July 30, 2021

Volume XI, Number 211

Advertisement

July 30, 2021

Subscribe to Latest Legal News and Analysis

July 29, 2021

Subscribe to Latest Legal News and Analysis

July 28, 2021

Subscribe to Latest Legal News and Analysis

July 27, 2021

Subscribe to Latest Legal News and Analysis

US State Privacy Law Check-In

In a previous update, we provided a comprehensive round-up of several notable pending US state privacy laws.  We are checking-in on the progression of some of those laws in this further update.   The next installment will update the remaining state laws in progress.

New Laws

Virginia 

The Virginia Consumer Data Protection Act (“CDPA”) was signed into law on March 2, 2021, making Virginia the second US state after California to pass a comprehensive data privacy law.   Those familiar with the European Union General Data Protection Regulation (“GDPR”) will recognize terminology throughout the CDPA, mimicking many GDPR-defined terms, such as “controller”, “processor” and “personal data.”  While not quite as expansive as the GDPR in every respect, the CDPA is a broad-based privacy law that is on par with the California Consumer Privacy Act (“CCPA”).  For our summary of the CDPA, please see our overview of the Virginia Consumer Data Protection Act. The CDPA becomes effective on January 1, 2023.

Utah 

While much narrower in scope than other new and pending privacy legislation, Utah’s Cybersecurity Affirmative Defense Act was signed into law on March 11, 2021.  The law creates an affirmative defense (“safe harbor”) for companies in Utah’s data breach notification if they have a written information security program that meets certain requirements as specified in the law.

The Movers

Florida 

Florida’s proposed privacy law, House Bill 969, shows promise of making it to law and contains some potentially game-changing provisions. HB969 is sweeping privacy legislation that shares many similarities with the CCPA, imposing a broad set of requirements on businesses, and providing a number of rights to consumers with respect to their personal information. Additionally, similar to the CCPA, the bill also contains a private right of action in the event of certain data breaches. The bill overwhelmingly passed the Florida House of Representative 118 votes to 1 and has now moved to the Florida Senate.  HB 969 also has the support of Florida Governor Ron DeSantis. The Florida Senate just yesterday (April 29th) passed its own privacy legislation – Senate Bill 1734 – which has some key differences from HB 969 and is headed back to the House for reconciliation.  The 2021 Florida Legislative Session ends today, April 30, 2021 and we will update on the status of this important development following the close of the session. If passed, the bill would become effective on July 1, 2022.

UPDATE – At the time of the original post (April 30), it appeared reasonably certain that the Florida House and Senate would reconcile differences between the two privacy bills and join California and Virginia with comprehensive state data privacy laws.  We always say “watch this space,” when it comes to legislative action … because it failed to happen.   The gating item was the inclusion of a private right of action, which had been removed by the Florida Senate in its version, setting up the last minute reconciliation scenario.  Reports say that the House intended to add the private right of action back in, which would have required a vote in House and Senate on the last day of the session to pass the bill.

Connecticut

Senate Bill 893 is a comprehensive privacy law similar to the CCPA that would require transparency from companies with respect to their data collection and use, and would provide consumers with a variety of privacy rights.  SB893 continues to move through the Connecticut legislature and was referred by the Connecticut Senate to the Committee on Judiciary on April 28.

Dead for Now

Washington

Most notably, The Washington Privacy Act of 2021 (SB 5062) failed to pass for a third year in a row.  The Washington Privacy Act was a comprehensive privacy bill similar to the GDPR, giving consumers broad privacy rights with respect to their personal data.  As with years past, contention over the bill primarily focused on whether the bill should include a private right of action to allow residents to directly bring claims for violation of the law.  While the bill showed promise this year when it passed in the Senate, the House version (which contained a private right of action), did not advance by the April 25 close of the legislative session.

Oklahoma

Although it did not garner the level of national attention that the Washington Privacy Act generated, the Oklahoma Computer Data Privacy Act (HB1602) was also a comprehensive privacy bill that borrowed many concepts from the CCPA, and included a private right of action.  If passed, HB1602 would have been a trendsetter in US privacy law – requiring that consumers opt-in prior to collection of their personal information (something we have not seen before in US privacy law).  The bill had bipartisan support, passed in the Oklahoma House, but failed to advance out of the Oklahoma Senate Judiciary Committee before the April 8 deadline.  Much of the opposition to the bill focused on the opt-in requirement, and there was a strong lobbying push from industry to oppose it.  

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume XI, Number 120
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Christopher Buontempo Corporate Lawyer Mintz
Associate

Chris is a corporate attorney and a Certified Information Privacy Professional (CIPP). He has significant experience handling legal and business issues relating to technology, data privacy and security, brand protection, contract negotiation, licensing, and product development. 

Chris has held several leadership positions at technology, consumer product, and e-commerce companies. Prior to joining Mintz, he was Director of Legal Affairs and Privacy Officer at The Predictive Index, a high-growth, SaaS-based personnel assessment and technology company with an expansive international...

617-239-8322
Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732
Advertisement
Advertisement