Consumer Data Privacy Legislation

10/14/2019

Digital lock

Overview

Online commerce sites, social media, and mobile devices and applications are becoming an integral part of consumers’ lives. They improve consumer access to information and make shopping and purchases faster and easier. Smart home speakers, intelligent personal assistants and other connected devices extend computer networks to everyday items.

These applications and devices have the capability to collect and share personal information to an extent not possible previously, and sometimes in ways that are not apparent to consumers. Concerns about privacy are heightened when breaches, cyberattacks and unauthorized sharing of personal information are reported in the media. 

2018 Sets the Stage

A bellwether year for comprehensive consumer data privacy legislation took place in 2018:

  • Europe’s General Data Protection Regulation (GDPR) took effect in May 2018, extending European Union (EU) jurisdiction beyond those countries. Any global business that sells to or has EU customers is subject to the GDPR, regardless of where that business is based. The GDPR sets forth rules about how companies treat the personal data of EU citizens, including those purchasing U.S. products or services or living in the U.S.
  • The California Consumer Privacy Act of 2018 (CCPA) was enacted in June 2018 and amended in September, and will become effective Jan. 1, 2020 (with likely additional amendments in 2019).The CCPA is one of the broadest online privacy laws in the U.S., affecting companies across the country that do business with California residents.
  • Vermont in 2018 enacted a law that requires data brokers (businesses that collect and sell or license personal information to third parties) to disclose to individuals which data is being collected and to permit them to opt out of the collection. 

 

2019 State Legislation Related to Consumer Data Privacy

The year 2019 began with a significant increase in bill introductions addressing various aspects of data privacy, compared to previous years. The legislation identified below is limited to the regulation of privacy practices of commercial entities, online services or commercial websites, covering legislation related to the privacy of consumer data, including bills related to online privacy, collection of consumers' biometric data, data broker regulation and other miscellaneous consumer privacy issues. Legislation related to data breaches is not included here, and some additional types of privacy laws and legislation are covered separately in other NCSL resources

Summary: Bills or bill drafts have been introduced/filed in at least 25 states and in Puerto Rico. See NCSL's blog post on States Break New Ground on Consumer Privacy Regulation.

2019 State Legislation Related to Consumer Data Privacy

Bill

Status

Summary

ARIZONA (Regular session adjourned)

AZ HB 2259

Failed

Requires a commercial website that collects personal information from more than 500 users to establish a secure personal information portal that allows a person to access their own information and correct any errors.

AZ HB 2478

Failed

Relates to biological characteristics, relates to biometric identifiers. Provides that a person may not enroll an individual’s biometric identifier in a database for a commercial purpose unless the person provides a mechanism to prevent the subsequent use of the identifier for a commercial purpose without consent.  

AZ HB 2524

Failed

Requires a developer of a website or software application that uses the microphone or camera functionality of a device to collect audio or image data to disclose the data that is being collected and the reason it is being collected to the user.

CALIFORNIA

CA AB 25

Signed by Governor

Excludes from the definition of consumer in the state Consumer Privacy Act a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant to, an employee of, a contractor of, or an agent on behalf of, the business, to the extent the person's personal information is collected and used solely for purposes compatible with the context of that person's role as a job applicant, employee, contractor, or agent of the business.

CA AB 288

Pending--carryover

Requires a social networking service to provide users that close their accounts the option to have the user's personally identifiable information permanently removed from the company's database and records and to prohibit the service from selling that information to, or exchanging that information with, a third party in the future, subject to specified exceptions. Requires a social media company to honor such a request within a commercially reasonable time.

CA AB 523

Pending--carryover

Prescribes the circumstances under which telephone and telegraph corporations may release specified information, including customer proprietary network information, regarding noncommercial subscribers without their written consent. Specifically includes geolocation information in the information that may only be released with a noncommercial subscriber's written consent.

