Privacy and Cybersecurity Laws and Pending Bills

Locale: Montana

Link to bill if available: https://leg.mt.gov/bills/2023/billpdf/SB0419.pdf

Bill Summary:

AN ACT BANNING TIKTOK IN MONTANA; PROHIBITING A MOBILE APPLICATION STORE FROM
OFFERING THE TIKTOK APPLICATION TO MONTANA USERS; PROVIDING FOR PENALTIES;
PROVIDING FOR ENFORCEMENT AUTHORITY; PROVIDING DEFINITIONS; PROVIDING FOR
CONTINGENT VOIDNESS; AND PROVIDING A DELAYED EFFECTIVE DATE.

Note: this bill bars mobile app stores from offering TikTok to Montana users, but it does not prohibit anyone who already has the app from continuing to use it, so in practice it protects very little.

Also, because the law does not take effect for more than six months (its delayed effective date is January 1, 2024), anyone who was considering downloading the app has ample time to do so first. In that sense the bill is something of a gift to TikTok: it is likely to increase downloads and usage in the state before the ban kicks in.

Link to article(s) if available: https://www.cyberadviserblog.com/2023/05/banned-montana-residents-face-countdown-to-the-last-days-of-tiktok/

https://www.cnn.com/2023/05/17/tech/montana-governor-tiktok/index.html

Locale: Iowa

Link to bill if available: https://www.legis.iowa.gov/legislation/BillBook?ba=SF%20262&ga=90

Bill Summary: Iowa’s bill is a second generation privacy bill giving consumers certain rights. The rights are more limited than California’s and similar to Utah’s. As of this writing the Governor has signed the bill and it goes into effect on January 1, 2025.

Link to article(s) if available: https://www.privacyworld.blog/2023/03/iowa-is-the-latest-state-to-pass-comprehensive-privacy-legislation/

Locale: Colorado

Link to AG’s Regulations if available: https://coag.gov/app/uploads/2023/03/FINAL-CLEAN-2023.03.15-Official-CPA-Rules.pdf

Bill Summary: The Colorado Privacy Act goes into effect on July 1, 2023, and the Attorney General's implementing regulations are now final.

Link to article(s) if available: https://www.mondaq.com/unitedstates/privacy-protection/1298642/colorado-finalizes-regulations-for-colorado-privacy-act

Locale: Connecticut

Link to bill if available: https://www.cga.ct.gov/asp/CGABillStatus/cgabillstatus.asp?selBillType=Bill&bill_num=SB6

Bill Summary:

On May 4, 2022, Connecticut became the fifth U.S. state with comprehensive consumer privacy legislation following the enactment of Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring. Most provisions of the law will go into effect alongside the Colorado Privacy Act July 1, 2023, giving organizations just under 14 months to come into compliance.

The law includes many of the same rights, obligations and exceptions as the consumer privacy laws already on the books in California, Colorado, Utah and Virginia. It draws heavily from the CPA and the Virginia Consumer Data Protection Act — with many of the law’s provisions either mirroring or falling somewhere between the Colorado and Virginia laws — but contains a few notable distinctions that should be factored into an entity’s compliance efforts. 

There is no annual revenue threshold, so any entity that meets the data-volume thresholds is in scope.

There are exemptions for government entities, nonprofits, higher education and several types of regulated entities (GLBA, HIPAA).

Consumer rights are broadly similar to those in the other state laws.

Link to article(s) if available:

https://iapp.org/news/a/connecticut-enacts-comprehensive-consumer-data-privacy-law/

https://www.natlawreview.com/article/connecticut-general-assembly-passes-comprehensive-privacy-bill

ADCG Connecticut Law Explainer

Locale: Utah

Link to bill if available: https://le.utah.gov/~2022/bills/static/SB0227.html

Bill Summary:

The Utah House of Representatives unanimously passed a consumer privacy bill which the Senate passed earlier this year. The governor is expected to sign it and has 20 days to veto it.

This bill has a higher threshold than most: it applies to businesses that conduct business in Utah or target Utah residents, have annual gross revenue of $25 million or more, and either control or process the personal data of at least 100,000 consumers, or derive over 50% of gross revenue from selling personal data and control or process the personal data of at least 25,000 consumers.

