North America

Global Privacy Regulations

Canada

BDO Local Resources

Vivek Gupta

Law: The Personal Information Protection and Electronic Documents Act (PIPEDA), Privacy Act of 1985
Regulator(s): Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner of Alberta, Office of the Information and Privacy Commissioner for British Columbia, Commission d’accès à l’information du Québec
Adequacy Agreement with GDPR: Yes

Summary of Canadian Privacy Laws

Overview

The primary federal Canadian privacy laws are the Personal Information Protection and Electronic Documents Act ('PIPEDA') and the Privacy Act. PIPEDA applies to organizations that conduct commercial activities, while the Privacy Act applies to federal government bodies.

On 17 November 2020, Bill C-11 for the Digital Charter Implementation Act, 2020 ('DCIA') was introduced to the House of Commons. It would reform Canada's federal private sector privacy laws by enacting the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act. Passing this law would significantly increase the protection of Canadians' personal information, giving Canadians more control over, and greater transparency into, how commercial organizations handle their personal data. The law also provides significant consequences for non-compliance, including steep financial penalties for violations.

Other relevant laws include the Bank Act 1991, Canada's Anti-Spam Legislation 2010, and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act 2000. It is also important to remember that data protection requirements vary between provinces and territories.

Data Protection Authority Focus

Under the CPPA, the Privacy Commissioner would have broad order-making powers, including forcing an organization to comply with its requirements under the CPPA and the ability to order a company to stop collecting data or using personal information. In addition, the Privacy Commissioner would also be able to recommend that the Personal Information and Data Protection Tribunal impose a fine. The legislation would provide administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations. It also contains an expanded range of offences for certain severe contraventions of the law, subject to a maximum fine of 5% of global revenue or $25 million[1].

[1] IAPP, Federal privacy reform in Canada: The Consumer Privacy Protection Act


Cayman Islands

BDO Local Resources

Richard Carty

Law: The Data Protection Act (2021 Revision), and the Data Protection Regulations, 2018 (SL 17 of 2019)

Regulator(s): Office of the Ombudsman

Adequacy Agreement with GDPR: No

Measures Announced

Overview

The Data Protection Act and the Data Protection Regulations established multiple data subject rights when they went into effect in 2019. Data subjects gained the right to access, the right to rectification, the right to be informed, the right to file a complaint, and the right to seek compensation for violations. In September 2021, the Ombudsman issued additional guidance for data subjects seeking compensation for violations. In this guidance on monetary penalty orders ('MPO'), Section 55 grants the Ombudsman the ability to issue an MPO not exceeding $250,000, and Section 56 outlines when the Ombudsman can seek an MPO. The guidance elaborated on the factors contributing to the fines, namely a breach severity assessment tool and a matrix for monetary penalty calculations.

On 14 July 2021 the Ombudsman released its annual report, which outlined the 87 data breaches reported in 2020 and noted that the number of data protection complaints doubled in 2020 compared to 2019[1]. In the report, the Ombudsman highlighted the following.

  • Data protection complaints doubled from 12 in 2019 to 25 in 2020[2].
  • The Ombudsman focused on resolving complaints about government maladministration (seven in 2019 to 18 in 2020). Government maladministration includes but is not limited to delays in action, incorrect action, failure to take action, failure to provide information, inadequate record-keeping, failure to investigate, misleading or inaccurate statements, or broken promises[3].
  • The first enforcement order under the DPL required the Registrar to 'immediately collect and process personal data of non-registrable persons because there was no legal basis'[4].
  • Investigators and analysts obtained their certification as mediators and received other credentials to continue to enhance the ability to respond to data protection complaints.

Between 2019 and 2020 there was a reduction in overall inquiries (393 in 2019 and 332 in 2020)[5].


Type of Inquiry                 2019    2020
Freedom of Information Act        45      60
Data Protection                  120     192
Whistle-blower Protection          6       2
Police Complaints                 52      33
Maladministration                109     106


Data Protection Authority Focus

Since the Data Protection Law came into force in the Cayman Islands on 18 September 2019, the Ombudsman's office has focused more on public comment and guidance. Given the complexity of business structures in the Cayman market and the cultural norms in the Caribbean, the Ombudsman saw greater value in supporting businesses in their efforts to comply with the DPL than in issuing fines or judgements when a failure or non-compliance was identified.


[1] Ombudsman, Cayman Islands, Annual Report, 2021

[2] Ibid.

[3] Oxford Reference, Overview – Maladministration

[4] Ombudsman, Cayman Islands, Annual Report, 2021

[5] Ibid.



Mexico

BDO Local Resources

Joelys Gonzalez-Mendez

Law: Federal Law on Protection of Personal Data Held by Private Parties ('FLPPDPP'), Regulations to the Federal Law on Protection of Personal Data Held by Private Parties ('the Regulations')

Regulator: National Institute for Access to Information and Protection of Personal Data ('INAI')

Adequacy Agreement with GDPR: No

Measures Announced

Overview

In the last 12 months, no legislative changes have been made in Mexico. Mexico's data protection regulators are focusing primarily on e-commerce and telework, in light of the COVID-19 pandemic. Recently, Congress passed several bills intended to improve the legal framework for social media platforms. However, there are currently no bills designed to modify the data privacy framework.

Data Protection Authority Focus

The National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) and in some ways the Ministry of Economy (Secretaría de Economía) are both considered Mexico’s data protection authorities.

The INAI's primary purpose is the protection of personal data and individuals' right to privacy. To this end, INAI has the authority to investigate, review and sanction data controllers, and to authorize, oversee and revoke certifying entities. The INAI has focused on national enforcement and has not exercised its powers against businesses located in other jurisdictions.

The Ministry of Economy is also an authority responsible for informing and educating on the obligations regarding protecting personal data internationally. Part of this includes issuing guidelines on security measures, identity theft, data breaches, and how to draft a privacy notice, which usually becomes part of Mexico’s legal framework.



United States General Overview

BDO Local Resources

Karen Schuler

Mark Antalik

Taryn Crane

Regulator: The Information Commissioner's Office ('ICO')

Adequacy Agreement with GDPR: Privacy-Shield Renegotiation[1]

[1] Privacy Shield Framework, FAQs – EU-US Privacy Shield Program Update, 31 March 2021

Measures Announced

Federal Privacy and Data Protection Laws

There is no comprehensive privacy or data protection law in the United States of America. As of August 2021, 30 privacy bills had been introduced in the House of Representatives ('House') and the Senate. While many of them are identical to one another, there are 24 unique privacy bills. Two proposed federal bills stand out: the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (S.2499), proposed by Senator Roger Wicker (R-Miss.), and the Consumer Data Privacy and Security Act of 2021 (S.1494), introduced by Senator Jerry Moran (R-Kan.), which has similar expectations. These include:

  • The right to access
  • The right to correction of personal data
  • The right to deletion
  • The right to portability
  • The ability to opt-out of processing and opt-in for sensitive processing
  • Notice and transparency requirements
  • The requirement for companies to hire a privacy officer
  • Processors and service providers must meet and follow specific requirements

There is a myriad of sectoral laws and industry-specific frameworks at the federal level, including:

  • Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’)
  • Gramm-Leach-Bliley Act of 1999 (‘GLBA’)
  • Children’s Online Privacy Protection Act of 1998 (‘COPPA’)
  • Electronic Communications Privacy Act of 1986 (‘ECPA’)
  • Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH')
  • Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994 ('TCFAPA')
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM')
  • Fair Credit Reporting Act of 1970 ('FCRA')
  • Telephone Consumer Protection Act of 1991 ('TCPA')
  • Privacy Act of 1974
  • Fair and Accurate Credit Transactions Act of 2003 ('FACTA')
  • Video Privacy Protection Act of 1988 ('VPPA')

State Privacy and Data Protection Laws

Three states have passed privacy laws: California, Virginia, and Colorado. California passed the California Consumer Privacy Act and later the California Privacy Rights Act of 2020; Virginia passed the Consumer Data Protection Act; Colorado passed the Consumer Data Protection Law.

