2021 Consumer Data Privacy Legislation

9/17/2021

digital security image

Introduction

States have long been involved in passing privacy-related laws directed at specific sectors or services, and several states have constitutional  privacy provisions that give citizens greater privacy protections than the U.S. Constitution. In recent years, however, information privacy has gained momentum as a significant issue in state legislatures.

Online commerce sites, social media, and mobile devices and apps are becoming an integral part of consumers’ lives. They improve consumer access to information and make shopping and purchases faster and easier. Smart speakers, intelligent personal assistants and other connected devices extend computer networks to everyday items.

These applications and devices have the capability to collect and share personal information to an extent not possible previously, and sometimes in ways that are not apparent to consumers. Concerns about privacy are heightened with frequent breaches, cyberattacks and unauthorized online sharing of personal information.

Not surprisingly, legislatures are focused increasingly on online privacy, and several states have enacted laws to require online privacy policies and notices or to give increased protections to children's online privacy, among other initiatives. Legislatures also are looking into third party sales of information, requiring information brokers to register with the state or to disclose specified information to consumers.

More recently, however, an increasing number of state legislatures have been considering a more comprehensive approach to privacy regulation. The California Consumer Privacy Act (CCPA), passed in 2018, and the California Privacy Rights and Enforcement Act (CPRA) passed by California voters in Nov. 2020 (California Proposition 24), were likely among the factors prompting an increase in state privacy bills. The CCPA is one of the broadest online privacy laws in the U.S., affecting companies across the country that do business with California residents. Since the passage of the CCPA, an increasing number of states are introducing similar comprehensive privacy legislation, as well as other more narrowly-tailored consumer privacy legislation. Below are summaries of legislation considered and enacted in 2021. Legislation related to data breaches and some additional types of privacy laws and legislation are covered separately in other NCSL resources

2021 Overview

At least 38 states introduced more than160 consumer privacy related bills in 2021 (compared to 30 states in 2020 and 25 in 2019). Comprehensive privacy legislation was the most common type of bill, introduced in at least 25 states. Comprehensive legislative is defined here as similar to the CCPA, i.e., broadly regulating the collection, use and disclosure of personal information and providing an express set of consumer rights with regard to collected data, such as the right to access, correct and delete personal information collected by businesses. 

The legislation listed below covers the regulation of privacy practices of commercial entities, online services or commercial websites, including bills related to online privacy, collection of consumers' biometric or genetic data, ISP and information broker regulation and other miscellaneous consumer privacy issues.

Trends and Enactments

Overall, at least 17 states enacted consumer data privacy bills in 2021. As noted previously, comprehensive privacy legislation was introduced in at least 25 states, and two states, Colorado and Virginia, followed in California's footsteps by enacting similar comprehensive consumer data privacy legislation, though each varies in certain provisions, such as exemptions, opt out rights and other aspects. 

Legislation aimed at information brokers was introduced in 11 states. California, Nevada and Vermont had previously enacted laws, and Nevada in 2021 enacted legislation expanding its law, but no other bills passed.

Another area of active legislation relates to commercial entities that use facial recognition tools or that collect biometrics from consumers. Legislation to regulate biometrics was introduced in 24 states, but again, no bills passed.

Although only six states introduced legislation aimed at protecting consumer genetic information this year, all six bills passed. Direct-to-consumer genetic testing is becoming widely available, but some consumers have raised concerns about whether test results could be used or shared in unanticipated ways. Some of the common provisions in these bills include requiring notice about a company’s policies and procedures for using and disclosing genetic data and obtaining a consumer’s consent before collecting or transferring genetic data, or using the data in ways other than the primary purpose for which it was collected. 

A complete list of 2021 consumer data privacy legislation follows. Use CTRL-F to search for categories; use the search box to find states. An explanation of the categories of consumer privacy bills in 2021 are described here

State

Bill | Status

Summary

Category

Alabama

AL H.B. 216

Failed - Adjourned

Relates to consumer protection, creates the Alabama Consumer Privacy Act, allows a consumer to request a business to disclose personal information it collects about the consumer and to require a business to make those disclosures under certain conditions, allows a consumer to request deletion of certain personal information, requires a business to delete certain personal information under certain conditions, allows a consumer to request a business to disclose the sale of certain personal information.

Comprehensive

Alaska

AK H.B. 159

Pending - Carryover

Establishes the Consumer Data Privacy Act, establishes data broker registration requirements, makes a violation of the Consumer Data Privacy Act an unfair or deceptive trade practice.

Comprehensive, Information Brokers

AK S.B. 116

Pending - Carryover

Establishes the Consumer Data Privacy Act, establishes data broker registration requirements, makes a violation of the Consumer Data Privacy Act an unfair or deceptive trade practice.

Comprehensive, Information Brokers

Arizona

AZ H.B. 2069

Enacted

Relates to genetic testing, provides list of requirements, relates to data, requires a valid legal process for disclosing genetic data to law enforcement.

Consumer Genetic Privacy

AZ H.B. 2865

Failed - Adjourned

Relates to personal data, relates to processing, relates to security standards.

Comprehensive, Information Brokers

Arkansas

AR H.B. 1514

Enacted

Provides that a data company shall not sell, disclose, or otherwise use data from a public entity for any purpose other than storage services or software services without express authorization from the public entity unless the data is considered open; or released in the public domain by the public entity.

