State
|
Bill Number | Status
|
Bill Summary
|
Category
|
Alabama
|
None
|
|
|
Alaska
|
None
|
|
|
Arizona
|
SB 1238 Pending
|
Establishes statutory requirements for a private entity in possession of biometric identifiers or biometric information relating to the collection, retention and destruction of biomarker identifiers and information.
|
Biometrics or Facial Recognition
|
Arizona
|
SB 1503 Pending
|
Requires an individual or a commercial entity that publishes or distributes explicit sexual material on the internet from a website that contains a substantial portion of explicit sexual material to require a user of the website to provide a government-issued identification to verify that the user is at least 18 years of age before being granted access to the website. Prohibits the individual or commercial entity performing the required age verification from retaining any identifying information of the user of the website after access has been granted to the explicit sexual material.
|
Other Consumer Privacy
|
Arkansas
|
None
|
|
|
California
|
SB 362 Pending
|
Existing law requires a data broker, as defined, to register with the attorney general, pay a registration fee, and provide specified information on or before Jan. 31 following each year in which a business meets the definition of a data broker. This bill changes that date to Feb. 15.
|
Information Brokers
|
California
|
SCR 9 Pending
|
This measure would designate the week of Jan. 22, 2023, through Jan. 28, 2023, as Data Privacy Week and Jan. 28, 2023, as Data Privacy Day.
|
Other Consumer Privacy
|
Colorado
|
None
|
|
|
Connecticut
|
HB 5429 Pending
|
Prohibits the collection and commercial use of digital consumer data and personally identifying information concerning minors.
|
Children’s Online Privacy
|
Connecticut
|
HB 6253 Pending
|
Establishes an age-appropriate design code requiring businesses that provide online products and services likely to be accessed by children under 18 years of age to adopt privacy and safety measures, including, but not limited to, default privacy settings that offer the maximum level of privacy and clearly and concisely worded privacy policies and terms of service.
|
Children’s Online Privacy
|
Connecticut
|
HB 6393 Pending
|
Imposes additional consumer protections concerning businesses that provide online services, products and features that are likely to be accessed by minors; requires online platforms to include safeguards that protect the health, safety and privacy of minors, and establish default settings for minors that provide the maximum degree of privacy protection; allows consumers to opt out of the collection and use of any minor's personal information for the purposes of targeted advertising; and imposes a fiduciary duty on online platforms that collect information from minors that prioritizes the interests of minors over those of such platforms.
|
Children’s Online Privacy
|
Connecticut
|
SB 730 Pending
|
Requires that any person using facial recognition technology to identify customers and guests in a public space post a clear disclosure of such use.
|
Biometrics or Facial Recognition
|
Delaware
|
None
|
|
|
District of Columbia
|
None
|
|
|
Florida
|
None
|
|
|
Georgia
|
None
|
|
|
Guam
|
None
|
|
|
Hawaii
|
HB 1497 Pending SB 1110 Pending
|
Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair and deceptive acts or practices in the conduct of any trade of commerce. Authorizes a person injured by a violation of the personal consumer data act to bring a civil action against a controller or processor.
|
Comprehensive
|
Hawaii
|
SB 21 Pending
|
Proposes an amendment to the Hawaii state constitution establishing the right to own one's own data.
|
|
Hawaii
|
SB 974 Pending
|
Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes penalties. Establishes a new consumer privacy special fund. Appropriates moneys.
|
Comprehensive
|
Hawaii
|
SB 1085 Pending
|
Establishes standards for the collection, storage, retention, and destruction of biometric identifiers and biometric information by private entities.
|
Biometrics or Facial Recognition
|
Hawaii
|
SB 1180 Pending
|
Prohibits the sale of geolocation information and internet browser information without consent.
|
Location Privacy
|
Idaho
|
None
|
|
|
Illinois
|
HB 223 Pending
|
Amends the Biometric Information Privacy Act. Makes a technical change in a section concerning the short title.
|
Biometrics or Facial Recognition
|
Illinois
|
HB 252 Pending
|
Amends the Biometric Information Privacy Act. Makes a technical change in a section concerning the short title.
|
Biometrics or Facial Recognition
|
Illinois
|
HB 1230 Pending
|
Amends the Biometric Information Privacy Act. Provides that nothing in the act shall be construed to apply to any health care employer that (1) hires an employee under the Health Care Worker Background Check Act and the employee has submitted to a fingerprint-based criminal history records check, (2) uses and stores biometric information or biometric identifiers exclusively for employment, human resources, compliance, payroll, identification, authentication, safety, security, or fraud prevention purposes, (3) does not sell, lease, or trade the biometric information or biometric identifiers collected, and (4) maintains and follows a documented process to delete any biometric information or biometric identifier.
