U.S. State Law Tracker

    U.S. State Law Tracker

    Privacy law in the United States is often described as a “patchwork” or “quilt” and nowhere is that truer than state privacy laws. From data breach notification to student privacy to biometrics, each state is unique and may regulate the same activity differently. The OneTrust privacy team actively catalogs existing state privacy laws and offers intelligent tracking of privacy-related bills moving through each state’s respective legislatures so that you can focus on what’s most important and what’s on the horizon. Read below to learn more.

    Last Updated: June 14, 2019


  • Comprehensive Consumer Privacy

    The passage of the California Consumer Privacy Act (CCPA) is widely regarded as a watershed moment in the development of privacy laws in the United States. States already have many laws on the books to regulate specific kinds of personal information (e.g. biometrics), specific kinds of industries or use cases (e.g. education, health, financial) and specific kinds of behavior (e.g. data breach notification), but the CCPA is the first comprehensive consumer privacy law to be signed into law at the state level.

    Unlike other specialized state laws, the CCPA has a much wider scope in that it applies to any business in contact with the data of a California resident. In many respects, the CCPA and the new batch of comprehensive consumer privacy bills mirror the European Union’s General Data Protection Regulation (GDPR).

    Since the passage of the CCPA, legislators in a number of states have introduced legislation similar to the CCPA as a way to offer their citizens privacy protections on par with those provided by the CCPA—which you can find summarized below. To learn more about proposed amendments to the CCPA itself—visit our CCPA Amendments Tracker.

