Red Florida may be about to join blue California in passing a tough data privacy law. While bipartisan political consensus is rare in the U.S., suspicion of “Big Tech” and advocacy of consumer data privacy are uniting politicians and spurring a slew of new legislation from Connecticut to Alaska. Here is the current status of data laws in key states.
Gov. Mike Dunleavy introduced bills into the House and Senate earlier this month giving people the right to know when businesses collect their personal data, learn what data businesses have, request deletion of any data collected the past five years and opt out of sale of their data. Parents would have to approve the sale of minors’ data.
The state has not one but two consumer data privacy laws—the already-in-force California Consumer Privacy Act (CCPA) adopted by the legislature and the California Privacy Rights Act (CPRA) passed in November via referendum. CPRA will replace CCPA in January 2023. It aligns California law somewhat more with the European Union’s General Data Protection Regulation. CPRA includes opt-out protections for employee and geolocation data and creates a state enforcement authority just for data privacy. And it expands restrictions on “sale” of data to include sharing of data among companies without formal monetary transactions. California allows private lawsuits over data breaches.
Connecticut, whose legislature is in session through June 9, has an active bill similar to Virginia’s that flew through an initial committee hearing last month.
The Florida House on April 21 overwhelmingly approved a data privacy law opposed by the Association of National Advertisers and many other business groups. The House version would give individuals the right to sue marketers and data brokers for infractions. And while the House doubled to two years the period for which marketers can retain consumer data, the ANA still doesn’t believe that’s enough time for the likes of Disney World, hotels and other travel marketers. The Senate is expected to take up the House version of the bill today. It’s supported by Gov. Ron DeSantis, who hopes to bundle it with other provisions limiting the powers of tech marketers and social media platforms, including penalizing them for removing accounts of public office seekers, according to The Washington Post.
Illinois is considering two bills, one a Right to Know Act that would let consumers know what data marketers have, and a bill similar to the California law. Neither has moved out of committee.
A privacy law that went into effect in October 2019 is similar to CCPA but far narrower. It allows people to opt out of sale of their personal information. Unlike California’s law, Nevada’s requires actual money to change hands for there to be a “sale” of personal information, rather than just data sharing or disclosure. Nevada legislators did last month begin considering bills that would broaden the definition of data “sale” similar to California and regulate a new category of data brokers.
This narrowly crafted consumer data privacy law, which went into full effect last August, applies only to internet service providers, requiring them to get consumer opt-in to sell or share data.
After moving fast through the legislature earlier this year, Oklahoma’s law stalled recently thanks to the Republican state Senate majority leader refusing to allow a hearing. Still, strong bipartisan support still leads law firm Squire Patton & Boggs to believe Oklahoma’s law has a chance of passing this year.
The Virginia Consumer Data Protection Act signed into law last month doesn’t go into effect until January 2023. It allows consumers to opt out of and get disclosure about the existence of a wide variety of information. Virginia goes beyond the California laws by letting people opt out of profiling and ad targeting in addition to just data collection. And it requires that businesses perform data protection assessments to show they’re taking proper safeguards. Enforcement is entirely through the attorney general’s office, with fines up to $7,500 per infraction.