House Bill 2865 for an Act Amending Title 18, Chapter 5, Arizona Revised Statutes, By Adding Article 5: Relating to Personal Data ('HB 2865') was introduced, on 11 February 2021, to the Arizona House of Representatives

A consumer has the right of access to their personal data (Section 1 of HB 2865).

A consumer has the right to request for their personal data to be deleted (Section 1 of HB 2865).

The Attorney General of Arizona may bring an action against violators (Section 1 of HB 2865).

House Bill 1943 for an Act to Amend the Personal Data Protection Act was signed into law, on 15 April 2019, by the Arkansas Governor, Asa Hutchinson. In addition, please note that the Personal Information Protection Act 2005 applies.

The California Consumer Privacy Act of 2018 (as amended) ('CCPA') was signed into law, on 28 June 2018, and entered into force on 1 January 2020.

The California Office of the Administrative Law approved, on 14 August 2020, the final version of the Regulations under the CCPA.

Finally, the California Privacy Rights Act ('CPRA') was approved, on 3 November 2020, at the California General Election.

A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following (§1798.110(a) of the CPRA): (1) the categories of personal information it has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom the business discloses personal information; and (5) the specific pieces of personal information it has collected about that consumer. 

A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer (§1798.105 of the CPRA)

A consumer shall have the right, at any time, to direct a business that sells or shares personal Information about the consumer to third parties not to sell or share the consumer's personal information.  (§1798.120 of the CPRA).

A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure (§1798.100(e) of the CPRA)

A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business  purpose shall enter into an agreement with such third party, service provider, or contractor (§1798.100(d) of the CPRA)

A business that controls the collection of a consumer's personal information shall, at or before the point of collection, inform consumers as to: (1) the categories of personal information to be collected and the purposes for which the categories of personal Information are collected or used shall and whether such information is sold or shared (2) if the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal Information are collected or used and whether such Information is sold or shared (3) the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period (§1798.100(a) of the CPRA)

The CPRA establishes the California Privacy Protection Agency which is vested with full administrative power, authority, and jurisdiction to implement and enforce the CPRA (§1798.199.100 of the CPRA)

Senate Bill ('SB') 21-190 for an Act concerning additional protection of data relating to personal privacy was introduced, on 19 March 2021, to the Colorado State Senate

A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer's personal data (§6-1-1306(b) of SB 21-190).

A consumer has the right to delete personal data concerning the consumer (§6-1-1306(d) of SB 21-190).

When exercising the right of access, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance (§6-1-1306(e) of SB 21-190).

A consumer has the right to opt out of the processing of personal data concerning the consumer (§6-1-1306(a) of SB 21-190).

A controller shall take reasonable measures to secure personal data during both storage and use from unauthorised acquisition (§6-1-1308(5) of SB 21-190).

Processing by a processor must be governed by a binding contract between the controller and the processor that sets out the processing instructions to which the processor is bound (§6-1-1305(3) of SB 21-190).

A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice outlining, among others, the categories of personal data collected and purposes of processing. (§6-1-1308(1) of SB 21-190).

SB 21-190 may be enforced only by the attorney general or district attorneys who can impose penalties where violations occur, and to prevent future violations (§6-1-1302(c)of SB 21-190).

Senate Bill ('SB') 893 for an Act Concerning Consumer Privacy was tabled for the calendar, on 8 April 2021, in the Senate

Substitute Senate Bill 1108 for an Act Establishing a Task Force Concerning Consumer Privacy was signed, on 9 June 2019, into law by the Governor of Connecticut, Ned Lamont.

A consumer has the right to access their personal data held by a controller (§4(1) of SB 893)

A consumer has the right to delete personal data provided by, or obtained about, the consumer (§4(3) of SB 893).

A consumer has the right to obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means (§4(4) of SB 893).

A consumer has the right to opt-out from targeted advertising, sale of personal data, and profiling (§4(5) of SB 893).

The consumer has the right to opt out of the processing of the personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (§4(5)(C) of SB 893).

