Updated March 16, 2020

Shortly after the EU implemented the General Data Protection Regulation (GDPR), California passed its own privacy legislation – the California Consumer Privacy Act (CCPA). This act went into effect in January 2020 (enforcement is slated for July) and is causing a national shift in the data privacy landscape of the United States. Recently, 14 states have introduced privacy regulations modeled after the CCPA.

If passed, these state laws will impose new privacy obligations on businesses to provide consumers with adequate transparency and control over their personal information. So far, many state legislators have embraced the structure and language found in the CCPA, and included similar individual rights. Like the CCPA, these laws broaden the definition of "consumer" and expand consumer rights through private right of action.

While all these laws seek to provide more data protection to consumers, their approaches vary. Six follow the full model established by the CCPA, two only tackle a handful of issues addressed in the CCPA, while one is shaped more by the GDPR. In this post, we’ll take a look at the requirements of these 14 bills, how they compare to the CCPA, and what these new regulations mean for the future of data privacy in the United States.

Overview of the 14 Proposed State Laws

Below are the highlights of the 14 state legislation proposals. More specific details on these bills can be found in our free guide, which also compares these requirements to the CCPA.

1. Hawaii: SB 418, Relating to Privacy 

Hawaii’s bill is modeled after the CCPA, but has a broader reach since it does not define a business. Thus, the law can potentially extend to all businesses, regardless of size, that operate in Hawaii and collect the personal information of an individual. This proposed law does not have a private right of action clause, nor does it specify any penalties for violations. However, it does state that the Office of Consumer Protection will serve as the enforcement body and will be responsible for issuing penalties, which have not been defined at this point.
Current Status: In Senate
Effective Date: Upon Approval 

2. Illinois: 740 ILCS 14, Biometric Information Privacy Act

BIPA, in effect since 2008, regulates the privacy and protection of biometric information, which includes fingerprints, retina scans, facial geometry scans, or scans of the hands or face geometry. Businesses must also receive written consent from individuals before obtaining biometric data and disclose their policies for usage and retention. Currently BIPA is the only state law that allows private individuals to bring suit and recover damages, and a January 2019 Supreme Court case ruled the law does not require individuals to show they suffered harm other than a violation of the law to bring a suit forward. Although the CCPA covers similar biometric information, it is a lot broader and includes only a limited private right of action for violations.
Current Status: Passed into Law on October 3, 2008
Effective Date: October 3, 2008

3. Maine: LD 946, An Act to Protect the Privacy of Online Consumer Information

Maine’s proposed bill was introduced in February 2019, and provides tough measures for internet service providers (ISPs). Passed in June 2019, this new law will require broadband ISPs in Maine to obtain express consent from a customer before selling or sharing their data with a third party. So, while the CCPA gives customers the right to opt-out, this new law prohibits ISPs from utilizing customer data unless the customer opts in. This law will go into effect July 1, 2020, and will only regulate approximately 80 broadband ISPs in Maine, and only apply to the ISPs serving customers that are physically located and billed for services in the state.
Current Status: Passed into Law on June 6, 2019
Effective Date: July 1, 2020

4. Maryland: SB 613, Online Consumer Protection Act

The Maryland bill is modeled after the CCPA, especially when it comes to consumer rights, but there are some departures in execution. Maryland’s right to opt-out is more expansive than the CCPA because it applies to any kind of disclosure of personal information to third parties, rather than just the sale of such data. The disclosure of information of minors under the age of 18 is prohibited with no exceptions. However, this bill did not receive a vote in the Senate Finance Committee during the 2019 General Assembly session and has been postponed indefinitely.
Current Status: Postponed Indefinitely
Effective Date: January 1, 2021

5. Massachusetts: S. 120, An Act Relative to Consumer Data Privacy 

Massachusetts’ bill is quite similar to the CCPA. It is directed at protecting consumers, and it would require detailed notice to consumers about the collection of their data. While this bill does not expand the definition of personal information to include a consumer’s household, it does cover a broader scope for biometric information (i.e., data related to sleep and exercise) than the CCPA. Massachusetts’ right to opt-out is also more expansive than the CCPA, applying to any disclosure of personal information to third parties. The disclosure of information of minors under the age of 18 is also prohibited with no exceptions. Furthermore, there is a private right of action for any violation of this proposed law.
Current Status: In Senate
Effective Date: January 1, 2023