Other Consumer Privacy

California

CA A.B. 825

To Governor

Specifies that personal information includes genetic information, and would define genetic data to mean any data, regardless of its format, that results from the analysis of a biological sample of an individual, or other source, and concerns genetic material, as specified.

Consumer Genetic Privacy

CA A.B. 1262

Pending

Relates to existing law which prohibits a person or entity from providing the operation of a voice recognition feature of a connected television within the state without prominently informing the specified user of the connected television during the initial setup or installation. Includes smart speaker devices within the scope of those provisions. Prohibits any actual recordings or transcriptions collected or retained through the operation of a voice recognition feature by the manufacturer.

Biometrics, Connected Devices

CA A.B. 1490

Pending

Requires appointments to the board which governs the California Privacy Protection Agency to be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.

Studies, Task Forces, Comms.

CA S.B. 41

To Governor

Establishes the Genetic Information Privacy Act, which would require a direct-to-consumer genetic testing company to provide a consumer with certain information regarding the company's Notice/Policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data.

Consumer Genetic Privacy

CA S.B. 346

Pending

Requires a manufacturer of a new motor vehicle that is equipped with one or more in-vehicle cameras to disclose that fact. Prohibits a person or entity from providing for the sale or lease of a new motor vehicle with one or more in-vehicle cameras in this state without prominently informing the user or the person designated by the user to purchase the vehicle.

Other Consumer Privacy

CA S.B. 746

Pending

Grants a consumer the right to request that a business disclose to the consumer whether or not the business uses personal information collected about the consumer for a political purpose. Requires a business that collects and uses such information to disclose specified information upon receipt of a request from the consumer. Requires a business with gross revenue exceeding a certain amount that does not engage in such activities to submit a certain statement to the State Privacy Protection Agency.

Other Consumer Privacy

Colorado

CO H.B. 1244

Failed - Adjourned

Concerns restrictions on the collection and use of biometric information.

Biometrics|Facial Recognition

CO S.B. 190

Enacted

Concerns additional protection of data relating to personal privacy.

Comprehensive

Connecticut

CT H.B. 5044

Failed

Concerns children and digital privacy, prohibits the collection and commercial use of certain digital information concerning minors.

Children’s Online Privacy

CT H.B. 5661

Failed

Protects the rights of consumer commercial data. Provides that consumers be notified and given the opportunity to grant knowing consent prior to the sale or use for commercial purposes of such consumers' data when collected by an entity engaged in Internet commerce.

Other Consumer Privacy

CT H.B. 6169

Failed

Establishes a task force to study the state's data privacy laws.

Studies, Task Forces, Comms.

CT S.B. 156

Failed

Concerns consumer privacy, protects consumer data privacy from unwanted sale and dissemination. Provides that businesses must disclose the proposed use of any personal information, (2) give consumers the right to discover what personal information such business possesses and to opt out of the sale of such information, and (3) create a cause of action and penalties for violations of such requirements.

Other Consumer Privacy

CT S.B. 893

Failed - Adjourned

Concerns consumer privacy, establishes a framework for controlling and processing personal data, to establish responsibilities and privacy protection standards for data controllers and processors, grants consumers the right to access, correct, delete and obtain a copy of personal data and to opt out of the processing of personal data for the purposes of targeted advertising.

Comprehensive

Delaware

DE H.B. 262

Pending - Carryover

Provide consumers with critical information about how their personal information is being used by Third-Party Sale of Data, requires Third-Party Sale of Data to register with the Consumer Protection Unit of the Department of Justice and answer questions regarding their use of personal information that would be published online to inform consumers.

Information Brokers

Florida

FL H.B. 969

Failed

Relates to consumer data privacy, requires certain businesses to provide notice to consumers about data collection and selling practices, provides consumers right to request that certain data be disclosed, deleted, or corrected and to opt-in or opt-out of sale or sharing of such data, provides nondiscrimination measures, methods for requesting data and opting-in or opting-out of sale or sharing of such data, exemptions, applicability, contracts, and private cause of action.

Comprehensive

FL S.B. 1734

Failed

Relates to consumer data privacy, cites this act as the State Privacy Protection Act, provides that consumers have the right to direct certain businesses not to sell their personal information, prohibits businesses from selling the personal information of consumers younger than a specified age without express authorization from the consumer or the consumers parent or guardian under certain circumstances.

Comprehensive

Hawaii

HI S.B. 1009

Pending - Carryover

Amends the definition of "personal information" for the purpose of applying modern security breach of personal information law, prohibits the sale of geolocation information and internet browser information without consent, amends provisions relating to electronic eavesdropping law, prohibits certain manipulated images of individuals.

Website Privacy, Location Privacy

Illinois

IL H.B. 2404

Pending

Creates the Right to Know Act, provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices.

Website Privacy

IL H.B. 3453

Pending

Creates the Geolocation Privacy Protection Act, provides that a private entity that owns, operates, or controls a location-based application on a user's device may not disclose geolocation information from a location-based application to a third party unless the private entity first receives the user's affirmative express consent after providing a specified notice to the user, sets forth the purposes for which disclosure may be made, provides that a violation of the act constitutes an unlawful practice.

Location Privacy

IL H.B. 3785

Pending

Amends the Consumer Fraud and Deceptive Business Practices Act, provides that a business that Sells or shares a consumer's contact information to or with another must send written notice through the U.S. mail to the consumer whose information is being sold or shared and give the consumer the opportunity to opt out of the sale or sharing of the information after receiving the notice, provides that a business that fails to comply with those requirements commits an unlawful practice.

