State Privacy Legislation

In the wake of the European Union's General Data Protection Regulation (GDPR), a growing number of states across the country are considering comprehensive privacy legislation of their own. Most of the proposals aim to give residents new rights to ownership over their data and establish new transparency requirements for entities that process personal data. Individuals would have the right to access, delete, correct, and move their data, or opt out of data collection. Some of the proposed measures could impact data maintained by colleges and universities in these states.

Recent State Actions

Enacted Legislation

  • California Consumer Privacy Act

    The California Consumer Privacy Act (CCPA), enacted in 2018 and effective January 1, 2020, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. The law protects the personal data of "residents" of California—whether living in California or temporarily outside the state—collected by any company that does business in California for profit. CCPA applies to any business that (1) has annual gross revenue of more than $25 million, (2) buys, receives, sells, or shares the personal information of 50,000+ "residents," or (3) derives more than 50 percent of its annual revenue from the sale of personal data. Personal data subject to the Health Insurance Portability and Accountability Act (HIPAA) and certain other laws are exempted from the CCPA, but data subject to the Family Educational Rights and Privacy Act (FERPA) are not included in those exemptions.

  • Nevada Privacy of Information Collected on the Internet from Consumers Act

    The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) was amended in June 2019 through SB 220 to include a requirement to allow consumers to opt out of certain data disclosures. The amended law, effective October 1, 2019, applies only to operators who (1) own or operate an Internet website or online service for commercial purposes, (2) collect and maintain covered information from Nevada residents who use or visit the Internet website or online service, and (3) engage in any activity that constitutes a sufficient nexus with Nevada. Personal data subject to HIPAA and certain other laws are exempted, but data subject to FERPA are not included in those exemptions.

2020 Proposed Legislation

Washington state, Illinois, Nebraska, New Hampshire, Virginia, and Florida lawmakers unveiled legislative proposals this month to regulate personal consumer data privacy. Other states are likely to follow suit.

  • Washington Privacy Act

    The Washington Privacy Act (WPA), SB 6281, would apply to legal entities that either process personal data of 100,000+ state residents or derive more than 50 percent of their annual revenue from the sale of personal data and process or control personal data of more than 25,000 state residents. Personal data subject to FERPA, HIPAA, and certain other laws are exempted from the WPA. Additionally, the law does not apply to state and local governments or municipal corporations. If approved, the Washington Privacy Act would go into effect July 31, 2021.

  • Illinois Data Transparency and Privacy Act

    The Illinois Data Transparency and Privacy Act, SB 2330, would apply to any for-profit legal entity that collects or discloses personal information of 50,000+ state residents or households or derives more than 50 percent of their annual revenue from the sale of personal data. Personal data subject to HIPAA and certain other laws are exempted, but data subject to FERPA are not currently included in those exemptions. If approved, the Illinois Data Transparency and Privacy Act would go into effect July 1, 2021.

  • Nebraska Consumer Data Privacy Act

    The Nebraska Consumer Data Privacy Act, Legislative Bill 746, would apply to any for-profit legal entity that does business in Nebraska and satisfies one or more of the following: (1) has annual gross revenue of more than $10 million, (2) collects or discloses personal information of 50,000+ state residents or households, or (3) derives more than 50 percent of its annual revenue from the sale of personal data. Personal data subject to HIPAA and certain other laws are exempted, but data subject to FERPA are not currently included in those exemptions. The proposed Nebraska Consumer Data Privacy Act does not specify an effective date.

  • New Hampshire

    New Hampshire House Bill 1680 would apply to any business that (1) has annual gross revenues of more than $25 million, (2) alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000+ state residents, households, or devices, or (3) derives more than 50 percent of its annual revenue from the sale of personal data. Personal data subject to HIPAA and certain other laws are exempted, but data subject to FERPA are not currently included in those exemptions. If approved, New Hampshire House Bill 1680 would go into effect January 1, 2021.

  • Virginia Privacy Act

    The Virginia Privacy Act, H 473, would apply to any entity that conducts business in Virginia or targets Virginia intentionally with products and/or services and that (1) either controls or processes personal data of 100,000+ consumers or (2) derives more than 50 percent of their annual revenue from the sale of personal data and processes or controls personal data of not fewer than 25,000 customers. Personal data subject to HIPAA and certain other laws are exempted, but data subject to FERPA are not currently included in those exemptions. The Virginia Privacy Act does not specify an effective date.

  • Florida

    Florida legislators introduced companion privacy bills in both the state's Senate, SB 1670, and House of Representatives, HB 963. The measure would apply to "operators" who (1) own or operate a website or online service for commercial purposes, (2) collect and maintain covered information from Florida residents who use or visit the website or online service, and (3) purposefully direct activities toward Florida or purposefully execute a transaction or engage in any activity with Florida or a Florida resident. Personal data subject to HIPAA and certain other laws are exempted, but data subject to FERPA are not currently included in those exemptions. If approved, the Florida Senate Bill 1620 and House Bill 963 would go into effect July 1, 2020.

Updates

Sourced from AACRAO Transcript. Member login required.

Resources

The International Association of Privacy Professionals created a State Comprehensive Privacy Law Comparison Map as a resource to stay abreast of the changing state-privacy landscape. Although many of the bills included in the table will fail to become law, comparing the key provisions in each bill can be helpful in understanding how privacy is developing in the United States.

  • Medium: What does the California Consumer Privacy Act Mean for Colleges and Universities?

  • JD Supra: A Comprehensive Review of the new Washington Privacy Act

  • IAPP: Comparing the new Washington Privacy Act to the CCPA

  • IAPP: CCPA Amendment Tracker

  • Termageddon: Nevada Privacy Law Compliance Guide

  • AACRAO: Implications of the General Data Protection Regulation: An Interassociation Guide