In the weeks since our last update, we have seen continued progress in several state legislatures on comprehensive privacy legislation. Most notably, legislative chambers in West Virginia, Kentucky, and Georgia have passed comprehensive privacy bills. Meanwhile, new proposals continue to enter the fray — in addition to the aforementioned West Virginia bill (which went from introduction to chamber passage in less than a week), new bills have also been introduced in Missouri and Rhode Island (the latter's first comprehensive privacy bill of the year). By our count, at least 11 states have now introduced new comprehensive privacy legislation in the 2024 legislative session.

NEW PROPOSALS

As noted above, comprehensive privacy bills have recently been introduced in West Virginia, Rhode Island, and Missouri. Of these, West Virginia's Consumer Data Protection Act (HB 5698) is the one most important for privacy watchers to be aware of, as it has already passed the West Virginia House, rapidly progressing from a February 26 introduction to February 28 chamber passage. Notably, this bill contains very similar language and requirements to Virginia's Consumer Data Protection Act, including limiting the definition of "sale" to the "exchange of personal data for monetary consideration" (i.e. not expanding the definition to include non-monetary consideration), prohibiting the processing of sensitive data without a consumer's consent, requiring data protection assessments for certain processing activities that pose a higher risk of harm to consumers, and relying solely on Attorney General (AG) enforcement.

The Rhode Island and Missouri bills, however, are not entirely without unique provisions. The Rhode Island bill, for example, is notable primarily for its broad applicability. Unlike most comprehensive privacy bills, this proposal does not include information-processing or revenue thresholds that restrict the population of businesses to which the law would apply; rather, it applies broadly to all data controllers (though it does include a fairly standard set of exemptions for various types of entities and information). Meanwhile, though the Missouri bill is a relatively limited piece of legislation focused primarily on online services' collection of consumer personal information (and associated disclosures and consumer data rights), it includes a provision that would require online services to compensate consumers whose personal information they sell by paying these consumers 60% of the payment the service receives for such sales.

In the following sections, we provide summaries of each of the three bills noted above.

West Virginia

1. Bill Title: Consumer Data Protection Act (HB 5698)

2. Date of Introduction: February 26, 2024

3. Current Status: As of March 5, HB 5698 had been passed by the House on February 28 and referred to the Senate Judiciary Committee on February 29.

4. Key Provisions:

  • Applies to persons that (1) conduct business in West Virginia or target products or services to West Virginia residents and (2) in a calendar year, control or process the personal data of at least 100,000 West Virginia residents; or control or process data of at least 25,000 West Virginia residents and derive more than 50% of gross revenue from the sale of personal data; or have an annual gross revenue generated in West Virginia that exceeds $25,000,000.
  • Exempts various entities and data types, including: state and local government entities; financial institutions or data subject to the GLBA; insurance companies; covered entities, business associates, and protected health information governed by HIPAA; nonprofit organizations; institutions of higher education; information governed by FCRA, the Driver's Privacy Protection Act (DPPA), FERPA, the Farm Credit Act, and the Controlled Substances Act Section on the Regulation of Listed Chemicals; and certain employment-related information.
    • Entities that comply with COPPA's verifiable parental consent requirements are deemed to comply with the Act's parental consent requirements.
  • Exempts individuals "acting in a commercial or employment context" from its definition of "consumer."
  • Defines "sale of personal data" to include only the "exchange of personal data for monetary consideration" by the controller to any third party (i.e., exchanges for non-monetary consideration do not constitute "sales").
  • Creates rights for consumers, including: the right to confirm whether a controller is processing a consumer's personal information; the right to access that personal information; the right to correct inaccurate personal information; the right to delete personal information; the right to data portability; and the right to opt-out of the processing of personal information for purposes of sale of personal information, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Prohibits controllers from processing sensitive data without a consumer's consent.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed by the controller; purposes for such processing; description of how a consumer may exercise their data rights; categories of personal data that the controller shares with a third party; and categories of third parties with which personal data is shared.
    • If the controller sells personal data or processes personal data for targeted advertising, it must "clearly and conspicuously disclose such processing" as well as how a consumer may exercise the right to opt out.
  • Imposes requirements on processors, such as requiring that a contract govern the processor's execution of data processing activities on behalf of the controller.
  • Requires that controllers conduct data protection assessments for processing activities involving targeted advertising, sale of personal information, certain types of profiling, the processing of sensitive data, and other processing posing a "heightened risk of harm to consumers."
  • Imposes the same requirements and scope limitations for controllers in possession of de-identified data or pseudonymous data as Virginia's Consumer Data Protection Act.
  • Does not create a private right of action; rather, grants exclusive enforcement authority to the West Virginia AG.
  • Grants the AG limited rulemaking authority in relation to specific requirements related to assisting consumers in exercising their data rights.
  • Requires the AG to provide an entity with a 30-day cure period before initiating an enforcement action.
  • AG may seek civil penalties of up to $7,500 for each violation. All civil penalties will be deposited in the Consumer Privacy Fund created by the Act.
  • Would take effect on January 1, 2025.

Rhode Island

1. Bill Title: Rhode Island Data Transparency and Privacy Protection Act (HB 7787)

2. Date of Introduction: February 29, 2024

3. Current Status: As of March 5, HB 7787 had been referred to House Innovation, Internet, and Technology Committee (2/29/24).