CA AB 846

Pending--carryover

Amends the Consumer Privacy Act. Authorizes a business to enter a consumer into a financial incentive program only if the consumer affirmatively consents to the material terms of the incentive program. Prohibits a business from using a financial incentive practice that is unjust, unreasonable, coercive or usurious in nature. Prohibits a business from discriminating against the consumer, by charging higher prices or providing a lower level of goods or services, for exercising any of the consumer's rights.

CA AB 873

Pending--carryover

Revises the definition of deidentified information for purposes of the Consumer Privacy Act to mean information that does not identify, and is not linkable, directly or indirectly, to a particular consumer. Specifies that personal information includes specified information that, among other things, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.

CA AB 874

Signed by Governor

Defines publicly available information for the California Consumer Privacy Act to mean information that is lawfully made available from federal, state, or local records. Provides that personal information does not include de-identified or aggregate consumer information.

CA AB 950

Pending-carryover

Requires a business that conducts business in California, and that collects a California resident's consumer data, to disclose to the consumer the monetary value to the business of their consumer data by posting the average monetary value to the business of a consumer's data, including that information in its privacy policy posted on its internet website, and also including in its privacy policy disclosure of any use of a consumer's data that is not directly related to the service.

CA AB 981

Pending--carrover

Eliminates a consumer's right to request a business to delete or not sell the consumer's personal information under the Consumer Privacy Act, if it is necessary to retain or share the consumer's personal information to complete an insurance transaction requested by the consumer.

CA AB 1138

Pending--carryover

Prohibits a person or business that conducts business in the state, and that operates a social media website or application, from allowing a person under a specified age to create an account with the website or application, unless the website or application obtains the consent of the person's parent or guardian before creating the account using a method that includes reasonable measures to ensure that the person giving their consent is the parent or legal guardian of the person younger than 13 years of age.

CA AB 1146

Signed by Governor

Exempts from the Consumer Privacy Act vehicle information shared between a new motor vehicle dealer and the vehicle's manufacturer, if the information is retained or shared pursuant to, or in anticipation of, a vehicle repair relating to warranty work or a recall.

CA AB 1202

Signed by Governor

Requires data brokers to register with and provide certain information to the attorney general. Defines a data broker as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship, subject to specified exceptions.

CA AB 1281

Pending--carryover

Requires a business in California that uses facial recognition technology to disclose that usage in a physical sign that is clear and conspicuous at the entrance of every location that uses facial recognition technology. Makes a business that violates these provisions liable for specified civil penalties.

CA AB 1355

Signed by Governor

Excludes consumer information that is de-identified or aggregate consumer information from the definition of personal information under the State Consumer Privacy Act of 2018. Prohibits a business from discriminating against the consumer for exercising any of the consumer's rights under the act, except if the differential treatment is reasonably related to value provided to the business by the consumer's data.

CA AB 1395

Pending--carryover

Prohibits a person or entity from providing the operation of a voice recognition feature within the state without prominently informing the user during the initial setup or installation of the other connected device with a voice recognition feature. Prohibits any actual recordings of spoken word collected through the operation of a voice recognition feature from being used for any advertising purpose or being shared with or sold to a third party, unless the consumer provides written consent.

CA AB 1416

Pending--carryover

Specifies that the State Consumer Privacy Act does not restrict a business's ability to comply with any rules or regulations adopted pursuant to and in furtherance of state or federal laws. Establishes an exception to the act for a business that provides a consumer's personal information to a government agency solely for the purposes of carrying out a government program, if specified requirements are met.

CA AB 1469

Pending--carryover

Requires the Bureau of Household Goods and Services, in consultation with stakeholders, to conduct a review of its accepted trade standards for good and workmanlike repair to determine whether additional regulations need to be adopted concerning privacy and security implications of connected devices.

CA AB 1564

Signed by Governor

Requires a business, to make available to consumers a toll free telephone number, or an email address and a physical address for submitting requests for information required to be disclosed. Requires that a business that operates exclusively online only be required to provide an email address for submitting requests for information required to be disclosed.

