State “CCPA” Privacy Bills in Rhode Island, Hawaii and New Jersey
We have already covered a number of privacy laws being considered across the country by states (New Mexico, Washington, Massachusetts, New York and North Dakota) following the passage of the California Consumer Privacy Act. We have recently learned of privacy bills in Rhode Island, Hawaii and New Jersey that we have yet to cover. Here is a brief description of each for those that are keeping track with us:
Rhode Island S0234
The Consumer Privacy Protection Act includes the standard privacy rights from the CCPA – the right to opt out (plus opt-in for kids) from the sale of personal information, the right to access, the right to delete, and other transparency about the businesses’ privacy practices.
The definition of business requires either annual gross revenue over $5 million; personal information on 50,000 consumers, households or devices; or derives 50% of its annual revenue from selling personal information.
The enforcement section allows for consumers to file civil actions seeking actual damages or statutory damages (between $100 and $750) for data breaches resulting from violations of the duty to implement and maintain reasonable security procedures. If does not provide for enforcement by the Attorney General or specify damages for consumers for other sections of the law.
Hawaii SB 418
The proposed Hawaii privacy bill requires businesses to provide the right to access, the right to delete, and the right to opt out of the sale of personal information (plus opt-in right for kids).
– Publicly disclose categories of identifying information and purposes.
– Upon verifiable request, disclose the categories and specific pieces of identifying information collected about a consumer, as well as disclose the identity of third parties to which the business has sold or transferred identifying information.
– Upon verifiable request, delete all identifying information free of charge.
– Authorize consumers to opt out of the sale of identifying information by a business, and prohibit them from selling identifying information of an individual under sixteen unless affirmatively authorized.
– Prohibit a business from discriminating against consumers exercising their rights.
There are a few differences from the CCPA. For example, it doesn’t define a business – so there is currently no small business exemption. It also currently doesn’t specify either enforcement penalties or a private right of action.
NJ A-4902 / S2834
The New Jersey privacy law includes some of the core features of the CCPA, such as the right to opt out of the sale of personal information. However, it modifies the right to access from the one contained in the CCPA to focus on disclosures of PII to third parties. It also
It was introduced last July into the Senate and referred to the Senate Commerce Committee. The House version was introduced in January and just received a favorable recommendation from the Assembly’s Science, Innovation and Technology Committee. It has been referred to the Assembly Appropriations Committee.
The law requires website owners (called “operators”) to disclose the personally identifiable information it collects, all third parties to which it may disclose the PII, and an email address or toll free telephone number to request information be provided to the consumer. An operator that discloses PIII to a third party must make available upon request the PII disclosed and the contact information for the third parties. The response to a request shall occur within 30 days.
It also requires operators to give consumers the ability to opt-out of the sale of personal information. An operator is prohibited from discriminating against or penalizing a customer if the customer chooses to opt out.
The law would take effect immediately and it provides for the development of rules and regulations to effectuate its purposes by the Director of the Division of Consumer Affairs in the Department of Law and Public Safety.
CCPA Hearing Tomorrow
Also, there is an informational hearing scheduled tomorrow in California at the State Assembly Committee on Privacy and Consumer Protection titled “Understanding the Rights, Protections, and Obligations Established by the California Consumer Privacy Act of 2018: Where should California go from here?” Given the lobbying efforts and discussions around changes to the bill, this should be an interesting hearing which could provide insight into the developments to expect on the CCPA during the rest of the legislative session.
Other Relevant Posts:
Maine Considering LD 946 to Protect Privacy of ISP Customers
Illinois House Passes Data Transparency and Privacy Act; Senate Passes KIDS Act
Texas Considers Consumer Privacy Act and Privacy Protection Act
Update: Special Session of Appropriations Committee Saves Washington Privacy Act for Another Week
No Washington Privacy Act This Year?
Washington Privacy Act – Initial Look at the Current House Version
Summary of Connecticut SB 1108 on Data Privacy
Summary of Public Hearings on Maryland Online Consumer Protection Act
Summary of Washington Privacy Act After State Senate Passes
Florida Legislature Considers Biometric Information Privacy Act
Maryland Considering SB613 / HB0901 – Online Consumer Protection Act
With SD341, Massachusetts Joins States Considering CCPA-like Data Privacy Laws
Public Hearing on Washington Privacy Act (SSB 5376) in Senate Ways & Means – More Work to Be Done?
State CCPA Privacy Bills in Rhode Island, Hawaii and New Jersey
North Dakota Considers Study on Privacy Practices of Data Brokers