Senior Content Marketing Manager II
July 10, 2023•1 min read
Every two weeks, we'll look to publish a snapshot on what's moving at the U.S. state level when it comes to privacy bills, to help inform your own privacy project prioritization.
A lot has transpired over the past two weeks!
Both the Colorado and Connecticut privacy bills went into effect on July 1, and the Oregon and Delaware comprehensive privacy bills were passed and are sitting on their respective governors’ desks waiting to be signed into law.
The Colorado Privacy Act provides Colorado consumers the right to access, correct, and delete personal data and the right to opt out not only o the sale of personal data but also of the collection and use of personal data.
The bill imposes an obligation upon companies to safeguard personal data, to provide clear, understandable, and transparent information to consumers about how their personal data are used, and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data.
Finally, the bill empowers the Attorney General and District Attorneys to access and evaluate a company's data protection assessments, to impose penalties where violations occur, and to prevent future violations.
The Connecticut Personal Data Privacy and Online Monitoring Act establishes a framework for controlling and processing personal data, and sets responsibilities and privacy protection standards for data controllers and processors.
It also grants consumers the right to access, correct, delete and obtain a copy of personal data, and opt out of the processing of personal data for the purposes of targeted advertising, certain sales of personal data, or profiling toward decisions that significantly impact consumers.
SB 619, the Oregon Consumer Privacy Act (OCPA), passed out of the legislature and was sent to Governor Tina Kotek for her signature on June 25. As of today, the governor still has not signed the bill, but we have no reason to believe she won’t.
All for-profit organizations will be subject to the OCPA starting on July 1, 2024. The OCPA exempts only certain nonprofit organizations. For covered nonprofit organizations, the OCPA becomes effective on July 1, 2025.
HB 154, the Delaware Personal Data Privacy Act, was passed out of the legislature on June 30 and sent to Governor John Carney for his signature. The bill closely resembles the Connecticut Data Privacy Act (CTDPA) with some notable provisions on the bill’s applicability and the fact that it does not exempt non-profit organizations. Once the governor signs, the bill will take effect on January 1, 2025.
On Monday, June 26, the Massachusetts Joint Committee on Consumer Protection and Professional Licensure held a hearing allowing for public testimony on a number of bills including H 357 / S 148, The Location Shield Act. These proposals would prohibit companies from engaging in the practice of selling location data.
Privacy and human rights advocates were in support of the measure, while industry and tech groups largely opposed. No official action was taken on these bills. However, we are in the process of gathering intelligence from our local sources to understand how likely it is that these bills advance and when.
SB 255 did not advance before the legislature adjourned on June 30. The bill will now have to be reintroduced this fall to be considered for the 2024 legislative session.
North Carolina (adjourns August 31)
Massachusetts (adjourns November 15)
New Jersey (year-round)
Pennsylvania (year-round)
Senior Content Marketing Manager II