4. Key Provisions:

  • Applies broadly to all controllers; does not contain revenue or information-processing thresholds typically seen in comprehensive privacy bills.
  • Exempts various entities and information types, including: state or state political subdivision agencies; nonprofit organizations; institutions of higher education; specified securities associations; financial institutions and data subject to GLBA; covered entities, business associates, and protected health information governed by HIPAA; personal information governed by FCRA, the DPPA, FERPA, or the Farm Credit Act; and certain employment-related information.
  • Exempts individuals "acting in a commercial or employment context" from its definition of "customer."
  • Defines "sale of personal data" to include exchanges of personal data "for monetary or other valuable consideration."
  • Requires that controllers provide customers with a privacy notice that includes: categories of personal data collected; categories of third parties with which personal data is shared; description of how customers may exercise their data rights; purposes for processing personal data; categories of personal data shared with third parties; and controller contact information.
    • If the controller sells personal data or processes personal data for purposes of targeted advertising, it must "clearly and conspicuously disclose" that processing, as well as the manner in which the customer may opt-out of such processing.
  • Prohibits controllers from processing sensitive data without obtaining a customer's consent.
  • Creates rights for customers, including: the right to confirm whether the controller is processing the customer's personal data and to access that data; the right to correct inaccurate personal data; the right to delete personal data; the right to data portability; and the right to opt-out of the processing of personal data for purposes of sale of personal data, targeted advertising, or "profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer."
  • Imposes requirements on processors, such as requiring that a contract govern the processor's execution of data processing activities on behalf of the controller.
  • Requires that controllers conduct data protection assessments for certain high-risk processing activities, including targeted advertising, sale of personal data, certain types of profiling, and processing of sensitive data.
  • Does not create a private right of action; rather, Rhode Island AG is granted exclusive enforcement authority.
  • Violation of the Act constitutes "a violation of the general regulatory provisions of commercial law in title 6 [under the Rhode Island statutory code]" and a deceptive trade practice under Rhode Island law.
  • Authorizes civil penalties between $100 to $500 per disclosure for each intentional disclosure of personal information in violation of the Act.
  • Act would take effect on January 1, 2025.

Missouri

1. Bill Title: SB 1501

2. Date of Introduction: February 29, 2024

3. Current Status: As of March 5, SB 1501 had been introduced in the Senate (2/29/24).

4. Key Provisions:

  • Applies to any person or entity that owns or operates an "internet website," defined to include any internet website, online or cloud computing service, online application, or mobile application that offers products or services to consumers in Missouri.
  • Creates rights for consumers, including the rights to delete personal information and to opt-out of the sale or sharing of personal information.
  • Requires that internet website operators provide consumers with a privacy notice that includes categories of personal information to be collected; the purpose for collecting such information; whether the personal information will be sold or shared; and the length of retention for such personal information.
    • An operator must post in a conspicuous place and create a form for a consumer to exercise the right to opt-out from the sale or sharing of personal information and the right to delete.
  • Requires that an operator make a payment to the consumer equal to sixty percent of the money received by the operator if the operator sells a consumer's personal information to a third party.
  • Does not create a private right of action; rather, the Missouri AG is granted exclusive authority to bring enforcement actions for violations of the Act.
  • Authorizes civil penalties of up to $2,000 per day of a continuing violation under the Act, as well as attorney fees, actual damages, injunctive relief, and any other relief the court deems appropriate.

UPDATES ON EXISTING PROPOSALS

In addition to the West Virginia bill discussed above, the past two weeks have seen chambers in two other state legislatures pass comprehensive privacy bills: the Georgia Senate passed the Georgia Consumer Privacy Protection Act (SB 473) on February 27, while the Kentucky House passed HB 15 on February 20. Meanwhile, the Minnesota Consumer Data Privacy Act (HF 2309) has continued to move forward in the committee approval process, while Vermont's H. 121 remains under committee review.

Active Bills That Have Cleared Legislative Chamber

  • Wisconsin AB 466, which was passed by the Assembly in November 2023, remains under consideration in the Senate, where it was approved by the Committee on Shared Revenue, Elections and Consumer Protection on February 15.

Recent Chamber Passages

  • The Georgia Senate passed the Georgia Consumer Privacy Protection Act (SB 473) on February 27.
  • The Kentucky House passed HB 15 on February 20. The bill was subsequently approved by the Senate Economic Development, Tourism, and Labor Committee on February 29 and referred to the Senate Rules Committee on March 1.
  • The West Virginia House passed HB 5338 on February 28, and the bill was subsequently approved by the Senate Finance Committee on March 5.
    • However, the bill was substituted prior to passage by the House. The committee substitute version of the bill omits all of the original bill's comprehensive privacy law provisions, and now consists solely of provisions outlining an affirmative defense to data breach litigation claims for companies that develop and implement cybersecurity programs consistent with various industry and government standards.

Committee Approvals

  • The Minnesota House Commerce Finance and Policy Committee approved the Minnesota Consumer Data Privacy Act (HF 2309) on February 26. The bill was subsequently referred to the House Judiciary Finance and Civil Law Committee.

Hearings, Meetings, and Work Sessions

  • The Vermont House Commerce and Economic Development Committee held a series of meetings discussing H. 121 on February 27, February 29, and March 1, respectively.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.