As we’re always preaching, the data privacy landscape is ever-evolving, and 2021 appears to be the year in which many US states take the initiative to consider and/or implement state-specific data privacy regulations for their residents. In the absence of a federal data privacy framework, this has the potential to create a compliance nightmare for many companies, as there is no one-size-fits-all solution to data privacy compliance, either in the US or anywhere else in the world. We’ve compiled a list of the current state of data privacy regulations in various US states (with links to the more in-depth articles we’ve already written about individual states), which is, of course, subject to change as the laws move through the legislative process.
How Many Bills Have Been Introduced?
As of March 1, 2021, state lawmakers have introduced bills in 18 states, with some states considering multiple bills. To make things simpler, we’ve categorized a list of the bills in these 18 states as follows:
1) Active bills: those that have made progress, such as a committee hearing, vote, or passage;
2) Introduced bills: those that have been introduced in a state legislature but have yet to see any real movement; and
3) Dead bills: those that have been introduced but have already failed.
Connecticut has introduced two data privacy bills in 2021; both bills are with the Joint General Law Committee, which held a public hearing on February 25. Strangely, one of these bills is just one paragraph long!
On February 10, 2021, the House Technology Committee unanimously (6-0) passed the Oklahoma Computer Data Privacy Act (“OCDPA”) but, nearly three weeks later, the bill has not moved forward. OCDPA is one of the more intriguing state laws because it adopts a GDPR-style “opt-in” framework for consent, unlike most US data privacy laws, whether implemented or introduced, which take an “opt-out” approach.
Utah introduced the Utah Consumer Privacy Act (“UCPA”) on February 16, 2021. The bill’s legislative history indicates that, as of February 26, it is on a third reading in the Senate.
As currently drafted, the Utah bill is similar to the Washington and Virginia bills. One notable difference, however, is that the bill includes a separate provision on commercial emails. Also, if passed, the law would go into effect on January 1, 2022, earlier than Virginia (January 1, 2023) and Washington (July 31, 2022).
Virginia’s governor signed the Virginia Consumer Data Privacy Act (“VCDPA”) and the law will go into effect January 1, 2023. Similar to the way California’s regime has evolved, consumer advocacy groups have already stated they intend to request that the Virginia legislature strengthen the law in its next session.
The Washington Privacy Act (“WPA”) has died twice previously in the Washington Senate, but advocates hope that the third try is the charm.
North Dakota’s HB 1330 and Mississippi’s Senate Bill 2612 have both died.