Information Brokers

IL H.B. 3910

Pending

Creates the Consumer Privacy Act, provides that a consumer has the right to request that a business that collects the consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected, requires a business to, at or before the point of collection, inform a consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.

Comprehensive

IL S.B. 485

Pending

Creates the Protecting Household Privacy Act, provides that a law enforcement agency shall not obtain household electronic data or direct the acquisition of household electronic data from a private third party, unless the law enforcement agency obtains a court order based upon probable cause, or the owner of the household electronic device consents to voluntarily provide the desired household electronic data.

Connected Devices

IL S.B. 731

Pending

Amends the Code of Civil Procedure, makes a technical change in the short title section. See amendments.

Information Brokers

IL S.B. 2080

Pending

Creates the Automatic Listening Exploitation Act, defines terms, provides that it is unlawful for a person who provides any smart service through a proprietary smart speaker to: store or make a recording or transcript of any speech or sound captured by a smart speaker or to use any storage or recording or transcript of any voice interaction by a user with the voice-user interface, or transmit such a recording or transcript to a third party, for any purpose, without obtaining express informed consent.

Connected Devices

IL S.B. 2082

Pending

Creates the Keep Internet Devices Safe Act, includes a statement of legislative intent and defines terms, provides that a private entity may turn on or enable, cause to be turned on or enabled, or otherwise use a digital device's microphone to listen for or collect information, including spoken words or other audible or inaudible sounds, if the private entity makes specified disclosures in its customer agreement or other incorporated addendum.

Connected Devices

Kentucky

KY H.B. 408

Failed - Adjourned

Defines business, collects, consumer, personal information, sale, and verified request, requires notices to be accessible to consumers, establishes notice requirements, establishes the ability to remedy a failure to comply, provides consumers the right to opt out via a verified request and the process of fulfilling the verified request, requires Web sites and online services to provide an opt-out notice to consumers and establishes the requirements for this notice.

Comprehensive

KY S.B. 96

Failed - Adjourned

Creates a Class A.B. misdemeanor for disseminating personally identifying information on the Internet about a minor, establishes increased criminal penalties for injury, death, and levels of monetary loss, creates a civil cause of action arising from violations, limits the liability of service providers.

Children’s Online Privacy

KY S.B. 190

Failed - Adjourned

Defines connected device, cookies, express consent, first-party operator, and third-party operator, prohibits first and third-party Web site operators from collecting, using, storing, or sharing the data obtained from a connected device without the Web site user's express consent, creates a penalty enforceable by the Attorney General.

Website Privacy, Connected Devices

KY S.B. 278

Failed - Adjourned

Defines terms, requires private entities to develop and comply with a retention and destruction schedule for biometric identifiers and information, prohibits private entities' collection, trade, and disclosure of biometric information with exception, creates a standard of care for private entities collecting biometric information, creates a civil cause of action for violations.

Biometrics|Facial Recognition

KY S.B. 280

Failed - Adjourned

Creates a cause of action for subcutaneous implantation of an identification device, restricts use of facial recognition technology and biometric identifiers, creates a cause of action for use of facial recognition technology or biometric identifiers, creates new section of KRS Chapter 455 to prohibit use of facial recognition technology as evidence.

Biometrics|Facial Recognition

Louisiana

LA SR 188

Adopted

Requests the Joint Legislative Committee on Technology and Cybersecurity to study the impacts of the buying, selling, and usage of consumer data transactions.

Studies, Task Forces, Comms.

Maine

ME H.B. 669

Pending - Carryover

Enacts the Data Collection Protection Act, creates the Maine Data Collection Protection Act, which prohibits data collectors from collecting and aggregating, selling or using specific types of public documents or information from those documents for the purpose of determining a consumer's eligibility for consumer credit, employment or residential housing.

Information Brokers

ME H.B. 1054 a

Failed

Proposes an amendment to the constitution of Maine to declare the natural, inherent and unalienable right of enjoying personal privacy.

Constitutional Amendment

ME H.B. 1133 a

Pending - Carryover

Proposes to amend the Constitution of Maine, creates a natural and inherent right to privacy in which a person's personal life and affairs are free from governmental and private intrusion and not diminished by a person's interaction with an Internet, communication or other electronic data service.

Constitutional Amendment

ME H.B. 1226 a

Failed

Creates a data broker registry and improve consumer protections, requires Third-Party Sale of Data, which are businesses that obtain and sell or license to 3rd parties or allow 3rd parties to access the personal information of a consumer with whom the business does not have a direct relationship, to register with the Secretary of State to protect a consumer's personal information through various security requirements.

Information Brokers

ME H.B. 1275 a

Failed

(Concept Draft) Protects the privacy of personal information of Maine residents, amends the law regarding privacy of personal information to protect the personal information of consumers.

Other Consumer Privacy

ME S.B. 535 a

Failed - Adjourned

Protects the private information of State residents, establishes the State Consumer Privacy Act, applies to the collection and sale of all personal information collected by a business from consumers, provides that the new act covers internet service providers, entities on equal footing, allowing consumers to opt out of the sale of personal information.

Comprehensive, Information Brokers

Maryland

MD H.B. 218

Failed

Relates to consumer protection.

Biometrics|Facial Recognition

MD H.B. 240

Enacted

Relates to Forensic Genetic Genealogical.