|
Biometrics or Facial Recognition
|
Illinois
|
HB 1381 Pending
|
Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the act. Provides that any waiver of the provisions of the act or any agreement that does not comply with the applicable provisions of the act shall be void and unenforceable. Provides that no provision of the act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with state or local government. Provides findings and purpose. Defines terms.
|
Website Privacy
|
Illinois
|
HB 2252 Pending
|
Amends the Biometric Information Privacy Act. Changes the term "written release" to "written consent." Provides that the written policy that is developed by a private entity in possession of biometric identifiers shall be made available to the person from whom biometric information is to be collected or was collected (rather than to the public). Provides that an action brought under the act shall be commenced within one year after the cause of action accrued if, prior to initiating any action against a private entity, the aggrieved person provides a private entity 30 days' written notice identifying the specific provisions the aggrieved person alleges have been or are being violated. Provides that if within the 30 days the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. Provides that if a private entity continues to violate the act in breach of the express written statement, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. Provides that a prevailing party may recover: against a private entity that negligently violates the act, actual damages (rather than liquidated damages of $1,000 or actual damages, whichever is greater); or against a private entity that willfully (rather than intentionally or recklessly) violates the act, actual damages plus liquidated damages up to the amount of actual damages (rather than liquidated damages of $5,000 or actual damages, whichever is greater). Provides that the act does not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information. Makes other changes.
|
Biometrics or Facial Recognition
|
Illinois
|
SB 1365 Pending
|
Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the act. Provides that any waiver of the provisions of the act or any agreement that does not comply with the applicable provisions of the act shall be void and unenforceable. Provides that no provision of the act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with state or local government. Provides findings and purpose. Defines terms.
|
Website Privacy
|
Illinois
|
SB 1506 Pending
|
Amends the Biometric Information Privacy Act. Changes the definitions of "biometric identifier" and “written release.” Defines "biometric lock," "biometric time clock," "electronic signature," "in writing," and "security purpose." Provides that if the biometric identifier or biometric information is collected or captured for the same repeated process, the private entity is only required to inform the subject or receive consent during the initial collection. Waives certain requirements for collecting, capturing, or otherwise obtaining a person's or a customer's biometric identifier or biometric information under certain circumstances relating to security purposes. Provides that nothing in the act shall be construed to apply to information captured by a biometric time clock or biometric lock that converts a person's biometric identifier or biometric information to a mathematical representation. Requires the department of labor to provide information for employers regarding the requirements of the act on its website. Amends the Workers' Compensation Act. Provides that nothing in the act limits, prevents, or preempts a recovery by an employee under the Biometric Information Privacy Act.
|
Biometrics or Facial Recognition
|
Illinois
|
SB 1511 Pending
|
Amends the Biometric Privacy Information Act. Defines "security purpose" as the purpose of preventing retail theft, fraud, or any other misappropriation or theft of a thing of value, including protecting property from trespass, controlling access to property, protecting any person from harm, including stalking, violence, or harassment, and assisting a law enforcement investigation. Allows a private entity to collect, capture, or otherwise obtain a person's or customer's biometric identifier or biometric information without satisfying other specified requirements if: (1) the private entity collects, captures, or otherwise obtains a person's or customer's biometric identifier or biometric information for a security purpose; (2) the private entity uses the biometric identifier or biometric information only for a security purpose; (3) the private entity retains the biometric identifier or biometric information no longer than is reasonably necessary to satisfy a security purpose; and (4) the private entity documents a process and time frame to delete any biometric identifier or biometric information.
|
Biometrics or Facial Recognition
|
Indiana
|
HB 1554 Pending
|
Establishes in the Indiana Code a new article concerning consumer data protection, to take effect Jan. 1, 2024. Sets forth the following within the new article: (1) Definitions of terms that apply throughout the article. (2) Exemptions for certain: (A) persons; and (B) types of information and data; from the bill's requirements concerning the personal data of Indiana consumers (consumers). (3) The rights of a consumer with respect to personal data relating to the consumer. (4) The responsibilities of controllers of consumers' personal data (controllers). (5) The roles of: (A) controllers; and (B) processors of consumers' personal data (processors); with respect to a consumer's personal data. (6) Requirements for data protection assessments by controllers. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The establishment, maintenance, and publication by the attorney general's consumer protection division of a quarterly listing of electronic mail addresses of consumers who request that their personal data not be sold. (10) Requirements for brokers of consumers' personal information (data brokers) to: (A) provide notification of security breaches; and (B) register annually with the attorney general. (11) The authority of the attorney general to investigate and enforce suspected or actual violations of the new article. (12) The establishment of the consumer privacy account within the state general fund to support the work of the attorney general in enforcing the new article. (13) The authority of the attorney general to: (A) to adopt rules to administer the new article; and (B) issue opinion letters and interpretive guidance to develop an operational framework for persons subject to the new article. (14) The preemption of local rules, regulation, and laws regarding the processing of personal data.