CA AB 1665

Pending--carryover

Prohibits a person or business that conducts business in California, that operates an internet website or application that requires opt-in consent before selling a minor's personal information, to obtain consent to sell the minor's personal information in a manner that is separate from the social media internet website or application's general terms and conditions.

CA AB 1758

Pending--carryover

Makes a nonsubstantive change to the Consumer Privacy Act.

CA AB 1760

Pending--carryover

Creates the Privacy for All Act. Prohibits a business from sharing a consumer's personal information unless the consumer has authorized that sharing. Prescribes various business requirements in connection with this new right to opt-in consent. Prohibits discrimination against a consumer based on the exercise of this right. Provides that any violation is an injury and authorizes a consumer to bring suit on this basis.

CA SB 299

Pending--carryover

Prohibits an operator of an internet website, online service, online application, or mobile application directed to minors from using the personal information of a minor to direct content to the minor, or a group of individuals who are similar, based upon the minor's actual or perceived race, ethnicity, religion, physical or mental disability, medical condition, gender identity, gender expression, sexual orientation, sex, or socioeconomic background, or any other factor used to identify those traits.

CA SB 561

Pending--carryover

Expands a consumer's rights to bring a civil action for damages to apply to other violations under the California Consumer Privacy Act of 2018. Specifies that the Attorney General may publish materials that provide businesses and others with general guidance on how to comply with the act.

CA SB 753

Pending--carryover

Provides that, for purposes of the act, a business does not sell personal information if the business, pursuant to a written contract, shares, discloses, or otherwise communicates to another business or third party a unique identifier only to the extent necessary to serve or audit a specific advertisement to the consumer.

CONNECTICUT (Regular session adjourned)

CT HB 5333

Failed

Prohibits retailers from using facial recognition software for marketing purposes, protects the privacy of retail customers.

CT HB 6041

Failed

Concerns social media sites; protects a consumer from having his or her personal contacts accessed by a social media site in order to generate unsolicited marketing to the consumer's contact

CT HB 6544

Failed

Prohibits consumer genetic testing companies from sharing genetic data with health or life insurance companies, relates to naturopathy, provides definitions, makes technical corrections.

CT HB 6601

Failed

Concerns data privacy and minors, requires Internet social media platforms to remove content created by individuals under the age of eighteen at such individuals request, prohibits such platforms and Internet web sites that primarily engage minors from advertising products or services that are illegal for minors to purchase, and if such advertising is targeted toward a minor based on personal information collected regarding such minor.

CT SB 6

Failed

Requires Internet service providers to register and pay registration fees and require the Public Utilities Regulatory Authority to apply net neutrality principles to Internet service providers and enforce such principles with civil penalties and to prohibit certain telecommunications companies, certified telecommunications providers, certified competitive video service providers and Internet service providers from collecting personal information.

CT SB 432

Failed

Expands unfair trade practices to include sale of a customer's global positioning system (GPS) location by mobile phone providers, protects the privacy of mobile telephone users.

CT SB 1108

Enacted, Chap. 19-24

Establishes a task force to examine what information businesses in the state should be required to disclose to consumers concerning consumers' personal information that is retained or sold by such businesses; provides for the membership of the task force.

FLORIDA (Regular session adjourned)

FL HB 1153

Failed

Relates to biometric information privacy, provides a short title, provides definitions, establishes requirements and restrictions on private entities as to the use, collection, and maintenance of biometric identifiers and biometric information, creates a private cause of action for relief for violations of the act, provides for construction.

FL SB 1270

Failed

Relates to biometric information privacy, provides a short title, provides definitions, establishes requirements and restrictions on private entities as to the use, collection, and maintenance of biometric identifiers and biometric information, creates a private cause of action for relief for violations of the act, provides for construction.

HAWAII  (Regular session adjourned)

HI HB 761

Pending—Carryover

Specifies that retailers may provide proof of purchase in electronic form to a member of a frequent shopper program, requires retailers who offer electronic proof of purchase to have reasonable safeguards to protect members' personal information.

