Senate Bill 1614 for an Act Amending Title 18, Arizona Revised Statutes, By Adding Chapter 7: Relating to Personal Data was introduced, on 5 February 2020, to the Arizona State Senate.

House Bill for an Act Amending Title 18, Chapter 5, Arizona Revised Statutes, By Adding Article 5: Relating to Personal Data was introduced, on 10 February 2020, to the Arizona House of Representatives.

A consumer has the right of access to their personal data (Section 1 of HB 2729).

A consumer has the right to request for their personal data to be deleted (Section 1 of HB 2729 and SB 1614).

The Attorney General of Arizona may bring an action against violators (Section 1 of HB 2729).

House Bill 1943 for an Act to Amend the Personal Data Protection Act was signed into law, on 15 April 2019, by the Arkansas Governor, Asa Hutchinson. In addition, please note that the Personal Information Protection Act 2005 applies.

The California Consumer Privacy Act of 2018 (as amended) ('CCPA') was signed into law, on 28 June 2018, and entered into force on 1 January 2020.

The California Office of the Administrative Law approved, on 14 August 2020, the final version of the Regulations under the CCPA.

Finally, the California Privacy Rights Act ('CPRA') was approved, on 3 November 2020, at the California General Election.

A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following (§1798.110(a) of the CPRA): (1) the categories of personal information it has collected about that consumer; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom the business discloses personal information; and (5) the specific pieces of personal information it has collected about that consumer. 

A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer (§1798.105 of the CPRA)

A consumer shall have the right, at any time, to direct a business that sells or shares personal Information about the consumer to third parties not to sell or share the consumer's personal information.  (§1798.120 of the CPRA).

A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal Information from unauthorized or illegal access, destruction, use, modification, or disclosure (§1798.100(e) of the CPRA)

A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business  purpose shall enter into an agreement with such third party, service provider, or contractor (§1798.100(d) of the CPRA)

A business that controls the collection of a consumer's personal information shall, at or before the point of collection, inform consumers as to: (1) the categories of personal information to be collected and the purposes for which the categories of personal Information are collected or used shall and whether such information is sold or shared (2) if the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal Information are collected or used and whether such Information is sold or shared (3) the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period (§1798.100(a) of the CPRA)

The CPRA establishes the California Privacy Protection Agency which is vested with full administrative power, authority, and jurisdiction to implement and enforce the CPRA (§1798.199.100 of the CPRA)

Substitute Senate Bill 1108 for an Act Establishing a Task Force Concerning Consumer Privacy was signed, on 9 June 2019, into law by the Governor of Connecticut, Ned Lamont.

Senate Bill 2451 for an Act Relating to Personal Information was referred, on 23 January 2020, to the Hawaii Senate Committee on Commerce, Consumer Protection, and Health and the Senate Committee on Technology, following its introduction to the Hawaii Senate on 17 January 2020.

House Bill 2572 HD2 for an Act Relating to Privacy was transmitted, on 3 March 2020, to the Hawaiian Senate, following its introduction to the Hawaii House of Representatives on 23 January 2020.

A consumer can request to opt-out from havung thier personal data sold to third parties (Section 1 of SB2451).

Senate Bill 2330 for the Data Transparency and Privacy Act was introduced, on 14 January 2020 to the Illinois State Senate and was assigned, on 27 February 2020, to the Judiciary Committee. 

Consumers have the right to know and request from businesses certain information (Section 20 of the Bill).

Consumers have the right to request that a business delete personal information about the consumer (Section 25(3) of the Bill).

Consumers have the right to request to opt out of the disclosure, sale and processing of personal information by the business, third parties and affiliates (Section 25(1) of the Bill). 

Businesses, affiliates, and third parties must take reasonable measures to protect consumers personal information from unauthorised, use, disclosure, or access (Section 35(k) of the Bill). 

A service provider is the natural or legal person that processes personal information on behalf of the business (Section 10 of the Bill).

Businesses that process personal or deidentified information must provide a notice to the consumer (Section 15 of the Bill).

The Illinois Attorney General has the authority to enforce the Bill as a violation of the Consumer Fraud and Deceptive Business Practices Act (Section 40 (3) of the Bill). In addition, consumers, whose personal information was subject to a breach have a private right of action against businesses (Section 40(a)(1) of the Bill). 

House Bill 617 Which Provides Relative to the Protection of Personally Identifiable Information was introduced, 28 February 2020, to the Louisiana House of Representatives and was referred, on 9 March 2020, to the Committee on Commerce.

Not applicable.

A consumer may submit a verified request through a designated request address to an operator directing it not to make any sale of any covered information the operator has collected or will collect about the consumer (Section 844.91(B)(2) of the Bill)

Operators must make available, in a manner that is accessible to consumers whose covered information they collect, a notice that provides certain information regarding their data practices (Section 844.91(C) of the Bill)

The Office of the Louisiana Attorney General may institute appropriate legal proceeding against operators that violate sections of the Bill (Section 844.91(F) of the Bill).

Legislative Document 946 for An Act To Protect the Privacy of Online Customer Information was signed into law, on 6 June 2019, and will enter into force on 1 July 2020. 

