Link to bill if available: https://leg.mt.gov/bills/2023/billpdf/SB0419.pdf
Bill Summary:
AN ACT BANNING TIKTOK IN MONTANA; PROHIBITING A MOBILE APPLICATION STORE FROM
OFFERING THE TIKTOK APPLICATION TO MONTANA USERS; PROVIDING FOR PENALTIES;
PROVIDING FOR ENFORCEMENT AUTHORITY; PROVIDING DEFINITIONS; PROVIDING FOR
CONTINGENT VOIDNESS; AND PROVIDING A DELAYED EFFECTIVE DATE.
Note: this bill bans app stores from offering TikTok in the state, but doesn’t stop users from using it, so it really doesn’t protect anyone.
Also, given that the law does not take effect for more than 6 months, everyone who might have considered downloading the app will do so before the law takes effect, so you might consider this a gift to TikTok since it will certainly increase downloads and usage.
Link to article(s) if available: https://www.cyberadviserblog.com/2023/05/banned-montana-residents-face-countdown-to-the-last-days-of-tiktok/
https://www.cnn.com/2023/05/17/tech/montana-governor-tiktok/index.html
Link to bill if available: https://www.legis.iowa.gov/legislation/BillBook?ba=SF%20262&ga=90
Bill Summary: Iowa’s bill is a second generation privacy bill giving consumers certain rights. The rights are more limited than California’s and similar to Utah’s. As of this writing the Governor has signed the bill and it goes into effect on January 1, 2025.
Link to article(s) if available: https://www.privacyworld.blog/2023/03/iowa-is-the-latest-state-to-pass-comprehensive-privacy-legislation/
Link to AG’s Regulations if available: https://coag.gov/app/uploads/2023/03/FINAL-CLEAN-2023.03.15-Official-CPA-Rules.pdf
Bill Summary: The law goes into effect on July 1, 2023, and the regulations are now final.
Link to article(s) if available: https://www.mondaq.com/unitedstates/privacy-protection/1298642/colorado-finalizes-regulations-for-colorado-privacy-act
Link to bill if available: https://www.cga.ct.gov/asp/CGABillStatus/cgabillstatus.asp?selBillType=Bill&bill_num=SB6
Bill Summary:
On May 4, 2022, Connecticut became the fifth U.S. state with comprehensive consumer privacy legislation following the enactment of Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring. Most provisions of the law will go into effect alongside the Colorado Privacy Act July 1, 2023, giving organizations just under 14 months to come into compliance.
The law includes many of the same rights, obligations and exceptions as the consumer privacy laws already on the books in California, Colorado, Utah and Virginia. It draws heavily from the CPA and the Virginia Consumer Data Protection Act — with many of the law’s provisions either mirroring or falling somewhere between the Colorado and Virginia laws — but contains a few notable distinctions that should be factored into an entity’s compliance efforts.
There is no annual revenue exemption, so everyone who meets the data requirements is in scope.
There are exemptions for government entities, nonprofits, higher education and several types of regulated entities (GLBA, HIPAA).
Consumer rights are pretty similar to the other state laws.
Link to article(s) if available:
https://iapp.org/news/a/connecticut-enacts-comprehensive-consumer-data-privacy-law/
https://www.natlawreview.com/article/connecticut-general-assembly-passes-comprehensive-privacy-bill
ADCG Connecticut Law Explainer
Link to bill if available: https://le.utah.gov/~2022/bills/static/SB0227.html
Bill Summary:
The Utah House of Representatives unanimously passed a consumer privacy bill which the Senate passed earlier this year. The governor is expected to sign it and has 20 days to veto it.
This bill has a higher threshold – it targets businesses who target Utah residents, have an annual gross revenue of over $25 million and either control or process data on at least 100,000 residents.
It exempts higher education, nonprofits, and HIPAA and GLBA covered entities.
It is scheduled to take effect December 31, 2023.
Other features of the bill are similar to other states –
Link to article(s) if available: https://www.natlawreview.com/article/utah-poised-to-enact-consumer-privacy-law
Link to bill if available: Wisconsin Legislature: 2021 Wisconsin Act 73
Bill Summary:
Wisconsin joins 11 other states in enacting its version of the National Association of Insurance Commissioners model cybersecurity law.
It requires most companies licensed by the Office of the Commissioner of Insurance to implement a cybersecurity program with administrative, technical and physical safeguards. The program must include a risk assessment and mitigation based on that assessment, an incident response program and timely notification of a breach.
