State(s) of Play—July 10, 2023

Every two weeks, we'll look to publish a snapshot on what's moving at the U.S. state level when it comes to privacy bills, to help inform your own privacy project prioritization.

A lot has transpired over the past two weeks!

Both the Colorado and Connecticut privacy bills went into effect on July 1, and the Oregon and Delaware comprehensive privacy bills were passed and are sitting on their respective governors’ desks waiting to be signed into law.

Colorado

The Colorado Privacy Act provides Colorado consumers the right to access, correct, and delete personal data and the right to opt out not only o the sale of personal data but also of the collection and use of personal data.

The bill imposes an obligation upon companies to safeguard personal data, to provide clear, understandable, and transparent information to consumers about how their personal data are used, and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data.

Finally, the bill empowers the Attorney General and District Attorneys to access and evaluate a company's data protection assessments, to impose penalties where violations occur, and to prevent future violations.

Connecticut

The Connecticut Personal Data Privacy and Online Monitoring Act establishes a framework for controlling and processing personal data, and sets responsibilities and privacy protection standards for data controllers and processors.

It also grants consumers the right to access, correct, delete and obtain a copy of personal data, and opt out of the processing of personal data for the purposes of targeted advertising, certain sales of personal data, or profiling toward decisions that significantly impact consumers.

Oregon 

SB 619, the Oregon Consumer Privacy Act (OCPA), passed out of the legislature and was sent to Governor Tina Kotek for her signature on June 25. As of today, the governor still has not signed the bill, but we have no reason to believe she won’t.

All for-profit organizations will be subject to the OCPA starting on July 1, 2024. The OCPA exempts only certain nonprofit organizations. For covered nonprofit organizations, the OCPA becomes effective on July 1, 2025.

Delaware

HB 154, the Delaware Personal Data Privacy Act, was passed out of the legislature on June 30 and sent to Governor John Carney for his signature. The bill closely resembles the Connecticut Data Privacy Act (CTDPA) with some notable provisions on the bill’s applicability and the fact that it does not exempt non-profit organizations. Once the governor signs, the bill will take effect on January 1, 2025.

Massachusetts

On Monday, June 26, the Massachusetts Joint Committee on Consumer Protection and Professional Licensure held a hearing allowing for public testimony on a number of bills including H 357 / S 148, The Location Shield Act. These proposals would prohibit companies from engaging in the practice of selling location data.

Privacy and human rights advocates were in support of the measure, while industry and tech groups largely opposed. No official action was taken on these bills. However, we are in the process of gathering intelligence from our local sources to understand how likely it is that these bills advance and when.

New Hampshire

SB 255 did not advance before the legislature adjourned on June 30. The bill will now have to be reintroduced this fall to be considered for the 2024 legislative session.

Active and pending state privacy laws

North Carolina (adjourns August 31)

• SB 525 (North Carolina Consumer Privacy Act)

Massachusetts (adjourns November 15)

• HD 2281 (Massachusetts Data Privacy Protection Act)
• SD 745 (Massachusetts Data Privacy Protection Act)
• HD 3263 (Massachusetts Information Privacy and Security Act)
• SD 1971 (Massachusetts Information Privacy and Security Act)
• H 1555 (Internet Bill of Rights)

New Jersey (year-round)

• SB 3714 (New Jersey Disclosure and Accountability Transparency Act)
• A 505  (New Jersey Disclosure and Accountability Transparency Act)

Pennsylvania (year-round)

• HB 1201 (Consumer Data Privacy Act)
• HB708 (Consumer Data Protection Act)