    State& Bill No.        Status                      Latest Change        Bill Summary                         
    CA AB25
    Engrossed
    12/06/2019
    An act to amend Section 1798.140 of the Civil Code, relating to consumer privacy.
    CA AB1416
    Engrossed
    12/06/2019
    An act to amend, repeal, and add Section 1798.145 of the Civil Code, relating to consumer privacy.
    NJ A5430
    Introduced
    10/06/2019
    “New Jersey Algorithmic Accountability Act”; requires certain businesses to conduct automated decision and data protection impact assessments.
    CA AB1146
    Engrossed
    06/06/2019
    An act to amend Section 1798.145 of the Civil Code, relating to privacy.
    CA AB1202
    Engrossed
    06/06/2019
    An act to add Title 1.81.48 (commencing with Section 1798.99.80) to Part 4 of Division 3 of the Civil Code, relating to privacy.
    CA AB846
    Engrossed
    06/06/2019
    An act to add Section 1798.126 to the Civil Code, relating to consumer privacy.
    CA AB1395
    Engrossed
    06/06/2019
    An act to amend Sections 22948.20, 22948.21, and 22948.23 of, and to amend the heading of Chapter 35 (commencing with Section 22948.20) of Division 8 of, the Business and Professions Code, relating to information privacy.
    CT SB01108
    Engrossed
    05/06/2019
    To require businesses to disclose the proposed use of any personal information and to give consumers the right to discover what personal information the business possesses and to opt out of the sale of such information and to create a cause of action and penalties for violations of such requirements.
    LA HR249
    Passed
    05/06/2019
    Requests the Southern University Law Center to establish a task force to study the effects of the sale of consumer personal information by internet access service providers, social media companies, search engines, websites, and other providers of online services
    NV SB220
    Passed
    30/05/2019
    AN ACT relating to Internet privacy; prohibiting an operator of an Internet website or online service which collects certain information from consumers in this State from making any sale of certain information about a consumer if so directed by the consumer; and providing other matters properly relating thereto.
    CA AB873
    Engrossed
    29/05/2019
    An act to amend Sections 1798.140 and 1798.145 of the Civil Code, relating to consumer privacy.
    CA AB981
    Engrossed
    29/05/2019
    An act to amend Section 1798.145 of the Civil Code, and to amend Sections 791.01, 791.02, 791.04, 791.06, 791.08, 791.09, and 791.13 of, and to add Sections 791.24, 791.25, 791.30, and 791.31 to, the Insurance Code, relating to insurance.
    CA AB1564
    Engrossed
    22/05/2019
    An act to amend Section 1798.130 of the Civil Code, relating to consumer privacy.
    CA AB874
    Engrossed
    22/05/2019
    An act to amend Section 1798.140 of the Civil Code, relating to consumer privacy.
    CA AB1355
    Engrossed
    22/05/2019
    An act to amend Sections 1798.100, 1798.110, 1798.115, 1798.120, 1798.125, 1798.130, 1798.140, and 1798.185 of the Civil Code, relating to consumer privacy.
    NY A07736
    Introduced
    17/05/2019
    Establishes the “It’s Your Data Act” for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information.
    VT S0110
    Enrolled
    16/05/2019
    An act relating to data privacy and consumer protection
    CA SB752
    Introduced
    16/05/2019
    An act to add and repeal Chapter 3.7 (commencing with Section 8299) of Division 1 of Title 2 of the Government Code, relating to state government.
    CA SCR44
    Engrossed
    13/05/2019
    Relative to Privacy Awareness Week.
    CA AB1281
    Engrossed
    08/05/2019
    An act to add Title 1.81.7 (commencing with Section 1798.300) to Part 4 of Division 3 of the Civil Code, relating to privacy.
    HI HCR225
    Passed
    30/04/2019
    Convening A Task Force To Examine And Recommend Laws And Regulations To Update Privacy Law.
    RI S0234
    Introduced
    30/04/2019
    Creates “Consumer Privacy Protection Act.”
    WA SB5376
    Engrossed
    28/04/2019
    Protecting consumer data.
    CA SB753
    Introduced
    23/04/2019
    An act to amend Section 1798.140 of the Civil Code, relating to privacy.
    CA AB1760
    Introduced
    23/04/2019
    An act to amend Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.120, 1798.125, 1798.130, 1798.135, 1798.140, 1798.145, 1798.155, 1798.175, 1798.185, 1798.190, 1798.192, and 1798.198 of, to amend, repeal, and add Section 1798.180 of, to add Sections 1798.100a and 1798.103 to, and to repeal and add Section 1798.196 of, the Civil Code, relating to personal information.
    CA AB288
    Introduced
    23/04/2019
    An act to add Title 1.81.24 (commencing with Section 1798.90.7) to Part 4 of Division 3 of the Civil Code, relating to privacy.
    LA HB465
    Introduced
    08/04/2019
    Provides relative to internet privacy and protection
    PA HB1049
    Introduced
    05/04/2019
    An Act providing for consumer data privacy, for rights of consumers and duties of businesses relating to the collection of personal information and for duties of the Attorney General.
    RI H5930
    Introduced
    02/04/2019
    Creates “Consumer Privacy Protection Act.”
    US HB2013
    Introduced
    01/04/2019
    Information Transparency & Personal Data Control Act
    WA HB1503
    Introduced
    21/03/2019
    Concerning registration and consumer protection obligations of data brokers.
    ND 1138
    Passed
    21/03/2019
