As state legislatures begin their 2020 sessions, proposals for stronger privacy laws are at the top of the agenda across the country. Carrying forward the story we told in reports in February, April, and July of last year, this report describes more than a dozen bills that have been introduced in state legislatures in the last month or carried over from the previous legislative session.

Omnibus bills have been introduced in at least seven states, including Washington, where a similar bill narrowly failed to pass in 2019. We describe these bills in Section A.

At least eight bills with more targeted requirements have also been introduced, including bills in Florida, Hawaii, and Maryland that would provide some version of a consumer right to opt out from sale similar to the one in the California Consumer Privacy Act (CCPA). We provide overviews of these bills in Section B.

Throughout the year, WilmerHale's Privacy and Cybersecurity Group will be tracking and reporting on the progress of these and other proposals for enhanced privacy protections in state law.

SECTION A. OMNIBUS PRIVACY BILLS

1. Illinois – Data Privacy Act (S.B. 2263)

Current status: Introduced in May 2019 and referred to the Senate Assignments Committee. It did not come to a vote in 2019. It has been carried over to the 2020 session.

Key provisions:

  • Draws its terminology primarily from the EU's General Data Protection Regulation (GDPR) and is similar to the Virginia Privacy Act described below
  • Would apply to businesses that (i) control or process the personal data of 100,000 or more Illinois residents or (ii) derive over 50% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Illinois residents
  • Contains exemptions for individuals acting in an employment or commercial context, as well as for information subject to the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), or the Gramm-Leach-Bliley Act (GLBA)
  • Consumers would have rights, upon request, to access (in a portable form), correct, delete, and object to processing. The right to object to processing includes a right to object to the use of personal data for targeted advertising
  • Controllers would be required to disclose the categories of personal information they collect, the purposes for which personal data is used, the categories of personal data shared with third parties, and the categories of third parties with whom it is shared
  • Controllers would be required to conduct risk assessments of their processing activities and provide them to the attorney general upon request
  • Would not create a private right of action; the attorney general would be empowered to seek civil penalties of $2,500 per violation or $7,500 per intentional violation

2. Nebraska – Nebraska Privacy Act (L.B. 746)

Current status: Introduced in January 2020 and referred to the Unicameral Committee on Transportation and Telecommunications. Hearing scheduled for February 4, 2020.

Key provisions:

  • Largely mirrors the CCPA
  • Would apply to businesses that collect personal information from Nebraska residents, determine the purposes and means of processing that personal information, and meet one of the following thresholds:
    • annual gross revenue in excess of $10 million;
    • alone, or in combination, annually buy, receive for the business's commercial purposes, sell, or share the personal information of 50,000 or more consumers; or
    • derive 50 percent or more of annual revenue from selling consumer personal information
  • Like the CCPA, contains exemptions for information subject to HIPAA, FCRA, or GLBA; unlike the CCPA, also has an entity-level exemption for financial institutions or their affiliates that are regulated by the GLBA
  • Consumers would have rights, upon request, to access, delete, and opt out of the sale of their personal information; businesses may not discriminate against consumers for exercising their rights
  • Upon request from a consumer, businesses would be required to disclose the categories of personal information they collect, the business or commercial purposes for which the information is collected, the categories of sources from which the information is collected, the specific pieces of personal information collected, and the categories of third parties with whom it is shared
  • Businesses would have to make certain disclosures in their online privacy policy
  • Businesses that sell personal information would be required to place a "Do Not Sell My Personal Information" link on their homepage, in their privacy policy, and in any Nebraska-specific description of consumer rights
  • No private right of action; enforceable by the attorney general, with fines up to $7,500 per violation

3. New Hampshire – H.B. 1680-FN

Current status: Introduced in December 2019 and referred to the House Committee on Commerce and Consumer Affairs. Hearing held on January 23, 2020.

Key provisions:

  • Largely mirrors the CCPA
  • Would apply to businesses that collect personal information from New Hampshire residents, determine the purposes and means of processing that personal information, and meet one of the following thresholds:
    • annual gross revenue in excess of $25 million;
    • alone, or in combination, annually buy, receive for the business's commercial purposes, sell, or share the personal information of 50,000 or more consumers; or
    • derive 50 percent or more of their annual revenue from selling consumer personal information
  • Like the CCPA, contains exemptions for information subject to HIPAA, FCRA, or GLBA
  • Consumers would have rights, upon request, to access, delete, and opt out of the sale of their personal information; businesses may not discriminate against consumers for exercising their rights
  • Upon request from a consumer, businesses would be required to disclose the categories of personal information they collect, the business or commercial purposes for which the information is collected, the categories of sources from which the information is collected, the specific pieces of personal information collected, and the categories of third parties with whom it is shared
  • Would require businesses to inform data subjects of the period for which their data will be retained, as well as of their right to access the data
  • Like the CCPA, would create a private right of action only for data breaches, with fines as high as $750 per violation
