Data Privacy

What is included in the report:

This report includes legislation pertaining to data privacy and cybersecurity. 


US Policy Map

You are tracking 0 US-Federal Bills and 0 US-Federal Regulations. You're also following state data as detailed below.

US Policy 104 Bills, 0 Regulations

Title: SB396 - TO CREATE THE SOCIAL MEDIA SAFETY ACT; TO REQUIRE AGE VERIFICATION FOR USE OF SOCIAL MEDIA; AND TO CLARIFY LIABILITY FOR FAILURE TO PERFORM AGE VERIFICATION FOR USE OF SOCIAL MEDIA AND ILLEGAL RETENTION OF DATA.

Current Status: Passed

Introduction Date: March 09, 2023

Last Action Date: Notification that SB396 is now Act 689. April 11, 2023

Summary: This bill states that a commercial entity or third-party vendor will not retain any identifying information of an individual after access to the social media platform has been granted. A commercial entity that is found to have knowingly retained identifying information of an individual after access to the material is granted is liable to the individual for damages resulting from the retention of the identifying information, including court costs and reasonable attorney's fees as ordered by the court.

Location: US-AR

Title: Social media platforms: electronic content management: controlled substances.

Current Status: Passed

Introduction Date: January 11, 2022

Last Action Date: Chaptered by Secretary of State - Chapter 432, Statutes of 2022.. September 19, 2022

Summary: This bill would, until January 1, 2028, and subject to specified exceptions, require a social media platform, as defined, that operates in the state to create and publicly post a policy statement that includes, among other things, the social media platform’s policy on the use of the social media platform to illegally distribute a controlled substance, and a link to the social media platform’s reporting mechanism for illegal or harmful content or behavior if one exists. The bill would require a person or entity operating the social media platform to update the policy statement as necessary and consider consulting with specified entities to assist in developing and supporting the policy statement.

Description: AB 1628, Ramos. Social media platforms: electronic content management: controlled substances. Existing law requires an operator of a commercial internet website or online service that collects personally identifiable information through the internet about individual consumers residing in California who use or visit its commercial internet website or online service to conspicuously post its privacy policy on its internet website. Existing law also limits advertising by an operator of an internet website, online service, online application, or mobile application directed to minors.This bill would, until January 1, 2028, and subject to specified exceptions, require a social media platform, as defined, that operates in the state to create and publicly post a policy statement that includes, among other things, the social media platform’s policy on the use of the social media platform to illegally distribute a controlled substance, as defined, and a link to the ....

Location: US-CA

Title: Privacy: breach.

Current Status: Failed

Introduction Date: January 26, 2022

Last Action Date: Vetoed by Governor.. September 23, 2022

Summary: This bill would require an agency to post a notice on the agency’s internet website when a person or business operating a system on behalf of the agency is required to issue a security breach notification for that system. It further outlines what information, at minimum, must be provided in the breach notification, such as the name and contact information of the reporting agency subject to this section, a list of the types of personal information that were or are reasonably believed to have been the subject of a breach, the date and time of the breach, etc. If the agency demonstrates that the cost of providing notice would $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information, a substitute notice must consist of an email notice when the agency has an email address for the subject persons, conspicuous posting, for a minimum of 30 days, of the notice on the agency’s internet website, if the agency maintains one, or notification to major statewide media and the Office of Information Security within the Department of Technology.

Description: AB 1711, Seyarto. Privacy: breach. Existing law requires an agency or a person or business that conducts business in California that owns or licenses computerized data that includes personal information to disclose a breach of security of the system following discovery or notification of the breach in the security data to certain residents of California, as specified.This bill would require an agency to post a notice on the agency’s internet website when a person or business operating a system on behalf of the agency is required to issue a security breach notification for that system pursuant to the above-described provisions, as specified.This bill would incorporate additional changes to Section 1798.29 of the Civil Code proposed by AB 2958 to be operative only if this bill and AB 2958 are enacted and this bill is enacted last.

Location: US-CA

Title: California Privacy Rights Act of 2020: exemptions.

Current Status: Failed

Introduction Date: February 18, 2022

Last Action Date: From committee without further action.. November 30, 2022

Summary: The California Privacy Rights Act of 2020 (CPRA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to require the business to delete personal information about the consumer. The CPRA, until January 1, 2023, exempts from certain provisions of the act personal information reflecting a communication or a transaction between the business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service. The CPRA, until January 1, 2023, also exempts from certain provisions of the act personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business. This bill would extend those above-described exemptions indefinitely.

Description: SB 1454, as amended, Archuleta. California Privacy Rights Act of 2020: exemptions. Existing law, the California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to require the business to delete personal information about the consumer, as specified.The CPRA, until January 1, 2023, exempts from certain provisions of the act personal information reflecting a communication or a transaction between the business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service. The CPRA, until January 1, 2023, also exempts from certain provisions of the act personal information that is collect....

Location: US-CA

Title: California Consumer Privacy Act: exemptions.

Current Status: Failed

Introduction Date: February 18, 2022

Last Action Date: From committee without further action.. November 30, 2022

Summary: Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to require the business to delete personal information about the consumer, as specified. Existing law provides that the obligations the CCPA imposes on businesses shall not restrict a business’ ability to, among other things, comply with state law. Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election (Proposition 24), amended, added to, and reenacted the CCPA. The CCPA, as amended by Proposition 24, provides that certain exemptions to obligations imposed on businesses by specified provisions of the CCPA would expire on January 1, 2023. Existing law, until January 1, 2023, exempts from certain provisions of the CCPA personal information reflecting a communication or a transaction between the business and a company, partnership, sole proprietorship, nonprofit, or government agency that occur solely within the context of the business conducting due diligence or providing or receiving a product or service. Existing law also exempts personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business. This bill would extend those above-described exemptions until January 1, 2026. This bill would declare that its provisions further the purposes and intent of Proposition 24.

Description: AB 2891, as introduced, Low. California Consumer Privacy Act: exemptions. Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to require the business to delete personal information about the consumer, as specified. Existing law provides that the obligations the CCPA imposes on businesses shall not restrict a business’ ability to, among other things, comply with state law.Existing law, the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election (Proposition 24), amended, added to, and reenacted the CCPA. The CCPA, as amended by Proposition 24, provides that certain exemptions to obligations imposed on businesses by specified provisions of the CCPA would expire on January 1, 2023.Existing law, until January 1, 2023, ex....

Location: US-CA

Title: Information Practices Act of 1977.

Current Status: Failed

Introduction Date: February 18, 2022

Last Action Date: Vetoed by Governor.. September 19, 2022

Summary: This bill updates existing law related to the Information Practices Act of 1977 which prescribes a set of requirements, prohibitions, and remedies applicable to agencies, as defined, with regard to their collection, storage, and disclosure of personal information, as defined. This bill would include, among other things, genetic information, IP address, online browsing history, and location information, if these pieces of data can reasonably identify or describe an individual, within the definition of “personal information,” and revise the definition of “regulatory agency” to include the Financial Industry Regulatory Authority, for the act’s purposes. Further, this bill would prohibit an agency from using records containing personal information for any purpose or purposes other than the purpose for which that personal information was collected except as required by state or federal law. This bill further revises the circumstances that may allow the disclosure of personal information in a manner that links the information disclosed to the individual to whom it pertains. .

Description: AB 2677, Gabriel. Information Practices Act of 1977. Existing law, the Information Practices Act of 1977, prescribes a set of requirements, prohibitions, and remedies applicable to agencies, as defined, with regard to their collection, storage, and disclosure of personal information, as defined. Existing law exempts from the provisions of the act counties, cities, any city and county, school districts, municipal corporations, districts, political subdivisions, and other local public agencies, as specified.This bill would, beginning January 1, 2025, recast those provisions to include, among other things, genetic information, IP address, online browsing history, and location information, if reasonably capable of identifying or describing an individual, within the definition of “personal information,” and revise the definition of “regulatory agency” to include the Financial Industry Regulatory Authority, for the act’s purposes. The bill would make other techn....

Location: US-CA

Title: State Bar of California.

Current Status: Passed

Introduction Date: March 08, 2022

Last Action Date: Chaptered by Secretary of State - Chapter 419, Statutes of 2022.. September 18, 2022

Summary: Under existing provisions, any agency that maintains computerized data that includes personal information that the agency does not own is also required to notify the owner or licensee of the information of any breach of the security of the data following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Existing law sets forth requirements for the format and contents of the security breach notification. This bill would require the State Bar to comply with these disclosure requirements.

Description: AB 2958, Committee on Judiciary. State Bar of California. (1) Existing law, the State Bar Act, provides for the licensure and regulation of attorneys by the State Bar of California, a public corporation. Existing law creates within the State Bar a Governance in the Public Interest Task Force, which is required to prepare and submit a report every 3 years that includes recommendations for enhancing the protection of the public and ensuring that protection of the public is the highest priority in the licensing, regulation, and discipline of attorneys, as specified.This bill would repeal those provisions establishing and imposing duties on the Governance in the Public Interest Task Force.(2) The State Bar is governed by a board of trustees. Existing law requires the board to consist of 13 members appointed by certain authorities for a term of 4 years, requires appointing authorities to fill vacancies, and limits the reappointment of certain members, as specified.....

Location: US-CA

Title: Data broker registration: accessible deletion mechanism.

Current Status: Passed

Introduction Date: February 08, 2023

Last Action Date: Chaptered by Secretary of State. Chapter 709, Statutes of 2023.. October 10, 2023

Summary: This bill would require a data broker to register with, pay a registration fee to, and provide information to, the agency instead of the Attorney General, and would require the agency to maintain the informational internet website described above. The bill would require a data broker to compile and disclose specified information relating to requests received under the California Consumer Protection Act (CCPA). The bill would make a data broker that fails to register as required by the provisions described above liable for administrative fines and costs in an administrative action brought by the agency, as specified, and would require the agency to stay an administrative action or investigation upon request by the Attorney General, as specified. This bill would require the agency to establish an accessible deletion mechanism that, among other things, allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The bill would specify requirements for this accessible deletion mechanism, and would, beginning August 1, 2025, require a data broker to access the mechanism at least once every 31 days and, among other things, process all pending deletion requests, except as specified. The bill would, beginning July 1, 2025, prohibit a data broker from collecting, retaining, selling, or sharing personal information on a consumer who has submitted a deletion request pursuant to these provisions unless the data collection is requested by the consumer. The bill would, beginning January 1, 2027, and every 3 years thereafter, require a data broker to undergo an audit by an independent third party to determine compliance with these provisions and would require the data broker to submit an audit report to the agency, as specified. The bill would authorize the agency to charge a fee to data brokers for accessing the accessible deletion mechanism, as specified. The bill would provide that a data broker that fails to comply with the requirements pertaining to the accessible deletion mechanism described above is liable for civil penalties, administrative fines, fees, and costs, as specified, and would raise the amount of the existing civil penalty provisions described above. The bill would require that civil penalties, administrative fines, fees, and costs recovered under these provisions be deposited in the Data Brokers’ Registry Fund instead of the Consumer Privacy Fund, and would expand the specified uses of money in the Data Brokers’ Registry Fund to include the costs incurred by the state courts and the Attorney General in connection with enforcing these provisions and the costs of establishing, maintaining, and providing access to the accessible deletion mechanism described above.

