Updated June 5, 2019
Shortly after the EU implemented the General Data Protection Regulation (GDPR), California passed its own privacy legislation – the California Consumer Privacy Act (CCPA). This act is slated to go into effect in January 2020 and is causing a national shift in the data privacy landscape of the United States. Recently, 11 states have introduced privacy regulations modeled after the CCPA.
If passed, these state laws will impose new privacy obligations on businesses to provide consumers with adequate transparency and control over their personal information. So far, many state legislators have embraced the structure and language found in the CCPA, and included similar individual rights. Like the CCPA, these laws broaden the definition of "consumer" and expand consumer rights through private right of action.
While all these laws seek to provide more data protection to consumers, their approaches vary. Six follow the full model established by the CCPA, two only tackle a handful of issues addressed in the CCPA, while one is shaped more by the GDPR. In this post, we’ll take a look at the requirements of these 11 bills, how they compare to the CCPA, and what these new regulations mean for the future of data privacy in the United States.
Overview of the 11 Proposed State Laws
Below are the highlights of the 11 state legislation proposals. More specific details on these bills can be found in our free guide, which also compares these requirements to the CCPA.
1. Hawaii: SB 418, Relating to Privacy
Hawaii’s bill is modeled after the CCPA, but has a broader reach since it does not define a business. Thus, the law can potentially extend to all businesses, regardless of size, that operate in Hawaii and collect the personal information of an individual. This proposed law does not have a private right of action clause, nor does it specify any penalties for violations. However, it does state that the Office of Consumer Protection will serve as the enforcement body and will be responsible for issuing penalties, which have not been defined at this point. Current Status: In Senate
Effective Date: Upon Approval
2. Maryland: SB 613, Online Consumer Protection Act
The Maryland bill is modeled after the CCPA, especially when it comes to consumer rights, but there are some departures in execution. Maryland’s right to opt-out is more expansive than the CCPA because it applies to any kind of disclosure of personal information to third parties, rather than just the sale of such data. The disclosure of information of minors under the age of 18 is prohibited with no exceptions. However, this bill did not receive a vote in the Senate Finance Committee during the 2019 General Assembly session and has been postponed indefinitely.
Current Status: Postponed Indefinitely
Proposed Effective Date: January 1, 2021
3. Massachusetts: S. 120, An Act Relative to Consumer Data Privacy
Massachusetts’ bill is quite similar to the CCPA. It is directed at protecting consumers, and it would require detailed notice to consumers about the collection of their data. While this bill does not expand the definition of personal information to include a consumer’s household, it does cover a broader scope for biometric information (i.e., data related to sleep and exercise) than the CCPA. Massachusetts’ right to opt-out is also more expansive than the CCPA, applying to any disclosure of personal information to third parties. The disclosure of information of minors under the age of 18 is also prohibited with no exceptions. Furthermore, there is a private right of action for any violation of this proposed law.
Current Status: In Senate
Effective Date: January 1, 2023
4. Mississippi: HS 1253, Mississippi Consumer Privacy Act
Mississippi’s proposed bill was essentially a replica of the CCPA, copying its consumer rights and personal information obligations, but it died in committee in February 2019. Unlike the CCPA, the bill’s private right of action was not limited to just data covered by the breach notification law, but to any unauthorized access of any personal information. The data that constitutes personal information also varied from the CCPA (e.g., probabilistic identifiers were not included).
Current Status: Dead
5. Nevada: SB 220, An Act Relating to Internet Privacy
In February, Nevada proposed amendments (SB 220) to its online privacy notice law (NRS 603A.300-360), which focuses on Internet privacy. While these changes were just recently proposed, they were quickly passed into law at the end of May. SB 220 amends the state’s existing requirements for owners and operators of Internet websites or online commercial service providers. Under this new law, a consumer can submit a notice to an operator to opt-out of the sale of their information to third parties (same as with the CCPA). (However, that provision is not enforceable through a private right of action.) This law also updates the definition of “sale” and provides five exceptions to that definition. The law will go into effect in October 2019, giving organizations less than 5 months to be compliant.
Current Status: Passed Into Law on May 29, 2019
Effective Date: October 1, 2019
6. New Jersey: A-4902, An Act Concerning Commercial Internet Websites, Online Services, and Personally Identifiable Information
New Jersey’s proposed bill was introduced in July 2018, right around the time the CCPA was passed. It was updated and introduced by the House in January 2019 and referred to the Assembly Appropriations Committee, but it has not moved since then. This bill shares many of the core features of the CCPA, like the right to opt-out of the sale of personal information, but its right to access focuses on the disclosure of personal identifiable information (PII) to third parties. This proposed bill also places notification requirements on commercial Internet websites and online service providers regarding the collection and disclosure of PII.
Current Status: In Assembly
Effective Date: Upon Approval
7. New Mexico: SB 176, Consumer Information Privacy Act
The New Mexico bill is modeled after the CCPA, but has more limited disclosure obligations about privacy practices that businesses must make in order to increase their transparency. While the language of the law differs from the CCPA, the key components remain. The proposed law is likely to be broader in scope than the CCPA because it has short, general definitions of the terms “business,” “consumer,” and “minor.” Although there isn’t a penalty limit for every type of violation, there is a cap set for $10,000 per intentional violation.
