Since the passing of the European General Data Protection Regulation (“GDPR”), several states have introduced or passed privacy and data protection legislation. In addition to the California Consumer Privacy Act of 2018 (“CCPA”), the following state laws should be on your radar in 2019.

New Laws

  • Colorado’s H.B. 18-1128 “concerning strengthening protections for consumer data privacy,” which became effective on September 1, 2018, imposes strict obligations on businesses that maintain, own, or license personal information. Such businesses must have written policies governing the disposal of paper and electronic records containing personal information, take reasonable steps to protect such information, and provide detailed notice of a data breach to consumers and, in certain circumstances, the Attorney General.
  • Vermont’s data broker privacy law (H.B. 764), effective January 1, 2019, is the first of its kind in the United States. It regulates businesses that buy and sell personal information about consumers with whom the business does not have a relationship. The law requires data brokers to disclose what data they collect and allow customers to opt out. It also imposes registration, reporting, and security obligations on data brokers and provides for a right of action for consumers.

New Bills

  • In Illinois, the City of Chicago has introduced an ordinance on facial recognition technology (Section 4-4-308 of the Municipal Code). The bill would require a licensee to use facial recognition systems for security purposes only, to post a sign at the establishment’s entrance informing that such data is being gathered, prohibit the sale, lease or trade of such data, and establish a written policy for destruction of the data.
  • New Jersey has several pending bills addressing data privacy and cybersecurity. One bill is S.B. No. 2834, which would require operators of commercial websites or online services to notify customers of personal information collection practices, respond to customer requests, post a “Do Not Sell My Personal Information” website link, and allow customers to opt out without being discriminated against. Another bill is A.B. No. 3923, which would require operators to conspicuously post privacy policies containing certain information.
  • New Mexico kicked off 2019 by introducing the Consumer Information Privacy Act bill (S.B. No. 176). Among other things, the Act would enumerate consumers’ rights regarding their personal information being collected, place restrictions on the use and sale of personal information, prohibit businesses from discriminating against a consumer for exercising any of the consumer’s rights, and require a business to train its employees on privacy practices.
  • New York kept pace by introducing the Personal Information Protection Act bill (A.B. 465) on January 9, 2019. The Act, which includes a private right of action, would establish a privacy bill of rights, require parties who receive or maintain a resident’s personal information to ensure its security, provide for the approval of programs to secure personal information by the office of information security, direct the office of information security to establish an information sharing program to assess threats to cybersecurity, impose breach notification requirements, and establish standards for the protection of personal information.

On the Horizon

  • There are also bills in other states that have not yet been introduced or were introduced and did not pass. Maryland’s Internet Privacy and Net Neutrality Bill (H.B. No. 1654) sought to establish privacy requirements for the use, disclosure, sale, or provision of consumer data. While it did not pass the state Senate, we expect a renewed effort to pass a modified version of the bill in 2019. Additionally, several states continue to be interested in specific bills relating to biometric data.