Description: SB 362, Becker. Data broker registration: accessible deletion mechanism. The California Consumer Privacy Act of 2018 (CCPA) grants a consumer various rights with respect to personal information that is collected or sold by a business, including the right to request that a business disclose specified information that has been collected about the consumer, to request that a business delete personal information about the consumer that the business has collected from the consumer, and to direct a business not to sell or share the consumer’s personal information, as specified. The CCPA defines various terms for these purposes. The California Privacy Rights Act of 2020 (CPRA), approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA and establishes the California Privacy Protection Agency (agency) and vests the agency with full administrative power, authority, and jurisdiction to enforce ....

Location: US-CA

Title: California Consumer Privacy Act of 2018: sensitive personal information.

Current Status: Passed

Introduction Date: February 14, 2023

Last Action Date: Chaptered by Secretary of State - Chapter 551, Statutes of 2023.. October 08, 2023

Summary: The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to request that a business delete personal information about the consumer that the business has collected from the consumer. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. The CCPA establishes the California Privacy Protection Agency and vests it with full administrative power, authority, and jurisdiction to implement and enforce the CCPA. The CCPA requires the agency to be governed by a 5-member board appointed, as specified, from among Californians with expertise in the areas of privacy, technology, and consumer rights. The CCPA requires members of the board to have qualifications, experience, and skills, in particular in the areas of privacy and technology, required to perform the duties of the agency and exercise its powers.This bill would require members of the board to additionally have qualifications, experience, and skills in consumer rights.The California Privacy Rights Act of 2020 authorizes the Legislature to amend the act to further the purposes and intent of the act by a majority vote of both houses of the Legislature, as specified.This bill would declare that its provisions further the purposes and intent of the California Privacy Rights Act of 2020.

Description: AB 947, Gabriel. California Consumer Privacy Act of 2018: sensitive personal information. The California Consumer Privacy Act of 2018 (CCPA) grants to a consumer various rights with respect to personal information, as defined, that is collected by a business, as defined, including the right to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform certain other services, and as authorized by certain regulations. The CCPA defines “sensitive personal information to mean personal information that reveals, among other things, a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the....

Location: US-CA

Title: AN ACT CONCERNING ARTIFICIAL INTELLIGENCE, AUTOMATED DECISION-MAKING AND PERSONAL DATA PRIVACY.

Current Status: Passed

Introduction Date: February 23, 2023

Last Action Date: Signed by the Governor. June 07, 2023

Summary: This bill establishes an Office of Artificial Intelligence and exempt air carriers from certain provisions concerning data privacy. This bill provides that a controller will not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, or wilfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age and establishes a task force to study artificial intelligence and develop an artificial intelligence bill of rights.

Description: To: (1) Establish an Office of Artificial Intelligence; (2) exempt air carriers from certain provisions concerning data privacy; (3) provide that a controller shall not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, or wilfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age; and (4) establish a task force to (A) study artificial intelligence, and (B) develop an artificial intelligence bill of rights.

Location: US-CT

Title: Sunshine in Litigation Act of 2023

Current Status: Introduced

Introduction Date: July 13, 2023

Last Action Date: Referred to Committee on Judiciary and Public Safety. September 19, 2023

Summary: The "Sunshine in Litigation Act of 2023" is a bill by the Council of the District of Columbia. It prohibits the use of confidentiality agreements and protective orders in civil actions involving defective products or environmental conditions that pose significant harm. Any provision in a settlement agreement that restricts the disclosure of factual information related to the action is considered void and unenforceable. The court is also prohibited from entering any order that restricts public disclosure of a public hazard in such cases. However, certain information, such as personal medical or financial information, settlement amounts, and trade secrets, may still be restricted. Any person can challenge a provision or order violating the act, and the court may award costs and attorneys' fees to the prevailing party. The act defines "covered civil action" as a civil action involving a public hazard that has caused or is likely to cause significant bodily injury, illness, or death. There is a presumption in favor of public disclosure of public hazards, except for the specified exceptions. The act will take effect following approval by the Mayor, congressional review, and publication.

Description: BILL SUMMARY - As introduced Bill 25-429 would prohibit confidentiality agreements and protective orders in civil actions involving defective products or environmental conditions that are likely to cause significant harm, and to allow members of the public to challenge agreements and orders that violate this act.

Location: US-DC

Title: AN ACT TO AMEND TITLE 6 OF THE DELAWARE CODE RELATING TO PERSONAL DATA PRIVACY AND CONSUMER PROTECTION.

Current Status: Passed

Introduction Date: May 12, 2023

Last Action Date: Signed by Governor. September 11, 2023

Summary: This bill establishes regulations regarding the protection of consumer personal data. It applies to businesses operating in the state or targeting residents of the state and sets criteria based on the amount of consumer data processed or revenue derived from the sale of personal data. Certain entities such as government bodies, financial institutions subject to specific regulations, and data covered under specific federal acts are exempt. The bill grants consumers rights including access, correction, deletion, and portability of their personal data, as well as the ability to opt out of targeted advertising and certain profiling activities. Controllers must respond to consumer requests within specified timeframes and provide an appeal process, with the option for consumers to file complaints with the Department of Justice.

Description: This bill creates the Delaware Personal Data Privacy Act. The Act delineates a consumer’s personal data rights and provides that residents of this State will have the right to know what information is being collected about them, see the information, correct any inaccuracies, or request deletion of their personal data that is being maintained by entities or people. This Act is modeled after existing frameworks for data privacy in other jurisdictions. This Act will apply to entities that conduct business in the State of Delaware who controlled or processed the personal data of not less than 35,000 consumers or controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data. This Act requires Delaware Department of Justice to engage in public outreach to educate consumers and the business community about the Act beginning at least 6 months prior to the effective date of the Act.

Location: US-DE

Title: Technology Transparency

Current Status: Passed

Introduction Date: March 03, 2023

Last Action Date: Chapter No. 2023-201, companion bill(s) passed, see CS/CS/SB 1648 (Ch. 2023-262). June 07, 2023

Summary: This bill prohibits a data controller from collecting certain consumer information without the consumer’s authorization. Specifically, a controller may not collect, without the consumer’s authorization, a consumer’s precise geolocation data or personal information through the operation of a voice recognition feature. They must also maintain an up-to-date privacy policy. Consumers must be informed of the kind of information that will be collected and for what purpose, their right to request information be deleted or modified, and their right to opt out of the sale or sharing of said data to third parties, among other items. Controllers that collect personal information are further required to implement reasonable security procedures and practices to protect such information.

Description: Prohibiting officers or salaried employees of governmental entities from using their positions or state resources to make certain requests of social media platforms; prohibiting certain conduct by an online platform that provides online services, products, games, or features likely to be predominantly accessed by children; creating the “Florida Digital Bill of Rights”; providing that a consumer may submit requests to controllers to exercise specified rights; requiring controllers to limit the collection of personal data according to certain parameters, etc.

Location: US-FL

Title: Technology Transparency

Current Status: Failed

Introduction Date: March 06, 2023

Last Action Date: Laid on Table; companion bill(s) passed, see CS/CS/SB 262 (Ch. 2023-201), CS/CS/SB 1648 (Ch. 2023-262). May 02, 2023

Summary: This bill prohibits officers or salaried employees of governmental entities from using their positions or state resources to make certain requests of social media platforms and prohibits governmental entities from initiating or maintaining certain agreements or working relationships with social media platforms. Additionally, this bill providing exceptions, prohibits controller from collecting certain consumer information, requires collectors to provide notice to consumers about data collection, sharing, & selling practices, and provides consumers right to request data be disclosed, deleted, or corrected & to opt-in or opt-out of sale or sharing of data. This bill provides social media protections for children and provides nondiscrimination measures, methods for requesting data & opting-in or opting-out of sale or sharing of data, private cause of action, & enforcement. This bill preempts regulation of consumer date collection, sharing, & selling to the state and requires certain money to be deposited in Legal Affairs Revolving Trust Fund.

Description: Prohibits officers or salaried employees of governmental entities from using their positions or state resources to make certain requests of social media platforms; prohibits governmental entities from initiating or maintaining certain agreements or working relationships with social media platforms; providing exceptions; prohibits controller from collecting certain consumer information; requires collectors to provide notice to consumers about data collection, sharing, & selling practices; provides consumers right to request data be disclosed, deleted, or corrected & to opt-in or opt-out of sale or sharing of data; provides social media protections for children; provides nondiscrimination measures, methods for requesting data & opting-in or opting-out of sale or sharing of data, private cause of action, & enforcement; preempts regulation of consumer date collection, sharing, & selling to the state; requires certain moneys to be deposited in Legal Affairs Revolving Trust Fund.

Location: US-FL

Title: Proposing An Amendment To The Hawaii State Constitution Establishing The Right To Own One'S Own Data.

Current Status: Failed

Introduction Date: January 18, 2023

Last Action Date: Carried over to 2024 Regular Session.. December 11, 2023

Description: Proposes to amend Article I of the Hawaii State Constitution by establishing the right of each person to own and have an exclusive property right in the data they generate on the Internet.

Location: US-HI

Title: Relating To Consumer Data Protection.

Current Status: Failed

Introduction Date: January 20, 2023

Last Action Date: Carried over to 2024 Regular Session.. December 11, 2023

Summary: This bill establishes a framework to regulate controllers and processors with access to personal consumer data. It also establishes penalties and establishes a new consumer privacy special fund.

Description: Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes penalties. Establishes a new consumer privacy special fund. Appropriates moneys. Effective 7/1/2050. (SD2)

Location: US-HI

Title: Relating To Consumer Data Protection.

Current Status: Failed

Introduction Date: January 20, 2023

Last Action Date: Carried over to 2024 Regular Session.. December 11, 2023

Summary: This bill establishes a framework to regulate controllers and processors with access to personal consumer data. It establishes that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair and deceptive acts or practices in the conduct of any trade of commerce. It also authorizes a person injured by a violation of the personal consumer data act to bring a civil action against a controller or processor.

Description: Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair and deceptive acts or practices in the conduct of any trade of commerce. Authorizes a person injured by a violation of the personal consumer data act to bring a civil action against a controller or processor.

Location: US-HI

Title: Relating To Consumer Data Protection.

Current Status: Failed

Introduction Date: January 25, 2023

Last Action Date: Carried over to 2024 Regular Session.. December 11, 2023

Summary: This bill establishes a framework to regulate controllers and processors with access to personal consumer data. It establishes that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair and deceptive acts or practices in the conduct of any trade of commerce and authorizes a person injured by a violation of the personal consumer data act to bring a civil action against a controller or processor.

Description: Establishes a framework to regulate controllers and processors with access to personal consumer data. Provides that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce. Provides for a written notice and thirty-day opportunity to cure a violation without any action being brought or penalties being incurred. Effective 6/30/3000. (HD1)

Location: US-HI

Title: A bill for an act relating to consumer data protection, providing civil penalties, and including effective date provisions.(See HF 346.)

Current Status: Failed

Introduction Date: January 12, 2023

Last Action Date: Committee report approving bill, renumbered as HF 346.. February 20, 2023

Summary: This bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data will be subject to the provisions of the bill. The bill provides consumers have personal data rights that may be invoked at any time. The controller must comply with such requests, within 45 days, to confirm or deny whether the controller is processing the personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing. The bill provides that controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing.

Location: US-IA

Title: A bill for an act relating to consumer data protection, providing civil penalties, and including effective date provisions.(See SF 262.)