    AN ACT to amend and reenact subsection 2 of section 26.1-02-27 of the North Dakota Century Code, relating to annual privacy notices.
    HI HR200
    Introduced
    14/03/2019
    Convening A Task Force To Examine And Recommend Laws And Regulations To Update Privacy Law.
    NY A03739
    Introduced
    13/03/2019
    Restricts the disclosure of personal information by businesses.
    NY S04411
    Introduced
    11/03/2019
    Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
    NY A06351
    Introduced
    06/03/2019
    Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
    CA AB950
    Introduced
    04/03/2019
    An act to add Sections 1798.91.01 and 1798.91.02 to the Civil Code, relating to consumers.
    WA HB1854
    Introduced
    01/03/2019
    Protecting consumer data.
    WA HB2046
    Introduced
    22/02/2019
    Increasing consumer data transparency.
    WA SB5377
    Introduced
    21/02/2019
    Concerning data sales and governance.
    MD HB901
    Introduced
    14/02/2019
    Requiring certain businesses that collect a consumer’s personal information to provide certain notices to the consumer at or before the point of collection; authorizing a consumer to submit a certain request for information to a certain business that collects the consumer’s personal information; requiring a certain business to comply with a certain request for information in a certain manner and within 45 days after receiving a verifiable consumer request; etc.
    MD SB613
    Introduced
    11/02/2019
    Requiring certain businesses that collect a consumer’s personal information to provide certain notices to the consumer at or before the point of collection; authorizing a consumer to submit a certain request for information to a certain business that collects the consumer’s personal information; requiring a certain business to comply with a certain request for information in a certain manner and within 45 days after receiving a verifiable consumer request; etc.
    MS HB1253
    Failed
    05/02/2019
    An Act To Create The Mississippi Consumer Privacy Act; To Authorize A Consumer To Request That A Business Disclose The Categories And Specific Pieces Of Personal Information That It Collects About The Consumer, The Categories Of Sources From Which That Information Is Collected, The Business Purposes For Collecting Or Selling The Information, And The Categories Of Third Parties With Which The Information Is Shared; To Require A Business To Make Disclosures About The Consumer’s Information And The Purposes For Which It Is Used; To Authorize A Consumer To Request That A Business Delete His Or Her Personal Information; To Require The Business To Delete The Consumer’s Information Upon Receipt Of A Verified Request; To Authorize A Consumer To Request That A Business That Sells The Consumer’s Personal Information, Or Discloses It For A Business Purpose, Disclose The Categories Of Information That It Collects And Categories Of Information And The Identity Of Third Parties To Which The Information Was Sold Or Disclosed; To Require A Business To Provide A Consumer’s Information In Response To A Verifiable Consumer Request; To Authorize A Consumer To Opt Out Of The Sale Of Personal Information By A Business; To Prohibit The Business From Discriminating Against The Consumer For Opting Out Of The Sale Of His Or Her Personal Information; To Authorize Businesses To Offer Financial Incentives For Collection Of Personal Information; To Prohibit A Business From Selling The Personal Information Of A Consumer Under 16 Years Of Age, Unless Affirmatively Authorized; To Provide Requirements For Receiving, Processing, And Satisfying Consumer Requests; To Provide Certain Definitions Regarding Consumer Information And Privacy; To Authorize The Attorney General To Enforce This Act; To Provide A Private Right Of Action In Connection With Certain Unauthorized Access And Exfiltration, Theft, Or Disclosure Of A Consumer’s Nonencrypted Or Nonredacted Personal Information; To Provide A Method For The Distribution Of Proceeds From Causes Of Action By The Attorney General; To Create The Consumer Privacy Fund, With The Moneies In The Fund, Upon Appropriation By The Legislature, To Be Applied To Support The Purposes Of This Act And Its Enforcement; To Provide For The Deposit Of Penalty Money Into The Fund; To Require The Attorney General To Solicit Public Participation For The Purpose Of Adopting Certain Regulations; To Authorize A Business, Service Provider, Or Third Party To Seek The Attorney General’s Opinion On How To Comply With The Provisions Of This Act; And For Related Purposes.
    NY A03818
    Introduced
    31/01/2019
    Relates to establishing the online consumer protection act; defines terms; provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities; makes related provisions.
    NY S02323
    Introduced
    24/01/2019
    Relates to establishing the online consumer protection act; defines terms; provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities; makes related provisions.
    MA S120
    Introduced
    22/01/2019
    For legislation relative to consumer data privacy. Consumer Protection and Professional Licensure.
    MA S1936
    Introduced
    22/01/2019
    For legislation to promote net neutrality and consumer protection. Telecommunications, Utilities and Energy.
    NM SB176
    Introduced
    17/01/2019
    Consumer Information Privacy Act
    NY S00224
    Introduced
    09/01/2019
    Restricts the disclosure of personal information by businesses.

