COVID-19 Policy Tracker
image/svg+xml Skip to main content
Search image/svg+xml

Key Takeaways:

  • California’s landmark privacy law went into effect this year, but the state could still take additional action on privacy in 2020. 
  • Twenty-four states are considering legislation that would require some sort of consent before collecting or disclosing personal information with third parties.
  • Other trends in privacy legislation include action on facial recognition technology, connected devices, location tracking, and algorithms. 

With Congressional action on a comprehensive privacy bill still slow to materialize, states have continued to lead by taking up legislation to address how businesses handle consumer information. California’s landmark legislation went into effect in January, and lawmakers in many other states have sought to emulate that legislation. Other new technologies such as connected devices, facial recognition technology, biometrics, and algorithms have prompted state legislators to propose additional policies to protect consumers.  

Just two months into the year, lawmakers have already introduced hundreds of privacy bills in state legislatures. Here’s a look at the trending privacy issues in states so far in 2020.

The California Privacy Law (CCPA)

The new California privacy law that went into effect this year takes ideas from the European Union General Data Protection Regulations (GDPR) to create new rights for consumers in regard to personal information collected from them by businesses. California lawmakers sought to tweak the law in 2019, and will still have to resolve temporary one-year exemptions for business-to-business communications and an exemption for information collected by employees and job applicants. California lawmakers will also seek to clarify whether customer loyalty programs violate provisions that prohibit discriminating against consumers that exercise their rights. California Attorney General Xavier Becerra has also released a draft of regulations to advise businesses on how to comply with the law, with enforcement set to begin on July 1, 2020. 

An additional wrinkle: A California privacy activist, whose threat of a consumer privacy ballot measure initially convinced lawmakers to pass the CCPA, is now pushing a new privacy ballot measure that would create new rights around the use and sale of sensitive personal information, limit location tracking for target advertising, require transparency for algorithms, triple fines for violations of children’s privacy laws, allow a private right of action if online access passwords are stolen due to negligence, and establishes a California Privacy Protection Agency.

States Modeling CCPA

Other states have tried to emulate aspects of the CCPA, particularly as some companies treat the new California law as a de facto national standard. The Washington Senate passed a major privacy bill last year, only to have the bill killed in a House Committee. Consumer groups and the ACLU were concerned the bill was too business-friendly and a provision allowed controversial facial recognition technology. A new package of bills has been introduced this year by state Senator Rueben Carlyle (D), who introduced last year’s legislation. 

Other states have also introduced comprehensive privacy legislation modeled after the California law that would give consumers some rights over personal information collected by businesses. The rights provided in these bills include:

  • The right to have notice on what categories of information is being collected and who it is being shared with;

  • The right to access any personal information collected by a business in a usable form;

  • The right to correct any personal information the consumer feels is incorrect; 

  • The right to delete any personal information; 

  • The right to opt out of any collection of information or any sharing of personal information with third parties; and 

  • The right not to be discriminated against by any business for exercising any rights.

Some, though not all, of these bills give the consumer a private right of action to sue a business that either allows a breach of their personal information or violates provisions of these privacy laws. 

Other states have introduced bills that are narrower in scope. A Louisiana (LA HB 617) would give consumers the right to know what information is collected about them and allows them to opt out of having their information sold to a third party but does not offer a right to correct or delete data. Lawmakers in Kentucky, South Dakota, Vermont, and  Wyoming have all introduced bills that would apply only to a broadband internet service provider and would restrict a provider from disclosing or selling customer personal information without express consent. South Carolina lawmakers introduced a bill (SC SB 3339) that would require internet service providers to obtain consent before collecting personal information and additional legislation (SC SB 904) that would require consent from customers before a natural gas or electric public utility could disclose personal information with third parties. Bills introduced in California and Virginia would apply specifically to minors. 

Data Broker Registration

Vermont became the first state to require data brokers to register with the government, with enforcement beginning in 2019. This year, Hawaii, New York, Rhode Island, and Washington are considering bills that would require data brokers to register and provide information to consumers on how to opt out of the collection of information.

Tax on Data Sharing

California Governor Gavin Newsom has proposed a “data dividend” that would allow consumers to profit off the sale of their personal information, although he has yet to offer a concrete proposal. A proposed bill in New York (NY AB 9112) would levy a five percent tax on businesses that “derive income from the data individuals of this state share with corporations.”

Facial Recognition, Biometrics, and Genetic Information

Growing concerns about the ability to detect consumers through facial recognition technology has led to a flurry of bills. Many of these relate to the ability of law enforcement to use facial recognition technology, an issue we analyzed in detail last month, but bills in Arizona, Maryland, South Dakota, and Washington, among others, would limit or prohibit businesses from using the technology without consumer consent.

Biometric information, which includes unique human body or characteristic identifiers, has been added to the definition of protected personal information in many new proposed privacy bills. Illinois has already passed a landmark Biometric Privacy Law and many other states could follow. Finally, lawmakers in Florida, Illinois, and Tennessee are debating bills that would protect genetic information collected by certain “direct-to-consumer” genetic testing companies. 

Location Tracking

Many applications on ubiquitous smartphones use location tracking to provide navigation information or direct us to the closest coffee shop. The downside to these beneficial features is that this geo-location data could allow consumer locations to be identified. Bills in California, Hawaii, Illinois, Maryland, New Hampshire, New Jersey, and New York would prohibit cell phone providers and app developers from sharing location tracking information with third parties without first obtaining consent.

Other Potential Privacy Issues

The popularity of connected devices that range from everything from personal assistants to thermostats, known broadly as internet of things (IoT), has created convenience in many homes. However, security concerns have led many state lawmakers (e.g., Kentucky) to introduce legislation that would require such devices to implement security measures that meet industry standards. Other legislation would limit when a microphone for voice recognition can be turned on (e.g., Illinois).

Concerns about how algorithms are used have led some states (e.g., New Jersey) to prohibit the use of algorithms to make certain decisions in credit, insurance coverage, and health care. As children use more technology, lawmakers have sought to protect them from targeted advertising and obscene content. Cybersecurity has continued to be a pressing issue, with some proposed bills giving an affirmative defense for businesses that comply with cybersecurity standards, with some states proposing the creation of a task force to study the issue.