6. Mississippi: HS 1253, Mississippi Consumer Privacy Act 

Mississippi’s proposed bill was essentially a replica of the CCPA, copying its consumer rights and personal information obligations, but it died in committee in February 2019. Unlike the CCPA, the bill’s private right of action was not limited to just data covered by the breach notification law, but to any unauthorized access of any personal information. The data that constitutes personal information also varied from the CCPA (e.g., probabilistic identifiers were not included).
Current Status: Dead

7. Nevada: SB 220, An Act Relating to Internet Privacy 

In February, Nevada proposed amendments (SB 220) to its online privacy notice law (NRS 603A.300-360), which focuses on Internet privacy. While these changes were just recently proposed, they were quickly passed into law at the end of May. SB 220 amends the state’s existing requirements for owners and operators of Internet websites or online commercial service providers. Under this new law, a consumer can submit a notice to an operator to opt-out of the sale of their information to third parties (same as with the CCPA). (However, that provision is not enforceable through a private right of action.) This law also updates the definition of “sale” and provides five exceptions to that definition. The law went into effect in October 2019.
Current Status: Passed Into Law on May 29, 2019
Effective Date: October 1, 2019

8. New Jersey: A-4902, An Act Concerning Commercial Internet Websites, Online Services, and Personally Identifiable Information 

New Jersey’s proposed bill was introduced in July 2018, right around the time the CCPA was passed. It was updated and introduced by the House in January 2019 and referred to the Assembly Appropriations Committee, but it has not moved since then. This bill shares many of the core features of the CCPA, like the right to opt-out of the sale of personal information, but its right to access focuses on the disclosure of personally identifiable information (PII) to third parties. This proposed bill also places notification requirements on commercial Internet websites and online service providers regarding the collection and disclosure of PII.
Current Status: In Assembly
Effective Date: Upon Approval

9. New Mexico: SB 176, Consumer Information Privacy Act

The New Mexico bill is modeled after the CCPA, but has more limited disclosure obligations about privacy practices that businesses must make in order to increase their transparency. While the language of the law differs from the CCPA, the key components remain. The proposed law is likely to be broader in scope than the CCPA because it has short, general definitions of the terms “business,” “consumer,” and “minor.” Although there isn’t a penalty limit for every type of violation, there is a cap set at $10,000 per intentional violation.
Current Status: Postponed Indefinitely
Effective Date: July 1, 2020

10. New York: SB S224, An Act to Amend the General Business Law, in Relation to Restricting the Disclosure of Personal Information by Businesses

The New York bill is broader than the CCPA and focuses on transparency regarding the disclosure of personal information to third parties. However, the law does so without granting any of the other consumer rights found in the CCPA. This bill will apply to any person or entity who does business in New York. While the penalties for violations are not specified, a customer of a business, the New York Attorney General, a city attorney or prosecutor, or a district attorney can all bring action. There is also a private right of action.
Current Status: In Senate
Effective Date: Upon approval

11. North Dakota: HB 1485, An Act to Provide for a Legislative Management Study of Consumer Personal Data Disclosures

North Dakota’s proposed bill differed the most from the CCPA. It did not define a consumer or specify any disclosure notice requirements, but it did prohibit the disclosure of personal information to a third party without express written consent from an individual. However, this proposed law has been replaced in full by a legislative management study of consumer personal data disclosures, which was passed in April 2019. This new legislative management will study protections, enforcements, and remedies regarding the disclosure of consumers’ personal data, review the privacy laws of other states and federal laws, and then report its findings at the sixty-seventh legislative assembly in 2021.
Current Status: In Senate, Legislative Management Study
Effective Date: Not specified

