Data Privacy - State Regulatory Agencies

US Policy Map

You are tracking 0 US-Federal Bills and 0 US-Federal Regulations. You're also following state data as detailed below.

US Policy 51 Bills, 0 Regulations
CA AB 1628

Title: Social media platforms: electronic content management: controlled substances.

Current Status: Passed

Introduction Date: January 11, 2022

Last Action Date: Chaptered by Secretary of State - Chapter 432, Statutes of 2022.. September 19, 2022

Summary: This bill would, until January 1, 2028, and subject to specified exceptions, require a social media platform, as defined, that operates in the state to create and publicly post a policy statement that includes, among other things, the social media platform’s policy on the use of the social media platform to illegally distribute a controlled substance, and a link to the social media platform’s reporting mechanism for illegal or harmful content or behavior if one exists. The bill would require a person or entity operating the social media platform to update the policy statement as necessary and consider consulting with specified entities to assist in developing and supporting the policy statement.

Description: AB 1628, Ramos. Social media platforms: electronic content management: controlled substances. Existing law requires an operator of a commercial internet website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial internet website or online service to conspicuously post its privacy policy on its internet website. Existing law also limits advertising by an operator of an internet website, online service, online application, or mobile application directed to minors.This bill would, until January 1, 2028, and subject to specified exceptions, require a social media platform, as defined, that operates in the state to create and publicly post a policy statement that includes, among other things, the social media platform’s policy on the use of the social media platform to illegally distribute a controlled substance, as defined, and a link to the ....

Location: US-CA

CA AB 1711

Title: Privacy: breach.

Current Status: Failed

Introduction Date: January 26, 2022

Last Action Date: Vetoed by Governor.. September 23, 2022

Summary: This bill would require an agency to post a notice on the agency’s internet website when a person or business operating a system on behalf of the agency is required to issue a security breach notification for that system. It further outlines what information, at minimum, must be provided in the breach notification, such as the name and contact information of the reporting agency subject to this section, a list of the types of personal information that were or are reasonably believed to have been the subject of a breach, the date and time of the breach, etc. If the agency demonstrates that the cost of providing notice would $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information, a substitute notice must consist of an email notice when the agency has an email address for the subject persons, conspicuous posting, for a minimum of 30 days, of the notice on the agency’s internet website, if the agency maintains one, or notification to major statewide media and the Office of Information Security within the Department of Technology.

Description: AB 1711, Seyarto. Privacy: breach. Existing law requires an agency or a person or business that conducts business in California that owns or licenses computerized data that includes personal information to disclose a breach of security of the system following discovery or notification of the breach in the security data to certain residents of California, as specified.This bill would require an agency to post a notice on the agency’s internet website when a person or business operating a system on behalf of the agency is required to issue a security breach notification for that system pursuant to the above-described provisions, as specified.This bill would incorporate additional changes to Section 1798.29 of the Civil Code proposed by AB 2958 to be operative only if this bill and AB 2958 are enacted and this bill is enacted last.

Location: US-CA

CA SB 1454

Title: California Privacy Rights Act of 2020: exemptions.

Current Status: Failed

Introduction Date: February 18, 2022

Last Action Date: From committee without further action.. November 30, 2022

Summary: The California Privacy Rights Act of 2020 (CPRA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to require the business to delete personal information about the consumer. The CPRA, until January 1, 2023, exempts from certain provisions of the act personal information reflecting a communication or a transaction between the business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service. The CPRA, until January 1, 2023, also exempts from certain provisions of the act personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business. This bill would extend those above-described exemptions indefinitely.

Description: SB 1454, as amended, Archuleta. California Privacy Rights Act of 2020: exemptions. Existing law, the California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to require the business to delete personal information about the consumer, as specified.The CPRA, until January 1, 2023, exempts from certain provisions of the act personal information reflecting a communication or a transaction between the business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service. The CPRA, until January 1, 2023, also exempts from certain provisions of the act personal information that is collect....

Location: US-CA

CA AB 2891

Title: California Consumer Privacy Act: exemptions.

Current Status: Failed

Introduction Date: February 18, 2022

Last Action Date: From committee without further action.. November 30, 2022

Summary: Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to require the business to delete personal information about the consumer, as specified. Existing law provides that the obligations the CCPA imposes on businesses shall not restrict a business’ ability to, among other things, comply with state law. Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election (Proposition 24), amended, added to, and reenacted the CCPA. The CCPA, as amended by Proposition 24, provides that certain exemptions to obligations imposed on businesses by specified provisions of the CCPA would expire on January 1, 2023. Existing law, until January 1, 2023, exempts from certain provisions of the CCPA personal information reflecting a communication or a transaction between the business and a company, partnership, sole proprietorship, nonprofit, or government agency that occur solely within the context of the business conducting due diligence or providing or receiving a product or service. Existing law also exempts personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business. This bill would extend those above-described exemptions until January 1, 2026. This bill would declare that its provisions further the purposes and intent of Proposition 24.

