Skip to main content

Summary 2023 Consumer Data Privacy Legislation

customer adding credit card information for an online purchase, data protected
Updated February 15, 2023 | Heather Morton
Related Topics: Financial Services Technology
 
2023 Consumer Data Privacy Legislation

State

Bill Number | Status

Bill Summary

Category

Alabama

None

 

 

Alaska

None

 

 

Arizona

SB 1238 
Pending

Establishes statutory requirements for a private entity in possession of biometric identifiers or biometric information relating to the collection, retention and destruction of biomarker identifiers and information.

Biometrics or Facial Recognition

Arizona

SB 1503 
Pending

Requires an individual or a commercial entity that publishes or distributes explicit sexual material on the internet from a website that contains a substantial portion of explicit sexual material to require a user of the website to provide a government-issued identification to verify that the user is at least 18 years of age before being granted access to the website. Prohibits the individual or commercial entity performing the required age verification from retaining any identifying information of the user of the website after access has been granted to the explicit sexual material.

Other Consumer Privacy

Arkansas

None

 

 

California

SB 362 
Pending

Existing law requires a data broker, as defined, to register with the attorney general, pay a registration fee, and provide specified information on or before Jan. 31 following each year in which a business meets the definition of a data broker. This bill changes that date to Feb. 15.

Information Brokers

California

SCR 9 
Pending

This measure would designate the week of Jan. 22, 2023, through Jan. 28, 2023, as Data Privacy Week and Jan. 28, 2023, as Data Privacy Day.

Other Consumer Privacy

Colorado

None

 

 

Connecticut

HB 5429 
Pending

Prohibits the collection and commercial use of digital consumer data and personally identifying information concerning minors.

Children’s Online Privacy

Connecticut

HB 6253 
Pending

Establishes an age-appropriate design code requiring businesses that provide online products and services likely to be accessed by children under 18 years of age to adopt privacy and safety measures, including, but not limited to, default privacy settings that offer the maximum level of privacy and clearly and concisely worded privacy policies and terms of service.

Children’s Online Privacy

Connecticut

HB 6393 
Pending

Imposes additional consumer protections concerning businesses that provide online services, products and features that are likely to be accessed by minors; requires online platforms to include safeguards that protect the health, safety and privacy of minors, and establish default settings for minors that provide the maximum degree of privacy protection; allows consumers to opt out of the collection and use of any minor's personal information for the purposes of targeted advertising; and imposes a fiduciary duty on online platforms that collect information from minors that prioritizes the interests of minors over those of such platforms.

Children’s Online Privacy

Connecticut

SB 730 
Pending

Requires that any person using facial recognition technology to identify customers and guests in a public space post a clear disclosure of such use.

Biometrics or Facial Recognition

Delaware

None

 

 

District of Columbia

None

 

 

Florida

None

 

 

Georgia

None

 

 

Guam

None

 

 

Hawaii

HB 1497 
Pending 
SB 1110 
Pending

Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair and deceptive acts or practices in the conduct of any trade of commerce. Authorizes a person injured by a violation of the personal consumer data act to bring a civil action against a controller or processor.

Comprehensive

Hawaii

SB 21 
Pending

Proposes an amendment to the Hawaii state constitution establishing the right to own one's own data.

 

Hawaii

SB 974 
Pending

Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes penalties. Establishes a new consumer privacy special fund. Appropriates moneys.

Comprehensive

Hawaii

SB 1085 
Pending

Establishes standards for the collection, storage, retention, and destruction of biometric identifiers and biometric information by private entities.

Biometrics or Facial Recognition

Hawaii

SB 1180 
Pending

Prohibits the sale of geolocation information and internet browser information without consent.

Location Privacy 

Idaho

None

 

 

Illinois

HB 223 
Pending

Amends the Biometric Information Privacy Act. Makes a technical change in a section concerning the short title.

Biometrics or Facial Recognition

Illinois

HB 252 
Pending

Amends the Biometric Information Privacy Act. Makes a technical change in a section concerning the short title.

Biometrics or Facial Recognition

Illinois

HB 1230 
Pending

Amends the Biometric Information Privacy Act. Provides that nothing in the act shall be construed to apply to any health care employer that (1) hires an employee under the Health Care Worker Background Check Act and the employee has submitted to a fingerprint-based criminal history records check, (2) uses and stores biometric information or biometric identifiers exclusively for employment, human resources, compliance, payroll, identification, authentication, safety, security, or fraud prevention purposes, (3) does not sell, lease, or trade the biometric information or biometric identifiers collected, and (4) maintains and follows a documented process to delete any biometric information or biometric identifier.