It exempts higher education, nonprofits, and HIPAA and GLBA covered entities.

It is scheduled to take effect December 31, 2023.

Other features of the bill are similar to other states –

  • The rights of notice, access, portability and deletion
  • The right to opt out of the use of their data for things like targeted advertising
  • The concept of “non-public” information goes away. Now information that is linked or reasonably linkable to a person is covered
  • It excludes employee data and business to business CONTACT information
  • It creates a category of sensitive information (race, ethnic origin, religion, sexual orientation and a number of other categories), but rather than requiring opt-in consent to process these categories, it only requires notice and an opportunity to opt out
  • There is no private right of action; only the AG can enforce this law
  • But it does grant the Utah Department of Commerce, Division of Consumer Protection the power to investigate complaints and refer them to the AG.

Link to article(s) if available: https://www.natlawreview.com/article/utah-poised-to-enact-consumer-privacy-law

Locale: Wisconsin

Link to bill if available: Wisconsin Legislature: 2021 Wisconsin Act 73

Bill Summary:

Wisconsin joins 11 other states in enacting its version of the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law.

It requires most companies licensed by the Office of the Commissioner of Insurance to implement a written cybersecurity program with administrative, technical and physical safeguards. The program must include a risk assessment and mitigation based on that assessment, an incident response plan, and timely notification of a cybersecurity event (breach).

The bill includes exemptions for companies regulated under HIPAA and GLBA.

Link to article(s) if available: Wisconsin Governor Signs Insurance Cybersecurity Act into Law (healthitsecurity.com)

Locale: Connecticut

Link to bill if available: https://www.cga.ct.gov/2021/act/Pa/pdf/2021PA-00119-R00HB-06607-PA.PDF

Bill summary:

Public Act 21-119 (HB 6607) – Signed into law July 6, 2021; goes into effect October 1, 2021

The law provides that in a tort action brought in state court alleging that a failure to implement reasonable cybersecurity controls resulted in a data breach, the court cannot assess punitive damages if the entity had a written cybersecurity program conforming to an industry-recognized framework.

A program is compliant if it conforms to the current version of the NIST Cybersecurity Framework, NIST SP 800-171, NIST SP 800-53, FedRAMP, the CIS Critical Security Controls (CIS 18) or ISO 27001. When a framework is revised, the entity has six months to bring its program into conformance with the new version.

Entities regulated by the state or federal government, or subject to HIPAA, GLBA, FISMA or HITECH, get the same safe harbor if their program conforms to the security requirements of those regimes.

The safe harbor only bars punitive damages. Regulators and the AG can still go after violators, and the protection does not apply where the failure to implement controls resulted from gross negligence or wilful or wanton conduct.

Link to article(s) if available:

Locale: Colorado

Link to bill if available: Colorado SB 21-190 (colorado.gov)

Signed by the governor on July 7, 2021; goes into effect July 1, 2023

Bill summary:

The CPA grants Consumers the following rights, namely the right to:

  • Opt-out of the processing of personal data;
  • Authorize another person to act on their behalf to opt-out of the processing of personal data for purposes of targeted advertising or the sale of the Consumer’s data;
  • Confirm whether personal data is being processed and access that data in a portable and readily usable format;
  • Correct inaccurate personal data;
  • Delete personal data; and
  • Have their consent obtained before a controller processes certain sensitive personal data (personal data that reveals race or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status)

Organizations are also required to enter into data processing agreements with service providers before the transfer of personal data, and in some cases conduct data protection assessments prior to processing personal data.

Finally, organizations are required to provide Consumers with a “reasonably accessible, clear, and meaningful” privacy notice. This notice must contain disclosures regarding applicable data collection and sharing practices.

Link to article(s), if available: Colorado’s New Privacy Act (natlawreview.com)

Colorado Becomes Third State to Pass Comprehensive Privacy Legislation | Moore & Van Allen PLLC – JDSupra

How the new Colorado Privacy Act will impact your business | VentureBeat

Locale: Utah

Link to bill if available: SB0227 (2021 General Session, utah.gov)

This law goes into effect in May 2021

Bill Summary: The Genetic Information Privacy Act (GIPA) protects genetic data collected by direct-to-consumer genetic testing companies (such as 23andMe and Ancestry.com). It has already been signed into law and becomes enforceable in May 2021. Violations are enforced by Utah's attorney general, who may recover actual damages to the consumer, attorney fees, and a $2,500 penalty for each violation.