Description: AB 2891, as introduced, Low. California Consumer Privacy Act: exemptions. Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to require the business to delete personal information about the consumer, as specified. Existing law provides that the obligations the CCPA imposes on businesses shall not restrict a business’ ability to, among other things, comply with state law.Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election (Proposition 24), amended, added to, and reenacted the CCPA. The CCPA, as amended by Proposition 24, provides that certain exemptions to obligations imposed on businesses by specified provisions of the CCPA would expire on January 1, 2023.Existing law, until January 1, 2023, ex....

Location: US-CA

CA AB 2677

Title: Information Practices Act of 1977.

Current Status: Failed

Introduction Date: February 18, 2022

Last Action Date: Vetoed by Governor.. September 19, 2022

Summary: This bill updates existing law related to the Information Practices Act of 1977 which prescribes a set of requirements, prohibitions, and remedies applicable to agencies, as defined, with regard to their collection, storage, and disclosure of personal information, as defined. This bill would include, among other things, genetic information, IP address, online browsing history, and location information, if these pieces of data can reasonably identify or describe an individual, within the definition of “personal information,” and revise the definition of “regulatory agency” to include the Financial Industry Regulatory Authority, for the act’s purposes. Further, this bill would prohibit an agency from using records containing personal information for any purpose or purposes other than the purpose for which that personal information was collected except as required by state or federal law. This bill further revises the circumstances that may allow the disclosure of personal information in a manner that links the information disclosed to the individual to whom it pertains. .

Description: AB 2677, Gabriel. Information Practices Act of 1977. Existing law, the Information Practices Act of 1977, prescribes a set of requirements, prohibitions, and remedies applicable to agencies, as defined, with regard to their collection, storage, and disclosure of personal information, as defined. Existing law exempts from the provisions of the act counties, cities, any city and county, school districts, municipal corporations, districts, political subdivisions, and other local public agencies, as specified.This bill would, beginning January 1, 2025, recast those provisions to include, among other things, genetic information, IP address, online browsing history, and location information, if reasonably capable of identifying or describing an individual, within the definition of “personal information,” and revise the definition of “regulatory agency” to include the Financial Industry Regulatory Authority, for the act’s purposes. The bill would make other techn....

Location: US-CA

CA AB 2958

Title: State Bar of California.

Current Status: Passed

Introduction Date: March 08, 2022

Last Action Date: Chaptered by Secretary of State - Chapter 419, Statutes of 2022.. September 18, 2022

Summary: Under existing provisions, any agency that maintains computerized data that includes personal information that the agency does not own is also required to notify the owner or licensee of the information of any breach of the security of the data following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Existing law sets forth requirements for the format and contents of the security breach notification. This bill would require the State Bar to comply with these disclosure requirements.

Description: AB 2958, Committee on Judiciary. State Bar of California. (1) Existing law, the State Bar Act, provides for the licensure and regulation of attorneys by the State Bar of California, a public corporation. Existing law creates within the State Bar a Governance in the Public Interest Task Force, which is required to prepare and submit a report every 3 years that includes recommendations for enhancing the protection of the public and ensuring that protection of the public is the highest priority in the licensing, regulation, and discipline of attorneys, as specified.This bill would repeal those provisions establishing and imposing duties on the Governance in the Public Interest Task Force.(2) The State Bar is governed by a board of trustees. Existing law requires the board to consist of 13 members appointed by certain authorities for a term of 4 years, requires appointing authorities to fill vacancies, and limits the reappointment of certain members, as specified.....

Location: US-CA

HI SB 974

Title: Relating To Consumer Data Protection.

Current Status: Introduced

Introduction Date: January 20, 2023

Last Action Date: The committee(s) on CPN has scheduled a public hearing on 02-10-23 9:40AM; Conference Room 229 & Videoconference.. February 03, 2023

Summary: This bill establishes a framework to regulate controllers and processors with access to personal consumer data. It also establishes penalties and establishes a new consumer privacy special fund.

Description: Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes penalties. Establishes a new consumer privacy special fund. Appropriates moneys.

Location: US-HI

HI SB 1110

Title: Relating To Consumer Data Protection.

Current Status: Introduced

Introduction Date: January 20, 2023

Last Action Date: Referred to CPN/JDC, WAM.. January 27, 2023

Summary: This bill establishes a framework to regulate controllers and processors with access to personal consumer data. It establishes that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair and deceptive acts or practices in the conduct of any trade of commerce. It also authorizes a person injured by a violation of the personal consumer data act to bring a civil action against a controller or processor.

Description: Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair and deceptive acts or practices in the conduct of any trade of commerce. Authorizes a person injured by a violation of the personal consumer data act to bring a civil action against a controller or processor.

Location: US-HI

HI HB 1497

Title: Relating To Consumer Data Protection.

Current Status: Introduced

Introduction Date: January 25, 2023

Last Action Date: Reported from HET (Stand. Com. Rep. No. 61) as amended in HD 1, recommending passage on Second Reading and referral to CPC.. February 06, 2023

Summary: This bill establishes a framework to regulate controllers and processors with access to personal consumer data. It establishes that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair and deceptive acts or practices in the conduct of any trade of commerce and authorizes a person injured by a violation of the personal consumer data act to bring a civil action against a controller or processor.

