In the wake of the California voters’ approval of Proposition 24, or the California Privacy Rights Act of 2020 (CPRA), a ballot initiative that expanded data privacy obligations for businesses beyond those in the California Consumer Privacy Act (CCPA), several states promptly introduced new privacy laws of their own at the outset of 2021. Lawmakers in Washington state have notably revamped the Washington Privacy Act (WPA), while the landmark New York Privacy Act (NYPA) has also been reintroduced. Other state lawmakers continue to introduce measures to enhance their states’ data privacy and cybersecurity efforts. Below, please find a high-level overview of states’ new legislative efforts in this space.

California

CPRA notably established the California Privacy Protection Agency (CPPA) as an “independent watchdog” whose mission is both to “vigorously enforce” the measure and “ensure that businesses and consumers are well‐informed about their rights and obligations.” On January 14, privacy groups, including the Electronic Frontier Foundation (EFF) and Consumer Reports, sent a letter to Assembly Speaker Anthony Rendon urging him to appoint members to the CPPA who have a demonstrated history of working on behalf of consumers and a background in civil rights and ending discrimination. The groups assert that doing so is “critical to creating an effective agency” that will ensure consumers can exercise their rights under the CCPA.

Further, a number of privacy and cyber-related bills are making their way through the Assembly, including AB 13, which would require businesses in California that utilize automated decision systems (ADSs) to “take affirmative steps to ensure that there are processes in place to continually test for biases during the development and usage of the ADS.” Further, Assembly member Ed Chau also introduced AB 35, which would require operators to disclose whether they have a policy or mechanism in place to address the spread of misinformation.

New York

Assembly member Linda Rosenthal has introduced A 680, the Assembly version of the NY Privacy Act, for the 2021-2022 legislative session. The measure would require companies to disclose de-identification methods, establish safeguards around data sharing and create an office dedicated to privacy and data protection. The legislation would establish a preemptive standard which would be enforceable by the Attorney General, and it would also allow for a private right of action. The bill was previously introduced in the past two legislative sessions and was unable to move out of committee due to lack of industry support. However, Senate Consumer Protection Committee Chair Kevin Thomas, who sponsored the bill in the Senate last year, has been working with industry to incorporate changes into the Senate version of the bill based on stakeholder feedback, and stakeholders await his introduction of the revised Senate version.

In addition, a group of bipartisan New York lawmakers have introduced AB 27, the Biometric Privacy Act, which would require private entities in possession of biometric information to develop written policies outlining data retention and deletion schedules, as well as obtain consent before sharing any data. The bill would also prohibit organizations from selling, leasing, trading and profiting from biometric data they retain. The measure carves out a Gramm-Leach-Bliley Act (GLBA) exemption and also provides for a private right of action.

Outside of the New York State Legislature, Gov. Andrew Cuomo, as part of the “2021 State of the State,” vowed to propose a comprehensive privacy law. Gov. Cuomo’s 2022 budget provides proposed legislative language to establish the New York Data Accountability and Transparency Act, which would mandate that companies collecting information on large numbers of New Yorkers disclose the purposes of any data collection and collect only data needed for those purposes. The measure would expressly protect sensitive categories of information, including health, biometric and location data, and establish a Consumer Data Privacy Bill of Rights guaranteeing residents the rights to access, control and deletion; the right to nondiscrimination; and the right to equal access to services. The measure would be enforceable by the secretary of state and take effect two years after enactment. With Democratic supermajorities in both houses of the state legislature, measures such as this one which are championed by key Democrats could quickly gain traction.

North Dakota

On January 13, a group of Republican lawmakers introduced HB 1330, which would require companies that offer broadband access to obtain opt-in consent before selling user data. The measure would not, however, apply to search engines, social networking platforms and other “edge” providers.

A coalition of advertising industry groups has called on the lawmakers to revise the legislation in a letter. Specifically, the Association of National Advertisers, American Association of Advertising Agencies, Interactive Advertising Bureau, Network Advertising Initiative and American Advertising Federation argue that the bill would create the “most restrictive privacy law in the U.S.” and harm small businesses. The groups have particularly requested that the bill be amended to create an opt-out system and prohibit consumers from bringing private lawsuits.

Oklahoma

Rep. Logan Phillips introduced HB 1130 at the outset of February. The bill would require businesses to post privacy policies with information regarding their data collection and privacy practices. However, it would not provide Oklahoma residents with any privacy rights regarding their personal information. The bill would be enforced by the Oklahoma Attorney General. If passed, it would go into effect on November 1, 2021.

Texas

On January 27, Sen. Jane Nelson filed an omnibus bill to improve public data privacy and enhance the state’s cybersecurity efforts. The measure, SB 475, would, among other things, prevent state agencies from acquiring, retaining or disseminating data used to identify an individual without written consent, or from using bio markers, GPS or other technology to gather data about citizens without consent.

Utah

House Majority Leader Francis Gibson has introduced H.B. 243, which would create a statewide “privacy officer” to assess how state and local governments use technology and whether or not individuals’ personal information is protected. The data privacy officer would be tasked with developing standards for best practices with respect to government privacy policy, technology uses, and data security and implementing a process to respond to requests from individuals to review a government entity’s use of technology that implicates the privacy of individuals’ data, among other things.

Further, the Utah Senate Government Operations and Political Subdivisions Committee recently approved S.B. 34, which would regulate government use of facial recognition technology currently used to scan photos in the Driver License Division’s database. The measure aims to ensure individuals have fair notice and notification that they are subject to facial recognition searches when getting a driver’s license, and it now heads to the full Senate for further consideration.

Virginia

The Consumer Data Protection Act is poised to be signed into law in the coming weeks. The measure would allow Virginia residents the rights to access, correction, deletion and portability. Residents would also be able to opt out of the processing of personal data for purposes of targeted advertising and the sale of personal data. The law would be enforced by the Virginia Attorney General and would go into effect on January 1, 2023.

On January 29, the Virginia House of Delegates passed HB 2307, the House version of the legislation, on an 89-9 vote. Its Senate companion bill, SB 1392, was subsequently passed by the Senate by a unanimous vote the following week. The measure is expected to be sent to the Governor’s desk within the next couple of weeks after the chambers have reconciled the bills.

Washington

The Washington state legislature, which reconvened on January 11, will once again consider the WPA. Sens. Reuven Carlyle and Joe Nguyen pre-filed the 2021 version of the legislation (SB 5062) on January 5. On January 14, the Washington Senate Committee on Environment, Energy and Technology held a public hearing on the legislation. Under the measure, legal entities that meet specified thresholds must provide consumers with the rights of access, deletion, correction, data portability, and opt-out of processing for the purposes of targeted advertising and the sale of personal data. The Washington Attorney General has sole enforcement of the measure, and the bill would preempt local regulations.

While versions of the measure have passed the Senate in the past two years, the bill has had some difficulty gaining traction in the Assembly. In 2020, an amended version of the bill passed the chamber, but the Assembly and the Senate were ultimately unable to reach a compromise agreement with respect to enforcement. It remains to be seen whether an agreement can be reached during the 2021 legislative session.