A controller is required to establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data (§5(3) of SB 893).

SB 893 requires processors to adhere to the controller’s rules under SB 893 and assist the controller in meeting its obligations under the bill with a contract in place between controller and processor (§6 of SB 893).

SB 893 requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice (§5(B) of SB 893).

House Bill 969 for the Act Relating to Consumer Data Privacy was introduced, on 15 February 2021.

A consumer has the right to request that a business that collects personal information about the consumer disclose the personal information that has been collected by the business (Article 3(a) of the Bill).

A consumer has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer (Article 4(a) of the Bill).

 A consumer has the right at any time to direct a business that sells or shares personal information about the consumer to third parties to not sell or share the consumer's personal information. This right may be referred to as the right to opt-out Article 6(a) of the Bill).

A business that collects personal information about consumers shall maintain an online privacy policy, make such policy available on its Internet website, and update the information at least once every 12 months (Article 2(a) of the Bill).

If the department has reason to believe that any business, service provider, or other person or entity is in violation of this section and that proceedings would be in the public interest, the department may bring an action against such business, service provider, or other person or entity and may seek a civil penalty of not more than $2,500 for each unintentional violation or $7,500 for each intentional violation. Such fines may be tripled if the violation involves a consumer who is 16 years of age or younger (Article 13 (a) of the Bill).

Senate Bill 2451 for an Act Relating to Personal Information was referred, on 23 January 2020, to the Hawaii Senate Committee on Commerce, Consumer Protection, and Health and the Senate Committee on Technology, following its introduction to the Hawaii Senate on 17 January 2020.

House Bill 2572 HD2 for an Act Relating to Privacy was transmitted, on 3 March 2020, to the Hawaiian Senate, following its introduction to the Hawaii House of Representatives on 23 January 2020.

A consumer can request to opt-out from having their personal data sold to third parties (Section 1 of SB2451).

Senate Bill 2330 for the Data Transparency and Privacy Act was introduced, on 14 January 2020 to the Illinois State Senate and was assigned, on 27 February 2020, to the Judiciary Committee. 

Consumers have the right to know and request from businesses certain information (Section 20 of the Bill).

Consumers have the right to request that a business delete personal information about the consumer (Section 25(3) of the Bill).

Consumers have the right to request to opt out of the disclosure, sale and processing of personal information by the business, third parties and affiliates (Section 25(1) of the Bill). 

Businesses, affiliates, and third parties must take reasonable measures to protect consumers personal information from unauthorised, use, disclosure, or access (Section 35(k) of the Bill). 

A service provider is the natural or legal person that processes personal information on behalf of the business (Section 10 of the Bill).

Businesses that process personal or deidentified information must provide a notice to the consumer (Section 15 of the Bill).

The Illinois Attorney General has the authority to enforce the Bill as a violation of the Consumer Fraud and Deceptive Business Practices Act (Section 40 (3) of the Bill). In addition, consumers, whose personal information was subject to a breach have a private right of action against businesses (Section 40(a)(1) of the Bill). 

House Bill 617 Which Provides Relative to the Protection of Personally Identifiable Information was introduced, 28 February 2020, to the Louisiana House of Representatives and was referred, on 9 March 2020, to the Committee on Commerce.

Not applicable.

A consumer may submit a verified request through a designated request address to an operator directing it not to make any sale of any covered information the operator has collected or will collect about the consumer (Section 844.91(B)(2) of the Bill)

Operators must make available, in a manner that is accessible to consumers whose covered information they collect, a notice that provides certain information regarding their data practices (Section 844.91(C) of the Bill)

The Office of the Louisiana Attorney General may institute appropriate legal proceeding against operators that violate sections of the Bill (Section 844.91(F) of the Bill).

Legislative Document 946 for An Act To Protect the Privacy of Online Customer Information was signed into law, on 6 June 2019, and will enter into force on 1 July 2020. 

