As the year draws to a close, it seems safe to declare that 2020 was not a good year for the enactment of state consumer privacy legislation. Below, we provide status updates on state privacy task force initiatives and studies that were active over the course of the year, along with a brief overview of proposed bills—and a handful of enacted laws—that are poised to change the consumer privacy law landscape in 2021.

California

Unsurprisingly, California was again the vanguard of consumer privacy legislation in the United States. State residents voted "yes" on Proposition 24 in November, adopting the California Privacy Rights and Enforcement Act of 2020 (CPRA). The CPRA, which will go into full effect on January 1, 2023, amends and broadens privacy rights for California residents.

Connecticut

The Connecticut Legislature established a task force in 2019 to examine the appropriate scope of businesses' obligations to disclose their practices concerning the retention and sale of consumers' personal information. The task force failed to submit a report to the legislature by the January 1, 2020, deadline, leaving the future of privacy legislation in Connecticut uncertain.

New Hampshire

Earlier this year, Democratic representatives introduced a comprehensive privacy bill, an Act Relative to the Collection of Personal Information by Businesses (H.B. 1680). The legislation is similar to the original text of the CCPA, providing consumers with the same rights in their personal information and imposing like requirements and obligations on businesses and their service providers.

The bill was reported out of the House of Representatives' Commerce and Consumer Affairs Committee and referred for interim study on March 11, 2020, and was discussed during a Full Committee Work Session on September 2, 2020.

  • Notable distinction: The Act does not include exemptions for personal information collected in the context of employment or business transactions.
  • Enforcement: The bill provides a private right of action for consumers whose unencrypted or unredacted personal information is compromised in a data security breach, providing statutory damages of $100-$750 per incident. The state's attorney general may impose fines of up to $2,500 for each violation or $7,500 for each intentional violation.

New York

Both the New York Senate and Assembly introduced versions of the It's Your Data Act in October, which adopts a CCPA-like approach to regulating the processing of personal information and consumers' rights. These bills, S9073 and A7736 respectively, have been referred to committee.

  • Notable distinctions: The Act would make it a misdemeanor to collect, store, or use "the name, portrait, picture, video, voice, likeness, and all other personal data, biometric data, and location data" of a living person for "the purpose of advertising, trade, data-mining, or generating commercial or economic value" by any business or person without obtaining prior written consent.

    If consent is obtained, a failure to subsequently use reasonable care as bailee of the data would likewise constitute a misdemeanor. Individuals would also be authorized to bring civil actions for injunctive relief and damages against offenders who violate these provisions with respect to their (or their minor child's) covered data.

  • Enforcement: The Act provides a private right of action for statutory damages (the greater of $750 per violation or actual damages) if a business violates certain provisions of the Act, which would encompass everything but the misdemeanor offenses. A consumer "need not suffer monetary or property loss as a result" in order to bring an action.

    The New York Attorney General, a county district attorney, or a city corporation counsel can bring a civil action against any business, service provider or person for a violation of the same provisions and recover up to $2,500 for each unintentional violation and $7,500 for each intentional violation.

In addition, Senate (S5642) and Assembly (A8526) bills to establish the New York Privacy Act, introduced in 2019, were referred to committee in January 2020. No further action has been taken since our prior update in May.

Oregon

The Oregon Attorney General Consumer Privacy Task Force circulated the first draft of the Oregon Privacy Rights Act in October. The Act incorporates a mix of concepts found under the GDPR, CCPA, and the proposed (but unenacted) Washington Privacy Act.

The Act regulates "personal data management" activities—broadly defined to encompass all types of use or processing of personal data—by "principals" (which, subject to threshold business volume criteria as in the CCPA, are similar to controllers under the GDPR) and "information managers" (which are similar to GDPR processors and CCPA service providers).

Opt-in consent for personal data management must be obtained for "sensitive data." Individuals are granted rights of access, deletion, portability, and objection to personal data management for purposes of targeted advertising and sales and sharing and other disclosures that affect the individual's legal rights or duties. The draft bill is expected to be introduced when the legislative session begins in January.

  • Notable distinctions: Absent prior, informed consent by the individual, principals and information managers may engage in personal data management only with respect to "the minimal personal data that is directly relevant to and necessary for accomplishing a specific and 'permissible purpose.'" Permissible purposes are narrowly defined as services or activities the individual has requested and verifying individual requests under the Act.
  • Enforcement: A violation of the Act constitutes an unlawful business or trade practice, subject to enforcement under Oregon's Trade Practices Act. There is a private right of action for "a person that suffers an ascertainable loss of money or property, real or personal," as a result of a violation, which can be brought to recover the greater of $200 or actual damages, punitive damages awarded by a jury, and equitable relief.

    A prosecuting attorney can bring a suit in the name of the state to restrain the offender and obtain any other relief, in addition to recovery of attorneys' fees in the case of a successful prosecution.

Texas

The Texas Legislature established the Texas Privacy Protection Advisory Council in 2019 to study data privacy laws and make recommendations (H.B. 4390). In September 2020, the Council released an interim report that, among other things, highlighted longstanding privacy challenges, such as how technological change is outpacing the development of consumer protection laws. The challenges it cited include the inadequacy of privacy notices, difficulties in managing user preferences regarding data collection, critiques of privacy practices by digital advertisers, and multiple and uneven regulatory and compliance costs.

In the report, the Council recommended that state legislative proposals consider:

  • (1) A "new and appropriate balance between additional consumer privacy protections and data security within a fair regulatory/compliance privacy framework;"
  • (2) The impact to highly regulated data (e.g., health or banking information) and related federal law;
  • (3) Existing state laws to avoid conflict; and
  • (4) Additional recommendations that any legislation be broadly drafted to allow the adoption of new technology and business standards while strengthening the right to know how Texans' personal information is being used.

The report was criticized for failing to advance the discussion in a meaningful way.

Virginia

A bill that would enact the Virginia Privacy Act (H.B. 473) was introduced in January and deferred to 2021. It would grant GDPR-like consumer rights, including the right to correction, to be forgotten, and to restrict processing.

Covered businesses that control the processing of personal information would also have to conduct risk assessments for all personal data processing activities and, in the absence of consent or some other legal authorization, could not engage in processing if the potential risks to the consumer are substantial and outweigh the interests of the controller, consumer, other stakeholders, and the public.

The House voted to continue the bill to the 2021 legislative session, and, during the interim, the Joint Committee on Technology and Science (JCOTS) established a Data Protection & Privacy Advisory Committee to study consumer privacy issues.

  • Notable distinctions: Use of data for targeted advertising is subject to additional requirements and restrictions. Consumers have the right to object to the processing of their personal data for targeted advertising, which includes the sale of their personal data to third parties for such a purpose. The Act does not apply to personal information maintained for "employment records purposes."
  • Enforcement: A violation of the Act would constitute a prohibited practice under Virginia's Consumer Protection Act, which contains a private right of action for any "person who suffers loss as the result of a violation" to recover the greater of $500 or actual damages, or the greater of $1,000 or three times actual damages for a willful violation, in addition to reasonable attorneys' fees and costs.

    The state's attorney general would also be authorized to enforce the Act and recover a maximum fine of $1,000 per violation and of $2,500 per willful violation, as well as costs and reasonable expenses incurred in investigating and preparing the case, and attorneys' fees.

Washington

We reported in October about proposed legislation for the Washington Privacy Act of 2021, after a draft of the bill was circulated by Senator Reuven Carlyle (D) for public review and comment with some changes from the 2020 version. If introduced as planned at the start of the legislative session in January 2021, it will be the third consecutive year that the Washington legislature considers a proposal for a Washington Privacy Act.