HI HCR 225

Adopted

Convenes a task force to examine and recommend laws and regulations to update privacy law.

HI HR 200

Failed—Adjourned

Convenes a task force to examine and recommend laws and regulations to update privacy law.

HI SB 418

Pending—Carryover

Requires a business to disclose the categories and specific pieces of identifying information collected about a consumer upon verifiable request from the consumer, discloses the identity of third parties to which the business has sold or transferred identifying information about a consumer upon verifiable request from the consumer.

HI HB 702

Vetoed by Governor

Prohibits the sale or offering for sale of location data collected using satellite navigation technology without the explicit consent of the individual who is the primary user of the satellite navigation technology equipped device.

HI SB 1534

Pending—Carryover

Requires an event operator to disclose the number of tickets available for sale to the general public for an event, prohibits a place of entertainment that is funded by donations, public funds, or is tax exempt from entering into exclusive ticketing contracts, prohibits ticket sellers from disclosing ticket purchasers' personally identifiable information.

ILLINOIS

IL HB 1426

Pending

Amends the Citizen Privacy Protection Act, makes a technical change in a section concerning the short title.

IL HB 2189

Enacted

Amends the Genetic Information Privacy Act, Provides that "genetic testing" includes direct-to-consumer commercial genetic testing, provides that a company providing direct-to-consumer commercial genetic testing is prohibited from sharing any genetic test information or other personally identifiable information about a consumer with any health or life insurance company without written consent from the consumer.

IL HB 2736

Pending

Creates the Right to Know Act, provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices.

IL HB 2785

Pending

Creates the Geolocation Privacy Protection Act, defines geolocation information, location-based application, private entity, and user, provides that a private entity may not collect, use, store, or disclose geolocation information from a location-based application on a user's device unless the private entity first receives the person's affirmative express consent after complying with specified notice requirements, provides exceptions, provides that a violation of the act constitutes an unlawful practice.

IL HB 2871

Pending

Creates the Data Broker Registration Act, requires a data broker to annually register with the secretary of state, defines data broker as a business or unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

IL HB 3051

Pending

Creates the App Privacy Protection Act, requires an entity that owns, controls, or operates a web site, online service or software application to identify in its customer agreements or applicable terms whether third parties collect electronic information directly from the digital devices of individuals in who use or visit its web site, online service or software application, requires the disclosure of the names of those third parties and the categories of information collected.

IL HB 3130

Pending

Amends the Genetic Information Privacy Act, includes direct to consumer commercial genetic testing in the definition of genetic testing.

IL HB 3357

Pending

Creates the Data Privacy Act, provides only a short title.

IL HB 3358

Pending

Creates the Data Transparency and Privacy Act, finds that individuals have a right to privacy and a personal property interest in information pertaining to the individual, provides that an entity that collects through the Internet personal information about individual consumers must make disclosures to the individual regarding the collection of the information, establishes that a consumer has a right to opt out of the sale of the consumer's information, creates certain exemptions.

IL SB 413

Pending

Amends the Citizen Privacy Protection Act, makes a technical change in a section concerning the short title.

IL SB 907

Pending

Amends the Citizen Privacy Protection Act, makes a technical change in a section concerning the short title.

IL SB 2134

Pending

Amends the Biometric Information Privacy Act, deletes language creating a private right of action, provides instead that any violation that results from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes is subject to the enforcement authority of the Department of Labor, provides that an employee or former employee may file a complaint with the Department alleging a violation.

IL SB 2149

Pending

Creates the Right to Know Data Transparency and Privacy Act, provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices, requires an operator to make available certain specified information upon disclosing.

IL SB 2263

Pending

Creates the Data Privacy Act; provides for the regulation of the use and sale of data; defines terms; establishes consumer rights to copies of information held by persons who control and process data; provides for the correction of inaccurate data; provides for restrictions on the use of personal data; provides for the enforcement of the Act by the Attorney General; provides civil penalties; preempts home rule.