|
Comprehensive
|
Indiana
|
SB 5 Pending
|
Establishes a new article in the Indiana Code concerning consumer data protection, to take effect Jan. 1, 2026. Sets forth the following within the new article: (1) Definitions of various terms that apply throughout the article. (2) Exemptions from the bill's requirements concerning the responsibilities of controllers of consumers' personal data. (3) The rights of an Indiana consumer to do the following: (A) Confirm whether or not a controller is processing the consumer's personal data. (B) Correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller. (C) Delete the consumer's personal data held by a controller. (D) Obtain a copy or representative summary of the consumer's personal data that the consumer previously provided to the controller. (E) Opt-out of the processing of the consumer's personal data for certain purposes. (4) The responsibilities of controllers of consumers' personal data. (5) The roles of controllers and processors with respect to a consumer's personal data. (6) Requirements for data protection impact assessments by controllers of consumers' personal data. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The authority of the attorney general to investigate and enforce suspected or actual violations of the new article. (10) The preemption of local rules, regulations, and laws regarding the processing of personal data.
|
Comprehensive
|
Iowa
|
None
|
|
|
Kansas
|
None
|
|
|
Kentucky
|
SB 15 Pending
|
Defines various consumer rights related to data collection; requires a data controller to comply with a consumer request to exercise those rights, including confirming whether or not a controller is processing the consumers data and providing the consumer access to his or her data, deleting his or her personal data, and providing a copy of the consumers data that he or she previously provided in a portable and usable format; provides for opting out.
|
Comprehensive
|
Louisiana
|
None
|
|
|
Maine
|
Me. Rev. Stat. Ann. tit. X, §
|
|
|
Maryland
|
HB 33 Pending SB 169 Pending
|
Regulates the use of biometric data by private entities, including by requiring certain private entities in possession of biometric data to develop a policy, made available to the public, establishing a retention schedule and destruction guidelines for biometric data; authorizes an individual alleging a violation of this Act to bring a civil action against the offending private entity under certain circumstances; makes a violation of this Act an unfair, abusive, or deceptive trade practice that is subject to enforcement and penalties under the Maryland Consumer Protection Act; and generally relates to biometric data privacy.
|
Biometrics or Facial Recognition
|
Maryland
|
HB 807 Pending SB 698 Pending
|
Establishes generally the manner in which a controller or a processor may process a consumer's personal data; authorizes a consumer to exercise certain rights regarding the consumer's personal data; requires a controller of personal data to establish a method for a consumer to exercise certain rights in regards to the consumer's personal data; regulates the use of biometric data by a controller; etc.
|
Biometrics or Facial Recognition
|
Maryland
|
HB 901 Pending SB 844 Pending
|
Requires a business that offers an online product likely to be accessed by children to complete a certain data protection impact assessment under certain circumstances; prohibits a business from offering a certain online product before completing a data protection impact assessment; requires businesses to document certain risks associated with certain online products; requires certain privacy protections for certain online products; prohibits certain data collection and sharing practices; provides certain exemptions; etc.
|
Children’s Online Privacy
|
Maryland
|
SB 861 Pending
|
Prohibits a person from using a scanning device to scan or swipe an identification card or a driver's license of an individual to obtain personal information of the individual; prohibits a person from taking certain actions regarding information collected by scanning or swiping an individual's identification card or driver's license under certain circumstances; provides that a violation of the act is an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act and subject to certain penalties; etc.
|
Other Consumer Privacy
|
Massachusetts
|
None
|
|
|
Michigan
|
None
|
|
|
Minnesota
|
HF 846 Pending SF 943 Pending
|
Prohibits geolocation and smartphone monitoring of another in certain circumstances; provides a cause of action to individuals when geolocation information and other smartphone data has been recorded or shared.
|
Location Privacy
|
Minnesota
|
HF 1367 Pending
|
Relates to consumer data privacy; gives various rights to consumers regarding personal data; places data transparency obligations on businesses; creates a private right of action; provides for enforcement by the attorney general; proposes coding for new law as Minnesota Statutes, chapter 325O.