A provider is required to take reasonable measures to protect customer personal information from unauthorised use, disclosure or access (§9301(5) of the Law).

The Law applies only to service providers.

A provider is required to provide to their customers a clear, conspicious, and nondeceptive notice outlining the customer's rights and the provider's obligations during the sale and on the provider's website (§9301(6) of the Law).

House Bill 784 for an Act concerning the Maryland Online Consumer Protection – Online Privacy - Study passed, on 15 March 2020, the Maryland House of Delegates and was sent to the Maryland State Senate on 16 March 2020.

The Finance Committee of the Maryland State Senate gave the Bill an unfavourable report on 17 March 2020

Bill SD 341 for An Act Relative to Consumer Data Privacy ('the Bill') was referred, on 22 January 2019, to the Massachusetts Senate Committee on Consumer Protection and Professional Licensure, following its introduction to the General Court of the Commonwealth of Massachusetts on 11 January 2019. 

A consumer shall have the right to request from a business the specific pieces and source of personal information collected and the third parties to whom the personal information has been disclosed (Section 3 of the Bill). 

Consumers have a right to deletion (Section 5 of the Bill).

Consumers can opt-out of having their data shared with third parties (Section 1(u)(2) of the Bill).

Service providers process information on behalf of a business, who disclose a consumer's personal information pursuant to a written contract (Section 1(s) of the Bill).

A business shall provide notification to the consumer at or before collection (Section 2 of the Bill).

The Massachusetts Attorney General has been granted powers to enforce the Bill (Section 10 of the Bill).

House File 3936 for the Minnesota Consumer Data Privacy Act, was introduced, on 2 March 2020, to the Minnesota House of Representatives, and its companion bill, Senate File 4247, was introduced, on 11 March 2020, to the Minnesota State Senate.

A consumer has the right to request access to their personal data (Section 5(1) of the Bill).

A consumer has the right to delete personal data concerning the consumer (Section 5(3) of the Bill).

A consumer has the right to obtain their personal information in a form that can be transferred to another data controller (Section 5(4) of the Bill).

A consumer has the right to opt-out of the processing of their personal information when it is being used for specifc purposes (Section 5(5) of the Bill).

A controller must have reasonable administrative, technical, and physical data security practices to protect personal data (Section 2(d) of the Bill).

Processors have various reponsibilities such as working under the instructions of the data controller and assisting data controllers with their compliance with the Bill (Section 4 of the Bill).

Data controllers are required to provide a privacy notice (Section 7 of the Bill).

The Attorney General of Minnesota may bring an action to enforce the Bill (Section 11(2) of the Bill).

A consumer has the right to access personal information that has been collected about them (Section 4 of the Bill).

Upon receipt of a verifiable request, a business must delete the consumer's personal informationand instruct any service providers to do the same. 

A consumer has the right to decline or opt-out of the sale of their personal information (Section 7 of the Bill).

Not applicable.

A business that sells consumers' personal information to third parties shall provide notice to consumers that this information may be sold and that consumers have the right to opt
out (Section 7(2) of the Bill).

Consumers and the Mississippi Attorney General may initiate actions against businesses that violate provisions of the Bill (Section 12 of the Bill).

Senate Bill 220 for an Act Relating to Internet Privacy entered into force on 1 October 2019.

A consumer may, at any time, submit a verified request through a designated request address to an operator directing the operator not to make any sale of any covered information the operator has collected or will collect about the consumer (Section 2.2. of the Bill)

The Nevada Attorney General may bring enforcement actions for violations of the Bill's provisions (Section 7 of the Bill)

House Bill 1680 for the Act Relative to the Collection of Personal Information by Businesses was reintroduced, on 8 January 2020, to the New Hampshire House of Representatives and referred, on 8 January 2020, to the Committee on Commerce and Consumer Affairs.

A consumer has the right of access to their personal data (Section 1 of the Bill).

A consumer can request for their personal data to be deleted (Section 1 of the Bill).

A consumer can opt-out from the sale of their personal data (Section 1 of the Bill).

A service provider is the natural or legal person that processes personal information on behalf of the business (Section 1 of the Bill).

Business are required to provide a privacy notice (Section1 of the Bill).

The New Hampshire Attorney General has the right to bring an action against violators and a private right of action does exsist (Section 1 of the Bill).

A2188 for an Act Concerning Commercial Internet Websites, Online Services, and Personally Identifiable Information and Supplementing 3 P.L.1960, c.39 ('Bill A2188') was introduced, on 14 January 2020, to the New Jersey General Assembly. 

A3255 for an Act Concerning Certain Businesses and Personally Identifiable Information and Supplementing Title 56 of the Revised Statutes ('Bill A3255') was introduced, on 25 February 2020, to the New Jersey General Assembly.

A consumer can access their personal identifiable information (Section 2(e) of Bill A3255).

A consumer can access their personal identifiable information (Section 2(e) of Bill A3255).

A consumer can opt-out from the sale of their personally identifiable information (Section 1 of Bill A3255).