12. Rhode Island: SB 234, Consumer Privacy Protection

The Rhode Island bill is modeled after the CCPA, but it does not create a role for the Attorney General in enforcement or rulemaking. While there is a private right of action, it does not specify the penalties for violations or any information regarding age of consent for minors. This bill would also impose more stringent requirements on the collection and retention of consumers’ personal information by a business. Unfortunately, in April 2019, the Senate Judiciary Committee recommended this proposed law be held for further study.
Current Status: Held for further study
Effective Date: Upon Approval

13. Texas: HB 4390, Texas Privacy Protection Advisory Council

Following the CCPA, Texas attempted to introduce two privacy bills, both of which failed to pass. In lieu of a comprehensive privacy bill, Texas has established a 15-member council designed to study data protection laws from other states and countries. The council will submit a report of its findings to the Texas Legislature by September 1, 2020, which lawmakers will use to create a potential Texas privacy bill by January 2021.
Current Status: Appointing members to the council
Effective Date: Not specified

14. Washington: SB 6281, The Washington Privacy Act

Washington’s proposed law, named the Washington Privacy Act (WaPA), is modeled after many elements of the GDPR, as well as the CCPA. The original version of this bill (SB 5376) failed to pass the House in 2019, but a new, updated version (SB 6281) was introduced in January 2020. While most of the bill remained the same, SB 6281 took a new approach to the areas that stalled the SB 5376 version. One big change is that, unlike the CCPA, the WaPA would preempt local laws, ordinances, and regulations regarding the processing of personal data by controllers, preventing any city in Washington from passing facial-recognition technology restrictions or permissions. Compared to the CCPA, the WaPA remained similar in scope, but omitted the revenue threshold for covered entities. There was also not a private right of action granted for consumers. Unfortunately, in March 2020, Washington’s new Privacy Act failed once more, but state lawmakers were able to pass SB 6280, which addresses public and private facial recognition use.
Current Status: Dead

 

The Future of Data Protection in the U.S.

The introduction of new data privacy and security bills across the United States has raised major compliance concerns from businesses operating across the U.S. This has led many to call on Congress for federal privacy legislation. Although many of these laws are still in the approval process, businesses large and small are realizing the massive effort required to comply with potentially 50 distinct laws and the severity of their penalties if found non-compliant.

Large organizations are concerned with the logistical nightmare of tracking and observing each state’s unique consumer privacy legislation. There is also speculation that smaller businesses would move to states with the most relaxed legislation, which could lead some states to intentionally ignore personal data protection in order to fuel their own economy. Smaller businesses would also suffer from the costs of compliance for 50 different regulations. At the same time, there is still apprehension that having a single federal agency regulating these laws could cause nationwide distrust.

Despite this, the U.S. House of Representatives and the Senate have already held committees in response to this growing concern over consumer data privacy. But with these two bodies controlled by different parties, it is difficult to predict how this federal data privacy legislation will be shaped or if any progress will be made in this area this year.

 

The Key Takeaways and Trends

  • The definition of "consumer" has greatly expanded in many states. Personal information can be any information that identifies or reasonably identifies a person, including biometric data, internet activity, audio recordings, inferences on preferences, etc.
  • States have expanded upon the CCPA’s private right of action, extending it to:
    • Any violation of the privacy law 
    • Any unauthorized disclosure of personal information, regardless of the data and potential risk to the consumer.
  • Even businesses that only collect information through the Internet must have multiple methods for consumers to submit requests, including a toll-free number and a “Do Not Sell My Personal Information” hyperlink on company websites.
  • None of the proposed state laws mention any issues relating to artificial intelligence. Only the Washington Protection Act, based on the GDPR, tries to prevent the discrimination risk linked with automated processing software.
  • Businesses should be cognizant of potential federal initiatives aiming to create a standardized federal consumer data protection and privacy law.

To see exactly how these bills stack up against the requirements of the CCPA, download our free guide to compare these regulations.


 

When California released its groundbreaking CCPA legislation, many other states within the U.S. followed suit. Regardless of whether you have to comply with the CCPA, it is causing a national trend for data protection regulations. Although some of these new state bills are a long way from passing, companies are concerned with how to manage compliance with all these laws, and the pressure for Congress to create one federal law mounts.

 


 
