Data privacy legislative round-up

This article is part of a series providing insight and updates on the latest state data privacy legislation. Click here to learn about Virginia's data privacy law and click here to learn about Colorado's law.


Historically, consumer privacy in the United States has been a piecemeal effort left to the individual states. On June 18, 2018, the California governor signed the California Consumer Privacy Act (CCPA) into law. The statute went into effect on January 1, 2020, and led the nation with one of the most comprehensive and far-reaching privacy laws. Following suit, other states began pushing their own versions of the CCPA through their legislatures. For example, both Colorado and Virginia have already passed their versions.

On March 2, 2021, Virginia enacted the Virginia Consumer Data Protection Act (CDPA). This legislation made Virginia the second state to enact comprehensive privacy legislation, following California. The law becomes effective beginning January 1, 2023. Click here for a comprehensive analysis of Virginia’s law.

Following the example of both California and Virginia, the state of Colorado enacted the Colorado Privacy Act (CPA) on July 8, 2021. The law becomes effective July 1, 2023. Click here for a comprehensive analysis of Colorado’s law. 

Utah Consumer Privacy Act

On March 15, 2022, the Utah legislature sent the Utah Consumer Privacy Act (S.B. 227) to the governor for signature. The Utah law provides consumers with the rights to access and delete personal data maintained by certain businesses and to opt out of specific collection and uses of personal data. The thresholds for the applicability of the Utah law are similar to those that appear in the other similar laws: conducting business in the state that is targeted to Utah residents, having an annual revenue of $25 million or more, and either processing the data of 100,000 or more consumers or deriving 50% of gross revenue from the sale of personal data. In addition to rights of access and deletion, Utah consumers have the right to opt out of the processing of their data for purposes of targeted advertising or the sale of personal data. Under the law, targeted advertising means “displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.” The Utah Governor signed the bill into law on March 24, 2022. The law is effective December 31, 2023.

Florida data privacy bill

During the 2021 legislative session, the Florida legislature was very close to passing a comprehensive data privacy bill. Senate Bill 1864, which was similar to previous bills, was re-introduced during the 2022 session. It has recently been indefinitely postponed and withdrawn from consideration. Florida’s House Bill 9 was introduced in mid-January, but also was withdrawn from consideration in mid-March. Despite all of the conversation last year in Florida, this might not be the year for comprehensive data privacy legislation in that state. 

Furthermore, many other states, including Alaska, Georgia, Kentucky, Massachusetts, New York, and Washington, have introduced some version of the comprehensive law, and those bills are currently under consideration.

In addition to comprehensive data privacy legislation, states continue to review and update their data breach notification laws.

Indiana breach notification law

Indiana’s House Bill 1351 passed the Indiana House in late January and the Indiana Senate in early March. The amendment requires that data breach notification pursuant to Indiana law be made not more than 45 days after the discovery of the breach. The previous law required notice to be made “without unreasonable delay” but did not otherwise specify a timeframe. The bill has been signed into law as Public Law 171 and is effective July 2, 2022.

Hawaii amends definition of personal information

Another bill worth watching is Hawaii’s Senate Bill 1009, which seeks to amend the definition of “personal information.” The bill carried over from the end of the 2021 session to early 2022 and would change the definition of “personal information” to be an “identifier” in combination with one or more “specified data elements.”

An “identifier” is a common piece of information related specifically to an individual that is commonly used to identify that individual across technology platforms, including a first name or initial, and last name; a user name for an online account; a phone number; or an email address.

A “specified data element” means any of the following:

  1. An individual’s social security number, either in its entirety or the last four or more digits
  2. Driver's license number, federal or state identification card number, or passport number
  3. A federal individual taxpayer identification number
  4. An individual’s financial account number or credit or debit card number
  5. A security code, access code, personal identification number, or password that would allow access to an individual's account
  6. Health insurance policy number, subscriber identification number, or any other unique number used by a health insurer to identify a person
  7. Medical history, medical treatment by a health care professional, diagnosis of mental or physical condition by a health care professional, or deoxyribonucleic acid profile
  8. Unique biometric data generated from a measurement or analysis of human body characteristics used for authentication purposes, such as a fingerprint, voice print, retina or iris image, or other unique physical or digital representation of biometric data
  9. A private key that is unique to an individual and that is used to authenticate or sign an electronic record.
     