Biometrics or Facial Recognition

Illinois

HB 1381 
Pending

Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the act. Provides that any waiver of the provisions of the act or any agreement that does not comply with the applicable provisions of the act shall be void and unenforceable. Provides that no provision of the act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with state or local government. Provides findings and purpose. Defines terms.

Website Privacy

Illinois

HB 2252 
Pending

Amends the Biometric Information Privacy Act. Changes the term "written release" to "written consent." Provides that the written policy that is developed by a private entity in possession of biometric identifiers shall be made available to the person from whom biometric information is to be collected or was collected (rather than to the public). Provides that an action brought under the act shall be commenced within one year after the cause of action accrued if, prior to initiating any action against a private entity, the aggrieved person provides a private entity 30 days' written notice identifying the specific provisions the aggrieved person alleges have been or are being violated. Provides that if within the 30 days the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. Provides that if a private entity continues to violate the act in breach of the express written statement, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. Provides that a prevailing party may recover: against a private entity that negligently violates the act, actual damages (rather than liquidated damages of $1,000 or actual damages, whichever is greater); or against a private entity that willfully (rather than intentionally or recklessly) violates the act, actual damages plus liquidated damages up to the amount of actual damages (rather than liquidated damages of $5,000 or actual damages, whichever is greater). Provides that the act does not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information. Makes other changes.

Biometrics or Facial Recognition

Illinois

SB 1365 
Pending

Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the act. Provides that any waiver of the provisions of the act or any agreement that does not comply with the applicable provisions of the act shall be void and unenforceable. Provides that no provision of the act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with state or local government. Provides findings and purpose. Defines terms.

Website Privacy

Illinois

SB 1506 
Pending

Amends the Biometric Information Privacy Act. Changes the definitions of "biometric identifier" and “written release.” Defines "biometric lock," "biometric time clock," "electronic signature," "in writing," and "security purpose." Provides that if the biometric identifier or biometric information is collected or captured for the same repeated process, the private entity is only required to inform the subject or receive consent during the initial collection. Waives certain requirements for collecting, capturing, or otherwise obtaining a person's or a customer's biometric identifier or biometric information under certain circumstances relating to security purposes. Provides that nothing in the act shall be construed to apply to information captured by a biometric time clock or biometric lock that converts a person's biometric identifier or biometric information to a mathematical representation. Requires the department of labor to provide information for employers regarding the requirements of the act on its website. Amends the Workers' Compensation Act. Provides that nothing in the act limits, prevents, or preempts a recovery by an employee under the Biometric Information Privacy Act.

Biometrics or Facial Recognition

Illinois

SB 1511 
Pending

Amends the Biometric Privacy Information Act. Defines "security purpose" as the purpose of preventing retail theft, fraud, or any other misappropriation or theft of a thing of value, including protecting property from trespass, controlling access to property, protecting any person from harm, including stalking, violence, or harassment, and assisting a law enforcement investigation. Allows a private entity to collect, capture, or otherwise obtain a person's or customer's biometric identifier or biometric information without satisfying other specified requirements if: (1) the private entity collects, captures, or otherwise obtains a person's or customer's biometric identifier or biometric information for a security purpose; (2) the private entity uses the biometric identifier or biometric information only for a security purpose; (3) the private entity retains the biometric identifier or biometric information no longer than is reasonably necessary to satisfy a security purpose; and (4) the private entity documents a process and time frame to delete any biometric identifier or biometric information.

Biometrics or Facial Recognition

Indiana

HB 1554 
Pending

Establishes in the Indiana Code a new article concerning consumer data protection, to take effect Jan. 1, 2024. Sets forth the following within the new article: (1) Definitions of terms that apply throughout the article. (2) Exemptions for certain: (A) persons; and (B) types of information and data; from the bill's requirements concerning the personal data of Indiana consumers (consumers). (3) The rights of a consumer with respect to personal data relating to the consumer. (4) The responsibilities of controllers of consumers' personal data (controllers). (5) The roles of: (A) controllers; and (B) processors of consumers' personal data (processors); with respect to a consumer's personal data. (6) Requirements for data protection assessments by controllers. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The establishment, maintenance, and publication by the attorney general's consumer protection division of a quarterly listing of electronic mail addresses of consumers who request that their personal data not be sold. (10) Requirements for brokers of consumers' personal information (data brokers) to: (A) provide notification of security breaches; and (B) register annually with the attorney general. (11) The authority of the attorney general to investigate and enforce suspected or actual violations of the new article. (12) The establishment of the consumer privacy account within the state general fund to support the work of the attorney general in enforcing the new article. (13) The authority of the attorney general to: (A) to adopt rules to administer the new article; and (B) issue opinion letters and interpretive guidance to develop an operational framework for persons subject to the new article. (14) The preemption of local rules, regulation, and laws regarding the processing of personal data.