California

Law: California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA')

Regulator: The California Attorney General ('AG')

The California Consumer Privacy Act ('CCPA') took effect January 1, 2020. The CCPA places limitations on collecting and selling consumer personal information and grants rights to consumers concerning their personal data.

The CCPA applies to the processing of personal information of California residents by for-profit businesses that do business in the State of California, collect personal information, and meet any of the following:

  • Has annual gross revenue in excess of $25 million.
  • Buys, receives, sells, or shares for commercial purposes the personal information of at least 50,000 Californians.
  • Derives 50% or more of its annual revenue from selling consumers' personal information.

In November 2020, California voted to enact the California Privacy Rights Act (CPRA), significantly expanding the CCPA when CPRA takes effect on January 1, 2023. The CPRA maintains the core framework of the CCPA while introducing substantive changes inspired by the EU General Data Protection Regulation (GDPR).

Virginia

Law: Consumer Data Protection Act ('CDPA')

Regulator: The Virginia Attorney General ('AG')

Virginia passed the Consumer Data Protection Act (CDPA), effective January 1, 2023. The CDPA applies to all persons or companies conducting business in Virginia, or those which target their products and services to Virginia residents, and that either:

  • control or process the personal data of at least 100,000 Virginia residents; or
  • control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.

The CDPA will not apply to Virginia state agencies, non-profits, institutions of higher education, and entities governed by HIPAA or GLBA. 

Colorado

Law: Senate Bill 21-190 for the Colorado Privacy Act ('CPA')

Regulator: The Colorado Attorney General ('AG')

Colorado became the third state in the United States to pass a privacy law. The Colorado Privacy Act ('CPA') gives consumers the rights to opt out of processing, access personal data, correct personal data, delete personal data, and obtain a copy of their personal data. Like the GDPR, the CPA requires controllers and processors to limit the purposes for which they process data, minimize data, and conduct impact assessments. Colorado's Attorney General maintains the Colorado Consumer Data Protection Laws FAQ for businesses and government agencies.

Following the invalidation of Privacy Shield by the Court of Justice of the European Union in July 2020, organizations transferring personal information from the EU now rely on other adequate means of transfer, such as Standard Contractual Clauses or Binding Corporate Rules. Further, organizations must verify on a case-by-case basis whether US law ensures adequate data protection. Some organizations also consider consent or other derogations under Article 49 of the GDPR to address adequacy.

Data Protection Authority Focus

Although there is no comprehensive law in the US, the State Attorneys General and the Federal Trade Commission ('FTC') investigate and file suit against companies that suffer a data breach, mislead consumers, expose patients to unnecessary risk, or misrepresent their data privacy and protection standards.

In 2020, more than 29 million healthcare records were breached, resulting in a 25% increase year-over-year in healthcare data breaches. There were 642 healthcare data breaches of 500 or more records in 2020, and one breach involved more than 10 million records, while 63 breaches experienced exposure of more than 100,000 records[1].

In 2019 it was reported that Google and YouTube were fined $170 million for alleged violations of children's privacy law[2]. Google will pay $134 million and YouTube $34 million to New York[3]. The companies collected personal information, in the form of persistent identifiers used to track users across the Internet, from viewers of children-related television channels without first notifying the parents and obtaining their consent.

Under Section 5 of the FTC Act of 1914, the FTC takes law enforcement action against companies that violate consumers' privacy rights[4]. The FTC files suit against companies that mislead consumers or fail to protect sensitive consumer information in a way that may have caused substantial consumer injury. Additionally, the FTC sues for unfair and deceptive trade practices and enforces other federal laws relating to consumers' privacy and security. The most notable cases the FTC brought in 2020 and 2021 were against Facebook, Kohl's Department Store, Zoom Video, and Vivint Smart Home.

Despite the absence of federal privacy law, the US states and the federal government continue to expand their enforcement efforts for companies violating consumers' privacy and data protection.

[1] HIPAA Journal, 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020, 19 January 2021

[2] Federal Trade Commission, Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children’s Privacy Law, 04 September 2019

[3] Ibid.

[4] Federal Trade Commission, Protecting America’s Consumers, Privacy and Security Enforcement



Alabama

Measures Announced

General

The Alabama Constitution does not explicitly recognize a right to privacy; however, the state has enacted key privacy laws protecting health data, financial data, employment data, and unsolicited commercial communications. Common law rights against invasion of privacy protect individuals against the following:

  • intrusion upon another's physical solitude or seclusion;
  • publicity as to private information about another which violates ordinary decency;
  • placing another in a false, though not necessarily defamatory, position in the public eye; and,
  • appropriation of some element of another's personality for commercial use.

Alabama courts describe an invasion of privacy as occurring when the defendant "intrudes upon a plaintiff's physical solitude or seclusion or wrongfully intrudes into private activities in a manner that would outrage, or cause mental suffering, shame, or humiliation to, a person of ordinary sensibilities."

Notwithstanding the above, Alabama law does require physicians, dentists, medical examiners, nursing home and hospital administrators, laboratory directors, school principals, and day care center directors to report certain diseases to the proper authorities. However, this information is considered confidential and should not identify individual persons. See Alabama Code Title 22 § 22-11A-2.


Alaska

Measures Announced

General

The Constitution of the State of Alaska expressly safeguards privacy rights under Article I, Section 22, which states that the 'right of the people to privacy is recognized and shall not be infringed'. The Supreme Court of Alaska, in its ruling in Breese v. Smith, 501 P.2d 159, 168 (Alaska 1972), stated that "at the core of this concept [of liberty] is the notion of total personal immunity from governmental control: the right 'to be let alone'."

In 2009, Alaska signed the Personal Information Protection Act under §45.48.010 et seq. of Chapter 47 of Title 45 of the Alaska Statutes (‘the Act’) into law, which provides several measures to protect personal data, as well as a requirement to notify the Attorney General, subscribers, and if applicable, a credit reporting agency in the event that a breach occurs concerning personal data.


Arizona

Measures Announced

General

Arizona does not have a comprehensive privacy law; however, bills have been introduced in both the House of Representatives and the Senate. In February 2020, Senate Bill 1614 for an Act Amending Title 18, Arizona Revised Statutes, By Adding Chapter 7: Relating to Personal Data, which would greatly expand the rights of individuals, was introduced to the Arizona State Senate, and a House Bill for an Act Amending Title 18, Chapter 5, Arizona Revised Statutes, By Adding Article 5: Relating to Personal Data (together, 'the Bills') was also introduced.

The bill would allow consumers to request that a business that collects and/or sells personal information about the consumer disclose to the consumer the following:

  • categories of sources from which personal information is collected/sold;
  • business or commercial purpose for collecting or selling personal information;
  • categories of third parties with whom the business shares personal information; and,
  • specific personal information the business has collected/sold about the consumer.

Consumers would also have a right to request that the business delete any personal information about the consumer that the business has collected from the consumer, and they would be able to request that the business that sells personal information discontinue the sale of personal information upon request.

This bill also protects against the sale of information about individuals under the age of 16, and states that a business would not be able to discriminate against a consumer because the consumer exercised any of the consumer's rights.


