[co-authors: Taylor Daly, Senior Public Policy Specialist and Rebecca Kocsis, Legal Project Analyst]

Throughout the month of March, states continued to introduce new privacy laws of their own as Congress focused on enacting President Biden’s $1.9 trillion COVID-19 relief plan—H.R. 1319, the American Rescue Plan Act of 2021—which President Biden signed into law on March 11.

The last month notably featured several key developments in California, as the state announced the establishment of the five-member inaugural board for the California Privacy Protection Agency (CPPA), a new administrative agency created by the California Privacy Rights Act (CPRA) and charged with implementing and enforcing the state’s privacy laws. Further, the state has approved additional California Consumer Privacy Act (CCPA) regulations, which went into effect on March 15. As clients look to navigate the changing privacy landscape in California, Akin Gump has published a new report looking back at the first year of civil litigation related to the CCPA and previewing what to expect throughout the remainder of 2021 and beyond. To read the report in its entirety, please click here.

Below, please find a high-level overview of states’ recent legislative efforts in this space.

Arizona

The House has passed Senate Bill 1279, which would revise rules on the disclosure of student information. The measure would direct Arizona’s Department of Education to develop and publish policies and procedures to comply with the Family Educational Rights and Privacy Act (FERPA) and other relevant privacy laws and policies, including policies that manage access to personally identifiable information, to be implemented by the Department of Education, county school superintendents, the state board of education and the state board for charter schools.

California

On March 17, Governor Gavin Newsom, Attorney General Xavier Becerra and Senate and Assembly leadership announced the establishment of the five-member inaugural board for the CPPA, a new administrative agency created by the CPRA and charged with implementing and enforcing the CCPA and the CPRA. The board will appoint the agency’s executive director, officers, counsel and employees, and the agency may bring enforcement actions related to the CCPA or CPRA before an administrative law judge. The Attorney General will retain civil enforcement authority over the CCPA and the CPRA. The board’s full membership is available here.

Further, on March 15 the Office of Administrative Law approved additional CCPA regulations effective March 15, 2021. The newly-approved regulations affect certain sections of the regulations that went into effect on August 14, 2020, and includes several clarifying modifications, including additional guidance on a business’s methods for submitting requests to opt-out. A copy of the Final Regulation Text can be found here.

The Assembly Privacy and Consumer Protection Committee has scheduled a hearing for April 8 to consider a number of privacy-related bills, including Assembly Bill 814, which would prohibit data collected, received or prepared for purposes of contact tracing from being used for any other purpose. The Committee will also consider Assembly Bill 1490, which would require board members of the CPPA, established under the CPRA, to also have qualification and experience in consumer rights. Further, the Committee will consider Assembly Bill 1545, which would prohibit platform operators offering products or services directed to children from incorporating features on the platform that disproportionately encourage users to engage with the platform, among other things.

Colorado

Sens. Robert Rodriguez and Paul Lundeen have introduced Senate Bill 21-190, the Protect Personal Data Privacy Act. The legislation would allow consumers the rights to access, correction, deletion and data portability, as well as the right to opt out of the processing of their personal data. The measure covers entities processing data of more than 100,000 individuals or selling data of more than 25,000. The bill does not include a private right of action and may be enforced only by the attorney general or district attorneys.

Florida

On March 23, House Bill 969 was approved by the House Civil Justice and Property Rights Subcommittee on a 17-0 vote. The legislation, effective January 1, 2022, would require businesses to provide notice to consumers about data collection and selling practices and provide consumers the rights to deletion, correction and to opt-in or opt-out of sale or sharing of their data. The bill would be enforceable by the Florida Department of Legal Affairs and allows for a private right of action. Further, the Senate Commerce and Tourism Committee has approved the Senate version of the bill, Senate Bill 1734, on a 10–1 vote.

Hawaii

The House is considering House Bill 125, the Uniform Employee and Student Online Privacy Protection Act (UESOPPA). The measure was approved in March by the House Consumer Protection and Commerce Committee and would establish new definitions for educational institutions, employees and employers. The measure also establishes certain obligations for educational institutions in relation to access to employee and student personal accounts. With respect to enforcement, the bill provides the Attorney General with the power to bring a civil action against employers or educational institutions with penalties of $1,000 per violation. If passed, the bill will take effect on December 25, 2040.

