New Privacy Legislations Proposed in Several US States

Written by Alex Margau | Feb 16, 2023 2:00:00 PM

Since the start of 2023, and particularly since the beginning of February, several US states have joined the data privacy landscape with new proposals of their own. This brings the total number of states with a data privacy bill to 16, counting bills that are already active, bills that have moved forward through state legislative chambers, and newly proposed bills.

New bills have been developed in Maryland, Minnesota, and Texas, and New York has had two new bills proposed in addition to the two that already existed.

Maryland (Online and Biometric Data Privacy Act - SB 698)

  • Application: entities that conduct business in the state, or target state residents, and that in the past calendar year met one of the following thresholds: (1) controlled or processed personal data of at least 100,000 consumers; or (2) controlled or processed personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data.

  • Exemptions: various types of data and entities (judicial or state political entities; data covered by HIPAA or FERPA; certain employment information).

  • Subject rights: to access, to correct, to delete, to portability, to confirm the processing of their data, to opt out of processing for purposes of targeted advertising.

  • Mandates privacy by design, purpose limitation, and appropriate security measures, as principles for compliance. 

  • Imposes restrictions on sensitive data and biometric data.

  • Requires DPIAs to be conducted where processing poses an increased risk of harm to the data subject.

  • Enforcing authority: state Attorney General.

  • Proposed effective date: October 1st, 2023.

 

Minnesota (HF1367)

  • Application: businesses that meet the following thresholds: (1) have annual gross revenues exceeding $25 million; (2) annually buy or sell personal information of 50,000 or more individuals, households, or devices; or (3) derive 50% or more of their annual revenue from selling personal information.
  • Subject rights: to access, to delete, to opt out of the sale of their information, to obtain their data in a portable format.
  • Imposes the obligation for businesses to provide a “Do Not Sell My Personal Information” link.
  • Offers individuals a private right of action for violations.
  • Enforcing authority: state Attorney General.
  • Proposed effective date: June 30th, 2024.

 

Texas (Texas Data Privacy and Security Act - HB 1844)

  • Application: large businesses operating in the state or targeting state residents, which process or sell personal data.

  • Exemptions: state government entities, financial institutions, entities and information covered by HIPAA, information covered by FERPA.

  • Subject rights: to access, to correct, to delete, to portability, to confirm the processing of their data, to opt out of processing for purposes of targeted advertising, to opt out of the sale of their personal information, to opt out of profiling.

  • Mandates privacy by design, purpose limitation, and appropriate security measures, as principles for compliance. 

  • Imposes restrictions on sensitive data processing without consent.

  • Requires DPIAs to be conducted where processing poses an increased risk of harm to the data subject.

  • Enforcing authority: state Attorney General.

  • Proposed effective date: September 1st, 2023.

 

New York (New York Data Protection Act - A2587)

  • Application: businesses located in NY that collect personal information and meet one of the following: (1) have an annual gross revenue exceeding $50 million; (2) annually sell personal information of at least 100,000 consumers or devices; or (3) derive 50% or more of their annual revenue from selling consumers’ personal information.
  • Exemptions: entities and information covered by FCRA.
  • Subject rights: to know what personal information has been collected, sold, or disclosed; to opt out of the sale of personal information.
  • Imposes restrictions on the sharing of personal information for government entities or contractors, based on the crucial nature of the information shared for the performance of contractual obligations.
  • Enforcing authority: state Attorney General.
  • Proposed effective date: one year after enactment.

 

New York (Senate Bill S3162)

  • Application: businesses located in NY that collect personal information and meet one of the following: (1) have an annual gross revenue exceeding $50 million; (2) annually sell personal information of at least 100,000 consumers or devices; or (3) derive 50% or more of annual revenue from selling consumers’ personal information.
  • Exemptions: entities and information covered by HIPAA or FCRA.
  • Subject rights: to know what personal information has been collected, sold, or disclosed; to opt out of the sale of personal information.
  • Imposes the obligation for businesses to provide a “Do Not Sell My Personal Information” link.
  • Creates a private right of action for violations.
  • Enforcing authority: state Attorney General.
  • Proposed effective date: 180 days after enactment.