Current Status: Postponed Indefinitely
Effective Date: July 1, 2020
8. New York: SB S224, An Act to Amend the General Business Law, in Relation to Restricting the Disclosure of Personal Information by Businesses
The New York bill is broader than the CCPA and focuses on transparency regarding the disclosure of personal information to third parties. However, the law does so without granting any of the other consumer rights found in the CCPA. This bill will apply to any person or entity who does business in New York. While the penalties for violations are not specified, a customer of a business, the New York Attorney General, a city attorney or prosecutor, or a district attorney can all bring action. There is also a private right of action.
Current Status: In Senate
Effective Date: Upon approval
9. North Dakota: HB 1485, An Act to Provide for a Legislative Management Study of Consumer Personal Data Disclosures
North Dakota’s proposed bill differed the most from the CCPA. It did not define a consumer or specify any disclosure notice requirements, but it did prohibit the disclosure of personal information to a third party without express written consent from an individual. However, this proposed law has been replaced in full by a legislative management study of consumer personal data disclosures, which was passed in April 2019. This new legislative management will study protections, enforcements, and remedies regarding the disclosure of consumers’ personal data, review the privacy laws of other states and federal laws, and then report its findings at the sixty-seventh legislative assembly in 2021.
Current Status: In Senate, Legislative Management Study
Effective Date: Not specified
10. Rhode Island: SB 234, Consumer Privacy Protection
The Rhode Island bill is modeled after the CCPA, but it does not create a role for the Attorney General in enforcement or rulemaking. While there is a private right of action, it does not specify the penalties for violations or any information regarding age of consent for minors. This bill would also impose more stringent requirements on the collection and retention of consumers’ personal information by a business. Unfortunately, in April 2019, the Senate Judiciary Committee recommended this proposed law be held for further study.
Current Status: Held for further study
Effective Date: Upon Approval
11. Washington: SB 5376, The Washington Privacy Act
Washington’s proposed law is modeled after many elements of the GDPR, as well as the CCPA. Named the Washington Privacy Act, this bill grants consumers the right to access data that companies have about them, the right to deletion, the right to correct inaccurate information, the right to opt-out, and the right to restrict or object to the processing of data. The proposed law grants the Attorney General enforcement authority for violations, with penalties of $2,500 per violation and $7,500 per intentional violation, just like the CCPA. There is not a private right of action granted for consumers, though. Unfortunately, after failing to pass the House before the end of the April legislative session, the bill died. However, it has a chance to be amended in a third reading by the Senate Rules Committee.
Current Status: In Senate for a third reading
Effective Date: July 31, 2021
The Future of Data Protection in the U.S.
The introduction of new data privacy and security bills across the United States has raised major compliance concerns from businesses operating across the U.S. This has led many to call on Congress for a federal privacy legislation. Although many of these laws are still in the approval process, businesses large and small are realizing the massive effort required to comply with potentially 50 distinct laws and the severity of their penalties if found non-compliant.
Large organizations are concerned with the logistical nightmare of tracking and observing each state’s unique consumer privacy legislations. There is also speculation that smaller businesses would move to states with the most relaxed legislation, which could lead some states to intentionally ignore personal data protection in order to fuel their own economy. Smaller businesses would also suffer from the costs of compliance for 50 different regulations. At the same time, there is still apprehension that having a single federal agency regulating these laws could cause nationwide distrust.
Despite the fact, the U.S. House of Representatives and the Senate have already held committees in response to this growing concern over consumer data privacy. But with these two bodies controlled by different parties, it is difficult to predict how this federal data privacy legislation will be shaped or if any progress will be made in this area this year.
The Key Takeaways and Trends
- The definition of "consumer" has greatly expanded in many states. Personal information can be any information that identifies or reasonably identifies a person, including biometric data, internet activity, audio recordings, inferences on preferences, etc.
- States have expanded upon the CCPA’s private right of action, extending it to:
- Any violation of the privacy law
- Any unauthorized disclosure of personal information, regardless of the data and potential risk to consumer.
- Even businesses that only collect information though the Internet must have multiple methods for consumers to submit requests, including a toll-free number and a “Do Not Sell My Personal Information” hyperlink on company websites.
- None of the proposed state laws mention any issues relating to artificial intelligence. Only the Washington Protection Act, based on the GDPR, tries to prevent the discrimination risk linked with automated processing software.
- Businesses should be cognizant of potential federal initiatives aiming to create a standardized federal consumer data protection and privacy law.
To see exactly how these bills stack up against the requirements of the CCPA, download our free guide to these 11 regulations.
When California released its groundbreaking CCPA legislation, many other states within the U.S. followed suit. Regardless of whether you have to comply with the CCPA, it is causing a national trend for data protection regulations. Although these new state bills are a long way from passing, and at least a year from taking effect, companies are concerned with how to manage compliance with all these laws and the pressure for Congress to create one federal legislation mounts.
Get more insights into the latest privacy news.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.