Description: Establishes a framework to regulate controllers and processors with access to personal consumer data. Provides that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce. Provides for a written notice and thirty-day opportunity to cure a violation without any action being brought or penalties being incurred. Effective 6/30/3000. (HD1)

Location: US-HI

IA HSB 12

Title: A bill for an act relating to consumer data protection, providing civil penalties, and including effective date provisions.

Current Status: Introduced

Introduction Date: January 12, 2023

Last Action Date: Subcommittee recommends passage. Vote Total: 3-0.. January 23, 2023

Summary: This bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data will be subject to the provisions of the bill. The bill provides consumers have personal data rights that may be invoked at any time. The controller must comply with such requests, within 45 days, to confirm or deny whether the controller is processing the personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing. The bill provides that controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing.

Location: US-IA

IA SSB 1071

Title: A bill for an act relating to consumer data protection, providing civil penalties, and including effective date provisions.

Current Status: Introduced

Introduction Date: January 23, 2023

Last Action Date: Subcommittee recommends amendment and passage. [].. January 31, 2023

Summary: The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data will be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the federal Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules by the department of health and human services, certain federal governance laws, and the federal Health Insurance Portability and Accountability Act, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill. The bill provides consumers have personal data rights that may be invoked at any time. The controller must comply with such requests to confirm or deny whether the controller is processing the personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing. The bill provides that controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. Controllers must give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfers. The bill takes effect January 1, 2025.

Location: US-IA

IL HB 1381

Title: Right To Know Act

Current Status: Introduced

Introduction Date: January 24, 2023

Last Action Date: Referred to Rules Committee. January 31, 2023

Summary: This bill creates the Right to Know Act. It provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. It further requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information and provides for a data protection safety plan. This bill provides for a right of action to customers whose rights are violated under the Act, provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act will be void and unenforceable and provides that no provision of the Act will be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with State or local government.

Description: Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the Act. Provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act shall be void and unenforceable. Provides that no provision of the Act shall be con....

Location: US-IL

IN SB 5

Title: Consumer data protection.

Current Status: Introduced

Introduction Date: January 09, 2023

Last Action Date: Senator Bassler added as coauthor. February 02, 2023

Summary: This bill establishes a new article in the Indiana Code concerning consumer data protection, to take effect January 1, 2026. It sets forth the following within the new article: (1) Definitions of various terms that apply throughout the article. (2) Exemptions from the bill's requirements concerning the responsibilities of controllers of consumers' personal data. (3) The rights of an Indiana consumer to do the following: (A) Confirm whether or not a controller is processing the consumer's personal data. (B) Correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller. (C) Delete the consumer's personal data held by a controller. (D) Obtain a copy or representative summary of the consumer's personal data that the consumer previously provided to the controller. (E) Opt out of the processing of the consumer's personal data for certain purposes. (4) The responsibilities of controllers of consumers' personal data. (5) The roles of controllers and processors with respect to a consumer's personal data. (6) Requirements for data protection impact assessments by controllers of consumers' personal data. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The authority of the attorney general to investigate and enforce suspected or actual violations of the new article. (10) The preemption of local rules, regulations, and laws regarding the processing of personal data.

Description: Establishes a new article in the Indiana Code concerning consumer data protection, to take effect January 1, 2026. Sets forth the following within the new article: (1) Definitions of various terms that apply throughout the article. (2) Exemptions from the bill's requirements concerning the responsibilities of controllers of consumers' personal data. (3) The rights of an Indiana consumer to do the following: (A) Confirm whether or not a controller is processing the consumer's personal data. (B) Correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller. (C) Delete the consumer's personal data held by a controller. (D) Obtain a copy or representative summary of the consumer's personal data that the consumer previously provided to the controller. (E) Opt out of the processing of the consumer's personal data for certain purposes. (4) The responsibilities of controllers of consumers' personal data. (5) The roles of controllers and processors w....

Location: US-IN

IN HB 1554

Title: Consumer data protection.

Current Status: Introduced

Introduction Date: January 19, 2023

Last Action Date: First reading: referred to Committee on Commerce, Small Business and Economic Development. January 19, 2023

Summary: This bill establishes in the Indiana Code a new article concerning consumer data protection, to take effect January 1, 2024. It sets forth the following within the new article: (1) Definitions of terms that apply throughout the article. (2) Exemptions for certain: (A) persons; and (B) types of information and data; from the bill's requirements concerning the personal data of Indiana consumers (consumers). (3) The rights of a consumer with respect to personal data relating to the consumer. (4) The responsibilities of controllers of consumers' personal data (controllers). (5) The roles of: (A) controllers; and (B) processors of consumers' personal data (processors); with respect to a consumer's personal data. (6) Requirements for data protection assessments by controllers. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The establishment, maintenance, and publication by the attorney general's consumer protection division of a quarterly listing of electronic mail addresses of consumers who request that their personal data not be sold. (10) Requirements for brokers of consumers' personal information (data brokers) to: (A) provide notification of security breaches; and (B) register annually with the attorney general. (11) The authority of the attorney general to investigate and enforce suspected or actual violations of the new article. (12) The establishment of the consumer privacy account within the state general fund to support the work of the attorney general in enforcing the new article. (13) The authority of the attorney general to: (A) to adopt rules to administer the new article; and (B) issue opinion letters and interpretive guidance to develop an operational framework for persons subject to the new article. (14) The preemption of local rules, regulation, and laws regarding the processing of personal data.