Comprehensive

Indiana

SB 5 
Pending

Establishes a new article in the Indiana Code concerning consumer data protection, to take effect Jan. 1, 2026. Sets forth the following within the new article: (1) Definitions of various terms that apply throughout the article. (2) Exemptions from the bill's requirements concerning the responsibilities of controllers of consumers' personal data. (3) The rights of an Indiana consumer to do the following: (A) Confirm whether or not a controller is processing the consumer's personal data. (B) Correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller. (C) Delete the consumer's personal data held by a controller. (D) Obtain a copy or representative summary of the consumer's personal data that the consumer previously provided to the controller. (E) Opt-out of the processing of the consumer's personal data for certain purposes. (4) The responsibilities of controllers of consumers' personal data. (5) The roles of controllers and processors with respect to a consumer's personal data. (6) Requirements for data protection impact assessments by controllers of consumers' personal data. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The authority of the attorney general to investigate and enforce suspected or actual violations of the new article. (10) The preemption of local rules, regulations, and laws regarding the processing of personal data.

Comprehensive

Iowa

None

 

 

Kansas

None

 

 

Kentucky

SB 15 
Pending

Defines various consumer rights related to data collection; requires a data controller to comply with a consumer request to exercise those rights, including confirming whether or not a controller is processing the consumers data and providing the consumer access to his or her data, deleting his or her personal data, and providing a copy of the consumers data that he or she previously provided in a portable and usable format; provides for opting out.

Comprehensive

Louisiana

None

 

 

Maine

Me. Rev. Stat. Ann. tit. X, §

 

 

Maryland

HB 33 
Pending 
SB 169 
Pending

Regulates the use of biometric data by private entities, including by requiring certain private entities in possession of biometric data to develop a policy, made available to the public, establishing a retention schedule and destruction guidelines for biometric data; authorizes an individual alleging a violation of this Act to bring a civil action against the offending private entity under certain circumstances; makes a violation of this Act an unfair, abusive, or deceptive trade practice that is subject to enforcement and penalties under the Maryland Consumer Protection Act; and generally relates to biometric data privacy.

Biometrics or Facial Recognition

Maryland

HB 807 
Pending 
SB 698 
Pending

Establishes generally the manner in which a controller or a processor may process a consumer's personal data; authorizes a consumer to exercise certain rights regarding the consumer's personal data; requires a controller of personal data to establish a method for a consumer to exercise certain rights in regards to the consumer's personal data; regulates the use of biometric data by a controller; etc.

Biometrics or Facial Recognition

Maryland

HB 901 
Pending 
SB 844 
Pending

Requires a business that offers an online product likely to be accessed by children to complete a certain data protection impact assessment under certain circumstances; prohibits a business from offering a certain online product before completing a data protection impact assessment; requires businesses to document certain risks associated with certain online products; requires certain privacy protections for certain online products; prohibits certain data collection and sharing practices; provides certain exemptions; etc.

Children’s Online Privacy

Maryland

SB 861 
Pending

Prohibits a person from using a scanning device to scan or swipe an identification card or a driver's license of an individual to obtain personal information of the individual; prohibits a person from taking certain actions regarding information collected by scanning or swiping an individual's identification card or driver's license under certain circumstances; provides that a violation of the act is an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act and subject to certain penalties; etc.

Other Consumer Privacy

Massachusetts

None

 

 

Michigan

None

 

 

Minnesota

HF 846 
Pending 
SF 943 
Pending

Prohibits geolocation and smartphone monitoring of another in certain circumstances; provides a cause of action to individuals when geolocation information and other smartphone data has been recorded or shared.

Location Privacy

Minnesota

HF 1367 
Pending

Relates to consumer data privacy; gives various rights to consumers regarding personal data; places data transparency obligations on businesses; creates a private right of action; provides for enforcement by the attorney general; proposes coding for new law as Minnesota Statutes, chapter 325O.

Comprehensive

Minnesota

SF 950 
Pending

Requires a consumer's consent prior to collecting personal information.

Consumer Data Privacy

Minnesota

SF 954 
Pending

Establishes standards for biometric privacy; establishes a right of action.

Biometrics or Facial Recognition

Minnesota

SF 1110 
Pending

Relates to data privacy; establishes neurodata rights; modifies certain crimes to add neurodata elements; provides civil and criminal penalties; amends Minnesota Statutes 2022, sections 13.04, by adding a subdivision; 609.88, subdivision 2; 609.891, subdivision 3; proposes coding for new law in Minnesota Statutes, chapter 325E.