Consumer Genetic Privacy

MD S.B. 16

Failed - Adjourned

Relates to biometric identifiers and biometric information privacy.

Biometrics|Facial Recognition

MD S.B. 187

Enacted

Relates to forensic genetic genealogical DNA Analysis.

Consumer Genetic Privacy

MD S.B. 930

Failed - Adjourned

Relates to Maryland Online Consumer Protection Act.

Comprehensive

Massachusetts

MA H.B. 136

Pending

Relates to data privacy.

Information Brokers, Facial Recognition

MA H.B. 142

Pending

Relates to consumer data privacy.

Comprehensive, Information Brokers

MA H.B. 521

Pending

Relates to the collection, use, disclosure or dissemination of personal information from customers of telecommunications or internet service providers.

ISP Privacy

MA H.B. 4029

Relates to algorithmic accountability and bias prevention in the protection of consumers.

Other Consumer Privacy

MA S.B. 46

Pending

Establishes the Massachusetts Information Privacy Act.

Comprehensive

MA S.B. 50

Pending

Relates to data security and privacy.

Information Brokers

MA S.B. 220

Pending

Protects personal biometric data.

Facial Recognition

Massachusetts

MA S.B. 2146

Pending

Promotes net neutrality and consumer protection.

ISP Privacy

Minnesota

MN H.B. 36

Pending - Carryover

Relates to consumer data privacy, gives various rights to consumers regarding personal data, places data transparency obligations on businesses, creates a private right of action, provides for enforcement by the attorney general.

Comprehensive

MN H.B. 421

Pending - Carryover

Relates to data privacy, requires consent before providers share audio or video data with third parties.

Website Privacy

MN H.B. 1492

Pending - Carryover

Relates to consumer data privacy, gives various rights to consumers regarding personal data, places obligations on certain businesses regarding consumer data, provides for enforcement by the attorney general.

Comprehensive

MN S.B. 1408

Pending - Carryover

Relates to consumer data privacy, gives various rights to consumers regarding personal data, places obligations on certain businesses regarding consumer data, provides for enforcement by the attorney general.

Comprehensive

Minnesota

MN H.B. 67 a

Failed - Adjourned

Relates to consumer data privacy, requires a consumer's consent prior to collecting personal information.

Other Consumer Privacy

Mississippi

MS S.B. 2612

Failed

Creates the Mississippi Consumer Data Privacy Act, authorizes consumers to request that businesses disclose certain information, authorizes consumers to request that businesses delete personal information collected by businesses, requires businesses to disclose certain information to consumers, to inform consumers of their right to request that personal information be deleted, and to delete personal information collected about consumers upon request.

Comprehensive

Montana

MT D 1070

Failed - Adjourned

Revises laws related to third party data privacy, relates to information technology.

Information Brokers

MT D 1252

Failed

Revises laws related to facial recognition technology, relates to information technology.

Facial Recognition

MT D 1312

Failed - Adjourned

Prohibits transfer or sale of consumer GPS data without permission, relates to privacy.

Location Privacy

MT D 1364

Failed

Enhances online personal privacy and information protection, relates to communications, relates to consumer protection, relates to privacy.

Other Consumer Privacy

MT D 2892

Failed - Adjourned

Revises privacy laws pertaining to genetic information, relates to privacy.

Consumer Genetic Privacy

MT H.B. 602

Enacted

Requires warrant for search of consumer DNA database, relates to evidence, relates to law enforcement, relates to privacy.

Consumer Genetic Privacy

MT S.B. 242

Failed - Adjourned

Prohibits the sale, share, or transfer of location data on satellite navigation technology-equipped devices, provides an opt-in option.

Location Privacy

Nevada

NV A.B. 323

Failed

Relates to Internet privacy, prohibits a data broker from making any sale of certain information collected about a consumer in this state if so directed by the consumer, revises provisions relating to the sale of certain information collected about a consumer in this state, revises the circumstances under which operators of certain Internet websites or online services are authorized to remedy a failure to comply with certain requirements relating to the collection and sale of certain information.

Information Brokers

NV S.B. 260

Enacted

Relates to Internet privacy, exempts certain persons and information collected about a consumer in this state from requirements imposed on operators, third-party sale of data and covered information, prohibits a data broker from making any sale of certain information collected about a consumer in this state if so directed by the consumer, revises provisions relating to the sale of certain information collected about a consumer in this state.

Information Brokers, Website Privacy

New Hampshire

NH H.B. 597

Pending

Establishes a cause of action for violations of an individual's expectation of privacy in personal information. Provides that an individual shall have an expectation of privacy in personal information, including content and usage, given or available to third-party providers of information and services, including cellular and land-line telephone, electric, water, and other utility services, Internet service providers, cable television providers, streaming services, social media providers, email service providers, banks and financial institutions, insurance companies, and credit card companies.  No municipal, county, state, or federal department, agency, employee, elected official, or contractor shall acquire, collect, retain, or use the personal information described in paragraph I, directly or indirectly, related to customers of third-party providers of information and services located in New Hampshire except pursuant to a warrant signed by a judge and based on probable cause or pursuant to a judicially-recognized exception to the warrant requirement.

