USA State Privacy Bill Developments: What You Need To Know
February 12, 2021
2021 started with several States introducing or reintroducing bills following developments in California through the CCPA and CPRA.
Virginia's Consumer Data Protection Act ('CDPA') would establish various definitions including for precise geolocation data, profiling, targeted advertising, and the sale of personal data.
It would apply to persons that conduct business in the Commonwealth of Virginia or produce products or services that are targeted to residents of the Commonwealth and that meet one or both of the following requirements:
- during a calendar year, control or process personal data of at least 100,000 consumers; or
- control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
Virginia's Consumer Data Protection Act would also confer data subjects with industry recognised rights including access, correction, deletion, portability, and opt-out rights. It would establish obligations on controllers and processors including rules regarding Data Protection Impact Assessments and the processing of de-identified data, and would also mandate enforcement by the Attorney General with civil penalties for non-compliance at $7,500 credited into a newly established Consumer Privacy Fund.
Washington Privacy Act and People's Privacy Act
Senate Bill 5062 for the Washington Privacy Act was reintroduced on 5 January 2021. The bill was first introduced on 17 January 2018 to the Washington State Senate, and has now been reintroduced for a third time. It would apply to companies handling the data of over 100,000 Washington residents or which process or control personal data of 25,000 consumers or more and derive over 25% of their gross revenue from the sale of personal information. The bill would establish four key consumer rights, namely the right to access personal data, to update and correct data, the right to data portability, and to object to the use of data. It would also require privacy assessments for certain processing activities such as processing for the purposes of targeted advertising, for the purposes of the sale of personal data, and where the processing involves sensitive personal data.
House Bill 1433 for the People's Privacy Act was introduced on 1 February 2021. The bill would seek to implement a requirement for covered entities to provide clear and accessible data privacy policies and for affirmative, opt-in consent for the collection and use of personal information. Additionally, it would provide individuals with rights such as the right to access, information, rectification and withdrawal of consent, and would allow the enforcement of rights through a private right of action.
New York Privacy Act
The New York Privacy Act was reintroduced on 6 January 2021. Among its provisions, the bill would require the express and documented consent of consumers for their personal data to be used, processed, or transferred to a third party. Legal entities or affiliates of such entities, and every controller and data broker to which the bill applies must reasonably secure personal data from unauthorised access. It would detail what qualifies as a privacy risk and would require that consumers be promptly informed of any breach of duty with respect to their personal data. The bill would also ensure rights, such as the right to be informed, to correct or delete personal information, to opt-out of the processing of their personal data, and provisions with respect to automated decision-making.