Current Status: Failed

Introduction Date: January 23, 2023

Last Action Date: Committee report approving bill, renumbered as SF 262.. February 13, 2023

Summary: The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data will be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the federal Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules by the department of health and human services, certain federal governance laws, and the federal Health Insurance Portability and Accountability Act, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill. The bill provides consumers have personal data rights that may be invoked at any time. The controller must comply with such requests to confirm or deny whether the controller is processing the personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing. The bill provides that controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. Controllers must give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfers. The bill takes effect January 1, 2025.

Location: US-IA

Title: A bill for an act relating to consumer data protection, providing civil penalties, and including effective date provisions. (Formerly SSB 1071.) Effective date: 01/01/2025.

Current Status: Passed

Introduction Date: February 13, 2023

Last Action Date: Signed by Governor.. March 28, 2023

Summary: This bill relates to consumer data protection. The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data will be subject to the provisions of the bill. The bill provides consumers have personal data rights that may be invoked at any time. The bill requires that controllers provide responses to defined personal data requests within 90 days of a consumer initiating a request. Responses to personal data requests will be provided to a consumer free of charge up to twice per year. This bill provides that controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. The bill provides that controllers give consumers reasonably accessible and clear privacy notices that inform consumers of the information regarding personal data transfer and purposes and the methods for consumers to exercise rights. This is a similar bill to the IA House version.

Location: US-IA

Title: A bill for an act relating to consumer data protection, providing civil penalties, and including effective date provisions.(Formerly HSB 12.)

Current Status: Failed

Introduction Date: February 20, 2023

Last Action Date: Withdrawn.. March 15, 2023

Summary: This bill relates to consumer data protection. The bill provides that persons conducting business in the state or producing products or services targeted to Iowans that annually control or process personal data of over 99,999 consumers or control or process personal data of 25,000 consumers with 50 percent of gross revenue derived from the sale of the personal data shall be subject to the provisions of the bill. The state and political subdivisions of the state, financial institutions or data subject to the federal Gramm-Leach-Bliley Act of 1999, certain organizations governed by rules by the department of health and human services, certain federal governance laws and the federal Health Insurance Portability and Accountability Act, nonprofit organizations, higher learning institutions, and certain protected information and personal data collected under state or federal laws are exempt from provisions in the bill. The bill provides consumers have personal data rights that may be invoked at any time. The controller will comply with such requests to confirm or deny whether the controller is processing the personal data, to provide the consumer with a copy of their personal data, and to remove the consumer or child from personal data processing. The bill requires that controllers provide responses to defined personal data requests within 90 days of a consumer initiating a request and at no charge up to twice per year. This bill provides that controllers must disclose to the consumer the types of data being collected and obtain consent from the consumers regarding the collection of personal data and sensitive personal data processing. The bill includes personal data processing exemptions, including pseudonymous data and de-identified data as defined by the bill and provides that the bill shall not restrict controller or processor abilities to improve business of function.

Location: US-IA

Title: Right To Know Act

Current Status: Introduced

Introduction Date: January 24, 2023

Last Action Date: Rule 19(a) / Re-referred to Rules Committee. March 10, 2023

Summary: This bill creates the Right to Know Act. It provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. It further requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information and provides for a data protection safety plan. This bill provides for a right of action to customers whose rights are violated under the Act, provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act will be void and unenforceable and provides that no provision of the Act will be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with State or local government.

Description: Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the Act. Provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act shall be void and unenforceable. Provides that no provision of the Act shall be con....

Location: US-IL

Title: Right To Know Act

Current Status: Introduced

Introduction Date: February 06, 2023

Last Action Date: Rule 3-9(a) / Re-referred to Assignments. March 10, 2023

Summary: Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the act. Provides that any waiver of the provisions of the act or any agreement that does not comply with the applicable provisions of the act shall be void and unenforceable. Provides that no provision of the act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with state or local government. Provides findings and purpose. Defines terms.

Description: Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the Act. Provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act shall be void and unenforceable. Provides that no provision of the Act shall be con....

Location: US-IL

Title: Consumer data protection.

Current Status: Passed

Introduction Date: January 09, 2023

Last Action Date: Signed by the Governor. May 01, 2023

Summary: This bill establishes a new article in the Indiana Code concerning consumer data protection, to take effect January 1, 2026. It sets forth the following within the new article: (1) Definitions of various terms that apply throughout the article. (2) Exemptions from the bill's requirements concerning the responsibilities of controllers of consumers' personal data. (3) The rights of an Indiana consumer to do the following: (A) Confirm whether or not a controller is processing the consumer's personal data. (B) Correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller. (C) Delete the consumer's personal data held by a controller. (D) Obtain a copy or representative summary of the consumer's personal data that the consumer previously provided to the controller. (E) Opt out of the processing of the consumer's personal data for certain purposes. (4) The responsibilities of controllers of consumers' personal data. (5) The roles of controllers and processors with respect to a consumer's personal data. (6) Requirements for data protection impact assessments by controllers of consumers' personal data. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The authority of the attorney general to investigate and enforce suspected or actual violations of the new article. (10) The preemption of local rules, regulations, and laws regarding the processing of personal data.

Description: Establishes a new article in the Indiana Code concerning consumer data protection, to take effect January 1, 2026. Sets forth the following within the new article: (1) Definitions of various terms that apply throughout the article. (2) Exemptions from the bill's requirements concerning the responsibilities of controllers of consumers' personal data. (3) The rights of an Indiana consumer to do the following: (A) Confirm whether or not a controller is processing the consumer's personal data. (B) Correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller. (C) Delete the consumer's personal data held by a controller. (D) Obtain a copy or representative summary of the consumer's personal data that the consumer previously provided to the controller. (E) Opt out of the processing of the consumer's personal data for certain purposes. (4) The responsibilities of controllers of consumers' personal data. (5) The roles of controllers and processors w....

Location: US-IN

Title: Consumer data protection.

Current Status: Failed

Introduction Date: January 19, 2023

Last Action Date: First reading: referred to Committee on Commerce, Small Business and Economic Development. January 19, 2023

Summary: This bill establishes in the Indiana Code a new article concerning consumer data protection, to take effect January 1, 2024. It sets forth the following within the new article: (1) Definitions of terms that apply throughout the article. (2) Exemptions for certain: (A) persons; and (B) types of information and data; from the bill's requirements concerning the personal data of Indiana consumers (consumers). (3) The rights of a consumer with respect to personal data relating to the consumer. (4) The responsibilities of controllers of consumers' personal data (controllers). (5) The roles of: (A) controllers; and (B) processors of consumers' personal data (processors); with respect to a consumer's personal data. (6) Requirements for data protection assessments by controllers. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The establishment, maintenance, and publication by the attorney general's consumer protection division of a quarterly listing of electronic mail addresses of consumers who request that their personal data not be sold. (10) Requirements for brokers of consumers' personal information (data brokers) to: (A) provide notification of security breaches; and (B) register annually with the attorney general. (11) The authority of the attorney general to investigate and enforce suspected or actual violations of the new article. (12) The establishment of the consumer privacy account within the state general fund to support the work of the attorney general in enforcing the new article. (13) The authority of the attorney general to: (A) to adopt rules to administer the new article; and (B) issue opinion letters and interpretive guidance to develop an operational framework for persons subject to the new article. (14) The preemption of local rules, regulation, and laws regarding the processing of personal data.

Description: Establishes in the Indiana Code a new article concerning consumer data protection, to take effect January 1, 2024. Sets forth the following within the new article: (1) Definitions of terms that apply throughout the article. (2) Exemptions for certain: (A) persons; and (B) types of information and data; from the bill's requirements concerning the personal data of Indiana consumers (consumers). (3) The rights of a consumer with respect to personal data relating to the consumer. (4) The responsibilities of controllers of consumers' personal data (controllers). (5) The roles of: (A) controllers; and (B) processors of consumers' personal data (processors); with respect to a consumer's personal data. (6) Requirements for data protection assessments by controllers. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The establishment, maintenance, and publication by the attorney general's consumer protection division....

Location: US-IN

Title: AN ACT relating to consumer data privacy.

Current Status: Failed

Introduction Date: January 03, 2023

Last Action Date: returned to Committee on Committees (H). March 16, 2023

Summary: This bill requires a data controller to comply with a consumer request to exercise those rights, including confirming whether or not a controller is processing the consumer's data and providing the consumer access to his or her data, deleting his or her personal data, providing a copy of the consumer's data that he or she previously provided in a portable and usable format, opting out of targeted advertising, opting out of tracking, and opting out of the sale or sharing of his or her personal data. It also requires controllers to establish a process for consumers to appeal a controller's refusal to act on a consumer's request to exercise a right; set forth requirements for persons or entities that control or process personal data. The bill requires persons who control data to conduct data protection impact assessments, and establishes that the Attorney General has exclusive authority to enforce, with the exception of a private right of action by which consumers can seek injunctive relief for specific violations if the data controller or processor received written notice of violation from the Attorney General and failed to cure the violation within 30 days.

Description: Create new sections of KRS Chapter 367 to define terms; set the parameters for applicability of this Act; define various consumer rights related to data collection; require a data controller to comply with a consumer request to exercise those rights, including confirming whether or not a controller is processing the consumer's data and providing the consumer access to his or her data, deleting his or her personal data, providing a copy of the consumer's data that he or she previously provided in a portable and usable format, opting out of targeted advertising, opting out of tracking, and opting out of the sale or sharing of his or her personal data; require controllers to establish a process for consumers to appeal a controller's refusal to act on a consumer's request to exercise a right; set forth requirements for persons or entities that control or process personal data; require persons who control data to conduct data protection impact assessments; establish that the Attorney Genera....

Location: US-KY

Title: AN ACT relating to consumer data privacy.

Current Status: Failed

Introduction Date: February 15, 2023

Last Action Date: to Small Business & Information Technology (H). February 17, 2023

Summary: This bill creates new sections of KRS Chapter 367 to establish consumer rights relating to personal data, including the rights to confirm whether data is being processed, to delete personal data provided by the consumer, to obtain a copy of the consumer's personal data that was previously provided, and to opt out of targeted advertising and the sale of data. It defines terms, sets the types of data and the persons or entities to which the statutory provisions do and do not apply, sets forth requirements for persons or entities that control and process consumer data, establishes that the Attorney General has exclusive authority to enforce the consumer data privacy rights, and creates a consumer privacy fund in the State Treasury to be administered by the Office of the Attorney General.

Description: Creates new sections of KRS Chapter 367 to establish consumer rights relating to personal data, including the rights to confirm whether data is being processed, to delete personal data provided by the consumer, to obtain a copy of the consumer's personal data that was previously provided, and to opt out of targeted advertising and the sale of data; define terms; set forth the types of data and the persons or entities to which the statutory provisions do and do not apply; set forth requirements for persons or entities that control and process consumer data; establish that the Attorney General has exclusive authority to enforce the consumer data privacy rights; create a consumer privacy fund in the State Treasury to be administered by the Office of the Attorney General; EFFECTIVE January 1, 2025.

Location: US-KY

Title: ELECTION CODE: Prohibits the disclosure of certain information regarding the active duty or dependent status of certain voters

Current Status: Passed

Introduction Date: March 23, 2023

Last Action Date: Effective date: 08/01/2023.. June 08, 2023

Summary: The bill prohibits individuals handling voter registration information from disclosing the active duty or dependent status and physical mailing address of a voter who requested an absentee ballot under the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA).

