Monthly State Privacy Legislative Updates: March 2021

Apr 15, 2021

By: Taylor Daly, Rebecca Kocsis (Legal Project Analyst)

Throughout the month of March, states continued to introduce new privacy laws of their own as Congress focused on enacting President Biden’s $1.9 trillion COVID-19 relief plan—H.R. 1319, the American Rescue Plan Act of 2021—which President Biden signed into law on March 11.

The last month notably featured several key developments in California, as the state announced the establishment of the five-member inaugural board for the California Privacy Protection Agency (CPPA), a new administrative agency created by the California Privacy Rights Act (CPRA) and charged with implementing and enforcing the state’s privacy laws. Further, the state has approved additional California Consumer Privacy Act (CCPA) regulations, which went into effect on March 15. As clients look to navigate the changing privacy landscape in California, Akin Gump has published a new report looking back at the first year of civil litigation related to the CCPA and previewing what to expect throughout the remainder of 2021 and beyond. To read the report in its entirety, please click here.

Below, please find a high-level overview of states’ recent legislative efforts in this space.

Arizona

The House has passed Senate Bill 1279, which would revise rules on the disclosure of student information. The measure would direct Arizona’s Department of Education to develop and publish policies and procedures to comply with the Family Educational Rights and Privacy Act (FERPA) and other relevant privacy laws and policies, including policies that manage access to personally identifiable information, to be implemented by the Department of Education, county school superintendents, the state board of education and the state board for charter schools.

California

On March 17, Governor Gavin Newsom, Attorney General Xavier Becerra and Senate and Assembly leadership announced the establishment of the five-member inaugural board for the CPPA, a new administrative agency created by the CPRA and charged with implementing and enforcing the CCPA and the CPRA. The board will appoint the agency’s executive director, officers, counsel and employees, and the agency may bring enforcement actions related to the CCPA or CPRA before an administrative law judge. The Attorney General will retain civil enforcement authority over the CCPA and the CPRA. The board’s full membership is available here.

Further, on March 15 the Office of Administrative Law approved additional CCPA regulations effective March 15, 2021. The newly approved regulations affect certain sections of the regulations that went into effect on August 14, 2020, and include several clarifying modifications, including additional guidance on a business’s methods for submitting requests to opt out. A copy of the Final Regulation Text can be found here.

The Assembly Privacy and Consumer Protection Committee has scheduled a hearing for April 8 to consider a number of privacy-related bills, including Assembly Bill 814, which would prohibit data collected, received or prepared for purposes of contact tracing from being used for any other purpose. The Committee will also consider Assembly Bill 1490, which would require board members of the CPPA, established under the CPRA, to also have qualification and experience in consumer rights. Further, the Committee will consider Assembly Bill 1545, which would prohibit platform operators offering products or services directed to children from incorporating features on the platform that disproportionately encourage users to engage with the platform, among other things.

Colorado

Sens. Robert Rodriguez and Paul Lundeen have introduced Senate Bill 21-190, the Protect Personal Data Privacy Act. The legislation would allow consumers the rights to access, correction, deletion and data portability, as well as the right to opt out of the processing of their personal data. The measure covers entities processing data of more than 100,000 individuals or selling data of more than 25,000. The bill does not include a private right of action and may be enforced only by the attorney general or district attorneys.

Florida

On March 23, House Bill 969 was approved by the House Civil Justice and Property Rights Subcommittee on a 17-0 vote. The legislation, effective January 1, 2022, would require businesses to provide notice to consumers about data collection and selling practices and provide consumers the rights to deletion and correction and to opt in or opt out of the sale or sharing of their data. The bill would be enforceable by the Florida Department of Legal Affairs and allows for a private right of action. Further, the Senate Commerce and Tourism Committee has approved the Senate version of the bill, Senate Bill 1734, on a 10-1 vote.

Hawaii

The House is considering House Bill 125, the Uniform Employee and Student Online Privacy Protection Act (UESOPPA). The measure was approved in March by the House Consumer Protection and Commerce Committee and would establish new definitions for educational institutions, employees and employers. The measure also establishes certain obligations for educational institutions in relation to access to employee and student personal accounts. With respect to enforcement, the bill provides the Attorney General with the power to bring a civil action against employers or educational institutions with penalties of $1,000 per violation. If passed, the bill will take effect on December 25, 2040. 

