We are a little more than two weeks into the new year and we’ve already seen several states introduce comprehensive privacy legislation on the heels of California’s Consumer Privacy Act (CCPA). It is no easy task to stay on top of (potentially) 50 different privacy requirements, each with differing applicability standards, definitions, requirements, obligations, and enforcement mechanisms. Cue this series of articles — meant to address developments at the state and (dare we say with fingers crossed) federal level.
Because these bills are coming fast and furious, we are going to focus on the five states that were first “out of the gate” to file their consumer privacy bills in the first two weeks of the new year: Illinois, Nebraska, New Hampshire, Virginia and Washington. We will continue to monitor additional legislation, so please check back for updates and developments.
Overview and General Terms of State Privacy Legislation
Each of the states proposing comprehensive privacy legislation has taken a page (or two) from the CCPA's approach, while each adds its own distinct obligations. For example, Nebraska's proposed legislation would apply to companies with annual revenue as low as $10 million (versus $25 million under the CCPA), while Virginia raises its resident data threshold to 100,000 consumers (versus 50,000 under the CCPA). Illinois and New Hampshire would allow a private right of action for data breaches; Virginia would allow a private right of action for any violation of the proposed legislation; Washington and Nebraska provide no private right of action at all.
Below is a breakdown of each state’s proposed legislation.
Illinois Data Transparency and Privacy Act (SB 2330)
- Introduced: January 8, 2020
- Applicability: Any for-profit business (legal entity) that collects or discloses personal information of 50,000 or more Illinois persons or households OR derives 50% or more of its annual revenue from selling consumers’ personal information (broadly defined and similar to CCPA).
- Privacy Rights Afforded Under Proposed Legislation:
- Right to Know – including specific pieces of personal information, categories of sources, and name and contact information for each third-party affiliate to whom personal information is sold or disclosed.
- Right to Opt-Out – of disclosure of personal information to third parties and affiliates (excludes service providers subject to contractual prohibitions), sale (more narrowly defined than CCPA) of personal information, and processing of personal information by the business, third parties and affiliates.
- Right to Correction – of personal information.
- Right to Deletion – of personal information.
- Exemptions: GLBA, HIPAA, FCRA, HR/Employee personal information
- Requires Updates to Privacy Policy and Disclosures?:
- Yes, similar to CCPA.
- Enforcement: The law would be enforced by the Illinois attorney general, with a private right of action for data breaches.
- Proposed Effective Date: July 1, 2021
Nebraska Consumer Data Privacy Act (Legislative Bill 746)
- Introduced: January 8, 2020
- Applicability: Any for-profit legal entity that does business in Nebraska and satisfies one or more of the following: (a) has annual gross revenue of more than $10 million, (b) buys, receives, sells or shares the personal information of 50,000 or more Nebraska persons or households, OR (c) derives 50% or more of its annual revenue from selling consumers’ personal information (broadly defined and similar to CCPA).
- Privacy Rights Afforded Under Proposed Legislation:
- Right to Know – what personal information is collected, including specific pieces of personal information, categories of sources, business and commercial purpose for collection, and name and contact information for each third-party affiliate to whom personal information is sold or disclosed.
- Right to Decline or Opt-Out – of disclosure of personal information to third parties and affiliates. (“Do Not Sell” homepage link required like CCPA).
- Right to Access – personal information that has been collected.
- Right to Deletion – of personal information (exclusion similar to CCPA).
- Exemptions: GLBA, HIPAA, FCRA, HITECH, Uniform Motor Vehicle Records Disclosure Act.
- Requires Updates to Privacy Policy and Disclosures?:
- Requires disclosures similar to the CCPA but does not explicitly require updates every 12 months.
- Enforcement: The law would be enforced by the Nebraska attorney general, with potential for civil penalties of up to $7,500 per violation. No private right of action.
- Proposed Effective Date: Not specified in proposed legislation.