Description: Establishes in the Indiana Code a new article concerning consumer data protection, to take effect January 1, 2024. Sets forth the following within the new article: (1) Definitions of terms that apply throughout the article. (2) Exemptions for certain: (A) persons; and (B) types of information and data; from the bill's requirements concerning the personal data of Indiana consumers (consumers). (3) The rights of a consumer with respect to personal data relating to the consumer. (4) The responsibilities of controllers of consumers' personal data (controllers). (5) The roles of: (A) controllers; and (B) processors of consumers' personal data (processors); with respect to a consumer's personal data. (6) Requirements for data protection assessments by controllers. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The establishment, maintenance, and publication by the attorney general's consumer protection division....

Location: US-IN

KY SB 15

Title: AN ACT relating to consumer data privacy.

Current Status: Introduced

Introduction Date: January 03, 2023

Last Action Date: to Economic Development, Tourism, & Labor (S). January 05, 2023

Summary: This bill requires a data controller to comply with a consumer request to exercise those rights, including confirming whether or not a controller is processing the consumer's data and providing the consumer access to his or her data, deleting his or her personal data, providing a copy of the consumer's data that he or she previously provided in a portable and usable format, opting out of targeted advertising, opting out of tracking, and opting out of the sale or sharing of his or her personal data. It also requires controllers to establish a process for consumers to appeal a controller's refusal to act on a consumer's request to exercise a right; set forth requirements for persons or entities that control or process personal data. The bill requires persons who control data to conduct data protection impact assessments, and establishes that the Attorney General has exclusive authority to enforce, with the exception of a private right of action by which consumers can seek injunctive relief for specific violations if the data controller or processor received written notice of violation from the Attorney General and failed to cure the violation within 30 days.

Description: Create new sections of KRS Chapter 367 to define terms; set the parameters for applicability of this Act; define various consumer rights related to data collection; require a data controller to comply with a consumer request to exercise those rights, including confirming whether or not a controller is processing the consumer's data and providing the consumer access to his or her data, deleting his or her personal data, providing a copy of the consumer's data that he or she previously provided in a portable and usable format, opting out of targeted advertising, opting out of tracking, and opting out of the sale or sharing of his or her personal data; require controllers to establish a process for consumers to appeal a controller's refusal to act on a consumer's request to exercise a right; set forth requirements for persons or entities that control or process personal data; require persons who control data to conduct data protection impact assessments; establish that the Attorney Genera....

Location: US-KY

MA SD 745

Title: An Act establishing the Massachusetts Data Privacy Protection Act

Current Status: Introduced

Location: US-MA

MA HD 1702

Title: An Act relative to internet service provider data

Current Status: Introduced

Location: US-MA

MA SD 1971

Title: An Act establishing the Massachusetts Information Privacy and Security Act

Current Status: Introduced

Summary: This bill provides that data controllers can only collect personal information that is reasonably necessary and only after an individual has given consent. Controllers must also provide a privacy notice to consumers describing the categories of personal information processed, the purpose of collecting the information, and if the controller sells personal information to third parties. Additionally, the bill establishes a consumer's right to opt-out of the processing of their personal information; revoke consent; and request to access, delete, or correct any of their personal information that has been processed. Controllers must respond to a consumer's request within 45 days. Personal information processed in compliance with the federal Gramm-Leach-Bliley 367 Act is exempt from this bill.

Location: US-MA

MA HD 3263

Title: An Act establishing the Massachusetts information privacy and security act

Current Status: Introduced

Location: US-MA

MA HD 3195

Title: An Act relative to online advertising

Current Status: Introduced

Location: US-MA

MA HD 2281

Title: An Act to establish the Massachusetts data privacy protection act

Current Status: Introduced

Summary: This bill establishes various data privacy laws that aim to protect individuals and their privacy. It requires covered entities and service providers to make publicly available, in a clear, conspicuous, not misleading, a reasonably understandable privacy policy that provides a detailed and accurate representation of the data collection, processing, and transfer activities of the covered entity. A covered entity must provide an individual, after receiving a verified request from the individual, with the right to access their data and other information outlined in this bill.