Other Consumer Privacy, ISP Privacy

New Jersey

NJ A.B. 989

Pending

Requires the Attorney General to arrange for certain testing of facial recognition systems. The Attorney General must arrange for independent, third-party testing and auditing of the accuracy of the five most commonly available facial recognition systems by market share, under operational conditions. The testing and auditing is required to determine whether there is a statistically significant variation in the accuracy of the facial recognition systems on the basis of race, skin tone, ethnicity, gender, or age of the individuals portrayed in the images, whether or not those categories are applied individually or in combination.

Facial Recognition, Studies, Task Forces, Comms.

NJ A.B. 1181

Pending

Requires commercial Internet website and online service operators to conspicuously post their privacy policy.

Website Privacy

NJ A.B. 2188

Pending

Requires commercial Internet websites and online services to notify customers of the collection and disclosure of personally identifiable information and allow customers to opt out.

Website Privacy

NJ A.B. 2340

Pending

Prohibits commercial mobile service providers from disclosing customer's geolocation data to third parties.

Location Privacy

NJ A.B. 2390

Pending

Enacts the Reader Privacy Act.

Other Consumer Privacy

NJ A.B. 2489

Pending

Prohibits commercial mobile service providers and mobile application developers from disclosing customer's location data to third parties.

ISP Privacy, Location Privacy

NJ A.B. 3072

Pending

Concerns the Consumer Electronic Voice Recognition Information Act, prohibits operation of voice recognition feature on connected device before informing user of voice recognition feature during initial setup or installation of connected device.

Biometrics, Connected Devices

NJ A.B. 3255

Pending

Requires certain businesses to notify customers of certain information concerning the collection and sale of personally identifiable information and to allow customers to opt-in to collection and sale.

Comprehensive, Information Brokers

NJ A.B. 3283

Pending

Relates to state Disclosure and Accountability Transparency Act (DATA), establishes certain requirements for disclosure and processing of personally identifiable information, establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.

Comprehensive

NJ A.B. 3525

Pending

Requires consumer reporting agencies to increase protection of consumers' personal information.

Other Consumer Privacy

NJ A.B. 5448

Pending

Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.

Website Privacy

NJ S.B. 236

Failed

Requires commercial Internet websites and online services to notify customers of collection and disclosure of personally identifiable information and allows customers to opt out.

Website Privacy

NJ S.B. 269

Pending

Requires certain businesses to notify data subjects of collection of personally identifiable information, establishes certain security standards.

Comprehensive

NJ S.B. 1223

Pending

Prohibits retail sales establishment from storing certain magnetic-stripe data, requires reimbursement for costs incurred by financial institution due to breach of security.

Other Consumer Privacy

New Jersey

NJ S.B. 1257

Pending

Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information, allows consumers to opt out.

Website Privacy

NJ S.B. 1317

Pending

Requires consumer reporting agencies to increase protection of consumers' personal information.

Other Consumer Privacy

NJ S.B. 1657

Pending

Prohibits commercial mobile service providers and mobile application developers from disclosing customer's location data to third parties.

ISP Privacy

NJ S.B. 2040

Pending

Enacts the Reader Privacy Act.

Other Consumer Privacy

New York

NY A.B. 27

Pending

Establishes the biometric privacy act.

Biometrics|Facial Recognition

NY A.B. 400

Pending

Restricts the disclosure of personal information by businesses.

Information Brokers

NY A.B. 405

Pending

This act establishes provisions to allow consumers the ability to simply opt-out of being monitored on the internet. Such protections, akin to the do not call registry, are a fair, sensible and common-sense way to give consumers a clear choice with respect to being monitored.

Other Consumer Privacy

NY A.B. 589

Pending

Requires retailers to post warning signs of the tracking of customers through cell phones or other electronic devices, provides for civil penalties.

Other Consumer Privacy

NY A.B. 674

Pending

Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.

ISP Privacy

NY A.B. 680

Pending

Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the Names of all entities with whom their information is shared, creates a special account to fund a new office of privacy and data protection.

Comprehensive, Information Brokers

NY A.B. 706

Pending

Relates to the use of electronic or computerized entry systems and the information that may be gathered from such systems.

Facial Recognition|Biometrics

NY A.B. 733

Pending

Requires express and affirmative consent prior to collection, storage or transmittal of any personal information obtained from the installation or use of a smart home connected system by certain persons.

Connected Devices

NY A.B. 3586

Pending

Establishes the "It's Your Data Act" for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information.

Comprehensive

NY A.B. 3709

Pending

Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Comprehensive

NY A.B. 3759

Pending

Enacts the Facial Recognition Technology Study Act to study privacy concerns and potential regulatory approaches to the development of facial recognition technology.

Facial Recognition, Studies, Task Forces, Comms.

NY A.B. 3900

Pending

Establishes a commission to study the European Union's general protection data regulation and the current state of cybersecurity in the state.

Studies, Task Forces, Comms.

NY A.B. 4137

Pending

Requires manufacturers of smart speakers to obtain signed written permission from users before storing voice recordings.

Connected Devices

NY A.B. 4352

Pending

Prohibits the use of a facial recognition system by a landlord on any residential premises.

Biometrics|Facial Recognition

NY A.B. 6042

Pending

Enacts the "digital fairness act".

Comprehensive

NY S.B. 73

Pending

Prohibits the use of a facial recognition system by a landlord on any residential premises.

Biometrics|Facial Recognition

New York

NY S.B. 567

Pending

Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, includes the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Comprehensive

NY S.B. 1349

Pending

Restricts the disclosure of personal information by businesses.

Information Brokers

NY S.B. 1933

Pending

Establishes the biometric privacy act, requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.

