Privacy Tracker | US state comprehensive privacy law comparison
Editor's Note:

The updated version of this tool, including a new state law tracker map, now exists on the IAPP Resource Center, which you can find here. While the text on this page will not be updated going forward, the chart below will be up-to-date.

State-level momentum for comprehensive privacy bills is at an all-time high. After the California Consumer Privacy Act passed in 2018, multiple states proposed similar legislation to protect consumers in their states. The IAPP Westin Research Center compiled the below list of proposed comprehensive privacy bills from across the country to aid our members' efforts to stay abreast of the changing state-privacy landscape.

Although many of the bills included in the table will fail to become law, comparing the key provisions in each bill can be helpful in understanding how privacy is developing in the United States. Bills that are voted down or die in committee will not be immediately removed because their inclusion helps illustrate how states are thinking about privacy. We identified 17 provisions that commonly appear in comprehensive privacy statutes and placed an "x" in the corresponding column if a particular bill includes the provision. The 17 common privacy provisions are broken into two categories — consumer rights and business obligations — and are described below the table.

The table includes only bills intended to be comprehensive approaches to governing the use of personal information in a state — industry specific, type of information specific, and narrowly scoped bills (e.g., data security bills) are not included unless they have a companion piece of legislation that collectively creates a comprehensive structure.

The Westin Research Center will periodically update this table. If you are aware of a proposed state bill (with formally introduced language) that is absent from our list, please share it with our Westin fellow, Mitchell Noordyke, at mnoordyke@iapp.org.


Last updated June 26, 2019: Maine LD 946 was added; Nevada SB 220 and Chapter 603A rows were consolidated into one row because SB 220 amends Chapter 603A; New York bills SB S224 and SB S8641, which adds a private right of action for security violations under S224, were removed because some version of S224 has been proposed in consecutive legislative sessions since 2013-14 and New York introduced a new comprehensive bill, SB S5642.

June 11, 2019 update: New York SB S5642 was added to the chart as well as a new business obligations column to accommodate the bill's fiduciary duty provision; Minnesota HF 2917/SF 2912 was updated to recognize a consumer's right to access personal information shared and the previously recognized purpose limitation was changed to a processing limitation.

June 4, 2019 update: Louisiana HB 465 and Minnesota HF 2917/SF 2912 were added. Nevada SB 220 passed into law without a private right of action, so its row was updated to reflect the final version of the law.

May 29, 2019 update: Pennsylvania HB 1049 was added, and a strict age-based opt-in for Rhode Island S0234, previously omitted in error, was added.

May 1, 2019 update: Bills from Illinois and Rhode Island were added and a right to opt-out in the Washington Privacy Act, which was originally omitted due to the broad exceptions included in the right, is now recognized.


The 16 common privacy provisions include the following:

  • The right of access to personal information collected — The right for a consumer to access from a business/data controller the information collected, or the categories of information collected, about the consumer; in some bills this right exists only if the business sells information to a third party.
  • The right of access to personal information shared with a third party — The right for a consumer to access personal information shared with third parties.
  • The right to rectification — The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
  • The right to deletion — The right for a consumer to request deletion of personal information about the consumer under certain conditions.
  • The right to restriction of processing — The right for a consumer to restrict a business' ability to process personal information about the consumer.
  • The right to data portability — The right for a consumer to request personal information about the consumer be disclosed in a common file format.
  • The right to opt out of the sale of personal information — The right for a consumer to opt out of the sale of personal information about the consumer to third parties.
  • The right against solely automated decision making — A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
  • A consumer private right of action — The right for a consumer to seek civil damages from a business for violations of a statute.
  • A strict opt-in for the sale of personal information of a consumer less than a certain age — A restriction placed on a business to treat consumers under a certain age with an opt-in default for the sale of their personal information.
  • Notice/transparency requirements — An obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs.
  • Data breach notification — An obligation placed on a business to notify consumers and/or enforcement authorities about a privacy or security breach.
  • Mandated risk assessment — An obligation placed on a business to conduct formal risk assessments of privacy and/or security projects or procedures.
  • A prohibition on discrimination against a consumer for exercising a right — A prohibition against a business treating a consumer who exercises a consumer right differently than a consumer who does not exercise a right.
  • A purpose limitation — An EU General Data Protection Regulation–style restrictive structure that prohibits the collection of personal information except for a specific purpose.
  • A processing limitation — A GDPR-style restrictive structure that prohibits the processing of personal information except for a specific purpose.

Top photo courtesy of @joey_csunyo via Unsplash

3 Comments


  • David Holtzman • Apr 18, 2019
    Very helpful. A number of states have passed or are considering the NAIC Model Law for Cybersecurity that includes requirements which address requirements for confidentiality, risk assessment and breach notification. See Mississippi Senate Bill 2831 signed into law earlier this month (https://legiscan.com/MS/text/SB2831/id/1899113). I believe similar legislation has been introduced in CT and NH.
  • Mitchell Noordyke • Apr 19, 2019
    Thanks for sharing, David! Mississippi also introduced a CCPA-copycat law this legislative session, HB 1253, but it died so quickly in committee that I did not include it in the comparison. There may be an interesting narrative about the influence and organization of certain industries in the states playing out. Here, for example, we see an industry-backed cybersecurity law pass while a privacy bill, presumably not backed by industry, fails. And in Washington, a privacy bill, SB 5376, with support from the tech industry seemed to be moving through the legislative process well, but now looks likely to fail. Does this demonstrate an advantage for the maturity and organization of the insurance industry's participation in the legislative process over the tech industry's? Is there more consensus on cybersecurity legislation than privacy legislation (most certainly, yes)? The activity at the state level is fascinating.
  • Teresa Schoch • May 16, 2019
    Excellent share and comments. Thank you for the clarifications.