The bill includes exemptions for companies regulated under HIPAA and GLBA.
Link to article(s) if available:
Link to bill if available: https://www.cga.ct.gov/2021/act/Pa/pdf/2021PA-00119-R00HB-06607-PA.PDF
Bill summary:
Public law 21-119 HB 6607 – Signed into law July 6, 2021, Goes into effect October 1, 2021
The law says that if a suit is filed in state court and the entity had a compliant cybersecurity program, the court cannot award punitive damages.
Compliant programs are those that follow the NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, CIS 18 or ISO 27001.
Businesses have a get-out-of-jail-free card (they are automatically compliant) if they are regulated by the state or the feds, covered by HIPAA, GLBA, FISMA or HITECH.
While this prohibits punitive damages, the regulators or AG can still go after violators.
Link to article(s) if available: Wisconsin Governor Signs Insurance Cybersecurity Act into Law (healthitsecurity.com)
Link to bill if available: C:\190_01.txt (colorado.gov)
Signed by the governor on July 8, 2021; goes into effect July 1, 2023
Bill summary:
The CPA grants Consumers certain rights, namely the right to:
Organizations are also required to enter into data processing agreements with service providers before the transfer of personal data, and in some cases conduct data protection assessments prior to processing personal data.
Finally, organizations are required to provide Consumers with a “reasonably accessible, clear, and meaningful” privacy notice. This notice must contain disclosures regarding applicable data collection and sharing practices.
Link to article(s), if available: Colorado’s New Privacy Act (natlawreview.com)
How the new Colorado Privacy Act will impact your business | VentureBeat
Link to bill if available: SB0227 (utah.gov)
This law goes into effect in May, 2021
Bill Summary: GIPA looks to protect genetic data collected by direct to consumer genetic testing companies (like 23andMe, Ancestry.com). It has already been signed into law and is expected to become enforceable in May 2021. Any violations will be enforced by Utah’s attorney general, who may recover actual damages to the consumer, attorney fees, and a $2,500 penalty for each violation.
The law requires certain notices upon collection of genetic data, a security program and consumer rights. It even allows the consumer to destroy their genetic sample.
Link to articles, if available: Utah Moving on Data Privacy Laws – ADCG
NOTE THAT THIS WOULD BE A FEDERAL DATA PRIVACY LAW, IF ENACTED AND SIGNED
Link to bill, if available: HR 2013 (2021) – https://www.congress.gov/bill/116th-congress/house-bill/2013
Bill Summary: This is a pending bill, referred to the House Committee on Energy and Commerce.
This bill requires the Federal Trade Commission (FTC) to establish requirements for entities providing services to the public that collect, store, process, use, or otherwise control sensitive personal information. Information relating to an identifiable individual is generally considered sensitive personal information. However, information that is publicly available is not considered sensitive.
The FTC must require controllers of sensitive personal information to (1) provide consumers with a privacy and data use policy, (2) obtain affirmative consent to collect or use consumers’ sensitive data, and (3) obtain an annual privacy audit that evaluates the sufficiency of the controller’s data privacy and security controls.
Links to articles: At Last: US Proposes Federal Data Privacy Law – ADCG
Link to bill, if available: FL HB 969. Filed 02/15/21; Effective 01/01/22
Bill Summary: The bill is very similar to California’s CCPA. Given that the governor and the legislature are all Republican and the governor has thrown his weight behind the bill, that improves its chances.
Like California, it includes a private right of action and applies to businesses that have revenue of more than $25 million or that collect information on more than 50,000 consumers. Like CCPA, it allows people to opt out of the sale or sharing of information, requires a data retention schedule that prohibits the use AND RETENTION after the initial purpose for collecting the info has been satisfied, and provides the right to get a copy of your data and other rights. We will see if Florida passes the bill.
Link to articles: Florida Throws Its Hat Into the Privacy Ring, And It’s Looking A Lot Like California | Shook, Hardy & Bacon L.L.P. – JDSupra
A Guide to Florida’s Proposed Version of CCPA – ADCG
Effective Date: Bill introduced February 2, 2021
Link to bill, if available: OK HB 1602 – OK HB1602 | 2021 | Regular Session | LegiScan
Bill Summary: Similar to CCPA; applies to companies with gross revenue greater than $10 mil, annually has data on 50,000 people or derives 25% or more of its revenue from selling consumer data. Empowers the Oklahoma Corporation Commission to adopt rules to implement: consumers’ right to information, to deletion, and to opt out of sale. It also requires businesses to notify consumers prior to collecting data.