Location: US-MA

MD SB 169

Title: Commercial Law – Consumer Protection – Biometric Data Privacy

Current Status: Introduced

Introduction Date: January 20, 2023

Last Action Date: Hearing 2/08 at 1:00 p.m.. January 21, 2023

Summary: This bill regulates the use of biometric data by private entities, including by requiring certain private entities in possession of biometric data to develop a written policy, made available to the public, establishing a retention schedule and guidelines for the permanent destruction of biometric data. It also authorizes an individual alleging a violation of the Act to bring a civil action against the offending private entity and makes a violation of the Act an unfair, abusive, or deceptive trade practice.

Description: Regulating the use of biometric data by private entities, including by requiring certain private entities in possession of biometric data to develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanent destruction of biometric data; authorizing an individual alleging a violation of the Act to bring a civil action against the offending private entity; and making a violation of the Act an unfair, abusive, or deceptive trade practice.

Location: US-MD

MI SB 1182

Title: Consumer protection: privacy; internet privacy act; create. Creates new act.

Current Status: Failed

Introduction Date: September 27, 2022

Last Action Date: REFERRED TO COMMITTEE ON ENERGY AND TECHNOLOGY. September 27, 2022

Summary: This bill establishes the privacy rights of consumers to require certain persons to provide certain notices to consumers regarding the processing and sale of personal data. It outlines data broker registration in responsibilities. It also prohibits certain acts and practices concerning the processing and sale of personal data. The bill also establishes standards and practices regarding the processing and sale of personal data and provides for the powers and duties of certain state governmental officers and entities. It also creates certain funds and remedies for violations of this act.

Location: US-MI

MN SF 950

Title: Consumer's consent prior to collecting personal information requirement

Current Status: Introduced

Introduction Date: January 30, 2023

Last Action Date: Referred to Commerce and Consumer Protection. January 30, 2023

Summary: This bill states that a business must not collect, use, or disclose a consumer's personal information without the consumer's consent. In order to receive the consumer's consent, the business must, at or before the point of collection of the consumer's personal information, notify the consumer of the categories of personal information the business collects about the consumer, the categories of sources from which the business collects the personal information, for each category of personal information, the purpose for collecting the personal information, and for each category of personal information, the categories of persons to which the personal information may be disclosed and the purpose for the disclosure. A business must not collect additional categories of personal information, use personal information collected for additional purposes, or disclose additional personal information without notifying the consumer consistent with paragraph (b) and receiving the consumer's consent consistent with paragraph (a) regarding the additional categories, purposes, or disclosures. This bill also adds enforcement provisions for the implementation of this bill.

Location: US-MN

MT LC 130

Title: Generally revise data privacy laws

Current Status: Introduced

Introduction Date: July 26, 2022

Last Action Date: (C) Draft On Hold. December 07, 2022

Location: US-MT

MT SB 50

Title: Generally revise laws related to data breach notification

Current Status: Considering

Introduction Date: January 02, 2023

Last Action Date: (S) Transmitted to House. January 24, 2023

Location: US-MT

MT LC 809

Title: Generally revise laws relating to digital privacy

Current Status: Introduced

Introduction Date: October 24, 2022

Last Action Date: (C) Draft On Hold. December 07, 2022

Location: US-MT

NH SB 255

Title: relative to the expectation of privacy.

Current Status: Introduced

Introduction Date: January 24, 2023

Last Action Date: Introduced 01/19/2023 and Referred to Judiciary; SJ 5. January 24, 2023

Summary: This bill states that a consumer will have the right to confirm whether or not a controller is processing the consumer's personal data and access such personal data unless such confirmation or access would require the controller to reveal a trade secret, correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data, delete personal data provided by, or obtained about, the consumer, obtain a copy of the consumer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller will not be required to reveal any trade secret, and opt-out of the processing of the personal data for purposes of targeted advertising, or the sale of personal data. A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice. A controller must respond to a consumer in a reasonable time frame, and if a controller declines to take action regarding the consumer's request, the controller will inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

Location: US-NH

NJ S 332

Title: Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.

Current Status: Considering

Introduction Date: January 11, 2022

Last Action Date: Passed by the Senate (27-11). February 02, 2023

Summary: This bill requires a commercial Internet website and online service operator to notify consumers of the collection and disclosure of “personally identifiable information,” as that term is defined in the bill, to third parties. An operator that collects through the Internet the personally identifiable information of a consumer is to provide on its Internet website or online service notification to a consumer of multiple provisions outlined in this bill. This bill requires that an operator that discloses a consumer’s personally identifiable information to a third party is to make the following information available to the consumer free of charge upon receipt of a verified request from the consumer for this information through a designated request address: the consumer’s personally identifiable information that was disclosed; and the names and contact information of the third parties that received the consumer’s personally identifiable information. An operator that receives a request from a consumer is to provide a response to the consumer within 60 days of its verification and is to provide the information for all disclosures of personally identifiable information that occurred in the prior 12 months.

Location: US-NJ

NJ A 1971

Title: Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.

Current Status: Introduced

Introduction Date: January 11, 2022

Last Action Date: Introduced, Referred to Assembly Science, Innovation and Technology Committee. January 11, 2022

Location: US-NJ

NJ A 505

Title: "New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)"; establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.