|
Comprehensive
|
Minnesota
|
SF 950 Pending
|
Requires a consumer's consent prior to collecting personal information.
|
Consumer Data Privacy
|
Minnesota
|
SF 954 Pending
|
Establishes standards for biometric privacy; establishes a right of action.
|
Biometrics or Facial Recognition
|
Minnesota
|
SF 1110 Pending
|
Relates to data privacy; establishes neurodata rights; modifies certain crimes to add neurodata elements; provides civil and criminal penalties; amends Minnesota Statutes 2022, sections 13.04, by adding a subdivision; 609.88, subdivision 2; 609.891, subdivision 3; proposes coding for new law in Minnesota Statutes, chapter 325E.
|
Other Consumer Privacy
|
Minnesota
|
SF 1138 Pending
|
Requires direct-to-consumer genetic testing companies to provide disclosure notices and obtain consent; proposes coding for new law in Minnesota Statutes, chapter 325F.
|
Consumer Genetic Privacy
|
Minnesota
|
SF 1442 Pending
|
Relates to data privacy; requires consent before providers share audio or video data with third parties; proposes coding for new law in Minnesota Statutes, chapter 325E.
|
Other Consumer Privacy
|
Mississippi
|
HB 467 Failed
|
Creates the "Biometric Identifiers Privacy Act;" provides legislative findings; defines terms relating to biometric identifiers; requires private entities in possession of biometric identifiers to develop a policy that establishes a retention schedule and guidelines for destroying the biometric identifiers of individuals; provides certain requirements and restrictions for private entities that collect biometric identifiers; provides that upon the request of an individual, a private entity that collects biometric identifiers shall disclose to the individual his or her biometric identifier and information related to the use of such biometric identifier; provides for a right of action for individuals alleging a violation of this act; provides that the attorney general may bring an action against a private entity who violates the provisions of this act; and for related purposes.
|
Biometrics or Facial Recognition
|
Mississippi
|
SB 2080 Failed
|
Creates the "Mississippi Consumer Data Privacy Act;" authorizes consumers to request that businesses disclose certain information; authorizes consumers to request that businesses delete personal information collected by businesses; requires businesses to disclose certain information to consumers, to inform consumers of their right to request that personal information be deleted, and to delete personal information collected about consumers upon request; authorizes consumers to instruct businesses to not sell the consumers' personal information; authorizes consumers to bring civil actions against businesses that violate this act; authorizes the attorney general to bring civil actions against businesses that violate this act; requires the attorney general to adopt regulations to further the purposes of this act; and for related purposes.
|
Comprehensive
|
Missouri
|
HB 1047 Pending
|
Establishes the Biometric Information Privacy Act.
|
Biometrics or Facial Recognition
|
Montana
|
None
|
|
|
Nebraska
|
LB 308 Pending
|
Adopts the Genetic Information Privacy Act.
|
Consumer Genetic Privacy
|
Nebraska
|
LR 20CA Pending
|
Proposes a constitutional amendment to protect the right of individual privacy.
|
Other Consumer Privacy
|
Nevada
|
Nev. Rev. Stat. §
|
|
|
New Hampshire
|
SB 255 Pending
|
This bill creates a new chapter detailing a consumer expectation of privacy.
|
Comprehensive
|
New Jersey
|
AB 505 Pending
|
Enacts the “New Jersey Disclosure and Accountability Transparency Act (NJ DaTA);” establishes certain requirements for disclosure and processing of personally identifiable information; establishes the office of data protection and responsible use in the division of consumer affairs.
|
Comprehensive
|
New Jersey
|
AB 525 Pending
|
Makes DNA samples and genetic information resulting from DNA analysis property of the person sampled or analyzed.
|
Consumer Genetic Privacy
|
New Jersey
|
AB 1399 Pending
|
Requires internet service providers to keep confidential subscriber’s personally identifiable information unless subscriber authorizes internet service provider in writing to disclose information.
|
ISP Privacy
|
New Jersey
|
AB 1544 Pending SB 2953 Pending
|
Prohibits providers of commercial mobile service and developers of mobile application from disclosing customer’s global position system data to third parties under certain circumstances.
|
Location Privacy
|
New Jersey
|
AB 1954 Pending
|
Requires internet service providers to keep confidential subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing or email to disclose information; prohibits subscriber penalty.
|
ISP Privacy
|
New Jersey
|
AB 1971 Pending SB 332 Pending
|
Requires commercial internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.
