The California Consumer Privacy Act (CCPA) inspired legislators in several other states to attempt to pass similar legislation aimed at protecting the privacy rights of consumers. As the legislative calendars for most of those states have wound to a close before the recent election, this Alert reviews those bills as a preview of what we should expect in the next legislative session, particularly as several states will be returning a more progressive assembly.

Currently, only Nevada has passed a bill inspired by, but substantially narrower than, the CCPA. Unlike the CCPA, the Nevada law does not provide rights to access or erase personal information, and it provides opt-out rights to a significantly narrower set of disclosures of personal information. Of the currently outstanding bills, only Massachusetts, New Jersey, and Pennsylvania remain. Other bills in Connecticut, North Dakota, and Texas were passed only after they were amended to remove the CCPA-like provisions and replace them with clauses establishing commissions to study the privacy laws of other states. Even among the bills that did not pass this legislative session, many of these proposals may reemerge next year. We take a look at the contents of the proposed legislation in each of those states and discuss where each bill stands in the legislative process.

Passed Legislation: Nevada

Of all the states that proposed legislation similar to the CCPA, only Nevada managed to pass the bill through to enactment during this legislative term. The Nevada bill, SB 220, came into effect before the CCPA, on October 1, 2019. The act requires operators of commercial websites or online services (not all businesses) to allow Nevada resident consumers the opportunity to opt out of the “sale” of personal information about them. The Nevada statute defines “sale” more narrowly than the CCPA’s broad definition. Under SB 220, “sale” only encompasses the exchange of information for “monetary consideration.” Financial institutions subject to GLBA and entities subject to HIPAA are excluded from coverage by the Nevada statute.

CCPA Inspired Bills That Are Still Outstanding: Illinois, Massachusetts, New Jersey, and Pennsylvania

For four states—Illinois, Massachusetts, New Jersey, and Pennsylvania—there is still a possibility of legislation related to the CCPA this term. The legislative sessions for Illinois, New Jersey, and Pennsylvania will remain open through the end of the year, while the Massachusetts formal legislative session will remain open through November (an informal session will continue through the end of the year, but only unanimous bills will pass).

Illinois’ proposed legislation, HB 3358, largely tracks the CCPA, especially with regard to the rights provided to consumers. After passing the House, the bill was amended to allow for class-action enforcement. After this amendment, the bill stalled and has not seen any developments since July. The legislature remains in session through December.

The proposed Massachusetts legislation, SD 341, covers most of the same rights that are covered by the CCPA, with one significant addition—while the CCPA creates a private right of action with statutory damages only for data breaches, SD 341 adds a private right of action for any violation of its terms. In addition to civil penalties of up to $7,500 for each intentional violation enforced by the Massachusetts Attorney General, the Massachusetts bill would allow consumers to recover up to $750 for each violation of the act, without any requirement that they show loss or injury. The Massachusetts bill has not seen any activity since it was referred to the Senate committee on Consumer Protection and Professional Licensure.

New Jersey’s proposed legislation, SB 2834, would impose new obligations on businesses that operate commercial websites and online services (“operators”). In addition to transparency requirements and other CCPA-inspired rights, discussed below, the proposed law requires any website that merely collects personal information from New Jersey residents to post a link labeled, “Do Not Sell My Personal Information,” which would allow users to opt out, not only from “sales” of personal information, but from any disclosure to third parties not satisfying certain exceptions. In that sense, the opt-out right is arguably broader than the opt-out right under the CCPA. In addition, operators would be required to notify state resident consumers about collection and disclosure of their personally identifiable information, including by posting a conspicuous privacy notice online that provides consumers with information about the business’s collection and sharing of consumers’ personal information. The bill also requires that the privacy notice include a full description of consumers’ rights, which would include the right to access their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information. The New Jersey bill has not seen any activity since it was introduced in the New Jersey Senate, but as the New Jersey legislature meets throughout the year, there is still a chance that it could be brought to a vote later this year.

Pennsylvania’s proposed legislation, HB 1049, includes disclosure obligations as well as rights to access and delete information and a right to opt out of “sales” of data, all similar to the CCPA. Pennsylvania also limits the application of the proposed legislation to for-profit businesses that are over a size threshold, like the CCPA. The Pennsylvania legislature is currently in summer recess, which goes through September 17, 2019, but will resume meeting through the end of the year.