Location: US-LA

Title: CONSUMERS/PROTECTION: Provides relative to the protection of data. (2/3-CA7s2.1(A)) (8/1/23)

Current Status: Failed

Introduction Date: March 31, 2023

Last Action Date: Introduced in the Senate; read by title. Rules suspended. Read second time and referred to the Committee on Commerce, Consumer Protection and International Affairs.. April 10, 2023

Summary: This bill, which creates the Louisiana Consumer Privacy Act, applies to controllers and processors conducting business or targeting their products to residents of the state who have an annual revenue of at least $25,000,000. It allows consumers to confirm whether their data is being processed, access and obtain a copy of their data, correct inaccuracies, delete their data, and opt-out of targeted advertising or the sale of personal data. Controllers must comply with these requests and notify the consumer within 45 days of receipt. The act also requires controllers to maintain reasonable data security practices, disclose information about their data processing, and prohibits discrimination against consumers for exercising their rights. It exempts certain entities and activities and defers to federal law in certain situations.

Location: US-LA

Title: An Act establishing the Massachusetts Data Privacy Protection Act

Current Status: Introduced

Introduction Date: February 16, 2023

Last Action Date: House concurred. February 16, 2023

Description: By Ms. Creem, a petition (accompanied by bill, Senate, No. 25) of Cynthia Stone Creem and Jason M. Lewis for legislation to establish the Massachusetts Data Privacy Protection Act. Advanced Information Technology, the Internet and Cybersecurity.

Location: US-MA

Title: An Act relative to internet service provider data

Current Status: Introduced

Introduction Date: February 16, 2023

Last Action Date: Senate concurred. February 16, 2023

Description: By Representative Jones of North Reading, a petition (accompanied by bill, House, No. 3179) of Bradley H. Jones, Jr., and others relative to internet service provider data. Telecommunications, Utilities and Energy.

Location: US-MA

Title: An Act establishing the Massachusetts Information Privacy and Security Act

Current Status: Introduced

Introduction Date: February 16, 2023

Last Action Date: Accompanied a new draft, see H4632. May 13, 2024

Summary: This bill provides that data controllers can only collect personal information that is reasonably necessary and only after an individual has given consent. Controllers must also provide a privacy notice to consumers describing the categories of personal information processed, the purpose of collecting the information, and if the controller sells personal information to third parties. Additionally, the bill establishes a consumer's right to opt-out of the processing of their personal information; revoke consent; and request to access, delete, or correct any of their personal information that has been processed. Controllers must respond to a consumer's request within 45 days. Personal information processed in compliance with the federal Gramm-Leach-Bliley 367 Act is exempt from this bill.

Description: By Mr. Finegold, a petition (accompanied by bill, Senate, No. 227) of Barry R. Finegold for legislation to establish the Massachusetts Information Privacy and Security Act. Economic Development and Emerging Technologies.

Location: US-MA

Title: An Act establishing the Massachusetts information privacy and security act

Current Status: Introduced

Introduction Date: February 16, 2023

Last Action Date: Accompanied a new draft, see H4632. May 13, 2024

Description: By Representative Carey of Easthampton, a petition (accompanied by bill, House, No. 60) of Daniel R. Carey and Mindy Domb relative to the security and the protection of personal information by establishing the Massachusetts information privacy and security act. Advanced Information Technology, the Internet and Cybersecurity.

Location: US-MA

Title: An Act relative to online advertising

Current Status: Introduced

Introduction Date: February 16, 2023

Last Action Date: Hearing scheduled for 02/06/2024 from 01:00 PM-03:00 PM in A-1. February 01, 2024

Summary: This bill, The Online Advertising Act, is proposed as a new law to regulate online advertising practices. It defines key terms such as "consumer," "non-personally identifiable information," "online preference marketing," "personally identifiable information," "publisher," and "third-party advertising network." The Act requires third-party advertising networks to provide clear and conspicuous notice on their websites regarding data collection and usage practices, including information about online preference marketing and procedures for opting out. Consent is required for sensitive data use and the merging of non-personally identifiable information with personally identifiable information. Third-party advertising networks must make efforts to protect collected data and provide consumers with access to their personally identifiable information. Violations of the Act may result in penalties imposed by the Attorney General. The duration for retention of non-personally identifiable information is limited to twenty-four months.

Description: By Representative Straus of Mattapoisett, a petition (accompanied by bill, House, No. 395) of William M. Straus for legislation to further regulate advertising on the Internet. Consumer Protection and Professional Licensure.

Location: US-MA

Title: An Act to establish the Massachusetts data privacy protection act

Current Status: Introduced

Introduction Date: February 16, 2023

Last Action Date: Accompanied a new draft, see H4632. May 13, 2024

Summary: This bill establishes various data privacy laws that aim to protect individuals and their privacy. It requires covered entities and service providers to make publicly available, in a clear, conspicuous, not misleading, a reasonably understandable privacy policy that provides a detailed and accurate representation of the data collection, processing, and transfer activities of the covered entity. A covered entity must provide an individual, after receiving a verified request from the individual, with the right to access their data and other information outlined in this bill.

Description: By Representatives Vargas of Haverhill and Rogers of Cambridge, a petition (accompanied by bill, House, No. 83) of Andres X. Vargas, David M. Rogers and Carmine Lawrence Gentile for legislation to establish the Massachusetts data privacy protection act. Advanced Information Technology, the Internet and Cybersecurity.

Location: US-MA

Title: Commercial Law – Consumer Protection – Biometric Data Privacy

Current Status: Failed

Introduction Date: January 20, 2023

Last Action Date: Hearing 2/08 at 1:00 p.m.. January 21, 2023

Summary: This bill regulates the use of biometric data by private entities, including by requiring certain private entities in possession of biometric data to develop a written policy, made available to the public, establishing a retention schedule and guidelines for the permanent destruction of biometric data. It also authorizes an individual alleging a violation of the Act to bring a civil action against the offending private entity and makes a violation of the Act an unfair, abusive, or deceptive trade practice.

Description: Regulating the use of biometric data by private entities, including by requiring certain private entities in possession of biometric data to develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanent destruction of biometric data; authorizing an individual alleging a violation of the Act to bring a civil action against the offending private entity; and making a violation of the Act an unfair, abusive, or deceptive trade practice.

Location: US-MD

Title: Consumer Protection - Online and Biometric Data Privacy

Current Status: Failed

Introduction Date: February 06, 2023

Last Action Date: Hearing 3/08 at 1:00 p.m.. February 07, 2023

Summary: This bill establishes the manner in which a controller or a processor may process a consumer's personal data and authorizes a consumer to exercise certain outlined rights in regard to their personal data. This bill further requires a controller of personal data to establish a method for a consumer to exercise certain rights in regard to the consumer's personal data and regulates the use of biometric data by a controller.

Description: Establishing generally the manner in which a controller or a processor may process a consumer's personal data; authorizing a consumer to exercise certain rights in regards to the consumer's personal data; requiring a controller of personal data to establish a method for a consumer to exercise certain rights in regards to the consumer's personal data; regulating the use of biometric data by a controller; etc.

Location: US-MD

Title: Consumer Protection - Online and Biometric Data Privacy

Current Status: Failed

Introduction Date: February 08, 2023

Last Action Date: Hearing 2/22 at 1:00 p.m.. February 08, 2023

Summary: This bill establishes the manner in which a controller or a processor may process a consumer's personal data and further authorizes a consumer to exercise certain rights in regard to the consumer's personal data. This bill also requires a controller of personal data to establish a method for a consumer to exercise certain rights in regard to their personal data and regulates the use of biometric data by a controller. This is a similar bill to the MD senate version of the same title.

Description: Establishing generally the manner in which a controller or a processor may process a consumer's personal data; authorizing a consumer to exercise certain rights in regards to the consumer's personal data; requiring a controller of personal data to establish a method for a consumer to exercise certain rights in regards to the consumer's personal data; regulating the use of biometric data by a controller; etc.

Location: US-MD

Title: An Act to Enact the Maine Consumer Privacy Act

Current Status: Failed

Introduction Date: May 18, 2023

Last Action Date: Placed in the Legislative Files. (DEAD). April 17, 2024

Summary: This bill, which enacts the Maine Consumer Privacy Act, establishes provisions regarding the processing and protection of personal data. It applies to individuals or businesses operating in the state that handle the personal data of a significant number of consumers. Consumers have the right to confirm whether their personal data is being processed, access and correct their data, delete their data, and obtain a copy of their data in a portable format. Controllers must obtain consumer consent for targeted advertising or sale of personal data and establish mechanisms for consumers to exercise their rights. The bill also outlines responsibilities for processors and controllers and requires contractual agreements between them.

Location: US-ME

Title: An Act to Enact the Maine Data Privacy and Protection Act

Current Status: Failed

Introduction Date: May 23, 2023

Last Action Date: Placed in Legislative Files (DEAD). April 17, 2024

Summary: The bill establishes the right for an individual to access, correct, or delete their data. It also requires covered entities to provide a publically available privacy notice detailing the data collection, processing, and transfer activities of the covered entity. Further, a covered entity must provide an opportunity for an individual to object to a data transfer through an opt-out mechanism. This bill prohibits covered entities from collecting, processing, or transferring covered data unless it is limited to what is reasonably necessary; transferring an individual's sensitive data to a third party without affirmative consent; engaging in deceptive advertising or marketing; processing sensitive data for targeted advertising; and retaliating against individuals for exercising their rights regarding their data. Additionally, a covered entity that is not a small business and uses a covered algorithm that poses a risk to individuals and is used for data collection or transfers must annually conduct an impact assessment.

Location: US-ME

Title: Consumer protection: privacy; internet privacy act; create. Creates new act.

Current Status: Failed

Introduction Date: September 27, 2022

Last Action Date: REFERRED TO COMMITTEE ON ENERGY AND TECHNOLOGY. September 27, 2022

Summary: This bill establishes the privacy rights of consumers to require certain persons to provide certain notices to consumers regarding the processing and sale of personal data. It outlines data broker registration in responsibilities. It also prohibits certain acts and practices concerning the processing and sale of personal data. The bill also establishes standards and practices regarding the processing and sale of personal data and provides for the powers and duties of certain state governmental officers and entities. It also creates certain funds and remedies for violations of this act.

Location: US-MI

Title: Consumer's consent prior to collecting personal information requirement

Current Status: Introduced

Introduction Date: January 30, 2023

Last Action Date: Referred to Commerce and Consumer Protection. January 30, 2023

Summary: This bill states that a business must not collect, use, or disclose a consumer's personal information without the consumer's consent. In order to receive the consumer's consent, the business must, at or before the point of collection of the consumer's personal information, notify the consumer of the categories of personal information the business collects about the consumer, the categories of sources from which the business collects the personal information, for each category of personal information, the purpose for collecting the personal information, and for each category of personal information, the categories of persons to which the personal information may be disclosed and the purpose for the disclosure. A business must not collect additional categories of personal information, use personal information collected for additional purposes, or disclose additional personal information without notifying the consumer consistent with paragraph (b) and receiving the consumer's consent consistent with paragraph (a) regarding the additional categories, purposes, or disclosures. This bill also adds enforcement provisions for the implementation of this bill.

Location: US-MN

Title: Various rights given to consumers regarding personal data, data transparency obligations placed on businesses, private right of action created, and enforcement by attorney general provided.