|
Website Privacy
|
New Jersey
|
AB 2029 Pending
|
Requires internet service providers to keep confidential and prohibit any disclosure, sale, or unauthorized access to subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing to disclose information.
|
ISP Privacy
|
New Jersey
|
AB 2951 Pending
|
Enacts the “Microphone-Enabled Devices Act;” requires user consent before enabling device microphone.
|
Connected Devices
|
New Jersey
|
AB 4723 Pending SB 2740 Pending
|
Requires motor vehicle dealer to delete personal information from motor vehicle computer system prior to resale or lease.
|
Other Consumer Privacy
|
New Jersey
|
AB 4811 Pending
|
Establishes data broker registry.
|
Information Brokers
|
New Jersey
|
AB 4919 Pending SB 3493 Pending
|
Concerns social media privacy and data management for children and establishes New Jersey Children’s Data Protection Commission.
|
Children’s Online Privacy
|
New Jersey
|
AB 5075 Pending
|
Prohibits acquisition or disclosure of certain personal health information without consent.
|
Biometrics or Facial Recognition
|
New Jersey
|
SB 1262 Pending
|
Prohibits retail mercantile establishments from requiring certain consumer identification for return of merchandise.
|
Other Consumer Privacy
|
New Jersey
|
SB 3499 Pending
|
Prohibits use of facial recognition technology on consumer except for legitimate safety purpose.
|
Biometrics or Facial Recognition
|
New Mexico
|
None
|
|
|
New York
|
AB 48 Pending SB 2078 Pending
|
Relates to limitations on the use of electronic or computerized entry systems; restricts information that may be gathered on lessees, tenants, owners or guests.
|
Biometrics or Facial Recognition, Other Consumer Privacy
|
New York
|
AB 322 Pending SB 2478 Pending
|
Prohibits the use of a facial recognition system by a landlord on any residential premises.
|
Biometrics or Facial Recognition, Other Consumer Privacy
|
New York
|
AB 417 Pending SB 3163 Pending
|
Restricts the disclosure of personal information by businesses; provides that a business that retains a customer's personal information shall make available to the customer free of charge access to, or copies of, all of the customer's personal information retained by the business.
|
Comprehensive
|
New York
|
AB 711 Pending
|
Requires express and affirmative consent prior to collection, storage or transmittal of any personal information obtained from the installation or use of a smart home connected system by certain persons.
|
Connected Devices
|
New York
|
AB 936 Pending SB 2324 Pending
|
Discloses to a parent the personal information and content about a minor collected by an operator of an internet platform when a parent requests such information.
|
Children’s Online Privacy, Website Privacy
|
New York
|
AB 1362 Pending SB 4457 Pending
|
Establishes the biometric privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.
|
Biometrics or Facial Recognition
|
New York
|
AB 1366 Pending SB 2998 Pending
|
Relates to establishing the online consumer protection act; defines terms; provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities; makes related provisions.
|
Website Privacy
|
New York
|
AB 1484 Pending SB 4367 Pending
|
Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.
|
ISP Privacy
|
New York
|
AB 1731 Pending
|
Restricts insurers from demanding intrusive personal, financial and tax information from insureds as a standard practice in processing ordinary theft claims where no special circumstances warranting a demand for such information exists.
|
Other Consumer Privacy
|
New York
|
AB 1766 Pending SB 2404 Pending
|
Requires retailers to post warning signs of the tracking of customers through cell phones or other electronic devices; provides for civil penalties.
|
Other Consumer Privacy
|
New York
|
AB 2529 Pending
|
Establishes a commission to study the European Union's general protection data regulation and the current state of cyber security in the state.
|
Studies, Task Forces or Commissions
|
New York
|
AB 2587 Pending SB 4201 Pending
|
Establishes the New York Data Protection Act; requires government entities and contractors to disclose certain personal information collected about individuals.
|
Comprehensive
|
New York
|
AB 2621 Pending
|
Relates to the use of biometric identity verification devices for the purchase of alcoholic beverages and tobacco products; authorizes a licensee, its agent or employee to determine a person's age when purchasing alcoholic beverages or tobacco products by use of a biometric identity verification device; establishes where the use of the device indicates that the person is under the age of 21, the attempted purchase of the alcoholic beverage shall be denied.
|
Biometrics or Facial Recognition
|
New York
|
AB 2642 Pending
|
Enacts the "Facial Recognition Technology Study Act" to study privacy concerns and potential regulatory approaches to the development of facial recognition technology.