Other Consumer Privacy

Minnesota

SF 1138 
Pending

Requires direct-to-consumer genetic testing companies to provide disclosure notices and obtain consent; proposes coding for new law in Minnesota Statutes, chapter 325F.

Consumer Genetic Privacy

Minnesota

SF 1442 
Pending

Relates to data privacy; requires consent before providers share audio or video data with third parties; proposes coding for new law in Minnesota Statutes, chapter 325E.

Other Consumer Privacy

Mississippi

HB 467 
Failed

Creates the "Biometric Identifiers Privacy Act;" provides legislative findings; defines terms relating to biometric identifiers; requires private entities in possession of biometric identifiers to develop a policy that establishes a retention schedule and guidelines for destroying the biometric identifiers of individuals; provides certain requirements and restrictions for private entities that collect biometric identifiers; provides that upon the request of an individual, a private entity that collects biometric identifiers shall disclose to the individual his or her biometric identifier and information related to the use of such biometric identifier; provides for a right of action for individuals alleging a violation of this act; provides that the attorney general may bring an action against a private entity who violates the provisions of this act; and for related purposes.

Biometrics or Facial Recognition

Mississippi

SB 2080 
Failed

Creates the "Mississippi Consumer Data Privacy Act;" authorizes consumers to request that businesses disclose certain information; authorizes consumers to request that businesses delete personal information collected by businesses; requires businesses to disclose certain information to consumers, to inform consumers of their right to request that personal information be deleted, and to delete personal information collected about consumers upon request; authorizes consumers to instruct businesses to not sell the consumers' personal information; authorizes consumers to bring civil actions against businesses that violate this act; authorizes the attorney general to bring civil actions against businesses that violate this act; requires the attorney general to adopt regulations to further the purposes of this act; and for related purposes.

Comprehensive

Missouri

HB 1047 
Pending

Establishes the Biometric Information Privacy Act.

Biometrics or Facial Recognition

Montana

None

 

 

Nebraska

LB 308 
Pending

Adopts the Genetic Information Privacy Act.

Consumer Genetic Privacy

Nebraska

LR 20CA 
Pending

Proposes a constitutional amendment to protect the right of individual privacy.

Other Consumer Privacy

Nevada

Nev. Rev. Stat. §

 

 

New Hampshire

SB 255 
Pending

This bill creates a new chapter detailing a consumer expectation of privacy.

Comprehensive

New Jersey

AB 505 
Pending

Enacts the “New Jersey Disclosure and Accountability Transparency Act (NJ DaTA);” establishes certain requirements for disclosure and processing of personally identifiable information; establishes the office of data protection and responsible use in the division of consumer affairs.

Comprehensive

New Jersey

AB 525 
Pending

Makes DNA samples and genetic information resulting from DNA analysis property of the person sampled or analyzed.

Consumer Genetic Privacy

New Jersey

AB 1399 
Pending

Requires internet service providers to keep confidential subscriber’s personally identifiable information unless subscriber authorizes internet service provider in writing to disclose information.

ISP Privacy

New Jersey

AB 1544 
Pending 
SB 2953 
Pending

Prohibits providers of commercial mobile service and developers of mobile application from disclosing customer’s global position system data to third parties under certain circumstances.

Location Privacy

New Jersey

AB 1954 
Pending

Requires internet service providers to keep confidential subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing or email to disclose information; prohibits subscriber penalty.

ISP Privacy

New Jersey

AB 1971 
Pending 
SB 332 
Pending

Requires commercial internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.

Website Privacy

New Jersey

AB 2029 
Pending

Requires internet service providers to keep confidential and prohibit any disclosure, sale, or unauthorized access to subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing to disclose information.

ISP Privacy

New Jersey

AB 2951 
Pending

Enacts the “Microphone-Enabled Devices Act;” requires user consent before enabling device microphone.

Connected Devices

New Jersey

AB 4723 
Pending 
SB 2740 
Pending

Requires motor vehicle dealer to delete personal information from motor vehicle computer system prior to resale or lease.

Other Consumer Privacy

New Jersey

AB 4811 
Pending

Establishes data broker registry.

Information Brokers

New Jersey

AB 4919 
Pending 
SB 3493 
Pending

Concerns social media privacy and data management for children and establishes New Jersey Children’s Data Protection Commission.

Children’s Online Privacy

New Jersey

AB 5075 
Pending

Prohibits acquisition or disclosure of certain personal health information without consent.

Biometrics or Facial Recognition

New Jersey

SB 1262 
Pending

Prohibits retail mercantile establishments from requiring certain consumer identification for return of merchandise.