Current Status: Introduced

Introduction Date: February 06, 2023

Last Action Date: Author added Hornstein. March 06, 2023

Summary: This bill states that a business that collects personal information about a consumer must, at or before the point of collection, notify the consumer of the categories of personal information the business collects about the consumer, the categories of sources from which the business collects the personal information, for each category of personal information, the business or commercial purpose for collecting the personal information, for each category of personal information, the categories of service providers to which the personal information may be disclosed and the business purpose for the disclosure, the consumer's right to access personal information under section 325O.045, and the consumer's right to deletion of personal information under section 325O.052. A business must not collect additional categories of personal information, use personal information collected for additional purposes, or disclose additional personal information without providing the consumer with notice consistent with paragraph (a). A business must make available to consumers two or more designated methods for submitting a request to either access personal information pursuant to section 325O.045 or to delete personal information pursuant to section 325O.052. This bill outlines duties a business must do at the point of sale of data to third parties. A third party must not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to section 325O.05. ) A consumer may at any time request that a business that collects a consumer's personal information give the consumer access to the consumer's personal information collected by the business for various outlined circumstances. A business that receives a request from a consumer to access personal information will promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by paragraph (a) within 45 days of receiving the consumer request. A business will not be required to provide personal information to a consumer more than twice in a 12-month period. A consumer may, at any time, direct a business that sells personal information about the consumer to a third party not to sell the consumer's personal information. A consumer may request that a business delete any personal information about the consumer which the business has collected from the consumer.

Location: US-MN

Title: Consumer rights provided regarding personal data, obligations placed on businesses regarding consumer data, and enforcement provided by the attorney general.

Current Status: Introduced

Introduction Date: March 01, 2023

Last Action Date: Committee report, to adopt as amended and re-refer to Ways and Means. March 14, 2024

Summary: The bill's provisions apply to entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota and control or process the personal data of 100,000 consumers or derive more than 25 percent of gross revenue from the sale of personal data of 25,000 consumers or more. The bill provides consumers the right to request to access, correct, delete, and obtain their personal data, as well as opt out of the sale of their data or the processing of it for targeted advertising. A controller must comply with the request within 15 days and inform the consumer of any actions taken on a request within 45 days. The bill requires controllers to provide consumers with a privacy notice that includes the categories of personal data processed and the purpose, the categories of personal data sold to third parties, and the categories of the third parties the controller sells or shares the data with. Controllers are also required to limit the collection of personal data to what is reasonably necessary and establish, implement, and maintain reasonable administrative, technical, and physical data security practices.

Location: US-MN

Title: Minnesota Consumer Data Privacy Act

Current Status: Introduced

Introduction Date: March 15, 2023

Last Action Date: Author added Maye Quade. April 08, 2024

Summary: This bill outlines the Minnesota Consumer Data Privacy Act, which gives consumers various rights regarding their personal data and imposes obligations on certain businesses in regard to consumer data, and also includes provisions for the protection and handling of biometric data. It requires controllers to authenticate requests from consumers to exercise their rights and consent to the use of any personal data. It sets restrictions on the sale and disclosure of personal data, and the deidentification and deletion of data.

Location: US-MN

Title: Creates the office of Chief Data Officer

Current Status: Failed

Introduction Date: January 04, 2023

Last Action Date: Formal Calendar S Bills for Perfection. May 12, 2023

Summary: This bill creates the chief data officer position to report to the chief information officer, who is authorized to oversee each state agency's electronic data management to evaluate appropriate management and security practices. The bill also provides that a consumer has a right to confirm whether a controller is processing the consumer's personal data, to access the consumer's personal data, to delete the consumer's personal data that the consumer provided to the controller, to obtain a copy of the consumer's personal data that the consumer previously provided to the controller, to and opt out of the processing of the consumer's personal data for purposes of targeted advertising or personal data sale. If a controller sells a consumer's personal data to one or more third parties or engages in targeted advertising, the controller must clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out. A controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect confidentiality, protect data integrity, and reduce harm. A controller may not process sensitive data collected from a consumer without (A) notifying the consumer of their option to opt out; and (B), in the case of the processing of personal data concerning a known child, processing the data in accordance with the federal Children's Online Privacy Protection Act. A controller may not discriminate against a consumer for exercising any of these rights. The attorney general will establish and administer a system to receive consumer complaints regarding a controller's or processor's alleged violation of any of the aforementioned provisions.

Location: US-MO

Title: Mississippi Consumer Data Privacy Act; enact.

Current Status: Failed

Introduction Date: January 09, 2023

Last Action Date: Died In Committee. January 31, 2023

Description: An Act To Create The "Mississippi Consumer Data Privacy Act"; To Authorize Consumers To Request That Businesses Disclose Certain Information; To Authorize Consumers To Request That Businesses Delete Personal Information Collected By Businesses; To Require Businesses To Disclose Certain Information To Consumers, To Inform Consumers Of Their Right To Request That Personal Information Be Deleted, And To Delete Personal Information Collected About Consumers Upon Request; To Authorize Consumers To Instruct Businesses To Not Sell The Consumers' Personal Information; To Authorize Consumers To Bring Civil Actions Against Businesses That Violate This Act; To Authorize The Attorney General To Bring Civil Actions Against Businesses That Violate This Act; To Require The Attorney General To Adopt Regulations To Further The Purposes Of This Act; And For Related Purposes.

Location: US-MS

Title: Generally revise data privacy laws

Current Status: Failed

Introduction Date: July 26, 2022

Last Action Date: (C) Draft Died in Process. May 02, 2023

Location: US-MT

Title: Generally revise laws related to data breach notification

Current Status: Passed

Introduction Date: January 02, 2023

Last Action Date: Chapter Number Assigned. April 24, 2023

Summary: This bill requires a third party that receives personal information from a state agency and maintains that information in a computerized data system to perform a state agency function to notify the state agency immediately following the discovery of a data breach. The third party must also make a reasonable effort to inform any person whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. In addition, third parties that are required to issue a notification of a data breach to an individual under this section must simultaneously submit to the state's chief information security officer at the department of administration and to the attorney general's consumer protection office an electronic copy of the notification and a statement providing the date and method of distribution of the notification.

Location: US-MT

Title: Generally revise laws relating to digital privacy

Current Status: Failed

Introduction Date: October 24, 2022

Last Action Date: (C) Draft Died in Process. May 02, 2023

Location: US-MT

Title: Generally revise consumer privacy laws

Current Status: Passed

Introduction Date: February 17, 2023

Last Action Date: Chapter Number Assigned. May 22, 2023

Summary: This bill states that a consumer must have the right to confirm whether a controller is processing the consumer's personal data and access the consumer's personal data, correct inaccuracies in the consumer's personal data, considering the nature of the personal data and the purposes of the processing of the consumer's personal data, and opt out of the processing of the consumer's personal data for specified purposes. A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice.

Location: US-MT

Title: Safeguard Fair Elections Act.

Current Status: Introduced

Introduction Date: March 14, 2023

Last Action Date: Ref To Com On Rules and Operations of the Senate. March 15, 2023

Location: US-NC

Title: Safeguard Fair Elections Act.

Current Status: Introduced

Introduction Date: March 14, 2023

Last Action Date: Ref To Com On Rules, Calendar, and Operations of the House. March 16, 2023

Location: US-NC

Title: Consumer Privacy Act.

Current Status: Introduced

Introduction Date: April 03, 2023

Last Action Date: Ref To Com On Rules and Operations of the Senate. April 04, 2023

Summary: This bill creates consumer rights relating to data privacy including the right to confirm whether a controller is processing the consumer's personal data and access the consumer's personal data, delete the consumer's personal data that the consumer provided to the controller, obtain a copy of the consumer's personal data that the consumer previously provided to the controller, in a format that to the extent technically feasible, that is readily usable and allows the consumer to transmit the data to another controller without impediment where the processing is carried out by automated means, and opt out of the processing of the consumer's personal data for purposes of targeted advertising or the sale of personal data. A consumer may exercise a right by submitting a request to a controller, by means prescribed by the controller, specifying the right the consumer intends to exercise. Within 45 days after the day on which a controller receives a request to exercise a right, the controller will take action on the consumer's request and inform the consumer of any action taken on the consumer's request. A processor will adhere to the controller's instructions, and taking into account the nature of the processing and information available to the processor, by appropriate technical and organizational measures, insofar as reasonably practicable, assist the controller in meeting the controller's obligations, including obligations related to the security of processing personal data and notification of a breach of the security system.

Location: US-NC

Title: relative to the expectation of privacy.

Current Status: Passed

Introduction Date: January 24, 2023

Last Action Date: Signed by the Governor on 03/06/2024; Chapter 0005; Effective 01/01/2025. March 07, 2024

Summary: This bill states that a consumer will have the right to confirm whether or not a controller is processing the consumer's personal data and access such personal data unless such confirmation or access would require the controller to reveal a trade secret, correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data, delete personal data provided by, or obtained about, the consumer, obtain a copy of the consumer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller will not be required to reveal any trade secret, and opt-out of the processing of the personal data for purposes of targeted advertising, or the sale of personal data. A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice. A controller must respond to a consumer in a reasonable time frame, and if a controller declines to take action regarding the consumer's request, the controller will inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

Location: US-NH

Title: Requires notification to consumers of collection and disclosure of personal data by certain entities.*

Current Status: Passed

Introduction Date: January 11, 2022

Last Action Date: Approved P.L.2023, c.266.. January 16, 2024

Summary: This bill requires a commercial Internet website and online service operator to notify consumers of the collection and disclosure of “personally identifiable information,” as that term is defined in the bill, to third parties. An operator that collects through the Internet the personally identifiable information of a consumer is to provide on its Internet website or online service notification to a consumer of multiple provisions outlined in this bill. This bill requires that an operator that discloses a consumer’s personally identifiable information to a third party is to make the following information available to the consumer free of charge upon receipt of a verified request from the consumer for this information through a designated request address: the consumer’s personally identifiable information that was disclosed; and the names and contact information of the third parties that received the consumer’s personally identifiable information. An operator that receives a request from a consumer is to provide a response to the consumer within 60 days of its verification and is to provide the information for all disclosures of personally identifiable information that occurred in the prior 12 months.

Location: US-NJ

Title: Requires notification to consumers of collection and disclosure of personal data by certain entities.*

Current Status: Failed

Introduction Date: January 11, 2022

Last Action Date: Substituted by S332 (6R). January 08, 2024

Summary: This bill requires online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt in.

Location: US-NJ

Title: "New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)"; establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.

Current Status: Failed

Introduction Date: January 11, 2022

Last Action Date: Introduced, Referred to Assembly Science, Innovation and Technology Committee. January 11, 2022

Location: US-NJ

Title: Establishes data broker registry.

Current Status: Failed

Introduction Date: October 20, 2022

Last Action Date: Combined with A5254 (ACS). May 11, 2023

Summary: This bill establishes the data broker registry. It states what qualifies as “Brokered personal information” and who is considered a "data broker." The Division of Consumer Affairs in the Department of Law and Public Safety will establish and maintain an up-to-date and public registry of data brokers doing business in this State. The registry will include, the name of the data broker, the data broker’s physical address, a general email address to gain further information about the data broker’s privacy policies and data collection, a website address, a website address specific to the data broker’s privacy policy, and any relevant opt-out information. Further, each data broker must pay a registration fee of $100 to the division, along with other information the broker must submit to the division. The bill provides that if a data broker does not comply with the registration requirements, then it is subject to a civil penalty of $50 per day, not to exceed $10,000 per year for each year it fails to register.