Arkansas

Measures Announced

General

The Constitution of Arkansas does not explicitly recognize the right to privacy; however, the Supreme Court of Arkansas has found that privacy is implied in its Constitution (Jegley v. Picado, 349 Ark. 600, 80 S.W.3d 332 (2002)). More explicit privacy rights are outlined in the Personal Information Protection Act ('the Act') under Arkansas Code Ann. § 4-110-101 et seq., which is intended to protect the sensitive personal information of Arkansas residents and requires individuals, businesses, and state agencies that acquire, own, or license personal information about the citizens of the State of Arkansas to provide reasonable security for the information.

Notwithstanding, under Arkansas law any data or information pertaining to the diagnosis, treatment, or health of any enrollee or applicant obtained from the person or from any provider by any health maintenance organization shall be held in confidence and shall not be disclosed to any person except to the extent required by law. See AR Code §23-76-129.


California

Measures Announced

General

The California Constitution provides individuals with an inalienable right to pursue and obtain privacy. This right can be enforced against private entities when an individual can prove:

  • they had a reasonable expectation to privacy in the given situation;
  • the privacy interest is one that society recognizes; and,
  • the breach of the plaintiff’s privacy is an “egregious breach of social norms”.

California Consumer Privacy Act – The California Consumer Privacy Act of 2018 ("CCPA") under Part 4 of Division 3 of the California Civil Code became operative on January 1, 2020, followed by an enforcement date of July 1, 2020. The CCPA introduced new obligations for covered organizations that collect personal information about consumers and granted new rights to those individuals. Covered organizations are those that:

  • are for-profit businesses doing business in California that collect, share, or sell California consumers' personal data;
  • have gross annual revenues in excess of $25 million; or,
  • possess the personal information of 50,000 or more consumers, households or devices.

Businesses that control or are controlled by covered businesses or share common branding with covered businesses are also subject to the CCPA (Cal. Civ. Code §1798.140(c)(2)).

California also has the California Privacy Rights Act ('CPRA'), which is intended to address specific elements that the CCPA did not adequately cover. The CPRA will go into effect on 1/1/2023. The CPRA provides new consumer rights and obligations. New rights include the right to rectification, the right to limit the use of a consumer's sensitive personal information, and the right to access information beyond the original 12-month look-back period, among others. In addition, the CPRA provides new categories of sensitive personal information, including social security number, passport and biometric data, among other categories.

The CPRA broadens data breach liability and service provider obligations, limits data retention, imposes annual security obligations, and introduces a proportionality requirement for data processing activities.

It is important for businesses to understand the differences between the two laws so they know what to do to avoid compliance and litigation costs.


Colorado

Measures Announced

General

The right to privacy is indirectly recognized in the Constitution of the State of Colorado, which refers to 'enjoying and defending their lives and liberties; of acquiring, possessing and protecting property; and of seeking and obtaining their safety and happiness'.

The Colorado Supreme Court recognized privacy in 1970 in Ruggs v. McCarty, where it recognized three common law privacy claims: (1) intrusion upon solitude or seclusion; (2) public disclosure of private facts; and, (3) appropriation of one's name and likeness. Today, criminal charges may be filed upon violation of these claims.

On September 1, 2018, An Act Concerning Strengthening Protections for Consumer Data Privacy (‘The Act’) went into effect and strengthened existing data security provisions.

Covered entities are required to implement reasonable security measures and practices to ensure the protection of Personally Identifiable Information ("PII") of state residents. The security measures implemented should be appropriate to the nature of the PII and to the size of the business and its operations.


Connecticut

Measures Announced

General

While The Constitution of the State of Connecticut does not specify protection or right to privacy, the Connecticut General Statutes contain key privacy provisions. These provisions include the Data Breach Law, the Social Security Number Law, and the Personal Information Safeguarding Law.

In addition to the general provisions stated above, the Statutes also call for specific rules for state contractors and insurance companies. These sections include the State Contractors Law, the Confidential Information Sharing Law, the Connecticut Insurance Information and Privacy Protection Act, and the Insurance Data Security Law.

The Privacy and Data Security Department of the AG enforces the state laws above and is responsible for enforcing federal laws such as the Health Insurance Portability and Accountability Act ("HIPAA"), the Children's Online Privacy Protection Act of 1998 ("COPPA"), and the Fair Credit Reporting Act of 1970 ("FCRA"). The Connecticut legislature is not currently voting on additional state privacy laws.


Delaware

Measures Announced

General

On January 1, 2016, Delaware became the second state in the U.S., joining California, to require operators of commercial websites that collect Personally Identifiable Information to post online privacy policies. The Delaware Online Privacy and Protection Act (DOPPA) applies to anyone who operates a commercial internet website, online or cloud computing service, online application, or mobile application.

The law targets three areas of compliance:

  1. Advertising to Children—Under DOPPA, website and app operators that direct their services to children must ensure that they do not advertise or market certain enumerated content that the law considers inappropriate for children's viewing, such as alcohol, tobacco, firearms, pornography, and a host of other categories delineated by the law.
  2. Privacy Policies Must be Conspicuously Posted—The DOPPA mandates that operators of websites and apps that collect personally identifiable information of Delaware residents (of any age) explicitly post a comprehensive privacy policy—and comply with the contents of the posted policy.
  3. Restrictions on Disclosure of E-Book Information—The DOPPA prohibits e-book services from disclosing the personally identifiable information of readers to third parties. However, certain exceptions apply, such as disclosure to a government entity or law enforcement under a court order.


District of Columbia

Measures Announced

General

The District of Columbia does not have a general privacy law in effect. Laws relating to the District of Columbia are arranged in the Code of the District of Columbia (‘D.C. Code’). The D.C. Code does provide certain protections for the personal information of DC residents, including those related to:

  • Health information;
  • Identity theft;
  • Employment data, including credit information and criminal history;
  • Student (pre-K through 12th grade) personal information; and
  • Unsolicited commercial communications.

Consumer Protections

The 'Consumer Protection Procedures Act' ('CPPA') within the D.C. Code prohibits unfair and deceptive practices in connection with the offer, sale, and supply of consumer goods and services. Under the CPPA, organizations may be liable for any misrepresentations to consumers, either express or implied.

Breach Notification

The Breach Notification Law (2007) applies to any person or entity that conducts business in DC and provides security breach notice requirements, the required contents of a notice, an 18-month identity theft prevention service for individuals affected by a breach, and cybersecurity requirements. In the event of a security breach, entities must provide notice 'in the most expedient time possible' to any resident whose personal information was involved and, when the breach affects 50 or more residents, to the Office of the Attorney General for the District of Columbia ('AG').

Data Security

Both the CPPA and the Breach Notification Law allow a private right of action for failure to adhere to reasonable breach and security requirements. The Breach Notification Law requires entities that handle the personal information of DC residents to 'implement and maintain reasonable security safeguards…appropriate to the nature of the personal information and the nature and size of the entity or operation'.


Florida

Measures Announced

General

Florida currently has no overarching law offering comprehensive data privacy rights or protections to residents. SB 1670, a consumer data privacy bill, was introduced to the Florida Senate in early 2020 but has been indefinitely postponed and removed from consideration. Notwithstanding, under § 501.171 et seq. of Chapter 501 of Title 33 of the Florida Statutes, residents must be made aware of data breaches of electronic records that impact them. The law also requires notification to the Florida Attorney General in the event of a breach. Furthermore, Section 23 of the Florida State Constitution provides residents with a general right to privacy.

Under Florida medical record law, information disclosed to a health care practitioner by a patient in the course of the care and treatment of that patient is confidential and may be disclosed only to other health care practitioners and providers involved in the care or treatment of the patient, if allowed by written authorization from the patient, or if compelled by subpoena, evidentiary hearing, or trial.


