Since California’s Consumer Privacy Act (CCPA) was passed in 2018, Octillo has seen a slew of other states follow suit in proposing and enacting their own comprehensive data privacy bills. Most recently, lawmakers in Virginia, Oklahoma, and Florida have joined the growing list of states with proposed privacy bills. So far this year, New York, Washington, and Minnesota have also introduced legislation governing the ways companies collect, store, use, and share consumer data, and we expect to see other laws emerging in the coming months, with still no federal data privacy bill in sight.
Working with experienced privacy counsel can help build out data privacy programs that stand the test of time and contemplate emerging legislation.
Below is an overview of the Virginia, Oklahoma, and Florida proposed bills, their requirements, and their potential impact on the data privacy landscape.
Virginia Consumer Data Protection Act (SB 1392)
The Virginia proposal is quickly moving through the Virginia state legislature and is likely to be the next comprehensive state data privacy law on the books. This bill passed the Virginia House of Delegates on January 29th by a wide margin and was unanimously approved in the Senate on February 3rd. Assuming Governor Northam signs it into law, the Virginia Consumer Data Protection Act is set to go into effect on January 1, 2023.
Who Does It Apply To?
Companies that conduct business in Virginia or “produce products or services that are targeted to” Virginians would have to comply with the Virginia Consumer Data Protection Act if they:
- Control or process the personal data of at least 100,000 Virginians; or
- Control or process the personal data of at least 25,000 Virginians and derive over 50% of their gross revenue from the sale of that data.
The Legislation does provide exemptions for financial institutions governed by the Gramm-Leach-Bliley Act, entities subject to HIPAA or HITECH, non-profits, and educational institutions.
What Is Included?
Included in this Bill are several requirements not covered under the CCPA or any other U.S. privacy law. One such obligation requires entities that control personal data to conduct protection assessments of any activities that use personal data for specific purposes, such as targeted advertising. These data protection assessments may be requested and evaluated by the attorney general to ensure compliance.
This Act would afford Virginia consumers several rights regarding their personal data, including the right to opt out of the sale or use of their information for targeted advertising or profiling. It would also allow consumers to delete their data, move their data, correct inaccuracies in their data, and confirm if their data is being processed upon request.
Notably missing is a private right of action through which consumers could seek damages for alleged violations. Instead, enforcement of the Act would be left exclusively to the attorney general, who may seek up to $7,500 per violation.
Oklahoma Computer Data Privacy Act (HB 1602)
Introduced on January 19, 2021 by Representatives Josh West (R) and Collin Walke (D), this Bill has bipartisan support in the Oklahoma House of Representatives. Its intended purpose is to give Oklahomans more online privacy by taking aim at tech companies. If passed, the Oklahoma Computer Data Privacy Act would go into effect on November 1, 2021.
Who Does It Apply To?
If passed, this act would apply to companies that operate in the state of Oklahoma and collect Oklahomans’ personal information or have information collected on their behalf, determine the purpose for and means of processing that information, and satisfy one of the following thresholds:
- Has an annual gross revenue exceeding $10 million;
- Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or
- Derives 25% or more of their annual revenue from the sale of personal data.
What Is Included?
Companies subject to this legislation would be required to disclose what personal information they hold on a consumer and allow for the deletion of that information upon the consumer’s request. This proposal also mandates that consumers opt in to providing their personal data, which differentiates it from most other state privacy laws, like the CCPA. The Oklahoma Computer Data Privacy Act also differs from the CCPA in its inclusion of a broad private right of action through which Oklahoma residents could seek damages up to $7,500 for violations.
Florida House Bill 969 (HB 969)
Introduced on February 15th by Representative Fiona McFarland (R), House Bill 969 would place several requirements on businesses that deal with Florida residents’ private information. If passed, it would go into effect on January 1, 2022.
Who Does It Apply To?
For-profit companies that do business in Florida and collect personal information about consumers, have personal information collected on their behalf, or determine the process and means of processing personal information will have to comply with this Bill’s requirements if they satisfy one of the following thresholds:
- Has an annual gross revenue exceeding $25 million;
- Buys, sells, receives, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices annually; or
- Derives 50% or more of their annual revenue from the sale of personal data.
What Is Included?
HB 969 would require that applicable businesses notify consumers about their data collection and selling practices before or at the point of data collection. Under this Bill, consumers would also have the right to request their data be disclosed, corrected, or edited and the right to opt out of having their personal information disclosed or sold to a third party.
Applicable businesses would be required to implement reasonable security protocols to protect their consumers’ personal data. Also included is a private right of action through which a consumer “whose nonencrypted and nonredacted personal information or e-mail addresses are subject to unauthorized access” may seek damages for violations of the Bill. The Department of Legal Affairs would be authorized to bring other enforcement actions, up to $2,500 per unintentional violation and $7,500 per intentional violation.
Potential Impact
Currently, the data privacy landscape in the United States is a patchwork of enacted and proposed laws, all with their own requirements and consumer rights, creating a confusing web for companies operating in more than one jurisdiction. While advocates of these state privacy laws argue for the protection of consumers’ data in an increasingly digitally driven world, opponents argue that the potential risk of operating within states that have enacted comprehensive privacy laws may deter businesses from expanding their operations there.
A federal privacy law that could rectify the many differences between individual state laws would simplify this landscape, making it easier for companies to protect their consumers’ data and operate efficiently while complying with regulations.
Octillo is closely monitoring these and other emerging privacy laws. In the meantime, companies that collect personal data should start thinking about privacy compliance by conducting a baseline privacy assessment and starting to develop relevant policies and procedures. Octillo attorneys, who are also technologists and certified privacy professionals, are happy to help counsel your business on compliance with the CCPA, GDPR, and other pending and enacted privacy legislation. We work with clients of all sizes to build out data privacy programs and address compliance matters.
*Attorney advertising – prior results do not guarantee future outcomes.