Active US State Privacy Bills

American Privacy Law.

It’s fair to say that the U.S. has long lagged behind the rest of the industrialized world when it comes to privacy law.

While some federal privacy legislation exists—like the Children’s Online Privacy Protection Act (COPPA) and the Privacy Act of 1974—such laws generally apply to a specific sector.

With a flurry of comprehensive state privacy laws emerging in the first part of this year, 2021 was billed as the year of America’s “privacy patchwork”.

The U.S. now has comprehensive privacy laws in California, Virginia, and Colorado.

And while the momentum of state privacy laws has slowed—with laws in many states failing to pass—four further states have active state privacy bills working their way through the legislature.

Let’s take a look at the four states that currently have active comprehensive privacy bills.

Massachusetts

The Massachusetts Information Privacy Act (MIPA, SD 1726) is currently at committee stage. In its current draft, the MIPA is a very strong privacy law, relative to other states.

Here are some of the MIPA’s features:

  • Consumer rights including access, rectification, deletion, restriction of processing, and data portability
  • A requirement to provide notice and obtain “opt-in” consent before collecting and processing a consumer’s personal information for the first time
  • Duties of care, loyalty, and confidentiality
  • A private right of action enabling consumers to bring legal claims under certain conditions

New York

There are currently three comprehensive privacy bills at play in the New York legislature.

  • New York Privacy Act (A 680)
  • Digital Fairness Act (A 6042)
  • “It’s Your Data” Act (SB 567)

The New York Privacy Act (NYPA) was first considered by the New York legislature in 2019, when the bill contained a “fiduciary duty” on businesses controlling a consumer’s personal data.

In its current form, the NYPA imposes two more specific duties on businesses:

  • A duty of care, requiring businesses to provide notice to consumers if they are likely to be harmed by accepting consent
  • A duty of loyalty, requiring businesses to carry out annual risk assessments of their processing activities

The Digital Fairness Act requires companies to disclose how they de-identify personal information, to safeguard the personal information they share, and to provide the identities of any third parties with whom they share consumers’ data.

The “It’s Your Data” Act borrows many provisions from the California Consumer Privacy Act (CCPA) and mostly concerns consumers’ access to and control over their personal information.

North Carolina

North Carolina’s Consumer Privacy Act (CPA, SB 569) is currently in session. In its current form, the bill includes:

  • Consumer rights including access, rectification, deletion, and data portability
  • A requirement to obtain opt-in consent before collecting sensitive personal information
  • An obligation to conduct a risk assessment before undertaking certain processing activities
  • A private right of action enabling consumers to bring legal claims under certain conditions

Pennsylvania

The Pennsylvania Data Privacy Act (PDPA, HB 1126) is arguably among the weaker state privacy laws currently in session. In its current form, the bill includes:

  • Consumer rights including access, deletion, and the right to opt out of certain types of data processing
  • A requirement to obtain opt-in consent before collecting personal information from minors under 16 years old
  • A private right of action in respect of security provisions only