Current Status: Introduced

Introduction Date: January 11, 2022

Last Action Date: Introduced, Referred to Assembly Science, Innovation and Technology Committee. January 11, 2022

Location: US-NJ

NJ A 4811

Title: Establishes data broker registry.

Current Status: Introduced

Introduction Date: October 20, 2022

Last Action Date: Introduced, Referred to Assembly Science, Innovation and Technology Committee. October 20, 2022

Summary: This bill establishes the data broker registry. It states what qualifies as “Brokered personal information” and who is considered a "data broker." The Division of Consumer Affairs in the Department of Law and Public Safety will establish and maintain an up-to-date and public registry of data brokers doing business in this State. The registry will include, the name of the data broker, the data broker’s physical address, a general email address to gain further information about the data broker’s privacy policies and data collection, a website address, a website address specific to the data broker’s privacy policy, and any relevant opt-out information. Further, each data broker must pay a registration fee of $100 to the division, along with other information the broker must submit to the division. The bill provides that if a data broker does not comply with the registration requirements, then it is subject to a civil penalty of $50 per day, not to exceed $10,000 per year for each year it fails to register.

Location: US-NJ

NJ S 3315

Title: Prohibits information from Statewide voter registration system from being published on Internet.

Current Status: Introduced

Introduction Date: November 07, 2022

Last Action Date: Introduced in the Senate, Referred to Senate State Government, Wagering, Tourism & Historic Preservation Committee. November 07, 2022

Summary: This bill prohibits voter registration information from the Statewide voter registration system from being published on the Internet. Under current law, the Statewide voter registration system is accessible by State and County entities and offices, and voter registration lists are also provided to the chairmen of the county committees of each political party and are accessible by voters who apply and pay for a copy of the list. This bill specifically prohibits any information from the system from being published on the Internet, in order to further protect the privacy of registered voters in New Jersey.

Location: US-NJ

NJ A 4919

Title: Concerns social media privacy and data management for children and establishes New Jersey Children's Data Protection Commission.

Current Status: Introduced

Introduction Date: December 05, 2022

Last Action Date: Introduced, Referred to Assembly Science, Innovation and Technology Committee. December 05, 2022

Summary: This bill establishes social media privacy and data management requirements for children and also establishes the New Jersey Children’s Data Protection Commission. The bill requires that before any new online service, product, or feature is offered to users residing in New Jersey, a social media platform is required to take certain actions as described in the bill, including completing a data protection impact assessment on children. The data protection impact assessment will address various factors to assess whether a product or feature will directly or indirectly harm a child in any way. The bill further prohibits social media platforms from using the personal information of any child in a way that is detrimental to the physical health, mental health, or well-being of a child, profiling a child by default, unless certain criteria apply, or from collecting, selling, sharing, or retaining any personal information that is not necessary to provide an online service, product, or feature, unless the social media platform can demonstrate a compelling reason to do otherwise. There are penalties for social media platforms that fail to comply with the provisions of this bill.

Location: US-NJ

NM SB 280

Title: CYBERSECURITY ACT

Current Status: Introduced

Introduction Date: January 30, 2023

Last Action Date: Sent to SRC - Referrals: SRC/SFC. January 30, 2023

Summary: This bill establishes the "cybersecurity office" and is administratively attached to the department of information technology. The office will be managed by the security officer. The cybersecurity office is responsible for all cybersecurity and information security-related functions for agencies and will establish security standards and policies to protect agency information technology systems and infrastructure, provide appropriate governance and application of the standards and policies across information technology resources used by agencies and ensure the availability, confidentiality and integrity of the information processed, transacted or stored by agencies in the state's information technology infrastructure and systems. The office will also develop cybersecurity protocols for managing and protecting information technology assets and infrastructure for all entities that are connected to an agency-operated or -owned telecommunications network or that receive funding from agencies used to operate or own information technology, as well as, detect, and mitigate and monitor security incidents consistent with information security standards and policies.

Location: US-NM

NY S 365

Title: Relates to enacting the NY privacy act

Current Status: Introduced

Introduction Date: January 04, 2023

Last Action Date: REFERRED TO CONSUMER PROTECTION. January 04, 2023

Description: Enacts the New York privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

Location: US-NY

NY S 2277

Title: Enacts the "digital fairness act"

Current Status: Introduced

Introduction Date: January 19, 2023

Last Action Date: REFERRED TO INTERNET AND TECHNOLOGY. January 19, 2023

Description: Enacts the "digital fairness act"; requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information; establishes unlawful discriminatory practices relating to targeted advertising.

Location: US-NY

NY S 2998

Title: Relates to establishing the online consumer protection act

Current Status: Introduced

Introduction Date: January 26, 2023

Last Action Date: REFERRED TO CONSUMER PROTECTION. January 26, 2023

Summary: This bill relates to establishing the online consumer protection act and defines related terms. This bill further provides that an advertising network will post a clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities.

Description: Relates to establishing the online consumer protection act; defines terms; provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities; makes related provisions.

