Monthly State Privacy Legislative Updates: February 2021

Mar 5, 2021

Reading Time : 6 min

By: Natasha G. Kohne, Taylor Daly, Rebecca Kocsis (Legal Project Analyst)

Alabama

Sen. Arthur Orr has introduced a bill prohibiting law enforcement from using facial recognition technology for ongoing surveillance and using results as the sole basis for arrest or establishing probable cause.

California

A number of privacy-focused bills were introduced at the end of February, including Senate Bill 746, which would grant a consumer the right to request that a business disclose whether or not it uses personal information collected about the consumer for a political purpose.

Further, Assembly Bill 1490 has been introduced. The California Privacy Rights Act of 2020 (CPRA) notably established the California Privacy Protection Agency (CPPA) as an “independent watchdog” to enforce the measure, further stipulating that members of the board must have qualifications, experience, and skills in the areas of privacy and technology. AB 1490 would require members of the board to additionally have qualification, experience, and skills in consumer rights.

With respect to contact tracing, Assemblymember Marc Levine in mid-February introduced Assembly Bill 814, which would prohibit data collected, received, or prepared for purposes of contact tracing from being used, maintained, or disclosed for any other purpose than facilitating contact tracing efforts. The bill would prohibit law enforcement from engaging in contact tracing.

Assembly Bill 1262 was also introduced, and the bill would include smart speakers within the scope of existing law prohibiting a person or entity from providing the operation of a voice recognition feature of a connected television without prominently informing the user during the initial setup or installation, among other things.

Florida

In mid-February, Governor Ron DeSantis and House Speaker Chris Sprowls held a press conference to announce their support for House Bill 969, which aims to increase data privacy and security regulation and create new rights for Florida consumers with respect to their personal information (PI), including the right to opt out of third-party disclosure of personal information. The measure, introduced by Rep. Fiona McFarland, would apply to any for-profit business that collects PI about Florida residents and has annual revenue over $25 million, collects 50 percent or more of its revenue from selling or sharing PI, or sells or shares the PI of 50,000 or more consumers or devices. The bill also provides for a limited private right of action. If passed, it would will take effect Jan. 1, 2022.

Illinois

Rep. Michelle Mussman on February 22 introduced House Bill 3910, the Consumer Privacy Act, in the House. The measure would require businesses to inform consumers about the categories of personal information that will be collected and the purposes, as well as provide notice when collecting additional categories of personal information or using personal information for additional purposes, among other things.

Further, Rep. Kambium Buckner also recently introduced House Bill 2404, the Right to Know Act, which would require operators of commercial websites or online services to notify customers of certain specified information pertaining to its personal information sharing practices. The bill also provides for a private right of action.

Maryland

Maryland Sen. Charles Sydnor has introduced Senate Bill 587, the Facial Recognition Privacy Protection Act, to regulate government use of facial recognition services. The proposed bill would require accountability reports on the use of facial recognition services, prohibit facial recognition use for certain purposes, and require disclosure of its use.

Massachusetts

Sen. Cynthia Stone Creem has introduced Senate Bill 1726, the Massachusetts Information Privacy Act, which would provide for data subject rights and provisions to protect biometric and location data. With respect to enforcement, the measure would establish a state information privacy commission and includes a private right of action.

Minnesota

On February 22, Reps. Steve Elkins and Mohamud Noor introduced House Bill 1492, the Minnesota Consumer Data Privacy Act, which is largely based on the 2021 version of the proposed Washington Privacy Act and shares several similarities to the Virginia CDPA. The measure would apply to companies processing the personal data of at least 100,000 consumers, or those generating more than 25 percent of their gross revenue from the sale of personal data while also processing the personal data of at least 25,000 Minnesota consumers. The measure provides consumers the rights to access, verification, correction, deletion, and opt-out of processing of their personal data. With respect to enforcement, the bill does not currently include a private right of action.

Montana

On February 16, Sen. Ken Bogner introduced Senate Bill 203, which would submit a constitutional amendment to Montana voters at the November 2022 general election aimed at protecting the privacy of their electronic data and communications. The measure would add Montanans’ electronic data and communications to a list of places and items that cannot be searched or seized by the government without a warrant based on probable cause.

New York

On February 22, Sen. Liz Krueger, chair of the New York Senate Finance Committee, introduced Senate Bill 4959, which would apply an excise tax on collection of consumer data by companies for targeted advertising and other economic benefits. The tax would apply to businesses collecting data on more than one million New Yorkers a month, and the graduated schedule would start at 5 cents an individual per month, with a ceiling of 50 cents.

North Dakota

On February 9, the House of Representatives' Committee on Industry, Business and Labor voted 12–1 with one abstention against advancing House Bill 1330, which would have required companies to obtain opt-in consent before selling user data. A coalition of advertising industry groups previously called on North Dakota lawmakers to revise the measure, which would have only applied to companies that offer broadband access, as opposed to search engines, social networking platform and other “edge” providers, requesting that the bill be amended to create an opt-out system and prohibit consumers from bringing private lawsuits.