Other Consumer Privacy

New Jersey

SB 3499 
Pending

Prohibits use of facial recognition technology on consumer except for legitimate safety purpose.

Biometrics or Facial Recognition

New Mexico

None

 

 

New York

AB 48 
Pending 
SB 2078 
Pending

Relates to limitations on the use of electronic or computerized entry systems; restricts information that may be gathered on lessees, tenants, owners or guests.

Biometrics or Facial Recognition, Other Consumer Privacy

New York

AB 322 
Pending 
SB 2478 
Pending

Prohibits the use of a facial recognition system by a landlord on any residential premises.

Biometrics or Facial Recognition, Other Consumer Privacy

New York

AB 417 
Pending 
SB 3163 
Pending

Restricts the disclosure of personal information by businesses; provides that a business that retains a customer's personal information shall make available to the customer free of charge access to, or copies of, all of the customer's personal information retained by the business.

Comprehensive

New York

AB 711 
Pending

Requires express and affirmative consent prior to collection, storage or transmittal of any personal information obtained from the installation or use of a smart home connected system by certain persons.

Connected Devices

New York

AB 936 
Pending 
SB 2324 
Pending

Discloses to a parent the personal information and content about a minor collected by an operator of an internet platform when a parent requests such information.

Children’s Online Privacy, Website Privacy

New York

AB 1362 
Pending 
SB 4457 
Pending

Establishes the biometric privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.

Biometrics or Facial Recognition

New York

AB 1366 
Pending 
SB 2998 
Pending

Relates to establishing the online consumer protection act; defines terms; provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities; makes related provisions.

Website Privacy

New York

AB 1484 
Pending 
SB 4367 
Pending

Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.

ISP Privacy

New York

AB 1731 
Pending

Restricts insurers from demanding intrusive personal, financial and tax information from insureds as a standard practice in processing ordinary theft claims where no special circumstances warranting a demand for such information exists.

Other Consumer Privacy

New York

AB 1766 
Pending 
SB 2404 
Pending

Requires retailers to post warning signs of the tracking of customers through cell phones or other electronic devices; provides for civil penalties.

Other Consumer Privacy

New York

AB 2529 
Pending

Establishes a commission to study the European Union's general protection data regulation and the current state of cyber security in the state.

Studies, Task Forces or Commissions

New York

AB 2587 
Pending 
SB 4201 
Pending

Establishes the New York Data Protection Act; requires government entities and contractors to disclose certain personal information collected about individuals.

Comprehensive

New York

AB 2621 
Pending

Relates to the use of biometric identity verification devices for the purchase of alcoholic beverages and tobacco products; authorizes a licensee, its agent or employee to determine a person's age when purchasing alcoholic beverages or tobacco products by use of a biometric identity verification device; establishes where the use of the device indicates that the person is under the age of 21, the attempted purchase of the alcoholic beverage shall be denied.

Biometrics or Facial Recognition

New York

AB 2642 
Pending

Enacts the "Facial Recognition Technology Study Act" to study privacy concerns and potential regulatory approaches to the development of facial recognition technology.

Biometrics or Facial Recognition; Studies, Task Forces or Commissions

New York

AB 3308 
Pending 
SB 2277 
Pending

Enacts the "Digital Fairness Act;" requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information; establishes unlawful discriminatory practices relating to targeted advertising.

Comprehensive

New York

AB 3593 
Pending

Enacts the NY Privacy Act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

Comprehensive

New York

AB 3959 
Pending 
SB 2012 
Pending

Creates an excise tax on the collection of consumer data by commercial data collectors.

Other Consumer Privacy

New York

SB 158 
Pending

Creates privacy standards for electronic health products and services and permissible data brokering; requires consent to be given for the collection and/or sharing of personal health information or other personal data.

Information Brokers, Other Consumer Privacy

New York

SB 365 
Pending

Enacts the New York Privacy Act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

Comprehensive

New York

SB 1298 
Pending

Relates to the use of voice recognition features on certain products.

Connected Devices

New York

SB 2390 
Pending

Prohibits private entities from using biometric data for any advertising, detailing, marketing, promotion, or any other activity that is intended to be used to influence business volume, sales or market share or to evaluate the effectiveness of marketing practices or marketing personnel.

Biometrics or Facial Recognition

New York

SB 3162 
Pending

Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Comprehensive

New York

SB 3281 
Pending

Enacts the New York Child Data Privacy Protection Act to prevent the exploitation of children's data; requires data controllers to assess the impact of its products on children for review by the bureau of internet and technology; bans certain data collection and targeted advertising.

Children’s Online Privacy

New York

SB 4377 
Pending

Relates to privacy protection policies on internet websites, online services, online applications and mobile applications that collect social security numbers.

