation needed to implement the recommendations to the next legislative assembly.
- Hawaii resolved that a designated task force would “examine and recommend laws and regulations relating to internet privacy; the collection, transmission, processing, protection, storage, and sale of personal data; hacking; data breaches, and other similar subjects” and provide those findings, recommendations and any associated legislation no later than December 1, 2019. (HCR2019 225.)
- The Texas Senate is reviewing amended bill HR86R that would create a temporary Texas Privacy Protection Advisory Council to study data privacy laws in Texas, other states, and relevant foreign jurisdictions.They would report recommendations on specific statutory changes no later than September 1, 2020. The bill also would update the current breach notification law to require disclosures to be made without unreasonable delay and not later than the 60th day after a breach determination. It would also require notifying the state Attorney General if the breach involves at least 250 Texas residents as well as provide requirements for that notification.
- The Connecticut House is considering the Senate-passed substitute bill (SB1108) to direct a task force “to study the interests consumers have in protecting their privacy and possible methods to achieve such protection in [Connecticut] while not overly burdening the businesses in [the] state.” The task force would examine disclosure requirements for consumers’ personal information retained or sold by businesses and would include, but not be limited to, review of the CCPA. The task force would report its findings no later than January 1, 2020.
Meanwhile in New York and New Jersey, consumer privacy bills have stalled, despite the fact that both state governments are under one-party control. The New York bills, A06351 and S004411, were referred to the legislature’s consumer protection committees upon introduction, but no further action has occurred since early March. New Jersey has seen the introduction of multiple different consumer privacy bills; the one that most resembles the CCPA, A4640, was introduced in October of last year but has been idle in the Homeland Security and State Preparedness Committee since January of this year. Its Senate counterpart, S3153, has followed the same course.
The following chart summarizes the current status of comprehensive consumer privacy reforms that have been introduced at the state level since the passage of the CCPA. This chart details states that are considering broad laws that would apply across industries.