Biometrics|Facial Recognition

NY S.B. 2505

Pending

Requires an entity to provide a clear and conspicuous link on the covered entity's internet homepages, titled "Do Not Sell or Share My Personal Information", to an internet web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer's personal information.  Provide a clear and conspicuous link on the covered entity's internet homepages, titled "Limit the Use and Collection of My Personal Information", that enables a consumer, or a person authorized by the consumer, to limit the collection, use or disclosure of the consumer's personal information to those uses authorized by subdivision three of this section. At the covered entity's discretion, utilize a single, clearly labeled link on the covered entity's internet homepages, in lieu of complying with subparagraphs (i) and (ii) of this paragraph, if that link easily allows a consumer to opt-out of the sale or sharing of the consumer's personal information and to limit the use, collection or disclosure of the consumer's information.

Other Consumer Privacy

NY S.B. 2886

Pending

Relates to Establishing the Online Consumer Protection Act, defines terms, provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities, makes related provisions.

Website Privacy

NY S.B. 3234

Pending

Enacts the Facial Recognition Technology Study Act to study privacy concerns and potential regulatory approaches to the development of facial recognition technology.

Facial Recognition, Studies, Task Forces, Comms.

NY S.B. 3885

Pending

Relates to the sale of personal information by an internet service provider.

ISP Privacy

NY S.B. 4021

Pending

Establishes the "It's Your Data Act" for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information.

Comprehensive

NY S.B. 4830

Pending

Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.

ISP Privacy

NY S.B. 4959

Pending

Creates an excise tax on the collection of consumer data by commercial data collectors.

Other Consumer Privacy

NY S.B. 5003

Pending

Provides that the inherent right of each person to personal privacy shall not be infringed.

Constitutional Amendment

NY S.B. 6463

Pending

Amends the multiple dwelling law and the multiple residence law in relation to the use of electronic or computerized entry systems and the information that may be gathered from such systems.

Biometrics|Facial Recognition

NY S.B. 6701

Pending

Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

Comprehensive, Information Brokers

NY S.B. 6727

Pending

Enacts the "Data Economy Labor Compensation and Accountability Act", establishes the Office of Consumer Data Protection for the purpose of properly safeguarding personal data, imposes a tax on data controllers and data processors required to register with such office.

Information Brokers

North Carolina

NC S.B. 569

Pending

Protects consumers by enacting the Consumer Privacy Act.

Comprehensive

North Dakota

ND H.B. 1330

Failed

Relates to prohibiting covered entities from selling users' protected data without consent, provides a penalty.

Comprehensive, Information Brokers

Ohio

OH H.B. 376

Pending

Enacts the Ohio Personal Privacy Act.

Comprehensive

Oklahoma

OK H.B. 1602

Pending - Carryover

Relates to privacy of computer data, enacts the Oklahoma Computer Data Privacy Act, defines terms, provides that this act applies to certain businesses that collect consumers' personal information, provides exemptions, prescribes compliance with other laws and legal proceedings, requires this act to be liberally construed to align its effects with other laws relating to privacy and protection of personal information.

Comprehensive, Information Brokers

Oregon

OR H.B. 2392

Failed

Imposes tax on privilege of engaging in business of selling personal information at retail in this state.

Other Consumer Privacy

OR H.B. 3284

Enacted

Prohibits a covered organization from collecting, using or disclosing personal health data about a resident individual who has not given affirmative express consent, unless in the context of an employment relationship, to comply with legal obligation, unless personal health data was lawfully available to the public, unless data was collected before an emergency period for reasons other than tracking, monitoring or tracing a resident's exposure to or infection by COVID 19, or if such data is deidentified.

Website Privacy

OR S.B. 310

Failed

Prohibits private entities from using face recognition technology in place of public accommodation.

Facial Recognition

Pennsylvania

PA H.B. 299

Pending

Requires cell phones and devices utilizing Internet protocol-enabled service to obtain authorization by end-use consumers prior to transmitting certain information.

ISP Privacy

PA H.B. 1126

Pending

Provides for consumer data privacy, for rights of consumers and duties of businesses relating to the collection of personal information and for duties of the Attorney General.

Comprehensive

Rhode Island

RI H.B. 5509

Pending

Prohibits the sale for profit of consumer generated internet data by a social media platform without the consent of and compensation paid to the consumer.

Other Consumer Privacy

RI H.B. 5959

Pending

Creates the Transparency and Privacy Protection Act, requires online service providers and commercial websites that collect, store and sell personally identifiable information to disclose what categories of personally identifiable information they collect and to what third parties they sell the information.

Website Privacy

RI H.B. 6043

Adopted

Reinstates the life and extend the reporting and expiration dates of the special legislative commission known as the Online Data Transparency and Privacy Protection Commission.

Studies, Task Forces, Comms.

South Carolina

SC H.B. 3014

Pending - Carryover

Enacts the State Data Privacy Protection Act, defines relevant terms, prohibits a mobile telecommunications provider from selling a customer's personal data to a third party, imposes a penalty, authorizes the attorney general to investigate and enforce alleged violations of this act.

ISP Privacy

SC H.B. 3063

Pending - Carryover

Enacts the South Carolina Biometric Data Privacy Act, provides certain requirements for a business that collects a consumer's biometric information, allows the consumer to request that a business delete the collected biometric information and to prohibit the sale of biometric information, establishes certain standards of care for a business that collects biometric information, establishes a procedure for a consumer to opt out of the sale of biometric information.