KENTUCKY (Regular session adjourned)

KY SB 240

Failed—Adjourned

Creates a new felony of disseminating personally identifying information on the internet about a minor.

KY SB 243

Failed—Adjourned

Creates a new section of KRS.B. Chapter 365 prohibiting telecommunications companies from disclosing or transmitting to a third party any location data derived from a cellular phone without the consent of the customer.

LOUISIANA   (Regular session adjourned)

LA HB 465

Failed

Creates the Internet and Social Media Data Privacy and Protection Act to protect consumer's private confidential information that is obtained by internet, broadband, and social media companies.

LA HR 249

Adopted

Requests the Louisiana Public Service Commission to establish a task force to study the effects of the sale of consumer personal information by an internet access service provider, social media company, or search engine.

MAINE  (Regular session adjourned)
LR 1673 Failed--adjourned Enhances online privacy and protection
ME SB 275 Enacted Prohibits a provider of broadband Internet access service from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents to such, provides other exceptions under which a provider may use, disclose, sell, or permit access to customer personal information, prohibits a provider from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount. 
MASSACHUSETTS    

MA HB 349

Pending

Regulates advertising on the internet.

MA HB 350

Pending

Relates to the online collection of personal information from children and minors.

MA HB 382

Pending

Relates to the collection, use, disclosure or dissemination of personal information from customers of telecommunications or internet service providers.

MA HB 1403

Pending

Relates to the online privacy of minors.

MA SB 120

Pending

Relates to consumer data privacy.

MA SB 1936

Pending

Promotes net neutrality and consumer protection. Provides customers with a mechanism to easily opt-out of third-party access to customer proprietary information for purposes other than the provision of broadband internet access service from which that customer proprietary information was derived.

MARYLAND (Regular session adjourned)

MD HB 141

Failed—Adjourned

Specifies the circumstances under which a broadband internet access service provider may handle certain customer personal information, establishes a mechanism through which a broadband Internet access service provider may obtain customer consent to have certain personal information handled in a certain manner.

MD HB 901

Failed—Adjourned

Requires certain businesses that collect a consumer's personal information to provide certain notices to the consumer at or before the point of collection, authorizes a consumer to submit a certain request for information to a certain business that collects the consumer's personal information, requires a certain business to comply with a certain request for information in a certain manner and within 45 days after receiving a verifiable consumer request.

MD SB 490

Failed

Prohibits a person from using a scanning device to scan or swipe an identification card or a driver's license of an individual to obtain the personal information of the individual, prohibits a person from retaining, selling, or transferring to another person any information collected from scanning or swiping an individual's identification card or driver's license under certain circumstances, provides that a violation of the act constitutes an unfair or deceptive trade practice under the State Consumer.

MD SB 613

Failed—Adjourned

Requires certain businesses that collect a consumer's personal information to provide certain notices to the consumer at or before the point of collection, authorizes a consumer to submit a certain request for information to a certain business that collects the consumer's personal information, requires a certain business to comply with a certain request for information in a certain manner and within 45 days after receiving a verifiable consumer request.

MINNESOTA  (Regular session adjourned)

MN HB 1030

Pending-carryover

Relates to telecommunications and data privacy, prohibits the collection of personal information absent a customer's express written approval.

MN HB 2917

Pending-carryover

Relates to data privacy; requires controllers to provide, correct, or restrict processing of personal data upon a consumer's request; requires controllers to provide a privacy notice and document risk assessment; provides for liability and civil penalties; provides the attorney general with enforcement authority.

MN SB 433

Pending-carryover

Relates to telecommunications, data privacy, prohibits collection of personal information absent customers express written approval.

MN SB 1553

Pending-carryover

Relates to commerce, requires telecommunications service providers to comply with Internet privacy requirements, defines terms and modifying definitions, requires express approval of disclosure of personally identifiable information, increases civil liability threshold.

