Data Privacy, Coming Soon to A State Near You: The New Year Brings New Bills in the Bid to Fill the Privacy Law Void

The process of defining the personal data that consumers share knowingly and unknowingly every day and spelling out the corresponding rights and obligations has become one of the next most concerning areas of the law.  The challenges are evident in the aftermath of California passing its Consumer Privacy Act in a number of state privacy bills introduced in the last two months.

Our blog has already covered recently introduced proposals in Washington, Florida, and Virginia.   Below, we discuss proposed bills introduced in four more states: New Hampshire, Hawaii, Maryland, and Arizona.  These proposed measures can be viewed under two lenses, first – the rights they afford the consumers, and second – the obligations they impose on defined businesses or entities.

New Hampshire
On January 8, 2020, New Hampshire introduced its privacy bill, HB1680. The new measure proposes to allow consumers the right to request access to the categories of personal information, sources from which personal information is collected, purposes of collection, categories of third parties with whom information is shared or sold, deletion of that information, portability, and the right to opt out of the sale of personal information.  Consumers under the age of 16 must expressly choose to opt in to the sharing or sale of personal information. Most significantly, for the purposes of enforcement this bill creates a private right of action in the case of a breach of any personal information.

The bill also creates specific obligations for businesses. Businesses must make available two or more designated methods for consumers to submit their data subject requests and must promptly comply with those requests.  Businesses must annually display and update their privacy policies including a description of the consumer’s rights, the categories of personal information collected, the categories of personal information sold, and the categories of personal information shared for business purposes within the last 12 months. They will be required to create and convey the right to opt out with a link to a clearly titled “Do Not Sell My Information” web page. Businesses may not discriminate against consumers who avail themselves of their rights. If incentives are offered in exchange for a consumers’ personal information, a business must notify all consumers of the financial incentives. The bill as written will only apply to companies that process data of 50,000 or more New Hampshire residents. If passed, this act would be effective on January 1, 2021.

Maryland
On January 17, 2020,  Maryland introduced HB 249, a bill meant to regulate the dissemination of the consumers’ personal information by granting a right to opt out of third-party disclosures through an opt-out setting on a browser, browser extension, or global device setting. This bill does not create a private right of action for the consumers.

Businesses would be required to provide a clear and conspicuous link on their homepage to enable the consumers to opt out, which can only be reversed by obtaining an express authorization from the consumer, comply with the consumer’s option to opt out, refrain from disclosing the information of any individual under the age of 18, and refrain from discriminating against consumers based on the exercise of their rights. This bill is applicable to those businesses that have a gross revenue in excess of $25,000,000 or annually buy, sell, receive or share for commercial purposes personal information of 100,000 or more consumers, households, or devices, or derive at least 50% of their annual revenue from selling personal data. If passed, this act would be effective on January 1, 2021.

Hawaii
On January 18, 2020, Hawaii introduced SB 2451. The purpose of this bill is to provide the consumers with an explicit option to opt out of the sale of personal information by third parties to whom their personal information has been sold.

Third parties cannot use or sell personal information unless they provide explicit notice to Hawaii consumers and the right to opt out by including on their homepage a conspicuous link titled “Do Not Sell My Information”.  Once a consumer has opted out, the third party must refrain from selling the information and respect the opt out for at least 12 months before requesting permission to again sell the consumer’s personal information. In the case of minors 16 and under, a consumer must explicitly consent. If passed, this act would be effective immediately.

Arizona
On February 5, 2020, Arizona introduced HB 2729. This bill is designed to regulate obligations of the controllers and their handling of personal information. For purposes of this bill a “controller” is defined as one that determines the purpose and means of processing personal data for a legal entity.

This bill would grant consumers the rights to access, correction, deletion, and the right to restrict data that is incorrect or no longer necessary for the purpose for which it was collected. Notably, it does not specifically provide a right to opt out.

The controllers’ obligations include notifying the consumers at or before the point of collection of the categories of personal information being collected and the purpose of collection. Controllers cannot utilize data for purposes other than those already disclosed without further notice. Upon receipt of a verified request, a controller must provide a copy of any personal information collected to the consumer. If the consumer informs controller of incorrect data, processor is obliged to restrict further processing. Controller must notify any third-party recipients of personal data of correction, deletion, or restriction of processing of data.

The bill as written would apply to a legal entity that purposely targets residents of the state, has a gross annual revenue of at least $25,000,000 and controls or processes personal data of at least 100,000 consumers or derives 35% of gross revenue from the sale personal data.

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653