State Privacy Laws

Several states have proposed new privacy bills since their sessions began.  Some of the proposed bills carry over or re-introduce bills drafted in previous legislative sessions, while others are introducing first-in-time omnibus privacy bills.  In the high-level chart below, we compare five of the key state privacy frameworks: the CPRA, VCDPA (which we blogged about here), the NYPA, the general privacy provisions of the Washington Privacy Act, and the newly introduced Washington People’s Privacy Act (HB 1433).

On May 29, 2019, the Governor of Nevada signed into law Senate Bill 220 (“SB 220”), an act relating to Internet privacy and amending Nevada’s existing law requiring websites and online services to post a privacy notice.  In short, Nevada’s law will require operators of Internet websites and online services to follow a consumer’s direction not to sell his or her personal data.  The Nevada law differs from the California Consumer Privacy Act (“CCPA”) enacted last year in notable ways, and could signal the coming of a patchwork of fifty-plus different data privacy standards across the country, much like the state data breach notification laws.

Unlike the CCPA (which applies to both online and offline business operations), SB 220 applies only to operators of Internet websites and online services, and defines “operators” as people who (1) own or operate an Internet website or online service for commercial purposes; (2) collect and maintain covered information from consumers who reside in Nevada and use or visit the Internet website or online service; and (3) engage in any activity that constitutes a sufficient nexus with Nevada to satisfy the requirements of the United States Constitution.  Such activity includes purposefully directing activities toward Nevada, consummating a transaction with Nevada or a Nevada resident, or purposefully taking advantage of the privilege of conducting activity in Nevada.  SB 220 does not apply to the following entities: an entity that is regulated by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act; a service provider to an operator; or a manufacturer of a motor vehicle or a person who services a motor vehicle who processes covered information that is either (1) retrieved from a motor vehicle in connection with a technology or service related to the motor vehicle, or (2) provided by a consumer in connection with a subscription or registration for a technology or service related to the motor vehicle.

The Washington Privacy Act stalled this April in the state’s House of Representatives, and will likely not reappear for discussion until the 2020 legislative session.

The bill overwhelmingly passed the Senate, but failed to come to a floor vote in the House of Representatives before the April 17th deadline for state lawmakers to consider

On December 11, 2018, the Vermont Office of the Attorney General published new guidance on the state’s data broker law (Act 171 of 2018), which imposes new data breach notification requirements on “data brokers” and takes effect on January 1, 2019.  The new guidance clarifies the definitions of key statutory terms and the scope of the law’s various requirements.