A provider is required to take reasonable measures to protect customer personal information from unauthorised use, disclosure or access (§9301(5) of the Law).

The Law applies only to service providers.

A provider is required to provide to their customers a clear, conspicious, and nondeceptive notice outlining the customer's rights and the provider's obligations during the sale and on the provider's website (§9301(6) of the Law).

House Bill 784 for an Act concerning the Maryland Online Consumer Protection – Online Privacy - Study passed, on 15 March 2020, the Maryland House of Delegates and was sent to the Maryland State Senate on 16 March 2020.

The Finance Committee of the Maryland State Senate gave the Bill an unfavourable report on 17 March 2020

House File Bill for the Minnesota Consumer Data Privacy Act, was introduced, on 2 March 2020, to the Minnesota House of Representatives, and its companion bill, Senate Bill 4247, was introduced, on 11 March 2020, to the Minnesota State Senate. House Bill 36 for the Minnesota Consumer Data Privacy Act was introduced in the House, on 7 January 2021 and referred to the Commerce Finance and Policy Committee. House Bill for the Minnesota Consumer Data Privacy Act, was introduced, on 22 February 2021, to the Minnesota House of Representatives.

 A consumer has the right to confirm whether or not a controller is processing persona data concerning the consumer and access the categories of personal data the controller is processing (Section 5(b) of the Bill).

A consumer has the right to delete personal data concerning the consumer (Section 5(d) of the Bill).

 A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means (Section 5(e) of the Bill).

A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer (Section 5(f) of the Bill).

A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer (Section 5(f) of the Bill).

Taking into account the context of processing, the controller and the processor shall implement  appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement such measures (Section 4(d) of the Bill).

Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet its obligations under the Bill (Section 4(ab of the Bill).

Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice. (Section 7(a) of the Bill).

The attorney general may bring an action to enforce a provision of this chapter in accordance with section 8.31. If the state prevails in an action to enforce this chapter, the state, in addition to penalties provided by paragraph (b) or other remedies provided by law, may be allowed an amount determined by the court to be the reasonable value of all or part of the state's litigation expenses incurred. Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation (Section 10(b) - (c) of the Bill).

A consumer has the right to access personal information that has been collected about them (Section 4 of the Bill).

Upon receipt of a verifiable request, a business must delete the consumer's personal informationand instruct any service providers to do the same. 

A consumer has the right to decline or opt-out of the sale of their personal information (Section 7 of the Bill).

Not applicable.

A business that sells consumers' personal information to third parties shall provide notice to consumers that this information may be sold and that consumers have the right to opt
out (Section 7(2) of the Bill).

Consumers and the Mississippi Attorney General may initiate actions against businesses that violate provisions of the Bill (Section 12 of the Bill).

Senate Bill 220 for an Act Relating to Internet Privacy entered into force on 1 October 2019.

A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer (Section 2.2. of the Bill)

The Nevada Attorney General may bring enforcement actions for violations of the Bill's provisions (Section 7 of the Bill)

House Bill 1680 for the Act Relative to the Collection of Personal Information by Businesses was reintroduced, on 8 January 2020, to the New Hampshire House of Representatives and referred, on 8 January 2020, to the Committee on Commerce and Consumer Affairs.

A consumer has the right of access to their personal data (Section 1 of the Bill).

A consumer can request for their personal data to be deleted (Section 1 of the Bill).

A consumer can opt-out from the sale of their personal data (Section 1 of the Bill).

A service provider is the natural or legal person that processes personal information on behalf of the business (Section 1 of the Bill).

Business are required to provide a privacy notice (Section1 of the Bill).

The New Hampshire Attorney General has the right to bring an action against violators and a private right of action does exsist (Section 1 of the Bill).

A2188 for an Act Concerning Commercial Internet Websites, Online Services, and Personally Identifiable Information and Supplementing 3 P.L.1960, c.39 ('Bill A2188') was introduced, on 14 January 2020, to the New Jersey General Assembly. 