Illinois

On March 9, the House Judiciary Committee advanced House Bill 559 to revisit the state’s Biometric Information Privacy Act (BIPA). The legislation was introduced by House Minority Leader Rep. Jim Durkin, who argued the language in the current bill is outdated and has created a “cottage industry for a select group of lawyers to file class action lawsuits against big and small employers and nonprofit agencies.” Under the legislation, the “aggrieved party” must provide a 30-day written notice of a violation to the business or employer and the entity in violation must “cure” the violation within 30 days.

Nevada

Reps. Glen Leavitt and Joseph Hardy have introduced Assembly Bill 323, which would amend Nevada’s opt-out law to add a data broker category and expand the definition of “sale.” The Senate version of the bill, Senate Bill 260, was introduced by Sen. Nicole Cannizzaro.

New Hampshire

The House is currently considering House Bill 499, which would ban government and law enforcement’s use of facial recognition. Two versions of the bill are currently under debate—the introduced version and a new version rewritten by the House Executive Departments and Administration Committee. While the initial language would allow for certain circumstances where the state could engage in ongoing surveillance using facial recognition, the rewritten version stipulates that law enforcement may only use the technology if they obtain a search warrant. The House Executive Departments and Administration Committee recently voted 17-1 to advance HB 499 as amended, and the full House will vote on this recommendation when they next meet in April.

Oklahoma

The House has approved House Bill 1602, the Computer Data Privacy Act, by an 85-11 vote. The bill, which has been revised since its initial introduction to remove a provision providing for a private right of action, now awaits action in the Senate.

Rhode Island

House lawmakers have unveiled House Bill 5959, the Rhode Island Transparency and Privacy Protection Act. The measure would require online entities to disclose the personal information they collect and “to what third parties they sell the information.” The bill also outlines penalties for violations of its provisions and provides enforcement authority to the office of the Attorney General.

Utah

The Utah State Legislature has approved House Bill 243, which would create a privacy officer for government practices and the Personal Privacy Oversight Commission. The officer position would audit state agencies’ data practices, and the commission would be charged with devising privacy guidelines for best practices agencies can adopt while also conducting reviews on government technology uses related to personal privacy and data security.

Virginia

On March 2, Virginia Governor Ralph Northam signed into law House Bill 2307, the Virginia Consumer Data Protection Act (CDPA), which goes into effect on January 1, 2023. The law applies only to businesses with large amounts of consumer data and does not apply to employee or business-to-business (B2B) data. The CDPA also provides broad exemptions, including for financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA). Broad in scope, the CDPA incorporates aspects of the CCPA, the CPRA and the EU General Data Protection Regulation (GDPR). For additional detail on the measure, please see our client alert.

In response to Virginia’s enactment of the measure, Rep. Suzan DelBene (D-WA) released a statement calling for a national consumer data privacy standard, noting that the lack of a national standard creates “confusion for consumers and an unworkable environment for small businesses.” She subsequently reintroduced H.R. 2013, the Information Transparency and Personal Data Control Act, which would require companies to allow users to opt in before using their personal information, grant the Federal Trade Commission (FTC) targeted rulemaking authority and empower state attorneys general to also pursue violations. On the industry side, Facebook also used the opportunity to call on Congress to pass a comprehensive federal privacy law.

Further, Virginia lawmakers voted unanimously to approve House Bill 2031, which prohibits local law enforcement agencies and campus police departments from purchasing or using facial recognition technology unless expressly permitted by the General Assembly. The bill then headed to Governor Northam, who proposed an amendment in order to correct a technical error and ensure airports are exempt from the bill’s provisions.

Washington

The Senate has passed Senate Bill 5062, the Washington Privacy Act, by a 48-1 vote, sending the bill to the House. Under the measure, legal entities that meet specified thresholds must provide consumers with the rights of access, deletion, correction and data portability, as well as the right to opt out of processing for the purposes of targeted advertising and the sale of personal data. The Washington Attorney General has sole enforcement authority over the measure, and the bill would preempt local regulations. A summary of the bill is available here, and a comparison of the measure and the CPRA is available here.

West Virginia

West Virginia lawmakers introduced House Bill 3159, which would establish consumer rights to access, correction and deletion, as well as the right to opt out of the sale or sharing of personal information to third parties. The bill, which has been referred to the House Judiciary Committee, would also allow for a private cause of action and would empower the West Virginia Division of Consumer Protection to establish enforcement rules and sue for violations.


© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.