Georgia

Measures Announced

General

Georgia has no comprehensive data privacy law in effect, nor has any bill concerning data privacy been proposed. The Supreme Court of Georgia ('the Supreme Court') has long held that Georgia citizens have a 'liberty of privacy' guaranteed by the Constitution.

On May 11, 2018, the Court of Appeals of Georgia held in McConnell et al. v. Georgia Department of Labor, that there is no duty under Georgia law to safeguard personal information.

The Georgia Personal Identity Protection Act, under §10-1-911 et seq. of the Official Code of Georgia Annotated, requires information brokers or data collectors to notify Georgia residents of data breaches when their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Georgia is considered to have a patchwork of data privacy laws which restrict the disclosure of Georgia residents' social security numbers. In addition, the Student Data Privacy, Accessibility, and Transparency Act (the 'SDPAT', http://www.legis.ga.gov/Legislation/20152016/153829.pdf) regulates access to and protection of the data of K-12 and postsecondary students.


Hawaii

Measures Announced

General

The Hawaii State Constitution recognizes a constitutional right to privacy in Article I, §6.

The Hawaii Penal Code gives individuals or personalities rights to their name, voice, signature, and likeness – this right is transferrable and survives post-mortem for 70 years.

Consumers must be notified of a data breach, whether of electronic or paper records, involving a first name or first initial and last name combined with any of: a Social Security number; a driver's license or state identification card number; or an account, credit or debit card number together with any access code or password that would permit access to an individual's financial account. Consumers must be notified without unreasonable delay.

Hawaii law limits access to medical records to the patient or the patient’s attorney and patient records are privileged, although there are some exceptions to this rule. Doctors are legally required to report positive tests for certain communicable diseases and conditions that may be dangerous to public health.


Idaho

Measures Announced

General

Idaho currently does not have a comprehensive privacy law, but the state's courts recognize all four common law invasion of privacy claims. Under §28-51-105 et seq. of the Idaho Statutes, breaches involving the misuse of personal information of Idaho residents require state agencies, individuals, or commercial entities to notify impacted residents without unreasonable delay following the discovery of a breach. In addition, state agencies are required to notify the Attorney General's office within 24 hours of becoming aware of the breach.

Other applicable statutes in Idaho prohibit identity theft and electronic surveillance.


Illinois

Measures Announced

General

Illinois does not have a comprehensive privacy law; however, there is a right to privacy under the Constitution of the State of Illinois. On January 8, 2020, Senate Bill 2230 for the Data Transparency and Privacy Act ('the Bill') was introduced. It provides that a business that processes personal information or de-identified information must give notice to the consumer before processing begins. The Bill also creates a right to know for consumers, who would be able to request specific information from businesses, a right to request the correction of inaccurate personal information, and a right to delete personal information. The Bill would allow a private right of action for consumers whose information was subject to a data breach, as well as authorizing the Illinois Attorney General to enforce its provisions as a violation of the Consumer Fraud and Deceptive Businesses Act.


Indiana

Measures Announced

General

Indiana does not have a comprehensive privacy law. However, Indiana has laws for: Data Disposal, Breach Notification, (Prohibition of) Social Security Number Disclosure, and Consumer Report Security Freezing. These laws include vendor-specific reporting obligations.

Of note, the Data Disposal Law requires that “personal information” of “customers” be “disposed” in a secure manner – for which sufficiently secure methods of disposal are referred to as “… rendering information illegible or unusable.” Disposal also applies to paper records.

Personal information covers:

  • Social Security Number
  • First initial/name AND last name AND any one of the following:
    • Credit/Debit Card Number
    • Financial account number in combination with some form of access code that allows access to an individual’s account
    • Driver’s License Number
    • State ID Number

Exemptions exist if the data is encrypted or redacted when “disposed.”

If vendors are compromised, they must notify their controlling organization, who ultimately bears responsibility for regulatory reporting and consumer notification.

The Breach Notification Law requires disclosure “without unreasonable delay” to individuals whose unencrypted information was (or reasonably believed to have been) acquired by an unauthorized third-party. The personal information covered under this law includes:

  • SSN (If more than just the last 4 digits)
  • Driver’s License Number
  • State ID Number
  • Credit/Debit Card/Financial Account Number
  • Any security/access code or password associated with a financial account


Iowa

Measures Announced

General

Iowa does not have a comprehensive privacy law. The courts do, however, recognize four common law invasion of privacy claims (Stessman v. Am. Black Hawk Broadcasting, 416 N.W.2d 685 (1987)). Iowa does have a requirement to notify affected consumers of personal data breaches under §715C.1 et seq. of Title XVI of the Iowa Code, covering both electronic and paper records, as well as to notify the AG when the information of more than 500 residents is breached. Iowa also has applicable statutes regulating the use of financial and health information as well as student data.


Kansas

Measures Announced

General

The Kansas Student Data Privacy Act (SB 367) restricts what data contained in a student's educational record can be disclosed and to whom it may be disclosed. The bill requires that any student data submitted to and maintained by a statewide longitudinal student data system may be disclosed only to individuals or organizations as outlined in the bill. Under the bill, educational agencies (school districts or the State Department of Education) must give annual written notice that student data may be disclosed as outlined in the Act. The notice must be signed and returned, and the district must keep it on file.

Under Crimes Involving Violations of Personal Rights, §21-6101 (Breach of privacy) identifies the various situations and means by which privacy is breached without the consent or knowledge of the person or persons concerned.

The COVID-19 Contact Tracing Privacy Act (House Bill 2016, Section 16) protects the privacy of persons whose information is collected through contact tracing and the confidentiality of contact data. It prohibits the state or any municipality, or any officer, official or agent thereof, from conducting or authorizing contact tracing, except that, whenever the Secretary or a local health officer determines contact tracing is necessary to perform a public health duty assigned by statute to that official, the Secretary or local health officer may conduct or authorize contact tracing as provided in the section.


Kentucky

Measures Announced

General

Kentucky does not have general privacy laws. However, the courts of Kentucky have interpreted the Constitution of Kentucky as recognizing a right of privacy. Additionally, the State has various laws related to privacy, such as §367.170 of Chapter 367 of Title XXIX of the KRS (the 'Consumer Protection Act'), which declares unfair, false, misleading or deceptive practices in the conduct of any trade or commerce unlawful. Under Kentucky's data breach notification law, §365.732 of Title XXIX of the KRS, Kentucky residents must be notified of a personal data breach, and if more than 1,000 Kentucky residents are affected, all consumer reporting agencies and credit bureaus must be notified.


Louisiana

Measures Announced

General

The right to privacy is protected by Article 1(5) of the Louisiana Constitution of 1974. Further, Louisiana recognizes all four common law invasion of privacy claims:

  • Intrusion upon solitude or seclusion;
  • Public disclosure of private facts (e.g., unreasonable publicity given to one's private life);
  • False light privacy (e.g., publicity that normally places the other in a false light before the public); and
  • Appropriation of one's name or likeness (Jaubert v. Crowley Post-Signal, Inc., 375 So.2d 1386 (La. 1979)).

There is also a requirement to notify data breaches under the Database Security Breach Notification Law, according to which breaches involving personal information must be communicated to the AG and to Louisiana residents whose information was breached. Failure to notify the Attorney General may result in a fine of up to $5,000 per day. In addition, various other statutes within the State create obligations regarding, for example, unsolicited marketing and the privacy of students.

Louisiana implemented a student privacy law in 2018 declaring that “all personally identifiable information is protected as a right of privacy” under RS 17:3914.

The Louisiana Department of Education has implemented guidance to ensure the privacy, security, and confidentiality of student data through the publication of Louisiana's Data Governance and Student Privacy Guidebook (PDF) and of data sharing agreements that govern the sharing of student data with vendors.