Location: US-NY

NY A 2587

Title: Establishes the New York Data Protection Act

Current Status: Introduced

Introduction Date: January 26, 2023

Last Action Date: REFERRED TO GOVERNMENTAL OPERATIONS. January 26, 2023

Summary: This bill establishes the New York Data Protection Act. It requires government entities and contractors to disclose certain personal information collected about individuals.

Description: Establishes the New York Data Protection Act; requires government entities and contractors to disclose certain personal information collected about individuals.

Location: US-NY

NY S 3162

Title: Allows consumers the right to request from businesses the categories of personal information a business has sold or disclosed to third parties

Current Status: Introduced

Introduction Date: January 30, 2023

Last Action Date: REFERRED TO CONSUMER PROTECTION. January 30, 2023

Summary: This bill grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Description: Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Location: US-NY

OK HB 1030

Title: Data privacy; Oklahoma Computer Data Privacy Act; consumer protection; civil penalties; effective date.

Current Status: Introduced

Introduction Date: February 06, 2023

Last Action Date: Authored by Representative West (Josh). February 06, 2023

Location: US-OK

OR SB 619

Title: Relating to protections for the personal data of consumers.

Current Status: Introduced

Introduction Date: January 09, 2023

Last Action Date: Referred to Judiciary, then Ways and Means.. January 13, 2023

Description: Permits consumers to obtain from a controller that processes consumer personal data confirmation as to whether controller is processing consumer's personal data and categories of personal data controller is processing, list of specific third parties to which controller has disclosed consumer's personal data and copy of all of consumer's personal data that controller has processed or is processing. Permits consumer to require controller to correct inaccuracies in personal data about consumer, require controller to delete personal data about consumer or opt out from controller's processing of consumer's personal data under certain circumstances. Requires controller to provide to consumers reasonably accessible, clear and meaningful privacy notice that lists categories of personal data controller processes, describes controller's purpose for processing personal data, describes how consumer may exercise consumer's rights with respect to personal data, lists categories of personal data tha....

Location: US-OR

PA SB 696

Title: An Act amending the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, further providing for title of act, for definitions and for notification of breach; prohibiting employees of the Commonwealth from using nonsecured Internet connections; providing for data storage policy and for entities subject to the Health Insurance Portability and Accountability Act of 1996; and further providing for notice exemption and for applicability.

Current Status: Passed

Introduction Date: May 24, 2021

Last Action Date: Act No. 151 of 2022. November 03, 2022

Summary: This bill provides for the security of computerized data and for the notification of residents whose personal information data was or may have been disclosed due to a security system breach of the security system, and further imposes penalties for these breaches. The bill defines what is considered personal data and includes "State agency contractor." These "State Agency Contractors" are required to notify the appropriate authority and the governor's office for data breaches within 3 days of the breach, make appropriate state and state agency-related contract amendments and provisions that deal with data breaches, and required to report who's data was breached through an electronic list if the breach impacts any listed state and county public school or municipalities, or any individual whose account may be accessible through the use of the data that was breached. The bill also makes encryption requirements for state and state agency contractor employees.

Location: US-PA

PA SB 40

Title: An Act amending Title 25 (Elections) of the Pennsylvania Consolidated Statutes, in preliminary provisions, further providing for definitions; in registration system, further providing for departmental responsibilities and for SURE system; in voter registration, further providing for methods of voter registration and for application with driver's license application, providing for Commonwealth agencies and other entities and further providing for preparation and distribution of applications and for approval of registration applications; and providing for privacy and security standards for voter registration in this Commonwealth.

Current Status: Introduced

Introduction Date: January 31, 2023

Last Action Date: Referred to STATE GOVERNMENT. January 31, 2023

Summary: This bill allows for automatic voter registration when applicants apply for use government services. Upon receipt of the registration, the applicant must be notified and allowed to: decline to be registered or adopt a political party affiliation. The bill also adds electronic registration as an additional means of submitting a voter registration application. Additionally, this bill asks the secretary of state to promulgate regulations regarding privacy and security policies specifying who can have authorized access to the Statewide voter registration database and providing for other safeguards to protect the privacy and security of the information on the Statewide voter registration database. The regulations must, for example, prohibit the public disclosure of a voter's personal information, including Social Security number and signature along with whether or not they declined to register to vote or not.

Location: US-PA

SC H 3547

Title: Social Media

Current Status: Introduced

Introduction Date: December 15, 2022

Last Action Date: Member(s) request name added as sponsor: Carter. January 18, 2023

Description: A Bill To Amend The South Carolina Code Of Laws By Adding Section 63-5-380 So As To Prohibit The Collection Of Personal Information From Children By Operators Of Websites, Online Services, And Online Or Mobile Applications And To Establish Penalties.

Location: US-SC

TN SB 73

Title: Consumer Protection - As introduced, enacts the "Tennessee Information Protection Act." - Amends TCA Title 4; Title 12; Title 43; Title 45; Title 47; Title 48; Title 50; Title 61; Title 66 and Title 67.