MN SB 2912

Pending-carryover

Relates to data privacy; requires controllers to provide, correct, or restrict processing of personal data upon a consumer's request; requires controllers to provide a privacy notice and document risk assessment; provides for liability and civil penalties; provides the attorney general with enforcement authority.

MISSISSIPPI (Regular session adjourned)

MS HB 1253

Failed

Creates the Mississippi Consumer Privacy Act, authorizes a consumer to request that a business disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

MONTANA (Regular session adjourned)

MT D 1243

Failed

Restricts companies from selling data without the express consent of user, relates to privacy.

MT D 1531

Failed—Adjourned

Revises privacy laws, relates to privacy.

MT D 2086

Failed

Enhances online personal privacy and information protection, relates to information technology, relates to privacy.

MT D 2087

Failed

Establishes online personal information protection act, relates to information technology, relates to privacy.

MT D 2850

Failed

Revises laws to protect privacy on the internet, relates to information technology, relates to privacy.

MT HB 457

Failed—Adjourned

Protects the privacy of internet access service customers, requires prior affirmative consent before an internet access service provider may use a customer's personal information, provides definitions and exceptions, provides for enforcement and penalties, authorizes rulemaking.

MT HB 645

Failed

Establishes the Montana Biometric Information Privacy Act; prohibits a private entity from collecting, storing, and using a person's biometric identifier without the person's consent; establishes procedures and requirements for the sale, disclosure, protection, and disposal of biometric identifiers; provides exemptions; provides definitions; allows the Attorney General to enforce the provisions of the act; relates to consumer protection; relates to privacy; relates to state revenue.

NORTH DAKOTA (Regular session adjourned)

ND HB 1485

Enacted

Provides for a legislative management study of consumer personal data disclosures.

ND HB 1524

Failed

Relates to the regulation of data brokers, provides a penalty.

NEVADA  (Regular session adjourned)

NV SB 220

Enacted, Chap. 211

Revises provisions relating to Internet privacy.

NEW HAMPSHIRE (Regular session adjourned)

   

NH H 536

Pending

Prohibits businesses from using, disclosing, or retaining biometric information about an individual.

NEW JERSEY

NJ AB 206

Pending

Requires commercial Internet website and online service operators to notify customers of collection and disclosure of personally identifiable information to third parties.

NJ AB 1527

Pending

Requires internet service providers to keep confidential and prohibit any disclosure, sale, or unauthorized access to subscriber's personally identifiable information unless subscriber authorizes Internet service provider in writing to disclose information.

NJ AB 1927

Pending

Requires Internet service providers to keep confidential subscriber's personally identifiable information unless subscriber authorizes Internet service provider in writing or email to disclose information, prohibits subscriber penalty.

NJ AB 2163

Pending

Enacts the Reader Privacy Act, provides definitions.

NJ AB 2232

Pending

Prohibits television voice recognition features from collecting or recording users without notice, prohibits the use or sale of recordings for advertising purposes.

NJ AB 2958

Pending

Directs Board of Public Utilities to undertake public awareness campaign concerning telecommunications carriers, including mobile and Voice over Internet Protocol service providers, and disclosure of customer information.

NJ AB 3711

Pending

Requires internet service providers to keep confidential subscriber's personally identifiable information unless subscriber authorizes Internet service provider in writing to disclose information.

NJ AB 4640

Pending

Requires certain businesses to notify data subjects of the collection of personally identifiable information and establishes certain security standards.

NJ AB 4902

Pending

Requires commercial Internet websites and online services to notify customers of the collection and disclosure of personally identifiable information and allow customers to opt out.

NJ AB 5259

Pending

Prohibits commercial mobile service providers from disclosing a customer's global positioning system data to third parties.

NJ SB 1175

Pending

Establishes the Reader Privacy Act.

NJ SB 2641

Pending

Requires Internet service providers to keep confidential and prohibit any disclosure, sale, or unauthorized access to subscriber's personally identifiable information unless subscriber authorizes Internet service provider in writing to disclose information.