Illinois

On March 9, the House Judiciary Committee advanced House Bill 559 to revisit the state’s Biometric Information Privacy Act (BIPA). The legislation was introduced by House Minority Leader Rep. Jim Durkin, who argued the language in the current bill is outdated and has created a “cottage industry for a select group of lawyers to file class action lawsuits against big and small employers and nonprofit agencies.” Under the legislation, the “aggrieved party” must provide a 30-day written notice of a violation to the business or employer and the entity in violation must “cure” the violation within 30 days.

Nevada

Reps. Glen Leavitt and Joseph Hardy have introduced Assembly Bill 323, which would amend Nevada’s opt-out law to add a data broker category and expand the definition of “sale.” The Senate version of the bill, Senate Bill 260, was introduced by Sen. Nicole Cannizzaro.

New Hampshire

The House is currently considering House Bill 499, which would ban government and law enforcement’s use of facial recognition. Two versions of the bill are currently under debate—the introduced version and a new version rewritten by the House Executive Departments and Administration Committee. While the initial language would allow for certain circumstances where the state could engage in ongoing surveillance using facial recognition, the rewritten version stipulates that law enforcement may only use the technology if they obtain a search warrant. The House Executive Departments and Administration Committee recently voted 17-1 to advance HB 499 as amended, and the full House will vote on this recommendation when they next meet in April.

Oklahoma

The House has approved House Bill 1602, the Computer Data Privacy Act, by an 85-11 vote. The bill, which has been revised since its initial introduction to remove a provision providing for a private right of action, now awaits action in the Senate.

Rhode Island

House lawmakers have unveiled House Bill 5959, the Rhode Island Transparency and Privacy Protection Act. The measure would require online entities to disclose the personal information they collect and “to what third parties they sell the information.” The bill also outlines penalties for violations of its provisions and provides enforcement authority to the office of the Attorney General.

Utah

The Utah State Legislature has approved House Bill 243, which would create a privacy officer for government practices and the Personal Privacy Oversight Commission. The officer position would audit state agencies’ data practices, and the commission would be charged with devising privacy guidelines for best practices agencies can adopt while also conducting reviews on government technology uses related to personal privacy and data security.

Virginia

On March 2, Virginia Governor Ralph Northam signed into law House Bill 2307, the Virginia Consumer Data Protection Act (CDPA), which goes into effect on January 1, 2023. The law applies only to businesses with large amounts of consumer data and does not apply to employee or business-to-business (B2B) data. The CDPA also provides broad exemptions, including for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA). Broad in scope, the CDPA incorporates aspects of the CCPA, the CPRA and the EU General Data Protection Regulation (GDPR). For additional detail on the measure, please see our client alert.

In response to Virginia’s enactment of the measure, Rep. Suzan DelBene (D-WA) released a statement calling for a national consumer data privacy standard, noting that lack of a national standard creates “confusion for consumers and an unworkable environment for small businesses.” She subsequently reintroduced H.R. 2013, the Information Transparency and Personal Data Control Act, which would require companies to allow users to opt in before using their personal information, grant the Federal Trade Commission (FTC) targeted rulemaking authority and empower states attorney generals to also pursue violations. On the industry side, Facebook also used the opportunity to call on Congress to pass a comprehensive federal privacy law.

Further, Virginia lawmakers voted unanimously to approve House Bill 2031, which prohibits local law enforcement agencies and campus police departments from purchasing or using facial recognition technology unless expressly permitted by the General Assembly. The bill then headed to Governor Northam, where he proposed an amendment in order to correct a technical error and ensure airports are exempt from the bill’s provisions.

Washington

The Senate has passed Senate Bill 5062, the Washington Privacy Act, by a 48-1 vote, sending the bill to the House. Under the measure, legal entities that meet specified thresholds must provide consumers with the rights of access, deletion, correction, data portability and opt-out of processing for the purposes of targeted advertising and the sale of personal data. The Washington Attorney General has sole enforcement of the measure, and the bill would preempt local regulations. A summary of the bill is available here, and a comparison of the measure and the CPRA is available here.

West Virginia

West Virginia lawmakers introduced House Bill 3159, which would establish consumer rights to access, correction and deletion, as well as the right to opt-out of the sale or sharing of personal information to third parties. The bill, which has been referred to the House Judiciary Committee, would also allow for a private cause of action and would empower the West Virginia Division of Consumer Protection to establish enforcement rules and sue for violations.