|
Biometrics or Facial Recognition; Studies, Task Forces or Commissions
|
New York
|
AB 3308 Pending SB 2277 Pending
|
Enacts the "Digital Fairness Act;" requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information; establishes unlawful discriminatory practices relating to targeted advertising.
|
Comprehensive
|
New York
|
AB 3593 Pending
|
Enacts the NY Privacy Act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.
|
Comprehensive
|
New York
|
AB 3959 Pending SB 2012 Pending
|
Creates an excise tax on the collection of consumer data by commercial data collectors.
|
Other Consumer Privacy
|
New York
|
SB 158 Pending
|
Creates privacy standards for electronic health products and services and permissible data brokering; requires consent to be given for the collection and/or sharing of personal health information or other personal data.
|
Information Brokers, Other Consumer Privacy
|
New York
|
SB 365 Pending
|
Enacts the New York Privacy Act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.
|
Comprehensive
|
New York
|
SB 1298 Pending
|
Relates to the use of voice recognition features on certain products.
|
Connected Devices
|
New York
|
SB 2390 Pending
|
Prohibits private entities from using biometric data for any advertising, detailing, marketing, promotion, or any other activity that is intended to be used to influence business volume, sales or market share or to evaluate the effectiveness of marketing practices or marketing personnel.
|
Biometrics or Facial Recognition
|
New York
|
SB 3162 Pending
|
Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
|
Comprehensive
|
New York
|
SB 3281 Pending
|
Enacts the New York Child Data Privacy Protection Act to prevent the exploitation of children's data; requires data controllers to assess the impact of its products on children for review by the bureau of internet and technology; bans certain data collection and targeted advertising.
|
Children’s Online Privacy
|
New York
|
SB 4377 Pending
|
Relates to privacy protection policies on internet websites, online services, online applications and mobile applications that collect social security numbers.
|
Website Privacy
|
North Carolina
|
None
|
|
|
North Dakota
|
None
|
|
|
N. Mariana Islands
|
Not available
|
|
|
Ohio
|
None
|
|
|
Oklahoma
|
HB 1030 Pending
|
Relates to privacy of computer data; enacts the State Computer Data Privacy Act; defines terms; provides for applicability of act to certain businesses that collect consumers' personal information; provides exemptions; prescribes compliance with other laws and legal proceedings; requires act to be liberally construed to align its effects with other laws relating to privacy and protection of personal information; provides for controlling effect of federal law.
|
Comprehensive
|
Oregon
|
HB 2052 Pending
|
Provides that a data broker may not collect, sell or license brokered personal data within this state unless data broker first registers with the department of consumer and business services. Specifies the form, method and contents of the application. Specifies exemptions. Provides a civil penalty in an amount not to exceed $500 for each violation of Act or, for continuing violation, for each day in which a violation continues. Caps the amount of the civil penalty at $10,000 in calendar year.
|
Information Brokers
|
Oregon
|
HB 2370 Pending
|
Requires the attorney general to study privacy. Directs the attorney general to submit findings to interim committees of the legislative assembly related to consumer protection not later than Sept. 15, 2024.
|
Studies, Task Forces or Commissions
|
Oregon
|
SB 196 Pending
|
Requires a business that provides an online product, service or feature that a child is reasonably likely to access to identify, evaluate and mitigate risks to child from online product, service or feature. Restricts the manner in which a business may collect or use the personal information of a child. Requires a business that provides an online product, service or feature that a child is reasonably likely to access to complete and retain a data protection impact assessment. Requires a business to provide upon request the completed assessment to the attorney general. Authorizes the attorney general to bring an action for injunctive relief, civil penalties or attorney fees and enforcement costs and disbursements against a business for violations. Establishes a task force on age-appropriate design. Requires the task force to study how children access, use and are affected by online products, services and features and the methods for mitigating risks. Provides that the requirements and restrictions become operative July 1, 2024. Sunsets the task force on Jan. 2, 2025.