Link to articles: Oklahoma: Oklahoma Computer Data Privacy Act introduced in Oklahoma House of Representatives | News post | DataGuidance
Effective Date: Bill introduced on Jan 13, 2021. SIGNED BY THE GOVERNOR ON MARCH 2, 2021 – IT IS NOW LAW.
Update: If adopted, the Consumer Data Protection Act would apply to entities of a certain size that do business in Virginia or have users based in Virginia. The bill enjoys broad popular support among state lawmakers; it passed 89-9 in the Virginia House and unanimously (39-0) in the state Senate, and Democratic Gov. Ralph Northam is widely expected to sign it into law without issue in the coming days.
Link to bill, if available: https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392+pdf
Bill Summary: Establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising. The bill has a delayed effective date of January 1, 2023.
Link to article(s): https://www.jdsupra.com/legalnews/virginia-senate-also-passes-consumer-6341250/
Virginia is about to get a major California-style data privacy law | Ars Technica
Virginia data privacy law presents new challenges for security practitioners | Security Info Watch
Effective Date: Bill introduced in 2019; being debated in 2021
Link to bill, if available: Personal_Data_Protection_Bill,2018.pdf (meity.gov.in)
Bill Summary: Introduced in December 2019. It creates a data protection authority, creates consumer rights, and requires data managers to operate as a fiduciary. It is similar to, but different from, GDPR. Like GDPR, it proposes fines of up to 2% or 4% of the organization’s last year’s revenue.
Link to article(s):
https://iapp.org/media/pdf/resource_center/india_pdpb2019_vs_gdpr_iapp_chart.pdf
A Guide to India’s Proposed Data Privacy Law – ADCG
Effective Date: BILL Introduced January 6, 2021
Name: Biometric Privacy Act
Link to bill, if available: https://legiscan.com/NY/text/A00027/id/2224256/New_York-2021-A00027-Introduced.html
Bill summary: New York State legislators have proposed a private right to action with Assembly Bill 27 – a proposed amendment to New York’s General Business Law (GBL). This amendment – also called the Biometric Privacy Act (BPA) – would allow consumers to sue companies for improperly collecting or using certain biometric data. Here’s our analysis:
This law takes GDPR’s lead in identifying biometric data as especially sensitive. That being said, BPA applies only to “biometric identifiers” – certain biometric data that can reveal the identity of its subject. The bill explicitly states that this encompasses fingerprints, voiceprints, and scans of hands, faces or eyes. It does not include samples used for valid scientific testing or screening, donated body parts, or handwriting samples.
The law doesn’t just apply to the identifiers. It also protects against the misuse of biometric information – any information based on the listed identifiers that can be used to identify the subject, regardless of how it is captured, converted, or stored.
Note that this bill, if it becomes law, will allow people to sue companies if they violate any provision of the bill.
Link to articles: https://adcg.org/new-york-state-proposes-biometric-privacy-law/?mc_cid=193a7d415d&mc_eid=90c714ac11
Effective Date: BILL INTRODUCED
Name: The Washington Privacy Act
Link to the BILL, if available: Unable to find a link
Bill Summary: Read the article below for details, but the bill gives Washington residents new rights and more transparency, reduces or eliminates the requirement for consumer consent, and greatly increases the responsibilities of data controllers over data processors (those third parties you get to do the work, like cloud software and vendors).
Link to articles: https://adcg.org/the-washington-privacy-act-is-back-in-play/?mc_cid=193a7d415d&mc_eid=90c714ac11
Effective Date: 01 December 2020
Name: The Privacy Act of 2018
Link to the law, if available: http://www.legislation.govt.nz/bill/government/2018/0034/latest/LMS23223.html
Law summary: The amendments, which became effective on December 1, 2020, make significant changes to New Zealand’s privacy regime. In particular, the Privacy Act 2018 (“Act”) expands the application of the privacy regime to businesses whether or not they have a legal or physical presence in New Zealand. In order to transfer personal data outside of New Zealand, an organization must reasonably believe that the receiving entity provides “comparable safeguards” to those provided by the Act (or the organization must satisfy another condition specified in the Act). In the event of a data breach, the organization must notify both the data protection authority and affected individuals. In addition, the Act provides for a number of new offenses, increased fines, and compliance notices.
Articles: https://www.mofo.com/resources/insights/201216-new-zealand-new-privacy-rules.html