Alabama
Sen. Arthur Orr has introduced a bill prohibiting law enforcement from using facial recognition technology for ongoing surveillance and using results as the sole basis for arrest or establishing probable cause.
California
A number of privacy-focused bills were introduced at the end of February, including Senate Bill 746, which would grant a consumer the right to request that a business disclose whether or not it uses personal information collected about the consumer for a political purpose.
Further, Assembly Bill 1490 has been introduced. The California Privacy Rights Act of 2020 (CPRA) notably established the California Privacy Protection Agency (CPPA) as an “independent watchdog” to enforce the measure, further stipulating that members of the board must have qualifications, experience, and skills in the areas of privacy and technology. AB 1490 would require members of the board to additionally have qualification, experience, and skills in consumer rights.
With respect to contact tracing, Assemblymember Marc Levine in mid-February introduced Assembly Bill 814, which would prohibit data collected, received, or prepared for purposes of contact tracing from being used, maintained, or disclosed for any other purpose than facilitating contact tracing efforts. The bill would prohibit law enforcement from engaging in contact tracing.
Assembly Bill 1262 was also introduced, and the bill would include smart speakers within the scope of existing law prohibiting a person or entity from providing the operation of a voice recognition feature of a connected television without prominently informing the user during the initial setup or installation, among other things.
Florida
In mid-February, Governor Ron DeSantis and House Speaker Chris Sprowls held a press conference to announce their support for House Bill 969, which aims to increase data privacy and security regulation and create new rights for Florida consumers with respect to their personal information (PI), including the right to opt out of third-party disclosure of personal information. The measure, introduced by Rep. Fiona McFarland, would apply to any for-profit business that collects PI about Florida residents and has annual revenue over $25 million, collects 50 percent or more of its revenue from selling or sharing PI, or sells or shares the PI of 50,000 or more consumers or devices. The bill also provides for a limited private right of action. If passed, it would will take effect Jan. 1, 2022.
Illinois
Rep. Michelle Mussman on February 22 introduced House Bill 3910, the Consumer Privacy Act, in the House. The measure would require businesses to inform consumers about the categories of personal information that will be collected and the purposes, as well as provide notice when collecting additional categories of personal information or using personal information for additional purposes, among other things.
Further, Rep. Kambium Buckner also recently introduced House Bill 2404, the Right to Know Act, which would require operators of commercial websites or online services to notify customers of certain specified information pertaining to its personal information sharing practices. The bill also provides for a private right of action.
Maryland
Maryland Sen. Charles Sydnor has introduced Senate Bill 587, the Facial Recognition Privacy Protection Act, to regulate government use of facial recognition services. The proposed bill would require accountability reports on the use of facial recognition services, prohibit facial recognition use for certain purposes, and require disclosure of its use.
Massachusetts
Sen. Cynthia Stone Creem has introduced Senate Bill 1726, the Massachusetts Information Privacy Act, which would provide for data subject rights and provisions to protect biometric and location data. With respect to enforcement, the measure would establish a state information privacy commission and includes a private right of action.
Minnesota
On February 22, Reps. Steve Elkins and Mohamud Noor introduced House Bill 1492, the Minnesota Consumer Data Privacy Act, which is largely based on the 2021 version of the proposed Washington Privacy Act and shares several similarities to the Virginia CDPA. The measure would apply to companies processing the personal data of at least 100,000 consumers, or those generating more than 25 percent of their gross revenue from the sale of personal data while also processing the personal data of at least 25,000 Minnesota consumers. The measure provides consumers the rights to access, verification, correction, deletion, and opt-out of processing of their personal data. With respect to enforcement, the bill does not currently include a private right of action.
Montana
On February 16, Sen. Ken Bogner introduced Senate Bill 203, which would submit a constitutional amendment to Montana voters at the November 2022 general election aimed at protecting the privacy of their electronic data and communications. The measure would add Montanans’ electronic data and communications to a list of places and items that cannot be searched or seized by the government without a warrant based on probable cause.
New York
On February 22, Sen. Liz Krueger, chair of the New York Senate Finance Committee, introduced Senate Bill 4959, which would apply an excise tax on collection of consumer data by companies for targeted advertising and other economic benefits. The tax would apply to businesses collecting data on more than one million New Yorkers a month, and the graduated schedule would start at 5 cents an individual per month, with a ceiling of 50 cents.
North Dakota
On February 9, the House of Representatives' Committee on Industry, Business and Labor voted 12–1 with one abstention against advancing House Bill 1330, which would have required companies to obtain opt-in consent before selling user data. A coalition of advertising industry groups previously called on North Dakota lawmakers to revise the measure, which would have only applied to companies that offer broadband access, as opposed to search engines, social networking platform and other “edge” providers, requesting that the bill be amended to create an opt-out system and prohibit consumers from bringing private lawsuits.
Oklahoma
The House of Representatives' Committee on Technology voted 6–0 on February 10 to advance House Bill 1602, the Oklahoma Computer Data Privacy Act, for reading on the House floor. The measure would require opt-in consent for the collection and sale of data and was co-authored by more than 40 members of the state Legislature. The bill follows the introduction of House Bill 1130 last month, which would require companies to obtain opt-in consent to collect and sell consumers’ data. Multiple state senators have indicated support for the legislation and a willingness to advance it in the chamber.
Utah
The Senate on February 25 passed Senate Bill 200, the Consumer Privacy Act, after the bill was unanimously approved by the Committee on Transportation, Public Utilities, Energy, and Technology. The bill would provide consumers the rights to access, correction, deletion, and opt-out of collection and use personal information for certain purposes. The measure would also establish annual data protection assessments. With respect to enforcement, the bill does not provide for a private right of action.
Virginia
On March 2, Virginia become the second state to enact comprehensive privacy legislation after companion bills were passed in both chambers. The Virginia House of Delegates voted to pass the state’s privacy bill, Senate Bill 1392, the CDPA, after it passed the Senate, sending the measure to the governor’s desk. Governor Ralph Northam subsequently signed the bill into law on March 2. The law will allow Virginia residents the rights to access, correction, deletion, and portability, and residents would also be able to opt out of the processing of personal data for purposes of targeted advertising and the sale of personal data. The measure will apply to all businesses that control or process the personal data 100,000 or more consumers, obtain more than 50 percent gross revenue from the sale of personal data, or process the personal data of 25,000 or more users. A working group is to be established to make recommendations by November 2021, and the law is slated to go into effect in 2023.
Washington
Rep. Shelley Kloba has introduced House Bill 1433, the People's Privacy Act (WPPA). The bill, which includes a private right of action, would require companies to provide transparent privacy notices, obtain opt-in consent for data collection, and prohibit organizations from refusing to serve individuals who do not want to share their data. The WPPA, which is supported by the Washington American Civil Liberties Union (ACLU), is a competing bill to the Washington Privacy Act (WPA) introduced by Sen. Reuven Carlyle.