Website Privacy

North Carolina

None

 

 

North Dakota

None

 

 

N. Mariana Islands

Not available

 

 

Ohio

None

 

 

Oklahoma

HB 1030 
Pending

Relates to privacy of computer data; enacts the State Computer Data Privacy Act; defines terms; provides for applicability of act to certain businesses that collect consumers' personal information; provides exemptions; prescribes compliance with other laws and legal proceedings; requires act to be liberally construed to align its effects with other laws relating to privacy and protection of personal information; provides for controlling effect of federal law.

Comprehensive

Oregon

HB 2052 
Pending

Provides that a data broker may not collect, sell or license brokered personal data within this state unless data broker first registers with the department of consumer and business services. Specifies the form, method and contents of the application. Specifies exemptions. Provides a civil penalty in an amount not to exceed $500 for each violation of Act or, for continuing violation, for each day in which a violation continues. Caps the amount of the civil penalty at $10,000 in calendar year.

Information Brokers

Oregon

HB 2370 
Pending

Requires the attorney general to study privacy. Directs the attorney general to submit findings to interim committees of the legislative assembly related to consumer protection not later than Sept. 15, 2024.

Studies, Task Forces or Commissions

Oregon

SB 196 
Pending

Requires a business that provides an online product, service or feature that a child is reasonably likely to access to identify, evaluate and mitigate risks to child from online product, service or feature. Restricts the manner in which a business may collect or use the personal information of a child. Requires a business that provides an online product, service or feature that a child is reasonably likely to access to complete and retain a data protection impact assessment. Requires a business to provide upon request the completed assessment to the attorney general. Authorizes the attorney general to bring an action for injunctive relief, civil penalties or attorney fees and enforcement costs and disbursements against a business for violations. Establishes a task force on age-appropriate design. Requires the task force to study how children access, use and are affected by online products, services and features and the methods for mitigating risks. Provides that the requirements and restrictions become operative July 1, 2024. Sunsets the task force on Jan. 2, 2025.

Children’s Online Privacy; Studies, Task Forces or Commissions

Oregon

SB 619 
Pending

Permits consumers to obtain from a controller that processes consumer personal data confirmation as to whether the controller is processing the consumer’s personal data and categories of personal data the controller is processing, a list of specific third parties to which the controller has disclosed the consumer’s personal data and a copy of all of the consumer’s personal data that the controller has processed or is processing. Permits a consumer to require a controller to correct inaccuracies in personal data about the consumer, require the controller to delete personal data about the consumer or opt out from the controller’s processing of the consumer’s personal data under certain circumstances. Requires a controller to provide to consumers reasonably accessible, clear and meaningful privacy notice that lists categories of personal data the controller processes, describes the controller’s purpose for processing personal data, describes how a consumer may exercise the consumer’s rights with respect to personal data, lists the categories of personal data that a controller shares with third parties, list all categories of third parties with which the controller shares personal data and provides other information. Specifies duties of, and prohibits specified actions of, a controller and of a processor that acts at the controller’s direction. Permits the attorney general to investigate violations of the act and to bring action to seek a civil penalty of not more than $7,500 for each violation. Permits a consumer or class of consumers to bring action after a specified date for ascertainable loss of money or property resulting from violation of act.

Comprehensive

Pennsylvania

None

 

 

Puerto Rico

HB 129 
Pending

Establishes the Charter of Digital Rights of Puerto Rico in order to safeguard the human rights of people in the digital sphere.

 

Puerto Rico

HB 262 
Pending

Creates the Law for the Protection of Cyber Privacy of Our Children and Young People in order to prohibit any operator, employee or agent of an internet page classified as a social network, as defined herein, from publishing and or disclosing personal information of underage users residing in Puerto Rico, beyond the name and city where they reside, without the express consent of these and that of the father, mother or guardian with parental authority.

Children’s Online Privacy

Puerto Rico

HB 655 
Pending

Establishes the Electronic Information Privacy Law in order to protect the right to privacy of individuals regarding information stored on an electronic device or transmitted to a remote computer service provider.

ISP Privacy

Puerto Rico

HB 1548 
Pending

Relates to the law for the protection of data and information of the consumer, in order that the consumer must give his informed consent on the collection, use and access of the information that he provides, by virtue of a request by any resident individual of Puerto Rico who establishes a business, legal entity incorporated or organized under the laws of Puerto Rico or of any jurisdiction of the United States, or a foreign corporation that has an office or other fixed location and that operates.

 

Puerto Rico

SB 882 
Pending

Relates to law for the protection of digital privacy; protects the personal information of consumers and guarantee the right to privacy in the digital age.