Maine

Measures Announced

General

The Maine privacy law, Act to Protect the Privacy of Online Customer information, took effect July 1, 2020. The Maine law focuses entirely on user data collected by broadband internet access service providers (BIAS). The law states that BIAS may not use, disclose, sell, or permit access to customer personal information, unless the customer gives express, affirmative consent. Customer personal information includes the customer’s name, billing information, Social Security number, demographic data, web browsing and application usage history, geolocation information, financial and health data, device identifiers, and the origin and destination of IP addresses. Past customer consent may be revoked at any time, and the service provider cannot refuse service if consent is not given. There can be no penalty if consent is not given, and likewise, no discount offered if consent is granted. Notwithstanding, broadband internet access service providers are also required to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access. The law is applicable to all broadband internet access service providers that service customers physically based and billed within the state of Maine.

Likewise, Maine has also promulgated a law relevant to the remote-learning environment many students and parents currently face today, the “Student Information Privacy Act.” Per the Maine law, an operator, in relation to the operator’s internet website, online service, online application or mobile application, may not knowingly use student data to engage in targeted advertising, use student data created or gathered by the operator to amass a profile of the student (except for K-12 school purposes), sell student data, or disclose student personally identifiable information. An operator is defined as any non-school entity which operates an internet website, online service, online application or mobile application with actual knowledge that the website, service or application is used for K-12 school purposes and is designed and marketed for K-12 school purposes, and collects, maintains or uses student personally identifiable information in a digital or electronic format.

Lastly, Maine also has on record a law protecting the confidentiality of health care records, see 22 MRS §1711-C, Confidentiality of Health Care Information. This is essentially Maine’s version of the Health Insurance Portability and Accountability Act (HIPAA). Under this law an individual's health care information is confidential and it may not be disclosed other than to the individual by the health care practitioner. A health care practitioner or facility may disclose health care information pursuant to a written authorization signed by an individual for a specific purpose stated in the authorization. A written authorization is valid whether it is in original, facsimile or electronic form.


Maryland

Measures Announced

General

Maryland does not have a law that covers general privacy.

Under §§14-3501 et seq. of the Commercial Law of the Code of Maryland, Maryland defines 'personal information' and the parameters for a data breach. Personal information is defined as: first name or first initial and last name, plus: Social Security number, tax identification number, passport number, or other federal government issued identification number; driver's license or state ID card number; an account number (including a credit or debit card number) in combination with any required security or access code or password that permits access to a financial account; health information (created by an entity subject to HIPAA); health insurance policy, certificate, or subscriber identification number, combined with a unique identifier that permits access to an individual's health information; unique biometric information; or a username or email address in combination with a password or security question and answer that permits access to an email account. Consumers must be notified as soon as practicable, but no later than 45 days after concluding the investigation into the breach.


Massachusetts

Measures Announced

General

The Massachusetts Constitution does not outright address consumer privacy; however, Article XIV of Part I does contain a provision similar to the Fourth Amendment, which protects citizens against unreasonable searches and seizures. This provision has been interpreted by Massachusetts courts as protection against potentially unconstitutional government actions such as tracking movements via cellphone data.

Privacy Infringements Addressed by Massachusetts:
  • Unauthorized use of image for commercial purposes (with exceptions)
  • Unauthorized recordings of wire or oral communications (Two-party consent)

In 2009, the Commonwealth of Massachusetts enacted the Standards for the Protection of the Personal Information of Residents of the Commonwealth under §17.00 of Title 201 of the Code of Massachusetts Regulations ('CMR') ('the Safeguards Regulation') wherein the state defined a robust set of guidance for the protection of Massachusetts resident personal information. Likewise, per Massachusetts state law, every patient or resident of a medical facility has the right to confidentiality of all medical records and communications.


Michigan

Measures Announced

General

Michigan does not currently have a comprehensive data protection law. In lieu of a data protection law, however, on December 10th 2020 the Michigan Legislature passed the Data Breach Notification Act (HB 4186 and HB 4187). Key provisions of the new law include an expanded definition of sensitive personally identifying information ("PII"), notification requirements to affected residents, and a requirement that businesses maintain reasonable security measures.


Minnesota

Measures Announced

General

Minnesota Statutes, Chapter 325M, Internet Privacy, prohibits an Internet Service Provider (ISP) from knowingly disclosing personally identifiable information concerning a consumer of the ISP to a third party. Per the Minnesota law, personally identifiable information means information that identifies a consumer by physical or electronic address or telephone number, identifies a consumer as having requested or obtained specific materials or services from the ISP, or any of the contents of the consumer's data-storage devices. Notwithstanding, an ISP may disclose personally identifiable information concerning a consumer to any person if the disclosure is incident to the ordinary course of business of the ISP, or to any person with the authorization of the consumer.

A consumer may bring a private right of action against any ISP violating this law. A consumer who prevails in an action brought under the Internet Privacy statute is entitled to an award of the greater of $500 or actual damages, including costs, disbursements, and attorney fees. Notwithstanding, in an action under this law it is a defense that the defendant has established and implemented reasonable practices and procedures to prevent such violations.

Likewise, Minnesota Statutes 144.293 protects the access and disclosure of health records. Per §144.293 Subd. 2, Patient Consent to Release of Records, a health care provider, or a person who receives health records from a provider, may not release a patient's health records to another without a signed and dated consent from the patient authorizing the release. Such consent is generally valid for one year or for a period specified in the consent.


Mississippi

Measures Announced

General

Mississippi currently does not have a general privacy law in effect, but it does have statutes that prohibit identity fraud, protect financial and hospital records, and regulate unsolicited commercial communications. In addition, Mississippi recognizes four of the common law privacy torts: intentional intrusion upon the solitude or seclusion of another, appropriation of another's identity for an unpermitted use, public disclosure of private facts, and holding another to the public eye in a false light.

Identity Theft

The Mississippi Annotated Code 1972 ('Miss. Code. Ann.') prohibits obtaining the personal identity information of another person with the intent to unlawfully use that information without that person's authorization, as well as misrepresenting identity with the intent to obtain goods or services.

Consumer Protection

The Mississippi Telephone Solicitation Act (Miss. Code Ann. § 77-3-703) requires solicitors to register with the Mississippi Public Service Commission and prohibits calls attempting to sell consumer goods and services to numbers listed on the Commission’s ‘no-calls’ list.

Breach Notification

The Breach Notification Law (Miss. Code Ann. § 75-24-29(3)) requires notification of a breach of personal information of MS residents 'without unreasonable delay' to affected individuals. Notification can be given in writing, by telephone, or electronically. These requirements are enforced by the Attorney General.

Insurance Data

Mississippi's Insurance Data Security Law (Miss. Code. Ann. §83-5-801 et seq.) establishes standards for data security, for the investigation of a cybersecurity event, and for notification to the Commissioner of Insurance by insurance companies licensed or registered in Mississippi.


Missouri

Measures Announced

General

Missouri does not have any statutes that require website privacy notices or policies. All applicable federal laws and foreign laws should be observed. Additionally, other state laws that regulate the collection of personal information collected from residents of such states should be followed, as well as any applicable required disclosures and information sharing notification requirements.


Montana

Measures Announced

General

Montana does not currently have an overarching privacy law, but it does support privacy principles through a small group of industry or data specific privacy and data security regulations. Additionally, the Montana state constitution contains Article 2(10) which provides the right of access to public records, except in cases where such access may itself infringe upon individual privacy rights.

In 2015 the Montana Governor signed into law a social media privacy law (HB 343), creating restrictions on employers requiring or requesting the disclosure of personal social media account usernames or passwords belonging to employees or applicants. The law prohibits employers from requesting that the individual access their personal social media account in the employer's presence or disclose any information from their social media account.