New Hampshire House Bill 1680
- Introduced: January 8, 2020
- Applicability: A business that: (a) has gross revenues in excess of $25 million; (b) alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (c) derives 50% or more of its annual revenues from selling consumers’ personal information. (Also reaches entities under common branding and control, as under CCPA.)
- Privacy Rights Afforded Under Proposed Legislation:
- Right to Know – what personal information is collected, including specific pieces of personal information, categories of sources, business and commercial purpose for collection, and name and contact information for each third-party affiliate to whom personal information is sold or disclosed.
- Right to Opt-Out – of disclosure of personal information to third parties and affiliates. (“Do Not Sell” homepage link required like CCPA).
- Right to Access – personal information that has been collected.
- Right to Deletion – of personal information that has been collected.
- Exemptions: HIPAA, GLBA, FCRA, HITECH, DPPA, New Hampshire Financial Information Privacy Act.
- Requires Updates to Privacy Policy and Disclosures?:
- Yes, similar to CCPA.
- Enforcement: The law would be enforced by the New Hampshire attorney general, with a private right of action for data breaches.
- Proposed Effective Date: January 1, 2021
The Virginia Privacy Act (H 473)
- Introduced: January 8, 2020
- Applicability: Any entity that conducts business in Virginia or intentionally targets Virginia residents with products and/or services and: (1) controls or processes personal data of 100,000 or more consumers; OR (2) derives over 50% of gross revenue from the sale of personal data and controls or processes personal data of not fewer than 25,000 consumers.
- Privacy Rights Afforded Under Proposed Legislation:
- Right to Access – a copy of the personal data that the controller maintains in identifiable form.
- Right to Know – including whether personal data is being processed or sold; where personal data is being processed.
- Right to Correct – including the completion of incomplete personal data.
- Right to Delete – personal data.
- Right to Restrict Processing – to specific purposes pursuant to the consumer’s request.
- Right to Object to Processing – including the right to object to targeted advertising.
- Exemptions: HIPAA, FCRA, GLBA, Driver’s Privacy Protection Act (DPPA), HR/Employee personal information
- Requires Updates to Privacy Policy and Disclosures?: Yes, similar to CCPA.
- Enforcement: Controllers have a 30-day cure period, after which consumers may bring a claim under the Virginia Consumer Protection Act (§ 59.1-196 et seq.). Consumers may recover actual damages or $500, whichever is greater. If the violation is found to be willful, recovery may be increased to up to three times actual damages or $1,000, whichever is greater. The bill specifically provides that joint controllers or processors may be held liable “according to the principles of comparative fault.”
- Proposed Effective Date: Not specified in proposed legislation.
Washington Privacy Act (SB 6281)
- Introduced: January 13, 2020
- Applicability: Legal entities that conduct business in Washington or produce products or services targeted to Washington residents; and (1) control or process personal data of 100,000 or more consumers; or (2) derive over 50% of gross revenue from the sale of personal data (broadly defined like CCPA) and control or process personal data of 25,000 or more consumers.
- Privacy Rights Afforded Under Proposed Legislation:
- Right to Access – to confirm whether the controller is processing personal data concerning the consumer, and to access that data.
- Right to Correct – inaccurate personal data.
- Right to Deletion – of personal data (exclusions similar to CCPA).
- Right to Obtain – a copy of personal data, in a manner similar to CCPA.
- Right to Opt-Out – of processing of personal data for targeted advertising; the sale of personal data; and profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.
- Exemptions: HIPAA, FCRA, GLBA, FERPA, Student Privacy Act, DPPA, HR/Employee personal information
- Requires Updates to Privacy Policy and Disclosures?:
- Requires disclosures similar to CCPA but does not explicitly require 12-month updates.
- Enforcement: The law would be enforced by the Washington attorney general, who may bring an action in the name of the state or as parens patriae on behalf of persons residing in the state, with civil penalties of not more than $7,500 per violation. There is no private right of action.
- Proposed Effective Date: July 31, 2021