Dec 24th 2019

Proposed Data Privacy Laws by State: It’s Not Just About California

Following is a brief update on the status of other data protection laws in the United States.

Federal: U.S. Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., introduced a federal statute, The Online Privacy Act of 2019, H.R. 4978, patterned after the CCPA. The federal bill would establish the same fundamental rights to data privacy contained in the CCPA on a national level. The proposed federal law is an "opt-in" statute and includes a new fundamental right to have a human decision of any automated act. Enforcement would include a new federal administrative agency titled the United States Digital Privacy Agency. More details are available in this quick summary of the bill.

Nevada: Nevada recently amended its data privacy law in Senate Bill (S.B.) 220 to add an "opt-out" provision similar to the CCPA. The prior Nevada data privacy law applied to "operators," who were defined as websites or online services collecting data for commercial purposes on Nevada residents. Existing Nevada law already provided for transparency by requiring these "operators" to disclose to consumers both the nature and scope of the data that they collect. The recent amendment, S.B. 220, took effect Oct. 1, 2019, and now also requires these "operators" to allow consumers to prevent the sale of their data to third parties through an "opt-out" procedure patterned after the CCPA's.

Maine: Maine's new law, Act to Protect the Privacy of Online Customer Information, takes effect July 1, 2020. This statute was designed to specifically protect the privacy of broadband internet consumers. Similar to the CCPA, it requires covered internet service providers to obtain "opt-in" consent from consumers before using, disclosing, or selling their personal information.

New York: The New York Stop Hacks and Improve Electronic Security Data Act (SHIELD Act) takes effect on March 21, 2020. The SHIELD law amends the current New York breach notification statute and increases data security protections. The act greatly expands the types of protected personal and private information and data that trigger the New York breach notification legal requirements when lost. The SHIELD Act also requires data collectors to develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information. The safeguards mentioned within the act closely mirror the National Institute of Standards and Technology's Cyber Security Framework. Most noteworthy, however, is the New York law's expansive application to any person or business that owns or licenses computerized data that includes private information of New York residents, even if that person or business does not conduct business in New York. This statute suggests that the state law applies to any data collector possessing or transacting the data of New York residents regardless of location.

Proposed legislation pending in other states: Several other states have proposed data privacy statutes that are pending and awaiting potential passage. Examples are Massachusetts's S.D. 341, and Maryland's Online Consumer Protection Act, S.B. 613/H.B. 901, both allowing consumers to "opt out" of the disclosure of their data to third parties and the right to prevent the sale of their data, similar to the CCPA. 

Kerry Myers, J.D., CFE

More Resources

More Information