Location: US-NJ

Title: Prohibits information from Statewide voter registration system from being published on Internet.

Current Status: Failed

Introduction Date: November 07, 2022

Last Action Date: Introduced in the Senate, Referred to Senate State Government, Wagering, Tourism & Historic Preservation Committee. November 07, 2022

Summary: This bill prohibits voter registration information from the Statewide voter registration system from being published on the Internet. Under current law, the Statewide voter registration system is accessible by State and County entities and offices, and voter registration lists are also provided to the chairmen of the county committees of each political party and are accessible by voters who apply and pay for a copy of the list. This bill specifically prohibits any information from the system from being published on the Internet, in order to further protect the privacy of registered voters in New Jersey.

Location: US-NJ

Title: Concerns social media privacy and data management for children and establishes New Jersey Children's Data Protection Commission.

Current Status: Failed

Introduction Date: December 05, 2022

Last Action Date: Reported out of Assembly Comm. with Amendments, 2nd Reading. June 15, 2023

Summary: This bill establishes social media privacy and data management requirements for children and also establishes the New Jersey Children’s Data Protection Commission. The bill requires that before any new online service, product, or feature is offered to users residing in New Jersey, a social media platform is required to take certain actions as described in the bill, including completing a data protection impact assessment on children. The data protection impact assessment will address various factors to assess whether a product or feature will directly or indirectly harm a child in any way. The bill further prohibits social media platforms from using the personal information of any child in a way that is detrimental to the physical health, mental health, or well-being of a child, profiling a child by default, unless certain criteria apply, or from collecting, selling, sharing, or retaining any personal information that is not necessary to provide an online service, product, or feature, unless the social media platform can demonstrate a compelling reason to do otherwise. There are penalties for social media platforms that fail to comply with the provisions of this bill.

Location: US-NJ

Title: "New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)"; establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs.

Current Status: Failed

Introduction Date: March 13, 2023

Last Action Date: Introduced in the Senate, Referred to Senate Commerce Committee. March 13, 2023

Summary: This bill, entitled the “New Jersey Disclosure and Accountability Transparency Act (NJ DaTA),” establishes specific rights for consumers concerning the disclosure and processing of a consumer’s personally identifiable information. A controller, as defined in the bill, is someone that collects the personally identifiable information of a consumer may lawfully process the personally identifiable information pursuant to certain provisions in the bill under certain circumstances. The bill provides that a controller that collects the personally identifiable information of a consumer is to, at the time when personally identifiable information is collected, provide to a consumer information concerning the processing of that personally identifiable information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in writing, or by other means, including, where appropriate, by electronic means that will include, but not be limited to, certain information listed in the bill. The bill further provides that where the controller intends to process a consumer’s personally identifiable information for a purpose other than that for which the personally identifiable information was collected, the controller is to provide certain disclosures to the consumer prior to that processing.

Location: US-NJ

Title: Makes various changes to process for requesting access to government records.

Current Status: Failed

Introduction Date: June 15, 2023

Last Action Date: Introduced, Referred to Assembly Oversight, Reform and Federal Relations Committee. June 15, 2023

Summary: This bill introduces several provisions related to access to government records. It exempts certain types of data from public access requests, including metadata and information held by third parties that would disclose proprietary information or violate non-disclosure agreements. The bill also requires custodians of government records to redact certain personal information and provide statements of unaltered records. It allows custodians to charge special service fees for record retrieval and permits electronic access to records in certain circumstances. Additionally, the bill outlines the responsibilities of custodians in making certain government records available for public inspection on a searchable website.

Location: US-NJ

Title: CYBERSECURITY ACT

Current Status: Passed

Introduction Date: January 30, 2023

Last Action Date: Signed by Governor - Chapter 115 - Apr. 4. April 04, 2023

Summary: This bill establishes the "cybersecurity office" and is administratively attached to the department of information technology. The office will be managed by the security officer. The cybersecurity office is responsible for all cybersecurity and information security-related functions for agencies and will establish security standards and policies to protect agency information technology systems and infrastructure, provide appropriate governance and application of the standards and policies across information technology resources used by agencies and ensure the availability, confidentiality and integrity of the information processed, transacted or stored by agencies in the state's information technology infrastructure and systems. The office will also develop cybersecurity protocols for managing and protecting information technology assets and infrastructure for all entities that are connected to an agency-operated or -owned telecommunications network or that receive funding from agencies used to operate or own information technology, as well as, detect, and mitigate and monitor security incidents consistent with information security standards and policies.

Location: US-NM

Title: Relates to enacting the NY privacy act

Current Status: Introduced

Introduction Date: January 03, 2024

Last Action Date: REPORTED AND COMMITTED TO INTERNET AND TECHNOLOGY. February 06, 2024

Summary: This bill enacts the New York privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information is shared.

Description: Enacts the New York privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

Location: US-NY

Title: Restricts the disclosure of personal information by businesses

Current Status: Introduced

Introduction Date: January 09, 2023

Last Action Date: REFERRED TO CONSUMER AFFAIRS AND PROTECTION. January 03, 2024

Description: Restricts the disclosure of personal information by businesses; provides that a business that retains a customer's personal information shall make available to the customer free of charge access to, or copies of, all of the customer's personal information retained by the business.

Location: US-NY

Title: Relates to establishing the online consumer protection act

Current Status: Introduced

Introduction Date: January 17, 2023

Last Action Date: REFERRED TO CONSUMER AFFAIRS AND PROTECTION. January 03, 2024

Description: Relates to establishing the online consumer protection act; defines terms; provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities; makes related provisions.

Location: US-NY

Title: Enacts the "digital fairness act"

Current Status: Introduced

Introduction Date: January 19, 2023

Last Action Date: REFERRED TO INTERNET AND TECHNOLOGY. January 03, 2024

Description: Enacts the "digital fairness act"; requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information; establishes unlawful discriminatory practices relating to targeted advertising.

Location: US-NY

Title: Relates to establishing the online consumer protection act

Current Status: Introduced

Introduction Date: January 26, 2023

Last Action Date: REFERRED TO CONSUMER PROTECTION. January 03, 2024

Summary: This bill relates to establishing the online consumer protection act and defines related terms. This bill further provides that an advertising network will post a clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities.

Description: Relates to establishing the online consumer protection act; defines terms; provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities; makes related provisions.

Location: US-NY

Title: Establishes the New York Data Protection Act

Current Status: Introduced

Introduction Date: January 26, 2023

Last Action Date: REFERRED TO GOVERNMENTAL OPERATIONS. January 03, 2024

Summary: This bill establishes the New York Data Protection Act. It requires government entities and contractors to disclose certain personal information collected about individuals.

Description: Establishes the New York Data Protection Act; requires government entities and contractors to disclose certain personal information collected about individuals.

Location: US-NY

Title: Establishes a commission to study cyber security in the state

Current Status: Introduced

Introduction Date: January 26, 2023

Last Action Date: REFERRED TO GOVERNMENTAL OPERATIONS. January 03, 2024

Description: Establishes a commission to study the European Union's general protection data regulation and the current state of cyber security in the state.

Location: US-NY

Title: Restricts the disclosure of personal information by businesses

Current Status: Introduced

Introduction Date: January 30, 2023

Last Action Date: REFERRED TO CONSUMER PROTECTION. January 03, 2024

Description: Restricts the disclosure of personal information by businesses; provides that a business that retains a customer's personal information shall make available to the customer free of charge access to, or copies of, all of the customer's personal information retained by the business.

Location: US-NY

Title: Allows consumers the right to request from businesses the categories of personal information a business has sold or disclosed to third parties

Current Status: Introduced

Introduction Date: January 30, 2023

Last Action Date: REFERRED TO CONSUMER PROTECTION. January 03, 2024

Summary: This bill grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Description: Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.

Location: US-NY

Title: Enacts the "digital fairness act"

Current Status: Introduced

Introduction Date: February 02, 2023

Last Action Date: REFERRED TO CONSUMER AFFAIRS AND PROTECTION. January 03, 2024

Summary: This bill enacts the "digital fairness act" and requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information. It also establishes unlawful discriminatory practices relating to targeted advertising.

Description: Enacts the "digital fairness act"; requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information; establishes unlawful discriminatory practices relating to targeted advertising.

Location: US-NY

Title: Relates to enacting the NY privacy act

Current Status: Introduced

Introduction Date: February 03, 2023

Last Action Date: REFERRED TO CONSUMER AFFAIRS AND PROTECTION. January 03, 2024

Summary: This bill enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

Description: Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

Location: US-NY

Title: Establishes the New York Data Protection Act

Current Status: Introduced

Introduction Date: February 06, 2023

Last Action Date: REFERRED TO INVESTIGATIONS AND GOVERNMENT OPERATIONS. January 03, 2024

Summary: This bill amends New York executive law, enacting the New York Data Protection Act and making broad changes to data privacy law. The bill stipulates that any individual has the right to request that a government entity or contractor that collects personal information disclosed to such individual the categories and specific pieces of personal information such government entity or contractor has collected. A government entity that collects an individual's personal information must, at or before the point of collection, inform the individual as to the categories of personal information to be collected and the purposes for which such categories of personal information will be used. This information must be delivered free of charge. These provisions do not, however, require an entity to retain any personal information collected for a single, one-time transaction if such information is not shared or retained by such government entity or contractor, nor does it require an entity to re-identify or otherwise link information that is not maintained in a manner that would be considered personal information. Upon request from an individual to have their personal data deleted, an entity must do so, instructing its associated entities to do the same, unless the data must be kept for legal reasons or other caveats.

Description: Establishes the New York Data Protection Act; requires government entities and contractors to disclose certain personal information collected about individuals.

Location: US-NY

Title: Relates to privacy protection policies on internet websites, online services, online applications and mobile applications that collect social security numbers

Current Status: Introduced

Introduction Date: February 07, 2023

Last Action Date: REFERRED TO INTERNET AND TECHNOLOGY. January 03, 2024

Description: Relates to privacy protection policies on internet websites, online services, online applications and mobile applications that collect social security numbers.