A3255 for an Act Concerning Certain Businesses and Personally Identifiable Information and Supplementing Title 56 of the Revised Statutes ('Bill A3255') was introduced, on 25 February 2020, to the New Jersey General Assembly.

A consumer can access their personal identifiable information (Section 2(e) of Bill A3255).

A consumer can access their personal identifiable information (Section 2(e) of Bill A3255).

A consumer can opt-out from the sale of their personally identifiable information (Section 1 of Bill A3255).

Service Providers can process personal information on behalf of a business under a written contract (Section 1 of Bill A3255).

A business which violates Bill A3255 will be subject to a monetary penalty of not more than $10,000 for a first offence and not more than $20,000 for a subsequent offence (Statement Section of Bill A3255).

Assembly Bill A680 for the New York Privacy Act ('the Bill') was reintroduced, on 6 January 2021, to the New York State Assembly Committee on Consumer Affairs & Protection.

On request from a consumer, the controller shall provide the 25 consumer any personal data concerning such consumer that such consumer 26 has provided to the controller (Section 1103(5)(a) of the Bill).

On request from a consumer, a controller shall delete the consumer's personal data without undue delay where one of the following grounds under the Section applies (Section 1103(3)(a) of the Bill).

The Bill provides consumers the opportunity to opt in or opt out of the processing of their personal data in such a manner that the consumer must select and clearly indicate their consent or denial of consent (Section 1103 of the Bill).

A consumer shall not be subject to a decision based solely on profiling which produces legal effects concerning such consumer or similarly significantly affects the consumer (Section 1103(6) of the Bill).

Processing by a processor shall be governed by a contract between the controller and the processor that is binding on the processor and that sets out the processing instructions to which the processor is bound (Section 1105(3) of the Bill).

Controllers shall be transparent and accountable for their processing of personal data, by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice that is easily understood and which includes (Section 1104(1) of the Bill): the categories of personal data collected by the controller;  the purposes for which the categories of personal data is used and disclosed to third parties, if any; the rights that consumers may exercise pursuant to section 1103 of this article, if any; the categories of personal data that the controller shares with third parties, if any; and (e) the names and categories of third parties, if any, with whom the controller shares personal data.

The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce the Bill. In addition, any person who has been injured by reason of a violation of this Bill may bring an action in his or her own name to enjoin such unlawful act, or to recover his or her actual damages, or both such actions.

House Bill 1602 for the Oklahoma Computer Data Privacy Act ('the Bill') was introduced, on 2 Febuary 2021, in the Oklahoma House of Representatives. The Bill has been approved by the Oklahoma House of Representatives on 4 March 2021 and is now eligable to be heard in the Oklahoma State Senate.

A business or service provider shall implement and maintain reasonable security procedures and practices, including administrative, physical and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used, to protect consumers' personal information from unauthorized use, disclosure, access, destruction or modification, irrespective of whether a customer has opted in or out of a sale of data. (Section 14(G) of the Bill).

The Bill provides for business to provide cosumners with an online privacy policy (Section 18(A) of the Bill).

Violators will be liable to pay $2500 for each violation or $7500 for each violation if, the violation was intentional. In addition, consumers shall have a private right of action against violators of the Bill (Section 27 of the Bill).

House Bill ('HB') 5959 for the Rhode Island Transparency and Privacy Protection Act was introduced, on 26 February 2021, to the Rhode Island House of Representatives.

As part of the consumer agreement, businesses are required to outline information sharing practices to the consumer (Section 6-48.2-4(a) of HB 5959)

HB 5959 sets out penalties for violations of its provisions and provides enforcement authority to the office of the Attorney General (Section 6-48.2-5 of HB 5959)

House Bill 3036 for the South Carolina Data Privacy Act ('the Bill') was introduced, on 12 January 2021, in the South Carolina House of Representatives and has been referred to the Committee on Labor, Commerce and Industry.

