Consumer Data Privacy Laws: 2021 State Trends
by Amber Fording, FiscalNote
In the wake of several significant developments in the consumer data privacy law realm — including the EU’s 2018 General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) of 2018, and large-scale data breaches — individual states have begun ramping up their consumer data protection initiatives. Until now, companies in the U.S. have largely been able to operate without much oversight on what kind of personal consumer data they store and what they choose to do with it.
With no centralized federal consumer data privacy regulations, state-level bill provisions fall into countless combinations of two main categories:
- Business obligations: security guidelines for how businesses store consumer data to prevent third-party breaches, notice and transparency requirements (for example, disclosing whether consumer data will be or has been sold to third parties), limitations on what types of data can be stored and for how long, and notification requirements in the event of a data breach.
- Consumer rights: the right to request access to what data has been collected, to request deletion of personal data, to opt out of data collection or marketing materials, and the creation of provisions for civil litigation where applicable.
It is clear that bipartisan support for data privacy regulation exists, but disagreements around implementation have prevented Congress from creating a federal solution so far. In the absence of a federal bill, states have created a patchwork of proposals with varying degrees of stringency.
Data regulation is typically enforced in either the state a company conducts business in or the state a company targets for its products and services. Many of the newly proposed bills will not go into effect for several years, but it is still important to stay on top of this rapidly changing landscape — many companies globally were not ready for GDPR when it went into effect in 2018, and some received hefty fines.
Interest in Data Privacy Skyrockets
In the past three months, the number of discovery alerts for “Data Privacy” in our FiscalNote platform has increased more than 1,100 percent. This indicates that government relations, public affairs, and advocacy professionals like yourself are looking to stay ahead of any new developments around this issue that could affect the way you conduct business.
FiscalNote’s easy-to-use discovery alerts allow you to track any movement on the issues you’re watching and get a heads up as soon as something happens. With our customized alerts, you can choose the specific keywords you want to monitor for when they come up or change. Plus, you can choose when you’d like to receive alerts and how often. The best part is you’ll be the first to know and you’ll never miss your window of opportunity to act, which is especially important for sensitive topics like data privacy.
In FiscalNote, you have the option to pair several topics in your alert settings. Beyond general data privacy legislation, the COVID-19 pandemic has created concern around privacy in virtual schooling environments and telemedicine. Thirty percent of data privacy alerts in FiscalNote were paired with health-related keywords, and 15 percent of overall privacy alerts contained additional student and e-learning-related keywords.
In addition to alerting, FiscalNote’s comprehensive data allows you to monitor and track specific legislation and regulation at the U.S. state, federal, and global levels. When looking particularly at data privacy legislation, finance, health care, and advocacy organizations that use FiscalNote have shown the most interest in tracking this type of bill.
Top 5 Data Privacy Bills in the United States
Of the top 50 tracked bills and regulations in FiscalNote over the past six months, 42 percent have been related to data privacy at the state level. These are the top five ranked in order of interest:
1. Virginia SB 1392 (and its House counterpart, HB 2307)
This consumer data protection act establishes a framework for controlling and processing personal data in the Commonwealth of Virginia. The bill applies to everyone who conducts business in the state and either controls or processes personal data of at least 100,000 consumers, or derives over 50 percent of gross revenue from the sale, control, or processing of personal data of at least 25,000 consumers.
The bill outlines responsibilities and privacy protection standards for data controllers and processors. However, it doesn’t apply to state or local governmental entities and contains exceptions for certain types of data and information governed by federal law.
The bill grants consumers the rights to access, correct, delete, or obtain a copy of personal data, and to opt out of the processing of personal data for targeted advertising. It also provides that the attorney general has exclusive authority to enforce violations of the law — the Consumer Privacy Fund is created to support this effort. This bill has a delayed effective date of Jan. 1, 2023.
2. Washington SB 5062
The Washington Privacy Act (WPA) integrates concepts from California’s CCPA and the EU’s GDPR. It gives Washington state residents the right to request that companies delete personal data, access the categories of personal data companies collect, and opt out of the processing of their personal data.
WPA would apply to companies that conduct business in the state or produce products or services that are targeted to Washington residents. It further refines its target as companies that control or process the personal data of 100,000 or more Washington residents in a calendar year, or derive over 25 percent of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Washington residents. The bill would exclude state agencies, HIPAA personal health information, and GLBA-regulated personal data.
If passed, WPA would take effect on July 31, 2022, with a four-year delayed effective date for higher education institutions, nonprofits, and air carriers.
3. New York A 680
This bill enacts the New York Privacy Act (NYPA) to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information is shared. It also gives consumers the right to have their personal data deleted, and it creates a special account to fund a new office of privacy and data protection in the state.
NYPA applies to companies that conduct business in New York state or produce products and services that are intentionally targeted to its residents. It also introduces the concept of a “data fiduciary,” which requires companies to prioritize personal data protection over the duty they owe to their shareholders, and includes a consent requirement similar to GDPR’s in Europe for all processing activities and third-party disclosures, with no exceptions.
Unlike bills in other states, this data privacy bill doesn't set a minimum amount of personal data a company must process, or a revenue threshold, for a company to be subject to it.
4. Oklahoma HB 1602
The Oklahoma Computer Data Privacy Act (OCDPA) provides consumers the right to request, delete, and opt out of the use of their personal information. It also requires businesses that collect or sell consumers' personal information to provide notice to the consumer, among other provisions.
The Oklahoma Corporation Commission would enforce the OCDPA, and any fines collected would go to the State’s General Revenue Fund. The bill also provides a private right of action for state residents, allowing them to seek injunctive relief, actual damages, and statutory damages up to $7,500 for intentional violations.
5. Minnesota HF 36
In this omnibus consumer data privacy law, consumers are given various rights regarding personal data. The proposed Minnesota Consumer Data Privacy Act (MCDPA) also places data transparency obligations on businesses and creates a private right of action. It provides enforcement authority to the attorney general with injunctive relief available, as well as civil penalties of up to $7,500 for each violation.
The bill is largely based on the proposed Washington Privacy Act (SB 5062), mentioned above. This means the bill would apply to companies that provide products or services to Minnesota residents, so long as these companies process personal data of at least 100,000 consumers, or generate more than 25 percent of their gross revenue from the sale of personal data while also processing the personal data of at least 25,000 consumers.
As for the consumer rights the MCDPA would govern, the bill gives consumers the right to verify, correct, delete, access, and opt out of processing their personal data. It also defines the time frames and other conditions for companies to respond to these consumer requests and further provides requirements for data protection assessments and consumer privacy notices.
Stay on Top of the Data Privacy Landscape Across the U.S. and Around the Globe with FiscalNote
It has never been more important for you to stay on top of the policy issues that cause you the greatest concern — especially ones that can end in fines for your business. Yet, issues are increasingly complicated at the state and federal level, and the pace can be maddening.
FiscalNote’s legislative tracking solutions bring you the right policy information at the right time, so you can better navigate risk and maximize new opportunities. We can help you track thousands of bills seamlessly, scan legislative language, follow news about lawmakers and committees, and successfully brief your internal stakeholders on the issues that impact your organization.