The law requires specific notices upon collection of genetic data, a security program, and a set of consumer rights, including the right to have one's biological sample destroyed.

Link to articles, if available: Utah Moving on Data Privacy Laws – ADCG

Locale: United States

NOTE THAT THIS WOULD BE A FEDERAL DATA PRIVACY LAW, IF ENACTED AND SIGNED

Link to bill, if available: HR 2013 (116th Congress) – https://www.congress.gov/bill/116th-congress/house-bill/2013

Bill Summary: This is a pending bill, referred to the House Committee on Energy and Commerce.

This bill requires the Federal Trade Commission (FTC) to establish requirements for entities providing services to the public that collect, store, process, use, or otherwise control sensitive personal information. Information relating to an identifiable individual is generally considered sensitive personal information. However, information that is publicly available is not considered sensitive.

The FTC must require controllers of sensitive personal information to (1) provide consumers with a privacy and data use policy, (2) obtain affirmative consent to collect or use consumers’ sensitive data, and (3) obtain an annual privacy audit that evaluates the sufficiency of the controller’s data privacy and security controls.

Links to articles: At Last: US Proposes Federal Data Privacy Law – ADCG

Locale: Florida

Link to bill, if available: FL HB 969. Filed 02/15/21; effective 01/01/22 if enacted

Bill Summary: The bill is very similar to California's CCPA. Republicans control both the governorship and the legislature, and the governor has thrown his weight behind the bill, which improves its chances.

Like California, it includes a private right of action and applies to businesses with more than $25 million in revenue or that collect information on more than 50,000 consumers. Like the CCPA, it lets people opt out of the sale or sharing of their information, requires a data retention schedule that prohibits both use and retention of personal information once the initial purpose for collecting it has been satisfied, and grants the right to obtain a copy of your data, among other rights. We will see if Florida passes the bill.

Link to articles: Florida Throws Its Hat Into the Privacy Ring, And It’s Looking A Lot Like California | Shook, Hardy & Bacon L.L.P. – JDSupra

A Guide to Florida’s Proposed Version of CCPA – ADCG

Locale: Oklahoma

Effective Date: Bill introduced February 2, 2021

Link to bill, if available: OK HB 1602 – OK HB1602 | 2021 | Regular Session | LegiScan

Bill Summary: Similar to the CCPA; applies to companies that have gross revenue greater than $10 million, annually hold data on 50,000 or more people, or derive 25% or more of their revenue from selling consumer data. It empowers the Oklahoma Corporation Commission to adopt implementing rules covering consumers' rights to information, to deletion, and to opt out of sale. It also requires businesses to notify consumers before collecting their data.

Link to articles: Oklahoma: Oklahoma Computer Data Privacy Act introduced in Oklahoma House of Representatives | News post | DataGuidance

Locale: Virginia

Effective Date: Bill introduced January 13, 2021; SIGNED BY THE GOVERNOR ON MARCH 2, 2021 – IT IS NOW LAW. Delayed effective date of January 1, 2023.

Update: The Consumer Data Protection Act applies to entities of a certain size that do business in Virginia or have users based in Virginia. The bill enjoyed broad support among state lawmakers: it passed 89-9 in the Virginia House and unanimously (39-0) in the state Senate, and Democratic Gov. Ralph Northam signed it into law on March 2, 2021.

Link to bill, if available: https://lis.virginia.gov/cgi-bin/legp604.exe?211+ful+SB1392+pdf

Bill Summary: Establishes a framework for controlling and processing personal data in the Commonwealth. The bill applies to all persons that conduct business in the Commonwealth and either (i) control or process personal data of at least 100,000 consumers or (ii) derive over 50 percent of gross revenue from the sale of personal data and control or process personal data of at least 25,000 consumers. The bill outlines responsibilities and privacy protection standards for data controllers and processors. The bill does not apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law. The bill grants consumer rights to access, correct, delete, obtain a copy of personal data, and to opt out of the processing of personal data for the purposes of targeted advertising. The bill has a delayed effective date of January 1, 2023.