    Check back for more tracking information about the various comprehensive consumer privacy bills working their ways through state legislative sessions across the country.* States highlighted in red have fewer than 30 days left in their respective legislative sessions.

  • Biometrics

    The state of Illinois passed the Illinois Biometric Privacy Act (BIPA) in 2008 which requires entities to take certain measures before collecting or processing biometric information (e.g. fingerprints, voice prints, facial recognition scans, etc..) of Illinois residents. Many other states have proposed similar legislation regulating the processing of biometric information, some by private entities and others by public authorities.

    As the map indicates the legislative push is coming from the around the four corners of the United States. During the 2019 legislative session, many states have proposed bills similar to the BIPA—not to mention several amendments to the BIPA itself. Learn more below.

    Status (as of 6/13/19)

    #

    Status

    Latest change

    Description

    CA AB1215
    Engrossed
    12/06/2019
    An act to add Section 832.19 to the Penal Code, relating to law enforcement.
    CA AB1130
    Engrossed
    12/06/2019
    An act to amend Sections 1798.29, 1798.81.5, and 1798.82 of the Civil Code, relating to information privacy.
    NY S05140
    Introduced
    10/06/2019
    Directs the commissioner of education to conduct a study on the use of biometric identifying technology; prohibits the use of biometric identifying technology in schools until July 1, 2022.
    NY A06787
    Introduced
    07/06/2019
    Directs the commissioner of education to conduct a study on the use of biometric identifying technology; prohibits the use of biometric identifying technology in schools until July 1, 2022.
    NY S05125
    Introduced
    06/06/2019
    Prohibits class A multiple dwellings from requiring the use of a smart access system for means of entry for building entrances, common areas, elevators, garage gates, or apartment entry doors; restricts information that may be gathered on lessees, tenants, owners or guests.
    NY A06788
    Introduced
    04/06/2019
    Prohibits class A multiple dwellings from requiring the use of a smart access system for means of entry for building entrances, common areas, elevators, garage gates, or apartment entry doors; restricts information that may be gathered on lessees, tenants, owners or guests.
    NY S06007
    Introduced
    03/06/2019
    Relates to the use of biometric identity verification devices for the purchase of alcoholic beverages and tobacco products; authorizes a licensee, its agent or employee to determine a person’s age when purchasing alcoholic beverages or tobacco products by use of a biometric identity verification device; establishes where the use of the device indicates that the person is under the age of twenty-one, the attempted purchase of the alcoholic beverage shall be denied.
    NJ S3893
    Introduced
    03/06/2019
    The “Uniform Criminal Records Accuracy Act.”
    AL HB556
    Passed
    31/05/2019
    State government, boards and commission, ALEA, SBI, Alabama Justice Information Commission, criminal justice information, background checks, National Crime Prevention and Privacy Compact, Secs. 41-9-650 to 41-9-652, inclusive; Secs. 41-9-597, 41-9-599, 41-9-622, 41-9-629, 41-9-648 repealed; Secs. 41-9-590 to 41-9-596, inclusive, 41-9-598, 41-9-601, 41-9-621, 41-9-623, 41-9-625, 41-9-627, 41-9-628, 41-9-630 to 41-9-635, inclusive, 41-9-637, 41-9-643, 41-9-645, 41-9-646, 41-9-649 am’d.
    NV SB66
    Passed
    30/05/2019
    AN ACT relating to public safety; renaming the State Disaster Identification Team as the State Disaster Identification Coordination Committee; revising the membership and duties of the Committee; revising requirements relating to the regulations governing the Committee; requiring providers of health care to report to the Committee certain information regarding any person who comes or is brought in for treatment of an injury which the provider concludes was inflicted as a result of certain emergencies or disasters or an illness which the provider concludes was contracted during certain health events; and providing other matters properly relating thereto.
    US HB2821
    Introduced
    30/05/2019
    American Promise Act of 2019
    TX HB2399
    Engrossed
    22/05/2019
    Relating to the use of a biometric identity verification device to verify the age of an individual purchasing an alcoholic beverage.
    NC H143
    Introduced
    21/05/2019
    Universal Identification/Biometrics Study
    NJ A5407
    Introduced
    20/05/2019
    The “Uniform Criminal Records Accuracy Act.”
    MN SF2906
    Introduced