|
Children’s Online Privacy; Studies, Task Forces or Commissions
|
Oregon
|
SB 619 Pending
|
Permits consumers to obtain from a controller that processes consumer personal data confirmation as to whether the controller is processing the consumer’s personal data and categories of personal data the controller is processing, a list of specific third parties to which the controller has disclosed the consumer’s personal data and a copy of all of the consumer’s personal data that the controller has processed or is processing. Permits a consumer to require a controller to correct inaccuracies in personal data about the consumer, require the controller to delete personal data about the consumer or opt out from the controller’s processing of the consumer’s personal data under certain circumstances. Requires a controller to provide to consumers reasonably accessible, clear and meaningful privacy notice that lists categories of personal data the controller processes, describes the controller’s purpose for processing personal data, describes how a consumer may exercise the consumer’s rights with respect to personal data, lists the categories of personal data that a controller shares with third parties, list all categories of third parties with which the controller shares personal data and provides other information. Specifies duties of, and prohibits specified actions of, a controller and of a processor that acts at the controller’s direction. Permits the attorney general to investigate violations of the act and to bring action to seek a civil penalty of not more than $7,500 for each violation. Permits a consumer or class of consumers to bring action after a specified date for ascertainable loss of money or property resulting from violation of act.
|
Comprehensive
|
Pennsylvania
|
None
|
|
|
Puerto Rico
|
HB 129 Pending
|
Establishes the Charter of Digital Rights of Puerto Rico in order to safeguard the human rights of people in the digital sphere.
|
|
Puerto Rico
|
HB 262 Pending
|
Creates the Law for the Protection of Cyber Privacy of Our Children and Young People in order to prohibit any operator, employee or agent of an internet page classified as a social network, as defined herein, from publishing and or disclosing personal information of underage users residing in Puerto Rico, beyond the name and city where they reside, without the express consent of these and that of the father, mother or guardian with parental authority.
|
Children’s Online Privacy
|
Puerto Rico
|
HB 655 Pending
|
Establishes the Electronic Information Privacy Law in order to protect the right to privacy of individuals regarding information stored on an electronic device or transmitted to a remote computer service provider.
|
ISP Privacy
|
Puerto Rico
|
HB 1548 Pending
|
Relates to the law for the protection of data and information of the consumer, in order that the consumer must give his informed consent on the collection, use and access of the information that he provides, by virtue of a request by any resident individual of Puerto Rico who establishes a business, legal entity incorporated or organized under the laws of Puerto Rico or of any jurisdiction of the United States, or a foreign corporation that has an office or other fixed location and that operates.
|
|
Puerto Rico
|
SB 882 Pending
|
Relates to law for the protection of digital privacy; protects the personal information of consumers and guarantee the right to privacy in the digital age.
|
|
Rhode Island
|
HB 5354 Pending
|
This bill requires online service providers and commercial websites that collect, store and sell personally identifiable information to disclose what categories of personally identifiable information they collect and to what third parties they sell the information. This bill would not prohibit the collection or sale of personally identifiable information and would not require the retention or disclosure of personally identifiable information by online service providers or commercial websites. Any intentional disclosure of personal information in violation of the provisions of this act would be punishable by a fine of not less than $100 nor more than $500 per disclosure with sole enforcement of its provisions vested in the department of the attorney general. This act would take effect on Jan. 1, 2024.
|
Website Privacy
|
Rhode Island
|
SB 146 Pending
|
This bill prohibits the use of facial recognition technology and biometric recognition technology in video-lottery terminals at pari-mutuel licensees in the state or in online betting applications. This bill also prohibits the use of certain other technologies in state gaming operations. The prohibition would not apply to standardized rewards programs.
|
Biometrics or Facial Recognition
|
A. Samoa
|
Not available
|
|
|
South Carolina
|
HB 3547 Pending
|
Adds section 63-5-380 so as to prohibit the collection of personal information from children by operators of websites, online services, and online or mobile applications and to establish penalties.
|
Children’s Online Privacy
|
South Carolina
|
SB 156 Pending
|
Adds section 58-1-70 so as to prohibit natural gas or electric public utilities from disclosing customer information to a third party without the express consent of the customer.
|
Other Consumer Privacy
|
South Dakota
|
SB 192 Pending
|
Provides liability for the publishing or distributing of material harmful to minors on the internet and the wrongful retention of individually identifiable information.
|
Other Consumer Privacy
|
Tennessee
|
HB 932 Pending SB 339 Pending
|
Enacts the "Consumer Biometric Data Protection Act."
|
Biometrics or Facial Recognition
|
Tennessee
|
HB 965 Pending SB 1379 Pending
|
Prohibits a financial institution from releasing or providing the account balance or transaction activity of an account to a person without first obtaining the account holder's express permission or without a warrant issued by a judicial officer located in this state.
|
Other Consumer Privacy
|
Tennessee
|
HB 1181 Pending SB 73 Pending
|
Enacts the "Tennessee Information Protection Act."