Link to article(s): https://www.jdsupra.com/legalnews/virginia-senate-also-passes-consumer-6341250/

Virginia is about to get a major California-style data privacy law | Ars Technica

Virginia data privacy law presents new challenges for security practitioners | Security Info Watch

Locale: India

Effective Date: Bill introduced in 2019; being debated in 2021

Link to bill, if available: Personal_Data_Protection_Bill,2018.pdf (meity.gov.in)

Bill Summary: Introduced in December 2019. It creates a data protection authority, establishes consumer rights, and requires organizations that determine how data is processed to act as "data fiduciaries." It is modeled on the GDPR but differs in important respects. Like the GDPR, it proposes fines of up to 2% or 4% of the organization's worldwide turnover for the preceding financial year (or a fixed rupee amount, whichever is higher), depending on the violation.

Link to article(s):

https://iapp.org/media/pdf/resource_center/india_pdpb2019_vs_gdpr_iapp_chart.pdf

A Guide to India’s Proposed Data Privacy Law – ADCG

Locale: New York State

Effective Date: BILL Introduced January 6, 2021

Name: Biometric Privacy Act

Link to bill, if available: https://legiscan.com/NY/text/A00027/id/2224256/New_York-2021-A00027-Introduced.html

Bill summary: New York State legislators have proposed a private right of action with Assembly Bill 27, a proposed amendment to New York's General Business Law (GBL). This amendment, also called the Biometric Privacy Act (BPA), would allow consumers to sue companies for improperly collecting or using certain biometric data. Here's our analysis:

This bill follows GDPR's lead in treating biometric data as especially sensitive. That said, the BPA applies only to "biometric identifiers": specific biometric data that can reveal the identity of its subject. The bill explicitly states that this encompasses fingerprints, voiceprints, and scans of hands, faces or eyes. It does not include samples used for valid scientific testing or screening, donated body parts, or handwriting samples.

The bill doesn't apply only to the identifiers themselves. It also protects against the misuse of "biometric information": any information based on the listed identifiers that can be used to identify the subject, regardless of how it is captured, converted, or stored.

Note that this bill, if it becomes law, will allow people to sue companies if they violate any provision of the bill.

Link to articles: https://adcg.org/new-york-state-proposes-biometric-privacy-law/?mc_cid=193a7d415d&mc_eid=90c714ac11


Locale: Washington State

Effective Date: BILL INTRODUCED

Name: The Washington Privacy Act

Link to the BILL, if available: Unable to find a link

Bill Summary: Read the article below for details. In short, the bill gives Washington residents new rights, requires more transparency, reduces or eliminates the requirement for consumer consent, and greatly increases the responsibilities of data controllers relative to data processors (the third parties you hire to do the work, such as cloud software providers and vendors).

Link to articles: https://adcg.org/the-washington-privacy-act-is-back-in-play/?mc_cid=193a7d415d&mc_eid=90c714ac11


Locale: New Zealand

Effective Date: 01 December 2020

Name: The Privacy Act 2020 (introduced as the Privacy Bill 2018)

Link to the law, if available: http://www.legislation.govt.nz/bill/government/2018/0034/latest/LMS23223.html

Law summary: The Privacy Act 2020 ("Act"), which became effective on December 1, 2020 and replaces the Privacy Act 1993, makes significant changes to New Zealand's privacy regime. In particular, the Act extends the regime to businesses that carry on business in New Zealand whether or not they have a legal or physical presence there. To transfer personal data outside of New Zealand, an organization must reasonably believe that the receiving entity is subject to "comparable safeguards" to those provided by the Act (or the organization must satisfy another condition specified in the Act). In the event of a privacy breach that has caused, or is likely to cause, serious harm, the organization must notify both the Privacy Commissioner and the affected individuals. In addition, the Act creates a number of new offenses, increases fines, and gives the Privacy Commissioner the power to issue compliance notices.

Articles: https://www.mofo.com/resources/insights/201216-new-zealand-new-privacy-rules.html