ComplianceUpdate | State Privacy Laws

Updated: Jun 4, 2019

As federal privacy bill proposals make their way through the legal pipeline, states are getting impatient and taking matters into their own hands. With the exception of the CCPA, which quickly passed in the fall of 2018, the following bills are currently under review.

California - California Consumer Privacy Act (CCPA)

* See our CCPA resources *

Connecticut - Senate Bill 1108

  • Closely follows original CCPA text

  • Proposed to take effect on Jan 1, 2020

  • Referred to Joint Committee on Government Administration and Elections on 3/20

Nevada -

New Jersey - Senate Bill 2834

  • Modeled after CCPA

  • Requires commercial Internet websites and online service providers to notify customers of collection and disclosure of personally identifiable information (PII) and allows customers to opt out

  • Businesses must notify customer of all third parties with whom they might share PII

  • Allows for data access requests, including information on third-party access

  • Introduced in the Senate, 7/23/18

New Mexico - Senate Bill 199 "Electronic Communications Privacy Act" - Sen. Peter Wirth

  • Requires law enforcement to obtain a warrant or wiretap order to access certain electronic data

  • Signed by Governor, 1/30/19

New York - New York Senate Bill 224

  • Allows consumers to access their personal information held by a business

  • Requires businesses to disclose information about third parties with whom they share consumer data

  • 12-month look-back period

  • Creates private right of action for violations of its provisions

  • Referred to Senate Consumer Affairs and Protection Committee on 1/9/19

New York - New York Senate Bill 5642

  • Requires companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared

  • Creates a "fidicuary-like" duty for businesses to protect consumer data

  • Sweeping definition of personal data

  • Creates private right of action for violations of its provisions

  • Applies to businesses that conduct business in New York

  • Referred to Consumer Protection on 5/9/19

North Dakota - House Bill 1485 - Rep. Jim Kasper

  • Prohibits the disclosure of personal information without express written consent

  • Creates private right of action for violations of its provisions

  • Signed by Governor, 3/28/19

Texas - House Bill 4390 "Texas Privacy Protection Act"

  • Regulates collection and processing of personal identifying information

  • Requires businesses to implement data security program, disclose how they collects, processes, and discloses personal identifying information, make their privacy policy publicly available, allow consumers access to their personal identifying information, delete consumers’ personal identifying information, and create an accountability program to ensure compliance

  • Regulates consumer information that businesses share with third parties

  • Civil penalties of not more than $10k per violation, not to exceed a total of $1M

  • No private cause of action

  • Proposed to take effect September 1, 2019 if enacted

  • Pending in committee 5/16/19

Texas - House Bill 4518 "Texas Consumer Privacy Act"

  • Similar to CCPA

  • Gives consumers right to disclosure of personal information collected by a business, right to deletion of certain personal information, right to disclosure of certain personal information sold or disclosed, right to opt-out of sale of personal information

  • Requires businesses to provide notification to consumer of categories of personal information collected and purposes for collection; provide online privacy policy or private notice; provide methods to submit verified consumer requests; and disclose certain information in response to verifiable consumer request

  • $2,500 penalty per violation, $7,500 per intentional violation

  • No private cause of action

  • Proposed to take effect September 1, 2020 if enacted

  • Pending in committee 4/2/19

Utah - House Bill 57 "Electronic Information or Data Privacy Act" - Rep. Craig Hall

  • Requires a search warrant to obtain certain electronic data and notifies individual that data was obtained

  • Individual who transmits data is the presumed owner and maintains a reasonable expectation of privacy of the data stored by the remote computing service

  • Signed by Governor 3/27/19; in Lieutenant Governor's office for filing

Washington - Senate Bill 5376 "Washington Privacy Act"

  • Gives consumers visibility into the information collected about them and how their information is shared with third parties

  • Gives consumers the right to correct inaccurate information, delete their personal data, and object to their personal data being used in marketing

  • Requires consent for the use of facial recognition technology on consumers

  • Proposed to take effect Jan 1, 2020 if enacted

  • Recently supported by Microsoft's General Counsel for Privacy and Regulatory Affairs

  • Third reading 4/28/19

Overwhelmed by the wave of data privacy & cybersecurity regulations? Jordan Lawrence can help. Learn more about our Data Governance Services - Data Inventories, Data Minimization, and Vendor Risk Profiling.


Contact Us

© 2019 Jordan Lawrence. No legal representation made.

Jordan Lawrence is not a law firm and does not provide legal advice.