There are currently over 40 comprehensive consumer data privacy bills pending in the states as we enter the third month (for most states) of the legislative sessions.
Although the dread of the often-referenced “patchwork” of dissimilar state privacy laws still looms, the good news is that the majority of the bills are not moving, moving slowly, or dead. Nevertheless, there are some that are working their way toward the finish line, and a few that appear to have come back from the dead, as explained below.
The following chart shows how various privacy legislation components included in 47 bills measure up:
You can download a chart here that provides details about each of the 47 bills and their current legislative status.
WHAT WAS NEW IN FEBRUARY
Arizona HB 2790 was introduced Feb. 8, but apparently did not make it past the committee deadline of Feb. 18.
Florida HB 9 was amended by committee substitute and reported favorably out of the House Commerce Committee on Feb. 10, and out of the House Judiciary Committee on Feb. 23.
[article_ad]
Indiana SB 358 was amended in the Senate, passed, and voted favorably out of the House committee on Feb. 17. Notably, the amendment removed the private right of action contained in the original version.
Iowa House Study Bill 674 passed in committee and was refiled on Feb. 23, as HF 2506 and SF 2208.
Massachusetts H 136, S 46, S 50, and S 220, all carryovers from 2021, morphed into S 2687 on Feb. 14.
Mississippi SB 2330died in committee Feb. 1.
Ohio HB 376 was amended by committee substitute on Feb. 9. Among other changes, the legislation now provides a consumer the right to request correction of inaccurate data. This chart explains the numerous other differences between the introduced bill and the substitute.
Oklahoma HB 2969, the Oklahoma Computer Data Privacy Act, was introduced on Feb. 7, and amended by committee substitute on Feb. 21. The substitute adds a prohibition against selling a consumer’s personal information to a third party without the consumer’s consent, i.e., “opt in.”
Utah SB 227 is a fast-moving bill that was introduced Feb. 17 and passed in the Senate and transmitted to the House on Feb. 25. The original bill provided a consumer the right to: 1) confirm processing of their personal data; 2) obtain information regarding the categories of personal data collected; 3) correct inaccurate data; 4) delete personal data provided by the consumer; 5) obtain a copy of the personal data provided by the consumer; and 6) opt-out of processing if for targeted advertising or the sale of the personal data. In part, the first and second bill substitutes deleted the second and third rights and added the right to access the personal data. The Utah legislative session is scheduled to conclude March 4.
Washington HB 1433 has had no movement and is presumed dead.
On Feb. 17, SB 5062 was placed in the “Senate Rules ‘X’ file,” which is described as where bills go “if they are no longer eligible for consideration.” However, on Feb. 24, it was moved to the “Rules White Sheet,” which is described as “where bills are sent immediately after being passed out of a standing committee,” and “is, more or less, a review calendar.”
HB 1850 was assigned to the Committee on Civil Rights & Judiciary which voted it out on Feb. 2 as amended by a committee substitute. It then was referred to the Committee on Appropriations (avoiding a deadline faced by the CRJ Committee). On Feb. 28, Appropriations adopted a second substitute that, in part:
- Strikes all provisions relating to consumer rights;
- Retains provisions relating to the Consumer Data Privacy Commission;
- Removes requirements that the Commission conduct data protection audits of controllers and processors;
- Provides a private right of action only if: a) the Commission has determined in an administrative hearing that a violation occurred; and b) the consumer suffered demonstrable economic loss or physical harm.
Notably, the second substitute provides that the act does not become effective unless the engrossed second substitute for SB 5062 becomes law by July 1, 2022.
Wisconsin AB 957 was introduced Feb. 3, SB 957 and SB 977 were introduced Feb. 9, and AB 1050 was introduced Feb. 17. Of the four, only AB 957 is moving, having passed as amended by the Assembly on Feb. 23 and referred to committee in the Senate.
WHAT’S AHEAD IN MARCH
Of the states with pending privacy legislation, six have crossover deadlines in March, and others have various committee and floor deadlines. There are a handful of bills that are now in the second chamber or poised to be there soon, so it is possible that March could bring the passage of another comprehensive state data privacy law.