The start of 2020 did not just bring us the effective date of the California Consumer Privacy Act (CCPA). It also led to several state legislators introducing their own versions of potentially ground-breaking privacy and data security laws. Each law has nuances that will likely result in a compliance nightmare, particularly if all or most of the states and territories enact their own law. However, each also appears on its face to riff on either the EU’s General Data Protection Regulation (GDPR) or the CCPA.
The chart below provides a list (current as of April 14, 2020) of proposed state privacy legislation that could still be enacted this session. The purpose of the chart is to provide the broad strokes of each proposed law, show their similarities, and highlight key differences. The question is whether the GDPR and/or CCPA actually provide the most appropriate models to emulate. The CCPA is perceived and touted by many as the first and most comprehensive privacy and data security law of its kind in the US, but we can’t help but wonder: does first necessarily mean best?
States that considered but ultimately chose not to pass proposed privacy legislation in 2020 include: Florida, Maryland, Virginia, Washington, and Wisconsin.
*Hawaii HB2572 – Passed in the House and transmitted to the Senate on March 3, 2020. It was then referred to the Senate CPH/TEC committee. A hearing was scheduled but is postponed until further notice. This bill largely restricts the sale (for monetary or other valuable consideration) of geolocation data and internet browser information (e.g., web browsing history, application usage history, and origin and destination internet protocol addresses, device identifiers, and content of communications in internet activity).
**Minnesota HF3936 – Controllers must create an internal appeal process for any consumer rights requests that are refused. If an appeal is denied, consumers have the right to have that decision submitted to the AG. Includes specific obligations/restrictions on facial recognition software.
***New York A8526 and SB5642 – Controllers have a fiduciary duty of care, loyalty, and confidentiality, and a duty to put the privacy rights of consumers before that of the company.