Location: US-NY

Title: Relates to enacting the NY data protection act

Current Status: Introduced

Introduction Date: May 19, 2023

Last Action Date: REFERRED TO CODES. January 03, 2024

Summary: This bill, the New York Privacy Act, establishes privacy rights and regulations for legal entities operating in New York or offering products and services to New York residents. The act applies to entities meeting certain thresholds, such as having annual gross revenue of $25 million or more, processing personal data of 50,000 or more consumers, or deriving over 50% of gross revenue from the sale of personal data. However, there are exemptions to the act, including personal data processed by state and local governments, certain nonprofit entities, and data regulated by federal laws like the Gramm-Leach-Bliley Act, the Driver's Privacy Protection Act, and the Family Educational Rights and Privacy Act, among others. Specifically, the act grants consumers certain rights, including the right to be notified about the processing of their personal data. Controllers must provide a notice containing information about the consumer's rights, categories of personal data processed, sources of data collection, purposes of the processing, and categories of third parties with whom the data is shared or sold. Consumers also have the right to opt out of targeted advertising, sale of personal data, and profiling that affects legal or significant decisions. Controllers must provide clear means for opting out and must not process personal data for opted-out purposes. The act also requires explicit opt-in consent for processing sensitive data, with clear disclosure and distinction between necessary and non-necessary processing purposes. In addition, this bill requires controllers to conduct regular data protection assessments for processing activities that pose a heightened risk to consumers, such as targeting advertising, selling personal data, and processing sensitive data. These assessments should consider the benefits and potential risks to consumers, as well as employ safeguards to mitigate those risks. The attorney general may request disclosure of these assessments for investigation purposes, and they should remain confidential. Controllers must not engage in unfair, deceptive, or abusive acts when obtaining consumer consent or processing personal data. They must also implement reasonable safeguards to protect the security and integrity of consumer data and limit its use and retention to what is necessary. Non-discrimination provisions prohibit controllers from discriminating against consumers who exercise their rights under the bill. Controllers must enter into written contracts with processors before disclosing personal data, ensuring confidentiality, data protection, and compliance with the controller's instructions. Processors have obligations to protect personal data and comply with consumer rights. Processors are exempt from complying with consumer requests if they have only processed data as instructed by the controller. The bill also prohibits the sale of personal data by processors unless authorized by the controller. Finally, this bill establishes enforcement mechanisms and penalties and allows consumers to exercise the rights established in this bill.

Description: Enacts the New York privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.

Location: US-NY

Title: Data privacy; Oklahoma Computer Data Privacy Act; consumer protection; civil penalties; effective date.

Current Status: Considering

Introduction Date: February 06, 2023

Last Action Date: Second Reading referred to Rules. March 29, 2023

Summary: This bill requires businesses to write privacy policies in plain language and include how the consumer may request their data be corrected or deleted, what personal information is collected and reasons it is collected, whether the information is shared or sold, and to what type of entities, consumers' right to opt into the sale of their personal information and web link to do so, and how long the data is retained. This bill also prohibits businesses from sharing personal data with third parties unless it is necessary to provide a requested good or service or for security purposes or fraud detection, and denying service or altering prices or services based on a consumer's rights granted in the measure. This bill will allow businesses to incentivize consumers to share their data by providing discounts or payments to consumers who voluntarily participate in a program that rewards consumers for repeated transactions, limit records requests to twice per 12-month period for each consumer, and charge a fee in the case of baseless or excessive verifiable consumer requests.

Location: US-OK

Title: Relating to protections for the personal data of consumers.

Current Status: Passed

Introduction Date: January 09, 2023

Last Action Date: Effective date, January 1, 2024.. August 01, 2023

Summary: This bill permits consumers to obtain from a controller that processes consumer personal data confirmation as to whether the controller is processing the consumer's personal data and categories of the personal data the controller is processing, list of specific third parties to which the controller has disclosed consumer's personal data and copy of all of the consumer's personal data that controller has processed or is processing. This bill permits consumers to require controllers to correct inaccuracies in personal data about consumers, require controllers to delete personal data about consumers or opt-out from controllers' processing of consumers' personal data under certain circumstances. It also requires a controller to provide consumers with reasonably accessible, clear, and meaningful privacy notice that lists categories of personal data controller processes, describes the controller's purpose for processing personal data, describes how consumers may exercise consumer's rights with respect to personal data, lists categories of personal data that controller shares with third parties, list all categories of third parties with which the controller shares personal data and provides other information. The bill specifies duties of, and prohibits specified actions of, the controller and of the processor that acts at the controller's direction. This bill further permits Attorney General to investigate violations of the Act and to bring an action to seek a civil penalty of not more than $7,500 for each violation. It also permits consumers or a class of consumers to bring an action after the specified date for ascertainable loss of money or property resulting from violation of Act.

Description: Permits consumers to obtain from controller that processes consumer personal data confirmation as to whether controller is processing consumer's personal data and categories of personal data controller is processing, list of specific third parties to which controller has disclosed consumer's personal data or any personal data and copy of all of consumer's personal data that controller has processed or is processing. Permits consumer to require controller to correct inaccuracies in personal data about consumer, require controller to delete personal data about consumer or opt out from controller's processing of consumer's personal data under certain circumstances. Requires controller to provide to consumers reasonably accessible, clear and meaningful privacy notice that lists categories of personal data controller processes, describes controller's purpose for processing personal data, describes how consumer may exercise consumer's rights with respect to personal data, lists categories of....

Location: US-OR

Title: Relating to registration of business entities that qualify as data brokers; and declaring an emergency.

Current Status: Passed

Introduction Date: January 09, 2023

Last Action Date: Chapter 395, (2023 Laws): Effective date July 27, 2023.. August 04, 2023

Summary: This bill provides that a data broker may only collect, sell, or license brokered personal data if the data broker first registers with the Department of Consumer and Business Services. This bill additionally establishes application requirements and a civil penalty for a violation of this section.

Description: Provides that data broker may not collect, sell or license brokered personal data within this state unless data broker first registers with Department of Consumer and Business Services. Specifies form, method and contents of application. Specifies exemptions. Provides civil penalty in amount not to exceed $500 for each violation of Act or, for continuing violation, for each day in which violation continues. Caps amount of civil penalty at $10,000 in calendar year. Declares emergency, effective on passage.

Location: US-OR

Title: Relating to data privacy; creating new provisions; and amending ORS 276A.353, 276A.365 and 276A.374.

Current Status: Failed

Introduction Date: February 27, 2023

Last Action Date: In committee upon adjournment.. June 25, 2023

Summary: This bill directs State Chief Information Officer to appoint Chief Privacy Officer and describes the scope of duties of the Chief Privacy Officer. It directs state agencies to designate agency data officers and directs the Secretary of State and State Treasurer to adopt by rule certain data privacy requirements.

Description: Directs State Chief Information Officer to appoint Chief Privacy Officer and describes scope of duties of Chief Privacy Officer. Directs state agencies to designate agency data officer. Directs Secretary of State, and] State Treasurer and Attorney General to adopt by rule certain data privacy requirements.

Location: US-OR

Title: Relating to consumers' personally identifiable information; creating new provisions; and amending ORS 646.608.

Current Status: Failed

Introduction Date: February 27, 2023

Last Action Date: In committee upon adjournment.. June 25, 2023

Summary: This bill requires a person who operates a website or online service for commercial purposes that collects consumers' personally identifiable information to develop, maintain and implement data management practices policy and post policy or link to policy prominently on the website or online service home page. It generally specifies minimum policy requirements and makes violations of this bill unlawful practices under the Unlawful Trade Practices Act.

Description: Requires person who operates website or online service for commercial purposes that collects consumers' personally identifiable information to develop, maintain and implement data management practices policy and post policy or link to policy prominently on website or online service home page. Specifies minimum policy requirements. Makes violation of Act unlawful practice under Unlawful Trade Practices Act.

Location: US-OR

Title: An Act amending the act of December 22, 2005 (P.L.474, No.94), known as the Breach of Personal Information Notification Act, further providing for title of act, for definitions and for notification of breach; prohibiting employees of the Commonwealth from using nonsecured Internet connections; providing for data storage policy and for entities subject to the Health Insurance Portability and Accountability Act of 1996; and further providing for notice exemption and for applicability.

Current Status: Passed

Introduction Date: May 24, 2021

Last Action Date: Act No. 151 of 2022. November 03, 2022

Summary: This bill provides for the security of computerized data and for the notification of residents whose personal information data was or may have been disclosed due to a security system breach of the security system, and further imposes penalties for these breaches. The bill defines what is considered personal data and includes "State agency contractor." These "State Agency Contractors" are required to notify the appropriate authority and the governor's office for data breaches within 3 days of the breach, make appropriate state and state agency-related contract amendments and provisions that deal with data breaches, and required to report who's data was breached through an electronic list if the breach impacts any listed state and county public school or municipalities, or any individual whose account may be accessible through the use of the data that was breached. The bill also makes encryption requirements for state and state agency contractor employees.

Location: US-PA

Title: An Act providing for protection of certain personal data of consumers; imposing duties on controllers and processors of personal data of consumers; providing for enforcement; prescribing penalties; and establishing the Consumer Privacy Fund.

Current Status: Introduced

Introduction Date: March 27, 2023

Last Action Date: Referred to COMMERCE. March 27, 2023

Summary: This bill seeks to protect the personal data of consumers, impose duties on controllers and processors of consumer data, and establish the Consumer Privacy Fund. It defines various categories of personal data and provides consumer rights and controller and processor responsibilities. It outlines enforcement procedure as well as the powers and duties of the Attorney General. It also provides for a Consumer Privacy Fund and miscellaneous provisions. This bill will go into effect immediately upon enactment.

Location: US-PA

Title: An Act providing for consumer data privacy, for duties of controllers and for duties of processors; and imposing penalties.

Current Status: Considering

Introduction Date: November 15, 2023

Last Action Date: Referred to COMMUNICATIONS AND TECHNOLOGY. April 04, 2024

Summary: This bill outlines several duties for controllers and processors in relation to consumer data. It requires processors to be consistent with similar platforms or mechanisms required by federal or state laws or regulations. Processors should have the capability to accurately determine if a consumer is a resident of the Commonwealth and if they have opted out of data processing or sale. If a consumer's opt-out preference conflicts with their existing privacy settings or participation in loyalty programs, the controller must comply with the opt-out preference but may notify the consumer of the conflict and provide a choice to confirm the privacy setting or program participation. Additionally, if a controller informs a consumer of a charge for using a product or service when responding to an opt-out request, they must present terms of a loyalty program for the retention, use, sale, or sharing of personal data.

Location: US-PA

Title: An Act Relating To Commercial Law--General Regulatory Provisions -- Rhode Island Data Transparency And Privacy Protection Act (Creates The "Rhode Island Data Transparency And Privacy Protection Act" To Identify Information Collected By Online Service Providers And Commercial Websites.)

Current Status: Failed

Introduction Date: February 03, 2023

Last Action Date: Committee recommended measure be held for further study. March 02, 2023

Location: US-RI

Title: An Act Relating To Commercial Law -- General Regulatory Provisions -- Rhode Island Data Transparency And Privacy Protection Act (Provides Data Privacy Protections For The Personal Identifiable Information Of Rhode Islanders.)

Current Status: Failed

Introduction Date: March 23, 2023

Last Action Date: Committee recommended measure be held for further study. May 02, 2023

Summary: This bill enacts the "Rhode Island Data Transparency and Privacy Protection Act." The bill stipulates that an operator of a commercial website or online service that collects, stores, and sells categories of personally identifiable information must identify all categories of personally identifiable information that the operator collects; and identify all third-parties with whom the operator may disclose that personally identifiable information. Data collection must be limited to what is reasonably necessary. Operators must establish reasonable administrative, technical, and physical data security practices to protect personal data. Additionally, a customer must be allowed to revoke consent, and an operator may not process a customer's personal data for targeted advertising or sell the customer's personal data without the customer's consent. Customers have a right to confirm whether their data is being collected, make corrections, to obtain a copy of the data, and to opt out.

Location: US-RI

Title: An Act Relating To Commercial Law -- General Regulatory Provisions -- Rhode Island Data Transparency And Privacy Protection Act (Provides Data Privacy Protections For The Personal Identifiable Information Of Rhode Islanders.)