In 2019 a law protecting the electronic personal information of students (Montana Pupil Online Personal Information Protection Act – HB 745) was enacted. The law applies to Montana K-12 students and the online applications (internet website, online service, cloud computing service, online application, or mobile application) that support those students. The law prohibits marketing activities based on any information, including protected information and persistent unique identifiers, that the online application obtains through use by the student.

Lastly, per Montana law a health care provider, or an individual who assists a health care provider in the delivery of health care, or an agent or employee of a health care provider may not disclose health care information about the patient to any other person without the patient's written authorization. Such health care provider shall maintain a record of each person who has received or examined, in whole or in part, the recorded health care information in question during the preceding 3 years.


Nebraska

Measures Announced

General

Nebraska currently does not have a privacy law. However, the Nebraska Consumer Data Privacy Act was introduced in January 2020 to afford consumer rights and to enhance the protection of consumer online information. The bill also outlines consent requirements pertaining to minors, requires organizations to provide consumers with two or more accessible methods for submitting consumer rights requests (e.g. access and deletion requests), and outlines penalties for non-compliance.

Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act outlines breach notification requirements for consumer information. The state’s Attorney General enforces these provisions.


Nevada

Measures Announced

General

Nevada's primary data privacy law is Nevada Revised Statutes Chapter 603A.

This law applies to anyone who owns or operates a website for business purposes and who collects and maintains personal information from Nevada residents. This law does not apply to those located in Nevada or if the business's revenue is derived primarily from sources other than selling goods or services on a website. Under the statute, applicable businesses must disclose in their privacy policy:

  • The categories of PII collected;
  • The categories of third parties with whom that PII is shared;
  • A description of the process (if such a process exists) for the user to review and request changes to his or her PII;
  • Whether or not the business sells the PII of Nevada consumers;
  • A designated request address at which Nevada consumers can submit a request asking the business not to sell their PII;
  • A description of the process by which the business will let users know of any changes to its Privacy Policy;
  • Whether a third party collects information about the user across different websites (cookies); and
  • The effective date of the Privacy Policy.

The law also allows consumers to opt out of the sale of "covered information" collected through a website or online service, which includes: first and last name, physical address, email address, telephone number, Social Security number and any other PII that allows a person to be contacted physically or online. It also mandates that entities provide consumers with an email address, a toll-free telephone number, or an Internet website to submit verified opt-out requests, and requires an operator to respond within 60 days.


New Hampshire

Measures Announced

General

New Hampshire does not currently have a comprehensive data protection law.

Instead, the State has several sector-specific laws related to privacy, in addition to several newly introduced bills. The State's Insurance Data Security Law, which entered into effect on 1 January 2020, requires insurance companies licensed in New Hampshire to, among other things, implement data security programs and report cybersecurity incidents.

There is also NH Rev Stat § 332-I:1 (1996 through Reg Sess), which requires health care providers and business associates to obtain authorization from individuals before using or disclosing their protected health information ('PHI') for marketing purposes. Furthermore, operators of websites, online platforms and applications targeting students and their families are obliged to create and maintain reasonable data security procedures to protect certain information about students. Similar to California, New Hampshire introduced, among other privacy-related bills, House Bill 1680 for an Act relative to the collection of personal information by business. This bill would provide consumers with rights of access, portability and transparency in addition to a private right of action in the event that non-encrypted and non-redacted personal information is disclosed.


New Jersey

Measures Announced

General

New Jersey does not have a comprehensive privacy law. However, New Jersey has the Identity Theft Prevention Act ("ITPA"), which includes vendor-specific reporting obligations.

Of note, any organization that conducts business operations in New Jersey, or any public entity that compiles/maintains computerized records, must notify New Jersey residents of a breach of their PI in “the most expedient time possible.” Personal information covers:

  • Social Security Number
  • Any account holder identifying information in combination with any password or security questions/answers that would grant access to an online account
  • Financial account number in combination with some form of access code that allows access to an individual’s account
  • Driver’s License Number
  • State ID Number
  • Linkable disassociated data, if the means of linking it was also compromised

If more than 1,000 individuals are involved, consumer reporting agencies must be made aware without unreasonable delay.

If vendors are compromised, they must notify their controlling organization, which ultimately bears responsibility for regulatory reporting and consumer notification.

Exemptions exist if the misuse of the illicitly obtained data is not reasonably possible.

For breaches of online account information, notification may be provided through an electronic form that provides details of the incident and instructions to change any passwords or security questions that may have been compromised.


New Mexico

Measures Announced

General

The Consumer Information Privacy Act (Senate Bill 176) establishes consumer rights and obligations for businesses that collect or use personal consumer information; provides for the promulgation of rules; establishes civil causes of action; provides penalties; establishes the consumer privacy fund; and provides for distributions.

New Mexico's Electronic Communications Privacy Act sets out the government's proscribed acts, permitted acts, warrants, information retention and emergency considerations.


New York

Measures Announced

General

New York does not recognize a constitutional or common law right to privacy. However, in January 2020 the New York Privacy Act (S5642) was reintroduced to the New York State Senate to enhance personal data protections and afford privacy rights to residents.

In July 2019, New York State signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The Act went into effect in March 2020, providing data breach and data protection requirements. The SHIELD Act requires businesses and individuals that own or license computerized data which includes New York residents' private information to implement physical and technical safeguards to protect the confidentiality, security, and integrity of personal information. Per the SHIELD Act, breach notification obligations require notice to impacted individuals without undue delay after becoming aware of the breach. However, there are exceptions to the breach notification requirement if exposure of New York residents' private information was due to an inadvertent disclosure by persons authorized to access private information and the person or business determines that the exposure "will not likely result in misuse of such information or financial harm to the affected individuals or emotional harm in the event of unknown disclosure of online credentials." Another exception to the breach notification requirement applies if notification has already been made in accordance with other state and federal regulations (e.g. HIPAA). Nonetheless, notice must still be provided to the Attorney General, the New York Department of State (NYDOS), and the state police.

Prior to the SHIELD Act, New York State's breach notification laws required notifications to include the contact information of the individual or business making the notification and a description of the categories of personal information believed to have been compromised. The SHIELD Act now additionally requires notifications to include the contact information and websites of applicable state and federal agencies that provide information on incident and breach response.

New York’s Penal Law makes efforts to outlaw the theft of personal and financial data by criminalizing the unlawful possession of personal identifying information that can be obtained from skimmer devices (e.g. devices that can obtain personal information from credit cards) – under §190.79 of the Penal Law, second degree identity theft is a class E felony with a penalty of up to four years in prison and a fine of up to $5,000 or double the amount of the gain from the theft.

The New York Department of Financial Services (NYDFS) sets cybersecurity requirements for covered financial services institutions including banks, mortgage companies, and consumer credit reporting agencies. The Cybersecurity Regulation requires each covered financial entity to assess its specific risk profile and implement a cybersecurity program that effectively protects consumers. Per the regulation, an organization’s senior management must take ownership and responsibility for its cybersecurity program and should file an annual certification confirming compliance with the Cybersecurity Regulation. Per §500.17 of the Cybersecurity Regulation, covered entities are required to notify the NYDFS within 72 hours after becoming aware of any cybersecurity event with a 'reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity' or for which notice must be provided to any government body, self-regulatory agency, or other supervisory body. Likewise, New York medical records laws delineate a patient's right to keep sensitive medical records confidential. Under the law hospitals must ensure the confidentiality of patient records. Medical records and information from records can be released only to hospital staff involved in treating the patient and individuals as permitted by State law.