A consumer has the right to request that a business that collects a consumer's biometric information disclose the categories and specific pieces of information the business has collected. The business must deliver the information by mail or an easily accessible electronic method. A business may not be required to provide this information more than twice in a twelve month period (§37-31-30 of the Bill).

A consumer may request that a business delete biometric information collected by the business once the initial purpose of the collection of biometric information has been satisfied (Section 37-31-40 of the Bill).

A business that collects a consumer's biometric information shall, at or before the point of collection, inform the consumer of the specific and legitimate purpose for which the biometric information will be used and the consumer must give the business consent before any biometric information may be collected. A business may not collect any form of biometric information or use the information collected for an additional purpose without written consent of the consumer (§37-31-30 of the Bill).

Consumers can pursure a private right of action agaisnt a business and any other official which is responsible for the violation (§37-31-100 of the Bill).

House Bill 57 for the Electronic Information or Data Privacy Act was signed into law, on 27 March 2019, and entered into force, on 14 May 2019.

Senate Bill 110 for An Act Relating to Data Privacy and Consumer Protection ('the Act') was signed, on 5 March 2020, by the Governor of Vermont, and will come into effect on 1 July 2020.

The operator of an Internet website, online service, online application, or mobile application must implement and maintain reasonable security procedures and practices (Section 4 of the Act).

Senate Bill ('SB') 1392 for the Virginia Consumer Data Protection Act, was introduced, on 13 January 2021, to the Virginia State Senate. Both SB 1392 and its companion House of Delegate Bill 2307 have been signed by the Virginia State Governor. The CDPA will enter into effect on 1 January 2023.

The controller must provide to the consumer any personal data that the controller maintains in an identifiable form concerning the consumer that such consumer has provided to the controller in a  structured, commonly used, and machine-readable format (Section 59.1-574(5) of the HB 473).

Upon a verified request from a consumer, a controller shall delete, without undue delay, the consumer's personal data that the controller maintains in identifiable form (Section 59.1-574(3) of the HB 473).

The obligations imposed by the Bill's provisions do not restrict a controller's or processor's ability to prevent, detect, or respond to security incidents, or to preserve the integrity or security of systems (Section 59.1-578. of the HB 473).

A processor is a natural or legal person that processes personal data on behalf of a controller (Section 59.1-571. of the HB 473).

Controllers shall be transparent and accountable for their processing of personal data by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice (Section 59.1-575 of the HB 473).

Violations of the HB 473 would constitute a prohibited practice pursuant and be subject to any and all of the enforcement provisions of the Virginia Consumer Protection Act (Section 59.1-579 of the HB 473)

House Bill ('HB') 3159 on Consumer Data Privacy was introduced, on 15 March 2021, to the West Virginia House of Representatives.

A consumer has the right to request that a business that collects personal information 2 about the consumer disclose the personal information that has been collected by the business (§46A-9-3(a) of HB 3159).

A consumer has the right to request that a business delete any personal information 2 about the consumer which the business has collected from the consumer (§46A-9-4(a) of HB 3159).

A consumer has the right at any time to opt-out when a business a sells or shares the consumer’s personal information to third parties (§46A-9-6(a) of HB 3159)

HB 3159 provides that the West Virginia Division of Consumer Protection may establish rules for enforcement of its provisions and empowers the Division to bring suits for the violation of its provisions (§46A-9-11 of HB 3159).

Consumers have the right to request from a controller to be informed as to whether or not the controller processes the consumer's personal data and to obtain a copy of the personal data and certain information (Section 1(3) of AB 870). 

Controllers must delete, without undue delay, the personal data relating to a consumer if certain conditions apply (Section 1(2) of AB 871). 

A controller may not process personal data unless the processing is conducted to detect security incidents, to protect against malicious, deceptive, fraudulent, or illegal activity, or to prosecute a person responsible for that activity (Section 1(2)(f) of AB 872).

A processor is a person who processes personal data on behalf of a controller, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government(Section 1(1)(h) of AB 872).

When a controller collects personal data from a consumer, certain information must be provided to such consumer (Section 1(2) of AB 870).