Oklahoma

The House of Representatives' Committee on Technology voted 6–0 on February 10 to advance House Bill 1602, the Oklahoma Computer Data Privacy Act, for reading on the House floor. The measure would require opt-in consent for the collection and sale of data and was co-authored by more than 40 members of the state Legislature. The bill follows the introduction of House Bill 1130 last month, which would require companies to obtain opt-in consent to collect and sell consumers’ data. Multiple state senators have indicated support for the legislation and a willingness to advance it in the chamber.

Utah

The Senate on February 25 passed Senate Bill 200, the Consumer Privacy Act, after the bill was unanimously approved by the Committee on Transportation, Public Utilities, Energy, and Technology. The bill would provide consumers the rights to access, correction, deletion, and opt-out of collection and use personal information for certain purposes. The measure would also establish annual data protection assessments. With respect to enforcement, the bill does not provide for a private right of action.

Virginia

On March 2, Virginia become the second state to enact comprehensive privacy legislation after companion bills were passed in both chambers. The Virginia House of Delegates voted to pass the state’s privacy bill, Senate Bill 1392, the CDPA, after it passed the Senate, sending the measure to the governor’s desk. Governor Ralph Northam subsequently signed the bill into law on March 2. The law will allow Virginia residents the rights to access, correction, deletion, and portability, and residents would also be able to opt out of the processing of personal data for purposes of targeted advertising and the sale of personal data. The measure will apply to all businesses that control or process the personal data 100,000 or more consumers, obtain more than 50 percent gross revenue from the sale of personal data, or process the personal data of 25,000 or more users. A working group is to be established to make recommendations by November 2021, and the law is slated to go into effect in 2023.

Washington

Rep. Shelley Kloba has introduced House Bill 1433, the People's Privacy Act (WPPA). The bill, which includes a private right of action, would require companies to provide transparent privacy notices, obtain opt-in consent for data collection, and prohibit organizations from refusing to serve individuals who do not want to share their data. The WPPA, which is supported by the Washington American Civil Liberties Union (ACLU), is a competing bill to the Washington Privacy Act (WPA) introduced by Sen. Reuven Carlyle.

Share This Insight

Previous Entries

Data Dive

November 19, 2024

The European Union’s AI Office published the inaugural General-Purpose AI Code of Practice on November 14, 2024. The Code is intended to assist providers of AI models in their preparations for compliance with the forthcoming EU AI Act, to be enforced from August 2, 2025. The Code is designed to be both forward-thinking and globally applicable, addressing the areas of transparency, risk evaluation, technical safeguards and governance. While adherence to the Code is not mandatory, it is anticipated to serve as a means of demonstrating compliance with the obligations under the EU AI Act. Following a consultation period that garnered approximately 430 responses, the AI Office will be empowered to apply these rules, with penalties for nonconformity potentially reaching 3% of worldwide turnover or €15 million. Three additional iterations of the Code are anticipated to be produced within the coming five months.

...

Read More

Data Dive

November 15, 2024

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

October 17, 2024

During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information.

...

Read More

Data Dive

September 17, 2024

Following the publication of the European Union’s Artificial Intelligence Act (AI Act or Act) on 12 July 2024, there are now a series of steps that various EU bodies need to take towards implementation. One of the first key steps is in relation to the establishment of codes of practice to “contribute to the proper application” of the AI Act.

...

Read More

Data Dive

August 6, 2024

On July 30, 2024, the Senate passed the Kids Online Safety and Privacy Act (S. 2073) via an overwhelmingly bipartisan vote of 91-3 shortly before departing for the August recess.

...

Read More

Data Dive

July 18, 2024

On 12 July 2024, the European Union Artificial Intelligence Act (AI Act or Act) was published in the Official Journal of the European Union (EU), marking the final step in the AI Act’s legislative journey. Its publication triggers the timeline for the entry into force of the myriad obligations under the AI Act, along with the deadlines we set out below. The requirement to ensure a sufficient level of AI literacy of staff dealing with the operation and use of AI systems will, for example, apply to all providers and deployers on 2 February 2025.

...

Read More

Data Dive

July 18, 2024

On June 18, 2024, the United States Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Company (RRD) for alleged internal control and disclosure failures following a ransomware attack in 2021. Without admitting or denying the SEC’s findings, the business communications and marketing services provider agreed to pay a civil penalty of over $2.1 million to settle charges alleging violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (Exchange Act) and Exchange Act Rule 13a-15(a).1

...

Read More

Data Dive

June 11, 2024

In May, the National Institute of Standards and Technology (NIST) issued updated recommendations for security controls for controlled unclassified information (CUI) that is processed, stored or transmitted by nonfederal organizations using nonfederal systems, (NIST Special Publication 800-171 (SP 800-171), Revision 3). These security requirements are “intended for use by federal agencies in contractual vehicles or other agreements that are established between those agencies and nonfederal organizations.”1 While these new controls are only applicable to nonfederal entities that agree to comply with the new issuance, Revision 3 signals the next phase of expected security for government contractors.

...

Read More

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.