Current Status: Introduced

Introduction Date: January 04, 2023

Last Action Date: Refer to Senate Commerce & Labor Committee. January 20, 2023

Summary: This bill provides a consumer may invoke the consumer right at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A controller must comply with an authenticated consumer request to exercise the right to confirm whether a controller is processing the consumer's personal information and to access the personal information, correct inaccuracies in the consumer's personal information, taking into account the nature of the personal information and the purposes of the processing of the consumer's personal information, and delete personal information provided by or obtained about the consumer. A business is not required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data in the possession of the business is not linked to a specific consumer. A controller will limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer, and not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer unless the controller obtains the consumer's consent.

Location: US-TN

UT HB 303

Title: Elections Record Amendments

Current Status: Introduced

Introduction Date: January 27, 2023

Last Action Date: House/ to standing committee : House Government Operations Committee. February 03, 2023

Summary: This bill provides that, beginning January 1, 2024, a voter registration record classified as a private record before May 12, 2020, will no longer be classified as a private record in its entirety and will, as with all other voter registration records, be subject to the following: certain information in the record will, by default, always be classified as private, certain other information in the record may be classified as private upon request of the voter, and under certain circumstances, the entire record may be classified as private upon request of the voter. It also requires a county clerk to provide to a voter impacted by the change in classification described above: notice of the change and when the change goes into effect and a description of the information in the voter registration record that will be classified as private by default, a description of how a voter may request that additional information be classified as private, and a description of how, and the circumstances under which, a voter may request that the entire record be classified as private. The bill classifies as protected a record that discloses, by name, address, or other identifying information, that a particular voter's ballot has been rejected.

Location: US-UT

VA HB 1688

Title: Consumer Data Protection Act; protections for children.

Current Status: Considering

Introduction Date: January 09, 2023

Last Action Date: House: VOTE: Passage (96-Y 2-N). February 03, 2023

Summary: This bill requires an operator, defined in the bill, to obtain verifiable parental consent prior to registering any child with the operator's product or service or before collecting, using, or disclosing such child's personal data and prohibits a controller from knowingly processing the personal data of a child for purposes of (i) targeted advertising, (ii) the sale of such personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. The bill also amends the definition of child for purposes of the Consumer Data Protection Act to include any natural person younger than 18 years of age.

Description: Consumer Data Protection Act; protections for children. Requires an operator, defined in the bill, to obtain verifiable parental consent prior to registering any child with the operator's product or service or before collecting, using, or disclosing such child's personal data and prohibits a controller from knowingly processing the personal data of a child for purposes of (i) targeted advertising, (ii) the sale of such personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. The bill also amends the definition of child for purposes of the Consumer Data Protection Act to include any natural person younger than 18 years of age.

Location: US-VA

WA SB 5459

Title: Concerning requests for records containing election information.

Current Status: Introduced

Introduction Date: January 19, 2023

Last Action Date: Scheduled for executive session in the Senate Committee on State Government & Elections at 8:00 AM (Subject to change).. February 10, 2023

Summary: This bill would require requisitions for information from the statewide voter database to be submitted to the secretary of state. It would also exempt the following from disclosure requirements: records regarding the infrastructure of a private entity submitted to elections officials are exempt from disclosure for a period of 25 years after the creation of the record when accompanied by an express statement that the record contains information about the private entity's infrastructure and public disclosure may increase risk to the integrity of election operations or infrastructure; and voted ballots, voted ballot images, copies of voted ballots, photographs of voted ballots, facsimile images of voted ballots, or cast vote records of voted ballots.

Location: US-WA

WA HB 1616

Title: Creating a charter of people's personal data rights.

Current Status: Introduced

Introduction Date: January 26, 2023

Last Action Date: First reading, referred to Civil Rights & Judiciary.. January 26, 2023

Summary: This bill establishes a consumer rights charter to their personal data, including the right to know what personal information a covered entity processes about the individual, including the categories and specific pieces of personal information the covered entity processes. A covered entity must make both a long-form privacy policy and a short-form privacy policy persistently and conspicuously available with certain information enclosed. A covered entity or Washington governmental entity that processes biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for processing such information has been satisfied or within 1 year of the individual's last interaction with the covered entity or Washington governmental entity, whichever occurs first.

Location: US-WA

WY HB 6

Title: Specified election records not subject to disclosure.

Current Status: Introduced

Introduction Date: November 30, 2022

Last Action Date: H07 - Corporations:Do Pass Failed 3-6-0-0-0. January 12, 2023

Summary: This bill adds new records that are to be confidential and added to existing election records that are not subject to disclosure under the Wyoming Public Records Act. Added election records include cast ballots, cast ballot images, cast vote records of individual voters, and other data derived from cast ballots of individual voters. When necessary, members of the county or state canvassing boards may access confidential information but will maintain its confidentiality amongst themselves. This act is effective July 1, 2023.

Description: AN ACT relating to elections; clarifying that specified election records are not subject to disclosure under the Wyoming Public Records Act; and providing for an effective date.

Location: US-WY

Powered by