US State Privacy Law Check-In - UPDATE
In a previous update, we provided a comprehensive round-up of several notable pending US state privacy laws. We are checking in on the progression of some of those laws in this further update. The next installment will update the remaining state laws in progress.
Be sure to check back with the Mintz Privacy & Cybersecurity Blog for our continued review and analyses of these proposed laws, or subscribe to our newsletter.
The Virginia Consumer Data Protection Act (“CDPA”) was signed into law on March 2, 2021, making Virginia the second US state after California to pass a comprehensive data privacy law. Those familiar with the European Union General Data Protection Regulation (“GDPR”) will recognize terminology throughout the CDPA, mimicking many GDPR-defined terms, such as “controller”, “processor” and “personal data.” While not quite as expansive as the GDPR in every respect, the CDPA is a broad-based privacy law that is on par with the California Consumer Privacy Act (“CCPA”). For our summary of the CDPA, please see our overview of the Virginia Consumer Data Protection Act. The CDPA becomes effective on January 1, 2023.
While much narrower in scope than other new and pending privacy legislation, Utah’s Cybersecurity Affirmative Defense Act was signed into law on March 11, 2021. The law creates an affirmative defense (“safe harbor”) for companies in Utah’s data breach notification if they have a written information security program that meets certain requirements as specified in the law.
Florida’s proposed privacy law, House Bill 969, shows promise of making it to law and contains some potentially game-changing provisions. HB 969 is sweeping privacy legislation that shares many similarities with the CCPA, imposing a broad set of requirements on businesses, and providing a number of rights to consumers with respect to their personal information. Additionally, similar to the CCPA, the bill also contains a private right of action in the event of certain data breaches. The bill overwhelmingly passed the Florida House of Representatives by 118 votes to 1 and has now moved to the Florida Senate. HB 969 also has the support of Florida Governor Ron DeSantis. The Florida Senate just yesterday (April 29th) passed its own privacy legislation – Senate Bill 1734 – which has some key differences from HB 969 and is headed back to the House for reconciliation. The 2021 Florida Legislative Session ends today, April 30, 2021, and we will update on the status of this important development following the close of the session. If passed, the bill would become effective on July 1, 2022.
UPDATE – At the time of the original post (April 30), it appeared reasonably certain that the Florida House and Senate would reconcile differences between the two privacy bills and join California and Virginia with comprehensive state data privacy laws. We always say “watch this space” when it comes to legislative action … because it failed to happen. The gating item was the inclusion of a private right of action, which had been removed by the Florida Senate in its version, setting up the last-minute reconciliation scenario. Reports say that the House intended to add the private right of action back in, which would have required a vote in the House and Senate on the last day of the session to pass the bill.
Senate Bill 893 is a comprehensive privacy law similar to the CCPA that would require transparency from companies with respect to their data collection and use, and would provide consumers with a variety of privacy rights. SB893 continues to move through the Connecticut legislature and was referred by the Connecticut Senate to the Committee on Judiciary on April 28.
Dead for Now
Most notably, the Washington Privacy Act of 2021 (SB 5062) failed to pass for a third year in a row. The Washington Privacy Act was a comprehensive privacy bill similar to the GDPR, giving consumers broad privacy rights with respect to their personal data. As with years past, contention over the bill primarily focused on whether the bill should include a private right of action to allow residents to directly bring claims for violation of the law. While the bill showed promise this year when it passed in the Senate, the House version (which contained a private right of action) did not advance by the April 25 close of the legislative session.
Although it did not garner the level of national attention that the Washington Privacy Act generated, the Oklahoma Computer Data Privacy Act (HB1602) was also a comprehensive privacy bill that borrowed many concepts from the CCPA, and included a private right of action. If passed, HB1602 would have been a trendsetter in US privacy law – requiring that consumers opt in prior to collection of their personal information (something we have not seen before in US privacy law). The bill had bipartisan support and passed in the Oklahoma House, but failed to advance out of the Oklahoma Senate Judiciary Committee before the April 8 deadline. Much of the opposition to the bill focused on the opt-in requirement, and there was a strong lobbying push from industry to oppose it.