 

Rhode Island

HB 5354 
Pending

This bill requires online service providers and commercial websites that collect, store and sell personally identifiable information to disclose what categories of personally identifiable information they collect and to what third parties they sell the information. This bill would not prohibit the collection or sale of personally identifiable information and would not require the retention or disclosure of personally identifiable information by online service providers or commercial websites. Any intentional disclosure of personal information in violation of the provisions of this act would be punishable by a fine of not less than $100 nor more than $500 per disclosure with sole enforcement of its provisions vested in the department of the attorney general. This act would take effect on Jan. 1, 2024.

Website Privacy

Rhode Island

SB 146 
Pending

This bill prohibits the use of facial recognition technology and biometric recognition technology in video-lottery terminals at pari-mutuel licensees in the state or in online betting applications. This bill also prohibits the use of certain other technologies in state gaming operations. The prohibition would not apply to standardized rewards programs.

Biometrics or Facial Recognition

A. Samoa

Not available

 

 

South Carolina

HB 3547 
Pending

Adds section 63-5-380 so as to prohibit the collection of personal information from children by operators of websites, online services, and online or mobile applications and to establish penalties.

Children’s Online Privacy

South Carolina

SB 156 
Pending

Adds section 58-1-70 so as to prohibit natural gas or electric public utilities from disclosing customer information to a third party without the express consent of the customer.

Other Consumer Privacy

South Dakota

SB 192 
Pending

Provides liability for the publishing or distributing of material harmful to minors on the internet and the wrongful retention of individually identifiable information.

Other Consumer Privacy

Tennessee

HB 932 
Pending 
SB 339 
Pending

Enacts the "Consumer Biometric Data Protection Act."

Biometrics or Facial Recognition

Tennessee

HB 965 
Pending 
SB 1379 
Pending

Prohibits a financial institution from releasing or providing the account balance or transaction activity of an account to a person without first obtaining the account holder's express permission or without a warrant issued by a judicial officer located in this state.

Other Consumer Privacy

Tennessee

HB 1181 
Pending 
SB 73 
Pending

Enacts the "Tennessee Information Protection Act."

Comprehensive

Tennessee

HB 1486 
Pending 
SB 1353 
Pending

Prohibits a business entity from retaining a copy, in an electronic or other format, of a person's identification unless the retention of that copy is specifically required by federal or state law, or the business entity obtains the express consent of the holder of that identification; prohibits a business entity from refusing to transact business with a person solely on the basis that the person refuses to provide express consent to the business entity or its agent, employee, or contractor retaining the copy; makes a violation a Class B misdemeanor that constitutes an unfair or deceptive act under the Consumer Protection Act of 1977.

Other Consumer Privacy

Texas

SB 704 
Pending

Relates to the capture and use of an individual's biometric identifiers, specimen, or genetic information by a governmental body or peace officer or by a person for commercial purposes; authorizes civil penalties.

Consumer Genetic Privacy

Texas

SJR 23 
Pending

Proposes a constitutional amendment establishing the right to be free from governmental intrusion or interference into an individual's private life.

Constitutional Amendment

Utah

SB 139 
Pending

Enacts provisions related to motor vehicle consumer data protection.

Other Consumer Privacy

Vermont

HB 121 
Pending

This bill proposes to afford data privacy protections to Vermonters.

Comprehensive

Virginia

HB 1688 
Pending

Requires a controller or processor to obtain verifiable parental consent, defined in the bill, prior to registering any child with the operator's product or service or before collecting, using, or disclosing such child's personal data and prohibits a controller from knowingly processing the personal data of a child for purposes of (i) targeted advertising, (ii) the sale of such personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. The bill also amends the definition of child for purposes of the Consumer Data Protection Act to include any natural person younger than 18 years of age.

Children’s Online Privacy

Virginia

SB 419 
Pending

Establishes requirements for direct-to-consumer genetic testing companies, including requirements related to information to be provided to consumers, consent requirements, requirements related to security of and consumer access to genetic information, requirements for contracts between direct-to-consumer genetic testing companies and service providers, and prohibitions on disclosure of genetic information by direct-to-consumer genetic testing companies. The bill also prohibits discrimination against a consumer based on exercise of rights related to genetic information privacy and imposes civil penalties for violations of the provisions of the bill.

Consumer Genetic Privacy

Virginia

SB 1026 
Failed

Requires an operator, defined in the bill, to obtain verifiable parental consent prior to registering any child with the operator's product or service or before collecting, using, or disclosing such child's personal data and prohibits a controller from knowingly processing the personal data of a child for purposes of (i) targeted advertising, (ii) the sale of such personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. The bill also amends the definition of child for purposes of the Consumer Data Protection Act to include any natural person younger than 18 years of age.