Current Status: Failed

Introduction Date: March 30, 2023

Last Action Date: Committee recommended measure be held for further study. April 04, 2023

Summary: This bill would provide data privacy protections for the personal identifiable information of Rhode Islanders. This bill outlines an operator of a commercial website or online service will, in its customer agreement or incorporated addendum or in another conspicuous location on its website or online service platform where similar notices are customarily posted, identify all categories of personally identifiable information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service, and identify all third-party persons or entities with whom the operator may disclose that personally identifiable information. An operator will limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which data is processed, as disclosed to the customer. Any controller in possession of de-identified data will process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is subject to suitable and specific measures to safeguard the rights of the customer whose personal data is being processed, and under the responsibility of a professional subject to confidentiality obligations under federal, state or local law. Certain health data is exempt from provisions of this bill.

Location: US-RI

Title: Social Media

Current Status: Failed

Introduction Date: December 15, 2022

Last Action Date: Member(s) request name added as sponsor: Carter. January 18, 2023

Description: A Bill To Amend The South Carolina Code Of Laws By Adding Section 63-5-380 So As To Prohibit The Collection Of Personal Information From Children By Operators Of Websites, Online Services, And Online Or Mobile Applications And To Establish Penalties.

Location: US-SC

Title: Consumer Protection - As enacted, enacts the "Tennessee Information Protection Act." - Amends TCA Title 4; Title 12; Title 43; Title 45; Title 47; Title 48; Title 50; Title 61; Title 66 and Title 67.

Current Status: Passed

Introduction Date: January 04, 2023

Last Action Date: Comp. became Pub. Ch. 408. May 24, 2023

Summary: This bill provides a consumer may invoke the consumer right at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A controller must comply with an authenticated consumer request to exercise the right to confirm whether a controller is processing the consumer's personal information and to access the personal information, correct inaccuracies in the consumer's personal information, taking into account the nature of the personal information and the purposes of the processing of the consumer's personal information, and delete personal information provided by or obtained about the consumer. A business is not required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data in the possession of the business is not linked to a specific consumer. A controller will limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer, and not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer unless the controller obtains the consumer's consent.

Description: APPLICABILITY This bill applies to persons that conduct business in this state or produce products or services that are targeted to residents of this state and that: (1) During a calendar year, control or process personal information of at least 100,000 consumers; or (2) Control or process personal information of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal information.DATA CONTROLLER RESPONSIBILITES This bill requires the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information ("controller") to: (1) Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer; (2) Not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal informatio....

Location: US-TN

Title: Consumer Protection - As enacted, enacts the "Tennessee Information Protection Act." - Amends TCA Title 4; Title 12; Title 43; Title 45; Title 47; Title 48; Title 50; Title 61; Title 66 and Title 67.

Current Status: Passed

Introduction Date: January 31, 2023

Last Action Date: Effective date(s) 07/01/2025. May 24, 2023

Summary: This bill states that a consumer may invoke the consumer rights authorized pursuant to subdivision (a)(2) at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke and the controller must comply with this request. A controller must respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of a request submitted pursuant to subsection (a). If a controller declines to take action regarding the consumer's request, then the controller shall inform the consumer without undue delay, but in all cases and at the latest within forty-five (45) days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision pursuant to subsection (c). Information provided in response to a consumer request must be provided by a controller free of charge, up to twice annually per consumer. A controller must establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subdivision (b)(2). This bill further outlines various data controller duties and exemptions.

Description: APPLICABILITY This bill applies to persons that conduct business in this state or produce products or services that are targeted to residents of this state and that: (1) During a calendar year, control or process personal information of at least 100,000 consumers; or (2) Control or process personal information of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal information.DATA CONTROLLER RESPONSIBILITES This bill requires the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information ("controller") to: (1) Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer; (2) Not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal informatio....

Location: US-TN

Title: Relating to the regulation of the collection, use, processing, and treatment of consumers' personal data by certain business entities; imposing a civil penalty.

Current Status: Failed

Introduction Date: February 03, 2023

Last Action Date: Referred to Business & Industry. March 07, 2023

Summary: This bill states that a consumer is entitled to exercise the consumer rights authorized by this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to exercise and the controller must comply with the certain outlined requests. A controller will respond to the consumer request without undue delay, which may not be later than the 45th day after the date of receipt of the request. If a controller declines to take action regarding the consumer's request, the controller will inform the consumer without undue delay, which may not be later than the 45th day after the date of receipt of the request, of the justification for declining to take action and provide instructions on how to appeal the decision in accordance with Section 541.053. Further, a controller will provide information in response to a consumer request free of charge, up to twice annually per consumer. A controller will establish two or more secure and reliable methods to enable consumers to submit a request to exercise their consumer rights under this chapter aligned with certain requirements.

Location: US-TX

Title: Relating to the regulation of the collection, use, processing, and treatment of consumers' personal data by certain business entities; imposing a civil penalty.

Current Status: Passed

Introduction Date: February 16, 2023

Last Action Date: See remarks for effective date. June 18, 2023

Summary: The bill is related to consumer data privacy rights and outlines the duties and responsibilities of controllers, who collect and process consumer data. It requires controllers to establish at least two secure methods for consumers to exercise their privacy rights, limit the collection of personal data to what is necessary, and maintain reasonable administrative, technical, and physical data security practices. Controllers cannot process personal data for purposes not reasonably necessary to the disclosed purpose, discriminate against a consumer for exercising their privacy rights, or process sensitive data without obtaining the consumer's consent. The bill also mandates that controllers provide a privacy notice to consumers that includes information about the personal data processed, the purpose of processing, and the methods through which consumers can exercise their privacy rights. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must disclose such processing and provide a way for consumers to opt-out.

Location: US-TX

Title: Relating to the registration of and certain other requirements relating to data brokers; providing a civil penalty and authorizing a fee.

Current Status: Passed

Introduction Date: March 09, 2023

Last Action Date: Effective on 9/1/23. June 18, 2023

Summary: This bill states that a data broker conducting business in this state has a duty to protect personal data held by that data broker. A data broker will develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for the data broker's size, scope, and type of business, the amount of resources available to the data broker, the amount of data stored by the data broker, and the need for security and confidentiality of personal data stored by the data broker. The comprehensive information security program required by this section must incorporate safeguards that are consistent with the safeguards for protection of personal data and information of a similar character under state or federal laws and regulations applicable to the data broker. It must also include the designation of one or more employees of the data broker to maintain the program and require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal data, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks,

Location: US-TX

Title: Relating to the security of election systems.

Current Status: Failed

Introduction Date: March 10, 2023

Last Action Date: Referred to Elections. March 22, 2023

Summary: This bill requires the secretary of state to adopt rules defining classes of protected election data and establishing best practices for eliminating the risk to the electronic use, storage, and transmission of election data and the security of election systems, including methods of encrypting data at rest and during transmission and restricting access to sensitive data to only users with a specific need to access that data. The secretary must also appoint a dedicated cybersecurity expert to implement cybersecurity measures to protect all election data. The cybersecurity expert will be responsible for providing training related election cybersecurity and must investigate all data breaches. This bill also outlines the process for investigating an election-related data breach. It also prohibits an election system that is capable of being connected to the Internet or any other computer network from being used, except for the use of a visible wired connection to an isolated local area network within the building. Additionally, it requires equipment used in the operation of a voting system to have a documented chain of custody and to be stored in a locked facility with video surveillance monitoring the storage facility at all times.

Location: US-TX

Title: Relating to the authority of individuals over the personal identifying information collected, processed, or maintained about the individuals and certain others by certain businesses.

Current Status: Failed

Introduction Date: March 10, 2023

Last Action Date: Referred to Business & Industry. March 23, 2023

Summary: This bill states that a business will allow an individual to promptly and reasonably obtain confirmation of whether personal identifying information concerning the individual or someone for whom the individual is a legal representative or guardian is processed by the business; a description of the categories of personal identifying information processed by the business; an explanation in plain language of the specific types of personal identifying information collected by the business; a description of the inferences the business has drawn about the individual or someone for whom the individual is a personal representative or guardian from the information collected by the business; and access to the individual's personal identifying information, including in accordance with Subsection (c), a copy of the individual's personal identifying information in a portable and transferable format. On request of an individual, a business will without undue delay provide the individual with all personal identifying information collected by the business that relates to the individual or someone for whom the individual is a legal representative or guardian. Further, an individual is entitled to request that a business delete personal identifying information collected by the business that relates to that individual or someone for whom the individual is a legal representative or guardian. A business may provide consideration in the form of money or other incentives, including as an incentive to purchase goods or services, under a contract that is reasonably related to the value of the information or access offered by the individual under the contract.

Location: US-TX

Title: An act relating to enhancing consumer privacy and the age-appropriate design code

Current Status: Considering

Introduction Date: January 26, 2023

Last Action Date: House message: House concurred in Senate proposal of amendment to House proposal of amendment. May 10, 2024

Location: US-VT

Title: Creating a charter of people's personal data rights.

Current Status: Failed

Introduction Date: January 08, 2024

Last Action Date: By resolution, reintroduced and retained in present status.. January 08, 2024

Summary: This bill establishes a consumer rights charter to their personal data, including the right to know what personal information a covered entity processes about the individual, including the categories and specific pieces of personal information the covered entity processes. A covered entity must make both a long-form privacy policy and a short-form privacy policy persistently and conspicuously available with certain information enclosed. A covered entity or Washington governmental entity that processes biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose for processing such information has been satisfied or within 1 year of the individual's last interaction with the covered entity or Washington governmental entity, whichever occurs first.

Location: US-WA

Title: Creating a charter of people's personal data rights.

Current Status: Failed

Introduction Date: January 08, 2024

Last Action Date: By resolution, reintroduced and retained in present status.. January 08, 2024

Location: US-WA

Title: Concerning the registration of business entities that qualify as data brokers.

Current Status: Failed

Introduction Date: January 08, 2024

Last Action Date: By resolution, reintroduced and retained in present status.. January 08, 2024

Location: US-WA

Title: Consumer Data Protection Act

Current Status: Failed

Introduction Date: February 14, 2023

Last Action Date: Filed for introduction. February 14, 2023

Summary: This bill stipulates that a business that collects personal information about consumers must maintain an online privacy policy and make such policy available on its Internet website, updating the information at least once every 12 months. The privacy policy must include information such as state-specific consumer privacy rights, a list of the categories of personal information the business collects or has collected about consumers, the right to opt-out of the sale or sharing to third parties and the ability to request deletion or correction of certain personal information, etc. Furthermore, a consumer has the right to request that a business that collects personal information about the consumer disclose the personal information that has been collected by the business, has a right to request the deletion or correction of that information, has the right to what information is being sold and to whom when a business sells their information, and has the right to opt-out of the sale or sharing of personal information to third parties. A business may not discriminate against a consumer who exercised any of the consumer's rights under these provisions. A business must also provide a clear and conspicuous link on the business's Internet homepage, entitled "Do Not Sell or Share My Personal Information," to an Internet webpage that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer's personal information. A business may not require a consumer to create an account in order to direct the business not to sell the consumer's personal information.

Location: US-WV

Title: Right of individual privacy-constitutional amendment.

Current Status: Failed

Introduction Date: January 17, 2023

Last Action Date: S COW:S Did not consider for COW. February 06, 2023

Description: A JOINT RESOLUTION proposing to amend the Wyoming Constitution to provide for a right of individual privacy.

Location: US-WY

Powered by