The NCSL Blog


By Pam Greenberg

Consumer data privacy legislation was introduced or considered in more than half the states in 2019, a substantial increase compared to previous years. (That doesn’t include other types of related legislation, such as security breach notification and cybersecurity bills.)

So far this year, two states, Nevada and Maine, have followed in California’s 2018 footsteps by passing new privacy protections for consumers. At the same time, companies are struggling to meet the requirements of the California law.

California Works to Clarify CCPA

In California alone this year, 23 bills relating to consumer data privacy were introduced; most of them aimed at amending the state’s sweeping Consumer Privacy Act of 2018 (CCPA) (already amended last fall). The CCPA will become effective Jan. 1, 2020.

The CCPA gives California consumers the right to know about the categories of personal information that a business collects, sells or discloses about them and the right to opt out of the sale of personal information to third parties, among other provisions.

Many of the pending California bills would clarify or limit the scope of the CCPA, and a few would expand it. For example, one bill would exempt employers from requirements of the CCPA and another would broaden the private right of action to allow lawsuits for any violation of the law, not just data breaches.

Nevada, Maine Carve New Paths on Privacy 

Most of the states with privacy legislation ended their sessions this year without enacting broad consumer privacy legislation. Several have passed or sent to the governor bills that would create task forces or studies on the issue, including Connecticut, Hawaii, Louisiana, North Dakota and Texas.

Nevada and Maine, however, enacted consumer privacy protections similar to California’s, but also broke new ground with their legislation this year.

Nevada’s new law, effective Oct. 1 this year, adds to its existing law requiring websites and online services to post a privacy notice. Now, operators of Internet websites and online services will be prohibited from selling personal data if Nevada consumers request it not be sold. And although the law has some similarities to the CCPA, the Nevada law varies in several ways and is more limited. For example, it does not provide for a private right of action against operators.

Maine enacted legislation that prohibits broadband internet service providers from using, disclosing, selling, or permitting access to customer personal information unless the customer expressly consents (i.e., opts-in, instead of opting out, as in California), with some exceptions. It also prohibits a provider from refusing to serve a customer, charging a customer a penalty, or offering a customer a discount if the customer has not opted in.

The law is to go into effect July 1, 2020, but opponents of the law, called the strictest in the nation, say it may be in conflict with federal law and will be the subject of legal action.

Bills are still pending in California and other states, including in Massachusetts, New Jersey and New York.

Meanwhile, as states lead the way in privacy, federal data privacy action remains uncertain.

Find more information about consumer data privacy legislation and state internet privacy laws on the NCSL website.

Pam Greenberg tracks privacy, cybersecurity and other technology issues for NCSL.

Posted in: Technology
Actions: E-mail | Permalink |

Subscribe to the NCSL Blog

Click on the RSS feed at left to add the NCSL Blog to your favorite RSS reader. 

About the NCSL Blog

This blog offers updates on the National Conference of State Legislatures' research and training, the latest on federalism and the state legislative institution, and posts about state legislators and legislative staff. The blog is edited by NCSL staff and written primarily by NCSL's experts on public policy and the state legislative institution.