|
Comprehensive
|
Tennessee
|
HB 1486 Pending SB 1353 Pending
|
Prohibits a business entity from retaining a copy, in an electronic or other format, of a person's identification unless the retention of that copy is specifically required by federal or state law, or the business entity obtains the express consent of the holder of that identification; prohibits a business entity from refusing to transact business with a person solely on the basis that the person refuses to provide express consent to the business entity or its agent, employee, or contractor retaining the copy; makes a violation a Class B misdemeanor that constitutes an unfair or deceptive act under the Consumer Protection Act of 1977.
|
Other Consumer Privacy
|
Texas
|
SB 704 Pending
|
Relates to the capture and use of an individual's biometric identifiers, specimen, or genetic information by a governmental body or peace officer or by a person for commercial purposes; authorizes civil penalties.
|
Consumer Genetic Privacy
|
Texas
|
SJR 23 Pending
|
Proposes a constitutional amendment establishing the right to be free from governmental intrusion or interference into an individual's private life.
|
Constitutional Amendment
|
Utah
|
SB 139 Pending
|
Enacts provisions related to motor vehicle consumer data protection.
|
Other Consumer Privacy
|
Vermont
|
HB 121 Pending
|
This bill proposes to afford data privacy protections to Vermonters.
|
Comprehensive
|
Virginia
|
HB 1688 Pending
|
Requires a controller or processor to obtain verifiable parental consent, defined in the bill, prior to registering any child with the operator's product or service or before collecting, using, or disclosing such child's personal data and prohibits a controller from knowingly processing the personal data of a child for purposes of (i) targeted advertising, (ii) the sale of such personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. The bill also amends the definition of child for purposes of the Consumer Data Protection Act to include any natural person younger than 18 years of age.
|
Children’s Online Privacy
|
Virginia
|
SB 419 Pending
|
Establishes requirements for direct-to-consumer genetic testing companies, including requirements related to information to be provided to consumers, consent requirements, requirements related to security of and consumer access to genetic information, requirements for contracts between direct-to-consumer genetic testing companies and service providers, and prohibitions on disclosure of genetic information by direct-to-consumer genetic testing companies. The bill also prohibits discrimination against a consumer based on exercise of rights related to genetic information privacy and imposes civil penalties for violations of the provisions of the bill.
|
Consumer Genetic Privacy
|
Virginia
|
SB 1026 Failed
|
Requires an operator, defined in the bill, to obtain verifiable parental consent prior to registering any child with the operator's product or service or before collecting, using, or disclosing such child's personal data and prohibits a controller from knowingly processing the personal data of a child for purposes of (i) targeted advertising, (ii) the sale of such personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. The bill also amends the definition of child for purposes of the Consumer Data Protection Act to include any natural person younger than 18 years of age.
|
Children’s Online Privacy
|
U.S. Virgin Islands
|
None
|
|
|
Washington
|
HB 1616 Pending SB 5643 Pending
|
Creates a charter of people's personal data rights.
|
Comprehensive
|
Washington
|
HB 1799 Pending
|
Concerns the registration of business entities that qualify as data brokers.
|
Information Brokers
|
Washington
|
HR 4607 Pending
|
Recognizes digital privacy day.
|
Other Consumer Privacy
|
West Virginia
|
HB 2460 Pending
|
Adds sections 46A-9-1, 46A-9-2, 46A-9-3, 46A-9-4, and 46A-9-5, all relating to online privacy protection for children; defines terms; establishes actions prohibited; creates rulemaking authority; provides safe harbor for operators; and provides for enforcement by the attorney general
|
Children’s Online Privacy
|
West Virginia
|
HB 2964 Pending
|
Adds sections 61-3F-1, 61-3F-2, and 61-3F-3, all relating to online privacy protection for children; prohibits the marketing or advertising of certain products or services to minors; specifies prohibited good and services; prohibits the collection of information about minor users for marketing purposes; requires operators of website, online services, or applications to remove personal information about a minor when the information is visible to others; and specifies limited exceptions.
|
Children’s Online Privacy
|
West Virginia
|
HB 3339 Pending
|
Adds section 55-7L-1, relating to material harmful to minors; provides for legislative intent; defines terms; provides for liability for the publishing or distribution of material harmful to minors on the internet through a private right of action together with damages, attorney fees and costs; provides for reasonable age verification; provides for liability for unlawful retention of personal identifying information together with liquidated damages, attorney fees and costs; provides for exceptions; provides an effective date; and providing for related matters.
|
Website Privacy
|
Wisconsin
|
None
|
|
|
Wyoming
|
SJR 9 Failed
|
Provides for the right of individual privacy.
|
Constitutional Amendment
|