Bills That Were Amended To Establish a Commission: Connecticut, North Dakota, and Texas

Several state legislatures declined to pass CCPA-inspired bills but did amend those proposals to establish commissions to consider potential privacy legislative options. One of these measures, passed in Texas, also includes amendments to its data breach reporting law. Although these measures did not ultimately include CCPA-like provisions, they do suggest continuing legislative interest in privacy laws. These include:

Connecticut bill, RB 1108, which was originally inspired by the CCPA, but was instead replaced by a substitute bill, SB 1108, that establishes a task force to study consumer privacy protection and “possible methods to achieve such protection in this state while not overly burdening the businesses in this state.”

North Dakota bill, HB 1485, which was passed after it was amended to replace its prior substantive terms with a legislative study of “protections, enforcement, and remedies regarding the disclosure of consumers’ personal data.” The original bill would have prohibited covered entities from disclosing an individual’s personal information to anyone other than the individual without the “express written consent” of the individual—a much stricter consent requirement than seen in other legislation.

Finally, a Texas bill, HB 4390, which initially included CCPA-like provisions, was passed after it was amended to revise existing state breach notification requirements and to establish a council tasked with studying and evaluating the laws in Texas, other states, and relevant foreign jurisdictions that govern privacy and making recommendations for statutory changes. Another CCPA-inspired Texas bill, HB 4518, did not pass before the close of the legislative session.

Try Again Next Legislative Session

In the remaining eleven states that saw CCPA-like bills introduced this year, the clock has run out, but interest in privacy issues remains high. Accordingly, nobody will be surprised if these or other similar legislative proposals are raised next year. In particular, Washington State considered a GDPR-inspired bill that received substantial support and was widely expected to pass before the legislative session expired. The other state bills included:

  • Hawaii (SB 418): The bill largely tracks the CCPA but does not define a “business,” potentially broadening its scope. The pending bill has been carried over to the next legislative term.
  • Louisiana (HB 465): The bill restricts online service providers from disclosing personal information about consumers without the consumers’ consent.
  • Maryland (SB 613): The bill provides rights similar to those provided by the CCPA, while excluding certain exceptions to the Right to Erasure.
  • New Mexico (SB 176): The bill largely tracks the CCPA but action on it was postponed indefinitely prior to the close of the legislative session.
  • New York: Several CCPA-inspired bills were introduced in New York, but stalled before the legislative session ended in June. These include:
    • (S5642): Referred to as the New York Privacy Act, the bill would, among other things, require consent for uses and disclosures of data and create fiduciary duties of care, loyalty, and confidentiality with respect to the privacy of consumer data. The bill would also provide rights similar to those under the CCPA and GDPR.
    • (S4411/A6351): These identical bills incorporate certain CCPA provisions, including rights regarding the “sale” of information.
    • (A7736): Referred to as the “It’s Your Data Act,” the bill would impose misdemeanor liability on companies that use a person’s name or picture to derive economic value without the person’s consent and includes other proposed terms that are even more aggressive than the CCPA.
    • (S224): The bill would provide individual rights to access information retained by a business and other disclosure requirements.
  • Rhode Island (S0234): The bill largely tracks the provisions of the CCPA but was delayed when further study was recommended in committee. It ultimately stalled and was left pending when the legislative session ended in June.
  • Washington (SB 5376): The Washington Privacy Act (WPA) had support from many in Washington’s technology community but did not pass before the close of the legislative session. We may not have seen the last of it, as legislators plan to try again next term. Several parts of the WPA follow the CCPA’s requirements, including provisions requiring businesses to provide consumers with more notice about and opportunities to control the collection and sharing of personal information about them. The WPA also incorporates concepts from the GDPR, including risk assessments where changes in processing materially impact the risks to individuals, categories of “sensitive data” that require special consideration in conducting such assessments, and additional rights like the right to rectification. The pending bill has been carried over to the next legislative term.

Conclusion

Although CCPA-inspired legislation has not passed in any state other than Nevada, we expect to see more legislation proposed in the coming year. Two bills in particular that did not pass this session are worth following next year to see if they resurface.

First, as noted, the WPA received significant support from Washington’s technology community, including support from Microsoft. The proposal corrects much of the vague or confusing language of the CCPA and imports additional concepts from the GDPR. The bill was widely expected to pass but stalled at the last moment when additional amendments were proposed.

A second bill of note is the New York Privacy Act. Although it did not receive the same level of support as the Washington bill, the New York bill was the first to introduce the concept of information or data fiduciaries into proposed legislation. Previously discussed primarily in academic circles, the proposal would create new duties of care and loyalty for organizations collecting and using personal information, and it would require organizations conducting business in New York to act in the best interests of the consumer respecting that data, without regard to the interests of the organization. The concept could create substantial uncertainty regarding an organization’s privacy obligations and introduce new areas of risk.

Ropes & Gray will continue to monitor these proposals and other legislative initiatives.