Biometrics|Facial Recognition

SC S.B. 510

Enacted

Relates to definitions for the regulation of motor vehicle manufacturers, distributors, and dealers, provides for how a franchisor, manufacturer, distributor, or a third party affiliate must handle consumer data, relates to specific acts deemed unfair methods of competition and unfair or deceptive acts or practices, offers promotions, service contracts, debt cancellation agreements, maintenance agreements, or other similar products, provides for additional violations.

Other Consumer Privacy

South Dakota

SD S.B. 178

Enacted

Prohibits certain insurers from using genetic information.

Consumer Genetic Privacy

Texas

TX H.B. 1743

Failed - Adjourned

Relates to the protection of personal information sold by a state agency to a contractor, authorizes a civil penalty.

Information Brokers

TX H.B. 3741

Failed - Adjourned

Relates to the personal identifying information collected, processed, or maintained by certain businesses, imposes a civil penalty.

Comprehensive

TX H.B. 3742

Failed - Adjourned

Relates to a prohibition on the use of genetic information gathered from direct-to-consumer genetic tests by a long-term care benefit plan issuer or a life insurance company.

Consumer Genetic Privacy

TX H.B. 4164

Failed - Adjourned

Relates to the authority of individuals over the personal identifying information collected, processed, or maintained about the individuals and certain others by certain businesses.

Other Consumer Privacy

TX S.B. 1952

Failed - Adjourned

Relates to the capture and use of an individual's biometric identifiers, specimen, or genetic information by a governmental body or peace officer or by a person for commercial purposes.

Biometrics|Facial Recognition, Consumer Genetic Privacy

Utah

UT S.B. 200

Failed

Enacts the Utah Consumer Privacy Act and Utah Commercial Email Act.

Comprehensive

UT S.B. 227

Enacted

Enacts the Genetic Information Privacy Act.

Consumer Genetic Privacy

Vermont

VT H.B. 75

Pending - Carryover

Relates to promoting consumer protection in data and technology. Provides that with respect to a consumer, a person:  (1) shall not scan the face of a nonuser in a photograph,  (2) shall not use facial or voice recognition technology unless a consumer opts in to the use of the technology,  (3) shall not use facial or voice recognition technology for a purpose other than product development,  (4) shall not use for marketing purposes a listening feature that stores conversations,  (5) shall delete quality enhancement data after 21 days, and  (6) shall disclose the use of facial recognition technology on a clear and conspicuous, physical sign at the entrance of a business location that uses the technology.  (b) A.B. person who violates this section commits an unfair and deceptive act in commerce in violation of section 2453 of this title.  Section 2433. DATA PRIVACY  (a) A.B. business that operates a social networking service:  (1) shall provide to a consumer that closes his or her account the option to permanently delete the consumer's personally identifiable information from the business's databases and records, and  (2) if a consumer exercises the option pursuant to subdivision (1) of this subsection, the business:  (A) shall delete the consumer's personally identifiable information in a commercially reasonable time, and  (B) shall not sell or exchange the consumer's personally identifiable information.  (b) A.B. business that collects data about a consumer:  (1) shall include in its privacy policy, which it shall post on its website:  (A) the average monetary value to the business of a consumer's data, and  (B) how the business uses consumer data that is not directly related to the service the business provides, and  (2) shall not sell or exchange global positioning system data about a consumer that is collected by a mobile telephone service provider.

Biometrics|Facial Recognition, Children’s Online Privacy

VT H.B. 160

Pending - Carryover

Proposes consumer privacy protections to give Vermonters more control over the amount and type of data that personal device manufacturers and service providers collect about them, and adopt other protections provided in the California Consumer Privacy Act.

Other Consumer Privacy

VT H.B. 233

Pending - Carryover

Relates to consumer protection and ensuring confidentiality of genetic information.

Consumer Genetic Privacy

Virginia

VA H.B. 473

Failed - Adjourned

Relates to personal data, relates to Virginia Privacy Act, gives consumers the right to access their data and determine if it has been sold to a data broker, requires a controller, defined in the bill as a person that, alone or jointly with others, determines the purposes and means of the processing of personal data, to facilitate requests to exercise consumer rights regarding access, correction, deletion, restriction of processing, data portability, objection, and profiling.

Comprehensive, Information Brokers

VA H.B. 955

Failed - Adjourned

Relates to children's online privacy protection, prohibits any person who operates a website for commercial purposes and who collects or maintains personal information from or about the users of or visitors to such website or online service from releasing personal information collected from minor for any purpose, except where the personal information is provided to a person other than an operator that provides support for the internal operations of the website, online service, or online application.

Children’s Online Privacy, Website Privacy

VA H.B. 2307

Enacted

Relates to Consumer Data Protection Act, establishes a framework for controlling and processing personal data in the Commonwealth, the bill applies to all persons that conduct business in the Commonwealth and either control or process personal data of at least a certain number of consumers or derive over a certain percent of gross revenue from the sale of personal data and control or process personal data of at least a certain number of consumers.

Comprehensive

VA S.B. 101

Enacted

Prohibits a merchant from retaining any information obtained from a scan of the machine-readable zone of an individual's identification card or driver's license when the purpose for which it was provided and retained under this section has been satisfied.