NJ SB 2834

Pending

Requires commercial Internet websites and online services to notify customers of collection and disclosure of personally identifiable information and allows customers to opt out.

NJ SB 3732

Pending

Prohibits commercial mobile service providers from disclosing customer's global positioning system data to third parties.

NEW MEXICO (Regular session adjourned)

NM SB 176

Failed—Adjourned

Relates to consumer protection, enacts the consumer information privacy act, provides definitions, establishes consumer rights, establishes obligations for businesses that collect or use personal consumer information, provides for promulgation of rules, establishes civil causes of action, provides penalties, establishes the consumer privacy fund, provides for distributions.

NEW YORK

NY AB 235

Pending

Relates to prohibiting private entities from using biometric data for any advertising, detailing, marketing, promotion, or any other activity that is intended to be used to influence business volume, sales or market share or to evaluate the effectiveness of marketing practices or marketing personnel.

NY AB 1911

Pending

Establishes the biometric privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.

NY AB 2420

Pending

Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.

NY AB 2775

Pending

Prohibits any person from disclosing health care information or personal information to a person who engages in the business of accessing and compiling information for commercial purposes or whose use of such information will be in connection with the marketing of a product or service without the explicit written authorization of the data subject.

NY AB 3308

Pending

Regulates the collection, disclosure and dissemination of personal information acquired by a provider of online computer services in order to ensure the privacy of subscriber information and wage patterns.

NY AB 3612

Pending

Requires internet service providers to provide customers with a copy of their privacy policy and to obtain written and explicit permission from a customer prior to sharing, using, selling or providing to a third party any sensitive information of such customer.

NY AB 3739

Pending

Amends the General Business Law, restricts the disclosure of personal information by businesses.

NY AB 3818

Pending

Relates to establishing the Online Consumer Protection Act, defines terms, provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities, makes related provisions.

NY AB 5306

Pending

Relates to the use of voice recognition feature on certain products.

NY AB 6351

Pending

Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

NY AB 7736

Pending

Establishes the "It's Your Data Act" for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information.

NY AB 8402

Pending

Enacts the facial recognition technology study act to study privacy concerns and potential regulatory approaches to the development of facial recognition technology.

NY AB 8113

Pending

Requires manufacturers of smart speakers to obtain signed written permission from users before storing voice recordings.

NY SB 224

Pending

Amends the General Business Law, restricts the disclosure of personal information by businesses.

NY SB 518

Pending

Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.

NY SB 1180

Pending

Prohibits internet service providers from disclosing personally identifiable information where a consumer requests that his or her information not be disseminated, defines terms, makes exceptions, imposes a civil penalty.

NY SB 1203 Pending Establishes the biometric privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.

NY SB 1204

Pending

Relates to the use of voice recognition feature on certain products.

NY SB 1464

Pending

Requires that internet service provider requirements keep all customer information confidential unless written consent is provided by the customer.

NY SB 2323

Pending

Relates to establishing the online consumer protection act, defines terms, provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities, makes related provisions.

NY SB 2500

Pending

Relates to prohibiting private entities from using biometric data for any advertising, detailing, marketing, promotion, or any other activity that is intended to be used to influence business volume, sales or market share or to evaluate the effectiveness of marketing practices or marketing personnel.

NY SB 3147

Pending

Requires retailers to post warning signs of the tracking of customers through cell phones or other electronic devices; provides for civil penalties.

NY SB 4411

Pending

Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

NY SB 5245

Pending

Relates to the sale of personal information by an internet service provider.

NY SB 5642

Pending

Enacts the NY Privacy Act to require companies to disclose their methods of deidentifying personal information, to place special safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information is shared, creates a special account to fund a new Office of Privacy and Data Protection.

PENNSYLVANIA

PA HB 246

Pending

Regulates electronic mail solicitations, protects privacy of Internet consumers, regulates use of data about Internet users, prescribes penalties.