Children’s Online Privacy

U.S. Virgin Islands

None

 

 

Washington

HB 1616 
Pending 
SB 5643 
Pending

Creates a charter of people's personal data rights.

Comprehensive

Washington

HB 1799 
Pending

Concerns the registration of business entities that qualify as data brokers.

Information Brokers

Washington

HR 4607 
Pending

Recognizes digital privacy day.

Other Consumer Privacy

West Virginia

HB 2460 
Pending

Adds sections 46A-9-1, 46A-9-2, 46A-9-3, 46A-9-4, and 46A-9-5, all relating to online privacy protection for children; defines terms; establishes actions prohibited; creates rulemaking authority; provides safe harbor for operators; and provides for enforcement by the attorney general

Children’s Online Privacy

West Virginia

HB 2964 
Pending

Adds sections 61-3F-1, 61-3F-2, and 61-3F-3, all relating to online privacy protection for children; prohibits the marketing or advertising of certain products or services to minors; specifies prohibited good and services; prohibits the collection of information about minor users for marketing purposes; requires operators of website, online services, or applications to remove personal information about a minor when the information is visible to others; and specifies limited exceptions.

Children’s Online Privacy

West Virginia

HB 3339 
Pending

Adds section 55-7L-1, relating to material harmful to minors; provides for legislative intent; defines terms; provides for liability for the publishing or distribution of material harmful to minors on the internet through a private right of action together with damages, attorney fees and costs; provides for reasonable age verification; provides for liability for unlawful retention of personal identifying information together with liquidated damages, attorney fees and costs; provides for exceptions; provides an effective date; and providing for related matters.

Website Privacy

Wisconsin

None

 

 

Wyoming

SJR 9 
Failed

Provides for the right of individual privacy.

Constitutional Amendment


LexisNexis Terms and Conditions

Explanation of Categories

  • Biometrics or Facial Recognition

    May require private entities to develop a written policy regarding collection or retention of biometric identifiers or may require businesses to allow a consumer to opt out of the sale of biometric information. Some legislation may apply only to a specific type of biometric, e.g., voice recognition or facial recognition, or to all types of biometric information.

  • Children's Online Privacy

    Generally prohibits the collection of information about minor users for marketing purposes and requires operators of website, online services, or applications to remove personal information about a minor. (Does not include legislation that references incorporation of the requirements of the federal Children's Online Privacy Protection Act, 15 USC 6501 et seq.

  • Comprehensive

    Broad legislation that regulates the collection, use and disclosure of personal data by businesses generally. For example, provides specific consumer rights such as the right to access, delete, or correct inaccurate information, among other rights and provisions. The comprehensive nature of these bills may mean they include other categories in this list, even if not noted.

  • Connected Devices

    Regulates smart speakers and connected devices, e.g., may prohibit collecting, using, storing, or sharing the data obtained from a connected device without an owner’s consent.

  • Constitutional Amendment

    Proposes an amendment to the state’s constitution to add a fundamental right to privacy.

  • Genetic Privacy

    Regulates direct-to-consumer genetic testing companies by requiring disclosure of or consent prior to a company's collection, use, and sharing of genetic data. May prohibit insurer use of consumer genetic information. (Does not include legislation prohibiting discrimination based on genetic information collected by health providers.)

  • Information Brokers

    May create a data broker registry and/or regulate third-party data businesses who collect the personal information of a consumer (with whom the business does not have a direct relationship).

  • ISP Privacy

    Legislation to regulate how telecommunications or internet service providers can collect or share consumer data.

  • Location Privacy

    May prohibit the transfer or sale of consumer geolocation or GPS data without permission or prohibit disclosing a customer's geolocation data to third parties.

  • Other Consumer Privacy

    Miscellaneous legislation, e.g., may require disclosures to consumers regarding personal information collected, or relates to privacy protections only for a specific industry or online service, etc.

  • Studies, Task Forces, or Commissions

    Legislation requiring a study of consumer privacy issues or creating a task force, advisory body, commission or other regulatory, advisory or oversight entity.

  • Website Privacy

    Legislation to require an operator of a commercial website or online service that collects personally identifiable information to notify customers about its personal information sharing practices or to require consent before sharing internet browser information.
Loading

  • Contact NCSL

  • For more information on this topic, use this form to reach NCSL staff.

Related Resources

Legislating AI Technology

Join Connecticut State Sen. James Maroney and Texas Rep. Giovanni Capriglione for an engaging conversation on the latest developments in AI legislative initiatives, along with insights on topics such as data privacy, ethics in AI, workforce implications, and the role of state governments in shaping AI policy.

Technology
Video