State Privacy Law Developments in 2024
As privacy concerns continue to grow, several U.S. states are actively considering or have recently enacted comprehensive data privacy laws. These initiatives aim to enhance consumer rights and establish clear guidelines for businesses handling personal data. Here's a look at the current status of privacy legislation in New York, Massachusetts, New Jersey, North Carolina, and Pennsylvania.
New York
- Current Status: New York has made significant progress with its privacy legislation. On June 3, 2024, the New York Privacy Act (Senate Bill 365B) passed the State Senate and was delivered to the Assembly for further consideration[3].
- Focus: The proposed law aims to provide robust consumer rights similar to those in California, focusing on transparency, access, and control over personal data.
Massachusetts
- Current Status: Massachusetts is considering the Massachusetts Data Privacy Act (Bill S.2770), which is currently under review by the committee on Advanced Information Technology[9].
- Focus: The bill aims to protect consumer data by establishing clear obligations for data controllers and processors, enhancing transparency and accountability.
New Jersey
- Current Status: New Jersey has adopted a comprehensive data privacy law, effective January 15, 2024[5].
- Focus: The New Jersey Privacy Act aligns with frameworks like California's, emphasizing consumer rights and business compliance, particularly in data processing and protection.
North Carolina
- Current Status: North Carolina introduced the North Carolina Consumer Privacy Act (SB 525) in the Senate on April 4, 2023[10].
- Focus: The proposed legislation seeks to establish consumer rights to access, correct, and delete personal data, along with obligations for businesses to ensure data security and transparency.
Pennsylvania
- Current Status: Pennsylvania is actively discussing comprehensive privacy regulations, with House Bill 1201 addressing consumer data privacy and the duties of data controllers and processors[7].
- Focus: The bill aims to enhance consumer rights and impose penalties for non-compliance, aligning with broader trends in state privacy legislation.
State Privacy Law Developments in 2024: North Carolina and Pennsylvania
As privacy concerns continue to grow, North Carolina and Pennsylvania are actively considering comprehensive data privacy laws. These legislative efforts aim to enhance consumer rights and establish clear guidelines for businesses handling personal data. Here's a look at the current status of privacy legislation in these states and how they might impact businesses differently.
North Carolina
- Current Status: North Carolina has proposed the North Carolina Consumer Privacy Act (SB 525), which is currently under review by the Senate Committee on Rules and Operations. The bill's fate remains uncertain, but it reflects a strong push towards comprehensive privacy regulation.
- Key Provisions:
  - Applicability: Targets businesses with annual revenue of $25 million or more, processing personal data of 100,000 or more consumers, or deriving over 50% of revenue from data sales.
  - Consumer Rights: Includes rights to access, delete, and obtain copies of personal data, and to opt out of data processing for targeted advertising and sales.
  - Enforcement: Grants the Attorney General exclusive enforcement authority and does not provide a private right of action.
- Impact on Businesses: If enacted, businesses will need to implement robust data security practices and provide clear privacy notices. The focus on larger businesses means smaller entities may not be directly affected, but businesses that are covered will need to align with the law's requirements.
Pennsylvania
- Current Status: Pennsylvania's House Bill 1201 has passed the House and is under consideration. It is modeled after Connecticut's privacy framework, emphasizing consumer rights and business obligations.
- Key Provisions:
  - Consumer Rights: Similar to other state laws, it grants rights to access, correct, and delete personal data, along with opt-out options for data sales and targeted advertising.
  - Business Obligations: Requires businesses to safeguard personal data and comply with transparency requirements.
  - Enforcement: Provides for civil penalties and requires businesses to notify consumers of data breaches.
- Impact on Businesses: Pennsylvania's proposed law would require businesses to revamp their data protection practices, particularly those with significant consumer interactions. Compliance with transparency and security measures will be crucial to avoid penalties.
The legislative efforts in North Carolina and Pennsylvania reflect a broader trend towards comprehensive state privacy laws in the U.S. While both states aim to enhance consumer protection, the specific requirements and enforcement mechanisms differ, impacting businesses in unique ways. Companies operating in these states must stay informed and adapt their compliance strategies to meet the evolving regulatory landscape. As more states consider privacy legislation, the emphasis on consumer rights and data security continues to grow, shaping the future of data privacy in the United States.
Differences in consumer rights between Pennsylvania's and North Carolina's proposed privacy laws:
Pennsylvania Consumer Data Privacy Act (PCDPA)
- Opt-Out of Profiling: Pennsylvania's law allows consumers to opt out of profiling for decisions that produce legal or significant effects, such as in financial services, housing, and employment.
- Enforcement: The Pennsylvania Attorney General exclusively enforces the law, with a 60-day cure period for violations until December 31, 2025.
- No Private Right of Action: Consumers cannot sue businesses for violations, relying on the Attorney General for enforcement.
North Carolina Consumer Privacy Act (CPA)
- Consumer Rights: North Carolina's proposed law includes rights to access, delete, and obtain copies of personal data, and to opt out of data processing for targeted advertising and sales.
- Enforcement: The North Carolina Attorney General has exclusive enforcement authority, with no private right of action for consumers.
- Focus on Business Compliance: The law emphasizes business obligations to maintain data security and transparency, similar to other state laws.
Key Differences
- Profiling Opt-Out: Pennsylvania includes specific rights to opt out of profiling for automated decisions, which may not be explicitly covered in North Carolina's proposal.
- Enforcement Mechanisms: Both states rely on their respective Attorneys General for enforcement, but Pennsylvania's law specifies a cure period that may influence compliance strategies differently.
- Scope and Applicability: While both laws target businesses with significant data processing activities, the specific thresholds and exemptions may vary, affecting which businesses are subject to the laws.
These differences highlight the need for businesses to carefully review state-specific requirements to ensure compliance with varying privacy laws.
Conclusion
The movement towards comprehensive state privacy laws reflects a growing recognition of the need to protect consumer data in an increasingly digital world. As states like New York, Massachusetts, New Jersey, North Carolina, and Pennsylvania advance their legislative efforts, businesses must prepare to navigate a complex and evolving regulatory landscape. These laws emphasize consumer rights, transparency, and accountability, setting a high standard for data privacy protection across the United States.
Citations:
[1] https://www.dataguidance.com/news/new-york-bill-privacy-act-passes-senate
[2] https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20240606-state-comprehensive-privacy-law-update-june-6-2024
[3] https://www.mintz.com/insights-center/viewpoints/2826/2024-04-15-new-jersey-adopts-comprehensive-data-privacy-law
[4] https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/
[5] https://www.legis.state.pa.us/cfdocs/billInfo/billInfo.cfm?bn=1201&body=H&sInd=0&sYear=2023&type=B
[6] https://www.sixfifty.com/blog/consumer-data-privacy-laws-by-state/
[7] https://malegislature.gov/Bills/193/S2770
[8] https://www.centraleyes.com/privacy-laws/north-carolina/
[9] https://pplx-res.cloudinary.com/image/upload/v1724692281/user_uploads/wsgigsbut/us-privacy-laws-by-state-infographic.jpg
[10] https://pplx-res.cloudinary.com/image/upload/v1724692282/user_uploads/honcdedsp/CTEC_Privacy2024_HeatMap_v2-scaled.jpg