PA HB 1049

Pending

Provides for consumer data privacy, provides for rights of consumers and duties of businesses relating to the collection of personal information and for duties of the attorney general.

RHODE ISLAND

RI HB 5480

Pending

Establishes that manufacturers of devices capable of connecting to the Internet equip the devices with reasonable security features.

RI HB 5930

Pending

Creates the Consumer Privacy Protection Act, requires businesses that collect, maintain or sell personal information to notify consumers and would disclose the information and the businesses' use of the information, provides that consumers may opt out and have personal information deleted.

RI HB 5945

Pending

Prohibits the collection and retention of biometric identifiers without consent of the person whose information is collected, provides that exceptions would be law enforcement, government use, research, and government security clearance related projects.

RI HB 6135

Pending

Reinstates the life and extends the reporting and expiration dates of the Special Legislative Commission known as the Online Data Transparency and Privacy Protection Commission

RI SB 234

Pending

Creates the Consumer Privacy Protection Act, requires businesses that collect, maintain, or sell personal information to notify consumers, disclose the information and disclose the businesses' use of the information, provides that consumers may opt out and have personal information deleted.

RI SB 537

Pending

Establishes that manufacturers of devices capable of connecting to the Internet equip the devices with reasonable security features.

SOUTH CAROLINA    

SC HB 3339

Pending

Provides that a telecommunications or internet service provider that has entered into a franchise agreement, right of way agreement, or other contract with the state of South Carolina or one of its political subdivisions, or that uses facilities that are subject to those agreements, even if it is not a party to the agreement, may not collect personal information from a customer resulting from the customer's use of the telecommunications.

SC HB 3701

Pending

Enacts the state Cellular Data Privacy Protection Act, defines relevant terms, prohibits a mobile telecommunications provider from selling a customer's personal data to a third party, imposes a penalty, authorizes the attorney general to investigate and enforce alleged violations of this act.

TEXAS (Regular session adjourned)

TX HB 2282

Failed

Relates to the applicability of certain limitations on the capture and use of biometric identifiers to financial institutions.

TX HB 4390

Enacted

Creates the Texas Privacy Protection Advisory Council. Revises provisions relating to security breaches.

TX HB 4518

Failed--adjourned

Relates to the privacy of a consumer's personal information collected by certain businesses, imposes a civil penalty.

UTAH (Regular session adjourned)    

H.B. 490

Failed

Prohibits a broadband Internet access service provider from using, disclosing, selling, or permitting access to a customer's personal information except under certain circumstances; places requirements on broadband Internet access service providers related to providing notice to customers related to the use of customer personal information, maintaining measures to protect customer personal information, and enacts other provisions.

VERMONT  (Regular session adjourned)

VT HB 157

Pending-carryover

Relates to adopting minimum security standards and privacy policies for connected devices.

VT PR 3

Pending-carryover

Amends the Constitution of the State of Vermont specifically to provide that each individual has a right to privacy.

WASHINGTON (Regular session adjourned)

WA HB 1503 Pending-carryover Concerns data sales and governance.

WA HB 1854

Pending-carryover

Protects consumer data.

WA HB 2046

Pending-carryover

Increases consumer data transparency.

WA SB 5376

Pending-carryover

Protects consumer data.

WA SB 5377 Pending-carryover Concerns data sales and governance.

PUERTO RICO

PR HB 300

Pending-carryover

Creates the Law for the Protection of the privacy of our children and young people for the purpose of prohibiting any operator, employee, or agent of an Internet site classified as a Social Network, as here defined, and that can publish personal information from users under the age of residents in Puerto Rico beyond the name and city of residence without the express consent of the father or mother with the power of paternal authority.

PR SB 1231

Pending

Creates the Law for the Protection of Digital Privacy in order to protect the personal information of consumers and guarantee the right to privacy in the digital era.

 

State Net logo

LexisNexis Terms and Conditions

 

Additional Resources