North Carolina

Measures Announced

General

North Carolina does not have a general privacy law or constitutional right to privacy. However, under the Identity Theft Protection Act, § 75-60 et seq. of the North Carolina General Statutes, any business that owns or licenses personal information of residents of North Carolina, or any business that conducts business in North Carolina that owns or licenses such information in any form, must notify the affected individuals.


North Dakota

Measures Announced

General

At this time North Dakota does not have a general privacy law or regulation.

North Dakota does have data breach requirements covering only the breach of electronic data. Personal information is defined as: First name or first initial and last name, plus: Social Security number; driver’s license or non-driver color photo identification card number assigned by the DOT; financial account number, credit card or debit card number in combination with any required security or access code, or password that would permit access to a financial account; date of birth; maiden name of the resident’s mother; medical information; health insurance information; Employment Identification Number in combination with any required security code, access code, or password; or digitized or other electronic signature. Consumers must be notified of such breach at the most expedient time possible and without unreasonable delay.


Ohio

Measures Announced

General

Ohio does not have a general privacy law, and the Ohio state constitution does not provide any right to privacy. The right to privacy is provided by case law, which refers to the right of a person to be left alone, to be free from unwanted publicity and to live without unwarranted interference by the public in matters which are not necessary. Ohio does have specific statutory rules concerning the protection of health, financial and employment data. Ohio also has a requirement to notify consumers of a breach under §1349.19 of Title 13 of the Ohio Uniform Commercial Code of the Ohio Revised Code. This code requires notification be made to residents whose personal information was breached or is reasonably believed to have been accessed and acquired by an unauthorized person, if the access and acquisition causes, or is reasonably believed will cause, a material risk of identity theft or other fraud to the resident. The AG is responsible for investigating breaches and initiates civil actions where a business has allegedly failed to comply with this requirement.


Oklahoma

Measures Announced

General

In addition to constitutional privacy protections, Oklahoma has enacted various privacy laws protecting Health Data, Financial Data, and Employment Data. Some key laws include:

  • Financial Privacy Act (§§ 2201 – 2208)
  • Standards for Workplace Drug and Alcohol Testing Act


Oregon

Measures Announced

General

The Oregon Consumer Information Protection Act or “OCIPA” (formerly the “Oregon Consumer Identity Theft Protection Act” or “OCITPA”) applies to any person or entity that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of business. Per the law, a covered entity and a vendor shall develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of personal information, including safeguards that protect the personal information when the covered entity or vendor disposes of the personal information. A covered entity is defined by the Act as a person which owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of business, vocation, occupation or volunteer activities. A vendor is defined as a person with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.

Both covered entities and vendors must implement reasonable safeguards, which include administrative, technical, and procedural mechanisms for the protection of personal information. In the case of a security breach, a covered entity must give notice of the breach to the affected individuals in the most expeditious manner possible and without unreasonable delay, but not later than 45 days after discovering or receiving notification of the breach. Likewise, a vendor that discovers a breach of security, or has reason to believe that one has occurred, must notify the covered entity with which it has a contract as soon as practicable, but not later than 10 days after discovering the breach or having reason to believe that it occurred.

Oregon also has laws protecting the privacy of an individual's health care records. Under Oregon Revised Statutes §192.533, it is the policy of the State of Oregon that an individual has the right to have his or her protected health information safeguarded from unlawful use and disclosure.


Pennsylvania

Measures Announced

General

Pennsylvania does not currently have a general privacy law; however, it does have other legislation that includes certain privacy considerations. The Pennsylvania Constitution provides individuals with limited privacy rights, including a right to informational privacy. Pennsylvania also recognizes a common law right to privacy that individuals may enforce against companies and other individuals by filing causes of action in civil court: intrusion upon seclusion, appropriation of name or likeness, publicity given to private life, and placing a person in a false light.

Consumer Protection

Pennsylvania offers consumer protection under several statutes. Like the FTC Act, the Unfair Trade Practices and Consumer Protection Law (73 Pa. Stat. § 201-1 et seq.) prohibits unfair or deceptive business practices. The Unsolicited Telecommunication Advertisement Act makes it unlawful to send an unsolicited commercial email or fax, to include false or misleading information in such communications, or to fail to include a method for consumers to opt out of future messages.

Data Security

The Pennsylvania Code sets standards for safeguarding consumer information, including implementing safeguards to protect security, confidentiality, and integrity of consumer information; protecting against reasonably anticipated threats to security or integrity; and protecting against unauthorized access. The Consumer Protection Against Computer Spyware Act (73 Pa. Stat. § 2330.1 et seq.) prohibits the installation of software on a user's computer that deceptively modifies the computer's functions or collects personal information.

Identity Theft

Section 4120(a) of Title 18 of the Pennsylvania Consolidated Statutes (18 Pa. C.S. § 4120(a)) prohibits possessing or using the personal information of another person for an unlawful purpose without their consent.

Additional Considerations

The Privacy of Social Security Numbers Law (74 Pa. Stat. § 201 et seq.) offers certain protections to social security numbers, including prohibiting public display and printing on mailed materials.

The Pennsylvania Wiretapping and Electronic Surveillance Control Act ('the Wiretapping Act') (18 Pa. C.S. § 5701 et seq.) offers protection to any person whose wire, electronic, or oral communication is intercepted, or disclosed or used after interception.

Under Pennsylvania law, all medical records must be treated as confidential, and only authorized personnel may have access to them. The written authorization of the patient must be presented, and then maintained in the original record, as the authority for any release of medical information.


Rhode Island

Measures Announced

General

In March 2019, a proposed act entitled the "Consumer Privacy Protection Act" (2019 H 5930) was submitted to the Rhode Island General Assembly. If enacted, the Proposed Act would place stringent requirements on the collection and retention of consumers' personal information by businesses.

The Proposed Act would apply to all businesses, wherever located, that collect personal information from Rhode Island residents. It would require such businesses to inform consumers of the categories of information to be collected, and the purpose for which the information will be used, prior to collecting it. Businesses that collect personal information would also be required, upon a consumer's request, to disclose to the consumer the specific personal information that the business has collected. In addition, a business that receives a request from a consumer to delete that consumer's personal information would be required to delete the information and to instruct its service providers to do the same.


South Carolina

Measures Announced

General

South Carolina does not currently have an overarching data privacy law. There are, however, elements of privacy protection and consumer rights provided through a handful of more specific pieces of legislation and through case law. For incidents affecting more than 1,000 individuals, notification to the Consumer Protection Division of the South Carolina Department of Consumer Affairs (SCDCA) is required under §39-1-90 of Chapter 1 of Title 39 of the South Carolina Code of Laws. While not specifically privacy focused, the South Carolina Insurance Data Security Act obligates insurers and agents to comply with requirements regarding risk assessments, employee training and awareness, incident response planning, vendor management and vetting, and data protection standards.

Additionally, through case law, South Carolina recognizes all four torts for invasion of privacy. The South Carolina Biometric Data Privacy Act (HB 4182) was introduced to the South Carolina House Judiciary Committee in January 2020 but has not advanced further.


South Dakota

Measures Announced

General

South Dakota does not currently have any privacy laws affecting the private sector; however, many of the privacy provisions within the State's laws apply to public sector organizations. For example, the State's wiretapping statute, SD Codified Laws § 23A-35A-20, makes the interception of private communications without consent a Class 5 felony.

South Dakota's student privacy law, SDCL § 13-3-51 (Data reporting and record systems), applies only to the Department of Education. South Dakota was also the second-to-last state to enact a data breach notification law, § 22-40-1 et seq. of Chapter 40 of Title 22 of the South Dakota Codified Laws, which requires organizations to notify impacted individuals within 60 days of discovering a breach and to inform the State's Attorney General of any breach that impacts more than 250 residents.