Service Providers can process personal information on behalf of a business under a written contract (Section 1 of Bill A3255).

A business which violates Bill A3255 will be subject to a monetary penalty of not more than $10,000 for a first offence and not more than $20,000 for a subsequent offence (Statement Section of Bill A3255).

Assembly Bill A680 for the New York Privacy Act ('the Bill') was reintroduced, on 6 January 2021, to the New York State Assembly Committee on Consumer Affairs & Protection.

On request from a consumer, the controller shall provide the 25 consumer any personal data concerning such consumer that such consumer 26 has provided to the controller (Section 1103(5)(a) of the Bill).

On request from a consumer, a controller shall delete the consumer's personal data without undue delay where one of the following grounds under the Section applies (Section 1103(3)(a) of the Bill).

The Bill provides consumers the opportunity to opt in or opt out of the processing of their personal data in such a manner that the consumer must select and clearly indicate their consent or denial of consent (Section 1103 of the Bill).

A consumer shall not be subject to a decision based solely on profiling which produces legal effects concerning such consumer or similarly significantly affects the consumer (Section 1103(6) of the Bill).

Processing by a processor shall be governed by a contract between the controller and the processor that is binding on the processor and that sets out the processing instructions to which the processor is bound (Section 1105(3) of the Bill).

Controllers shall be transparent and accountable for their processing of personal data, by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice that is easily understood and which includes (Section 1104(1) of the Bill): the categories of personal data collected by the controller;  the purposes for which the categories of personal data is used and disclosed to third parties, if any; the rights that consumers may exercise pursuant to section 1103 of this article, if any; the categories of personal data that the controller shares with third parties, if any; and (e) the names and categories of third parties, if any, with whom the controller shares personal data.

The attorney general may bring an action in the name of the state, or as parens patriae on behalf of persons residing in the state, to enforce the Bill. In addition, any person who has been injured by reason of a violation of this Bill may bring an action in his or her own name to enjoin such unlawful act, or to recover his or her actual damages, or both such actions.

House Bill 1049 for the Consumer Data Privacy Act ('the Bill') was introduced, on 5 April 2019, to the Pennsylvania House of Representatives and was referred to the House Consumer Affairs Committee on the same day.

A consumer has the right to access personal information collected by a business (Section 4(4)(a) of the Bill).

A consumer has the right to request the deletion of their personal data (Section 4(e)(1) of the Bill).

The consumer has the right to opt out of the sale of their personal information (Section 4(a)(3) of the Bill).

Violators of the Bill shall be liable for a civil penalty in a civil action brought by the Attorney General of up to $7,500 for each violation (Section 4(o) of the Bill).

House Bill 57 for the Electronic Information or Data Privacy Act was signed into law, on 27 March 2019, and entered into force, on 14 May 2019.

Senate Bill 110 for An Act Relating to Data Privacy and Consumer Protection ('the Act') was signed, on 5 March 2020, by the Governor of Vermont, and will come into effect on 1 July 2020.

The operator of an Internet website, online service, online application, or mobile application must implement and maintain reasonable security procedures and practices (Section 4 of the Act).

House Bill 473 for the Virginia Privacy Act was introduced, on 3 January 2020, to the Virginia House of Delegates. Please note the bill has been continued to the 2021 Session.

The controller must provide to the consumer any personal data that the controller maintains in an identifiable form concerning the consumer that such consumer has provided to the controller in a  structured, commonly used, and machine-readable format (Section 59.1-574(5) of the Bill).

Upon a verified request from a consumer, a controller shall delete, without undue delay, the consumer's personal data that the controller maintains in identifiable form (Section 59.1-574(3) of the Bill).

The obligations imposed by the Bill's provisions do not restrict a controller's or processor's ability to prevent, detect, or respond to security incidents, or to preserve the integrity or security of systems (Section 59.1-578. of the Bill).

A processor is a natural or legal person that processes personal data on behalf of a controller (Section 59.1-571. of the Bill).

Controllers shall be transparent and accountable for their processing of personal data by making available in a form that is reasonably accessible to consumers a clear, meaningful privacy notice (Section 59.1-575 of the Bill).

Violations of the Bill would constitute a prohibited practice pursuant and be subject to any and all of the enforcement provisions of  the Virginia Consumer Protection Act (Section 59.1-579 of the Bill)

Consumers have the right to request from a controller to be informed as to whether or not the controller processes the consumer's personal data and to obtain a copy of the personal data and certain information (Section 1(3) of AB 870). 

Controllers must delete, without undue delay, the personal data relating to a consumer if certain conditions apply (Section 1(2) of AB 871). 

A controller may not process personal data unless the processing is conducted to detect security incidents, to protect against malicious, deceptive, fraudulent, or illegal activity, or to prosecute a person responsible for that activity (Section 1(2)(f) of AB 872).

A processor is a person who processes personal data on behalf of a controller, but does not include a law enforcement agency or a unit or instrumentality of the federal government, the state, or a local government(Section 1(1)(h) of AB 872).

When a controller collects personal data from a consumer, certain information must be provided to such consumer (Section 1(2) of AB 870).