Other Consumer Privacy

VA S.B. 641

Failed - Adjourned

Relates to civil action, relates to sale of personal data, requires a person that disseminates, obtains, maintains, or collects personal data about a consumer for a fee to implement security practices to protect the confidentiality of a consumer's personal data, obtain express consent of a parent of a minor before selling the personal data of such minor, provide access to consumers to their own personal data that is held by the entity, and refrain from maintaining or selling data.

Information Brokers

VA S.B. 1392

Enacted

Relates to Consumer Data Protection Act, establishes a framework for controlling and processing personal data in the Commonwealth, the bill applies to all persons that conduct business in the Commonwealth and either control or process personal data of at least 100,000 consumers or derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers.

Comprehensive

VA SJR 81

Failed

Relates to study, relates to Joint Commission on Technology and Science to study consumer data privacy in the Commonwealth, relates to report.

Studies, Task Forces, Comm.

Washington

WA H.B. 1433

Pending - Carryover

Creates a charter of people's personal data rights.

Comprehensive

WA S.B. 5062

Pending - Carryover

Concerns the management, oversight, and use of data.

Comprehensive

West Virginia

WV H.B. 2064

Failed - Adjourned

Relates to the Biometric Information Privacy Act.

Biometrics|Facial Recognition

WV H.B. 2148

Failed - Adjourned

Imposes a general data mining service tax on commercial data operators.

Information Brokers

WV H.B. 3159

Failed - Adjourned

Relates to consumer data privacy, defining terms, requiring privacy for certain identifying personal information, establishing a consumer right to request copy of personal data collected, establishing a consumer right to have personal information deleted or corrected, establishing a consumer right to request personal data sold or shared, establishing a consumer right to opt-out of the sale or sharing of personal information to third parties, prohibiting discrimination against consumers who exercise their right under this article, establishing procedures for requests for personal information under this article, establish a form to opt-out of sale or sharing of personal information, creating a private cause of action, empowering the West Virginia Division of Consumer Protection to establish rules under this article for enforcement, and empowering the West Virginia Division of Consumer Protection to bring suit for violation of this article.

Comprehensive

WV H.B. 3161

Failed - Adjourned

Relates to online privacy protection for minors. Prohibits the marketing or advertising of certain products or services to minors; specifies prohibited good and services; prohibits the collection of information about minor users for marketing purposes; requires operators of website, online services, or applications to remove personal information about a minor when the information is visible to others; and specifying limited exceptions.

Children’s Online Privacy

WV S.B. 581

Failed - Adjourned

Relates to online privacy protection for minors. Prohibits the marketing or advertising of certain products or services to minors; specifies prohibited good and services; prohibits the collection of information about minor users for marketing purposes; requires operators of website, online services, or applications to remove personal information about a minor when the information is visible to others; and specifying limited exceptions.

Children’s Online Privacy

Text/HTML

Explanation of Categories

Biometrics|Facial Recognition

May require private entities to develop a written policy regarding collection or retention of biometric identifiers or may require businesses to allow a consumer to opt out of the sale of biometric information. Some legislation may apply only to a specific type of biometric, e.g., voice recognition or facial recognition, or to all types of biometric information.

Children's Online Privacy

Generally prohibits the collection of information about minor users for marketing purposes and requires operators of website, online services, or applications to remove personal information about a minor. (Does not include legislation that references incorporation of the requirements of the federal Children's Online Privacy Protection Act, 15 USC 6501 et seq.

Comprehensive

Broad legislation that regulates the collection, use and disclosure of personal data by businesses generally. For example, provides specific consumer rights, such as the right to access, delete, or correct inaccurate information; to opt out or opt in to the sale of data; and provide a right to non-discrimination if a consumer exercises these privacy rights, among other rights and provisions. The comprehensive nature of these bills may mean they include other categories in this list, even if not noted on the chart.

Connected Devices

Regulates smart speakers and connected devices, e.g., may prohibit collecting, using, storing, or sharing the data obtained from a connected device without an owner’s consent.

Constitutional Amendment

Proposes an amendment to the state’s constitution to add a fundamental right to privacy (see also Privacy protections in state constitutions).

Genetic Privacy

Regulates direct-to-consumer genetic testing companies by requiring disclosure of or consent prior to a company's collection, use, and sharing of genetic data. May prohibit insurer use of consumer genetic information. (Does not include legislation prohibiting discrimination based on genetic information collected by health providers.)

Information Brokers

May create a data broker registry and/or regulate third-party data businesses who collect the personal information of a consumer (with whom the business does not have a direct relationship).

ISP Privacy

Legislation to regulate how telecommunications or internet service providers can collect or share consumer data.

Location Privacy

May prohibit the transfer or sale of consumer geolocation or GPS data without permission or prohibit disclosing a customer's geolocation data to third parties.

Other Consumer Privacy

Miscellaneous legislation, e.g., may require disclosures to consumers regarding personal information collected, or relates to privacy protections only for a specific industry or online service, etc.

Studies, Task Forces, or Commissions

Legislation requiring a study of consumer privacy issues or creating a task force, advisory body, commission or other regulatory, advisory or oversight entity.

Website Privacy

Legislation to require an operator of a commercial website or online service that collects personally identifiable information to notify customers about its personal information sharing practices or to require consent before sharing internet browser information.

Additional Resources

NCSL Resources


External Resources
Note: NCSL provides links to other Web sites for informational purposes only; doing so does not necessarily constitute support or endorsement of  or positions taken by the sites.