Tennessee

Measures Announced

General

At this time Tennessee has no general privacy law in effect. Under §47-18-2107 of the Tennessee Code, as amended in 2017, residents must be notified of a breach of unencrypted personal information, and of encrypted personal information where the encryption key has also been acquired. Under the Tennessee Code, a breach of system security does not include the good faith acquisition of personal information by an employee, provided the information is not used or subject to further unauthorized disclosure. The majority of Tennessee's data privacy laws relate to consumer protection under Title 47, Chapter 18, Part 21 of the Tennessee Code Annotated (Identity Theft Deterrence), including laws governing the privacy of consumer reports, security freeze requests, identity theft, and the protection of personally identifiable information of customers of video tape sellers or service providers. Tennessee also has sector-specific laws that limit the disclosure, redisclosure and reuse of non-public personal information by insurers and agents.


Texas

Measures Announced

General

The Texas Constitution ('the Constitution') does not contain an express guarantee of a right of privacy.

Instead, Texas provides privacy protections through a combination of State statutes and common law. The Identity Theft Enforcement and Protection Act ('the Identity Theft Act'), found in Chapter 521, Title 11 of the Business and Commerce Code and Chapter 33, Title 7 of the Penal Code, contains general privacy provisions focusing on the protection of personal identifying information and sensitive personal information. Further, Texas has a range of sector-specific privacy regulations governing health data, financial data, biometric data, and unsolicited commercial communications. A more comprehensive privacy law framework has also been proposed through House Bill 4518, the Texas Privacy Protection Act. This bill would provide Texas consumers with rights such as the right to know, the right to opt out, and the right to be forgotten, similar in scope to the California Consumer Privacy Act ('CCPA').


Utah

Measures Announced

General

Utah does not have a comprehensive privacy law. However, Utah has laws on the protection of personal information, on identity fraud, and on the disclosure of personal electronic information to law enforcement without a suitable search warrant (the Electronic Information or Data Privacy Act, 'EIDPA'). These laws include vendor-specific reporting obligations.

Of note, Utah’s EIDPA law made national headlines as it was the first of its kind to place restrictions on law enforcement’s ability to obtain electronic data of a Utah resident, including that controlled by a third-party such as Google, without a suitable warrant. The EIDPA further requires that law enforcement notify the target of the investigation with information regarding the warrant itself and the information collected through the warrant within 14 days.

The Protection of Personal Information Law requires breach notification and applies to any organization that owns, or licenses, computerized data that includes PI. Personal information covers:

  • Social Security Number
  • Credit/Debit Card Number or Financial Account Number in combination with:
    • Any security/access code or password that allows access to the account
  • Driver’s License Number
  • State ID Card Number

Personal information does not include information (regardless of source) contained within federal, state, or local government records, or any information in media that was lawfully made available to the general public.

The breach notification obligation is triggered when the data owner or "maintainer" (a vendor or processor) becomes aware of a potential breach. The breached party must first conduct an investigation and determine whether personal information has been compromised or has the potential for misuse. If so, notification is required to each affected Utah resident without undue delay. Notice may be sent by first-class mail or by electronic notice, depending on the primary method of communication with the resident.

If a vendor is compromised, it must notify the organization that controls the data, which ultimately bears responsibility for regulatory reporting and consumer notification.


Vermont

Measures Announced

General

Vermont does not have a comprehensive privacy law, but it does have a data breach notification law. On March 5, 2020, Vermont signed into law An Act Relating to Data Privacy and Consumer Protection (S. 110). The law went into effect on July 1, 2020; it covers the data breach notification requirements of the State of Vermont and amends the Security Breach Notice Act under § 2435 of Subchapter 2 of Chapter 62 of Title 9 of the Vermont Statutes. The law requires that a security breach notice given to consumers include the type of personal information that was breached, the steps the data collector will take to protect against future breaches, contact details the consumer may use to obtain further information, and the approximate date of the security breach.

That said, Vermont law does provide for the confidentiality of medical records, which are treated as privileged and confidential. Unless the patient waives the privilege, or the privilege is waived by an express provision of law, a person authorized to practice medicine, a registered professional or licensed practical nurse, or a mental health professional may not disclose any information acquired in the provision of medical care to a patient.


Virginia

Measures Announced

General

In its 2020 Session, the Virginia General Assembly considered the Virginia Privacy Act (HB 473), which is similar to California's CCPA. It addresses prohibited practices committed by a supplier in connection with a consumer transaction; its scope covers any legal entity conducting business in Virginia; it identifies the roles and responsibilities of controllers and processors; and it identifies consumer rights.

Also in the 2020 Session, Virginia considered Senate Bill 641, relating to civil actions for the sale of personal data. It specifies requirements to which data sellers must adhere and gives the Attorney General, an attorney for the Commonwealth, or a consumer the right to initiate a civil action against a data seller that violates those provisions.


Washington

Measures Announced

General

Washington State's constitution recognizes an individual's right to privacy. Privacy is also protected by the common law privacy torts, such as public disclosure of private facts and false light. In addition, the State of Washington has enacted several laws that safeguard personal information and an individual's right to privacy.

Washington Privacy Act of 2021

The draft Washington Privacy Act of 2021 was introduced for review on September 9, 2020. It applies to "legal entities that conduct business in Washington or produce products or services that are targeted" to Washington residents and that (1) control or process the personal data of 100,000 or more consumers during a calendar year, or (2) derive more than 25% of their gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers. It adds exemptions for nonprofits and institutions of higher education.

Consumer rights afforded to Washington residents under the draft bill include:

  • Access
  • Deletion
  • Opt-Out
  • Portability
  • Purpose limitation
  • Rectification

Business obligations include:

  • Transparency notice
  • Processing limitation
  • Prohibition on discriminating against consumers who exercise their rights
  • Risk assessments

The draft bill also addresses privacy issues related to automated contact tracing in public health emergencies, like COVID-19.

The draft Washington Privacy Act of 2021 does not provide a private right of action.


West Virginia

Measures Announced

General

West Virginia does not have a comprehensive privacy law. However, West Virginia does recognize all four common law invasion of privacy torts. West Virginia requires notification of individuals following unauthorized access to unencrypted computerized personal information under §46A-2A-101 et seq. of the West Virginia Code, with additional notification obligations where more than 1,000 consumers are affected. The Attorney General has the power to sanction violations and impose penalties. West Virginia also has other legislation, including the Consumer Credit and Protection Act under W. Va. Code § 46A-6-101 et seq., which provides rights of action against unfair trade practices, including the collection of personal data without adequate security measures in place. West Virginia also provides specific statutory protection for health and financial information.


Wisconsin

Measures Announced

General

In February 2020, Wisconsin lawmakers proposed three separate bills (Assembly Bill 870, Assembly Bill 871, and Assembly Bill 872) that together would have formed the Wisconsin Data Protection Privacy Act ("WDPA"). The WDPA was modelled on Europe's General Data Protection Regulation ("GDPR") and would have granted Wisconsin residents privacy rights such as data access and deletion. However, the WDPA was never put to a vote and is not currently under consideration.


Wyoming

Measures Announced

General

Wyoming does not have a comprehensive privacy law governing the use of personal data. However, Wyoming has updated its data breach notification statute to widen the definition of "personal identifying information" whose compromise triggers notification to individuals. The amendment expands the definition to include an individual's first name or first initial and last name in combination with any of the following:

  • Social Security Number
  • Driver’s license Number
  • Bank Account Number
  • Federal or State ID
  • Security Tokens
  • Username, or Email Address
  • Marriage or Birth Certificate
  • Medical Information
  • Health Insurance Information
  • Biometric Data
  • Taxpayer Identification Number