    17/05/2019
    Uniform Criminal Records Accuracy Act
    NY A07736
    Introduced
    17/05/2019
    Establishes the “It’s Your Data Act” for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information.
    NH HB536
    Engrossed
    15/05/2019
    Adding biometric information to the consumer protection act.
    MO HB1215
    Introduced
    07/05/2019
    Requires the State Highway Patrol to host a website where the public can determine whether a serial number of a firearm has been reported stolen
    FL H1153
    Failed
    03/05/2019
    Establishes requirements & restrictions on private entities as to use, collection, & maintenance of biometric identifiers & biometric information.
    FL S1270
    Failed
    03/05/2019
    Creating the “Florida Biometric Information Privacy Act”; establishing requirements and restrictions on private entities as to the use, collection, and maintenance of biometric identifiers and biometric information; creating a private cause of action for relief for violations of the act, etc.
    MT HB645
    Failed
    25/04/2019
    Establish the Montana Biometric Information Privacy Act
    MA H287
    Introduced
    23/04/2019
    For legislation to protect the privacy and security of biometric information. Consumer Protection and Professional Licensure.
    MA S98
    Introduced
    23/04/2019
    For legislation to protect biometric information under the security breach law. Consumer Protection and Professional Licensure.
    AR HB1943
    Passed
    15/04/2019
    To Amend The Personal Information Protection Act; And To Revise The Definition Of “personal Information” In The Personal Information Protection Act.
    RI H5945
    Introduced
    03/04/2019
    Prohibits collection of biometric identifiers without consent.
    US HB1729
    Introduced
    01/04/2019
    OBIM Authorization Act of 2019 Office of Biometric Identity Management Authorization Act of 2019
    IL HB3024
    Introduced
    29/03/2019
    Amends the Biometric Information Privacy Act. Includes in the definition of “biometric identifier” an electrocardiography result from a wearable device. Effective immediately.
    IL SB2134
    Introduced
    28/03/2019
    Amends the Biometric Information Privacy Act. Deletes language creating a private right of action. Provides instead that any violation that results from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes is subject to the enforcement authority of the Department of Labor. Provides that an employee or former employee may file a complaint with the Department alleging a violation, within one year from the date of the violation, by submitting a signed, completed complaint form. Provides that any violation of the Act constitutes a violation of the Consumer Fraud and Deceptive Business Practices Act and may be enforced by the Attorney General. Makes a corresponding change in the Consumer Fraud and Deceptive Business Practices Act. Effective immediately.
    UT SB0164
    Passed
    22/03/2019
    Student Data Privacy Amendments
    UT SB0143
    Passed
    21/03/2019
    Public Education Vision Screening
    OR SB284
    Introduced
    19/03/2019
    Makes it unlawful employment practice for employer to collect biometric data from employees. Requires Commissioner of Bureau of Labor and Industries to establish rules regarding biometric data collected by employer before effective date of Act.
    UT HB0438
    Introduced
    14/03/2019
    Law Enforcement Use of Biometric Information
    TX SB1767
    Introduced
    14/03/2019
    Relating to the use of a biometric identity verification device to comply with certain alcohol related laws.
    UT SB0183
    Introduced
    14/03/2019
    Uniform Criminal Records Accuracy Act
    NM HB267
    Passed
    10/03/2019
    Criminal Justice Reforms
    TX SB1051
    Introduced
    07/03/2019
    Relating to the capture and retention of certain biometric identifiers by certain governmental entities.
    AZ HB2478
    Introduced
    19/02/2019
    Biological characteristics; biometric identifiers
    NY A05757
    Introduced
    14/02/2019
    Relates to the use of biometric identity verification devices for the purchase of alcoholic beverages and tobacco products; authorizes a licensee, its agent or employee to determine a person’s age when purchasing alcoholic beverages or tobacco products by use of a biometric identity verification device; establishes where the use of the device indicates that the person is under the age of twenty-one, the attempted purchase of the alcoholic beverage shall be denied.
    TX SB485
    Introduced
    14/02/2019
    Relating to the capture of a biometric identifier by a governmental entity; providing civil penalties.
    NY A02830
    Introduced
    25/01/2019
    Establishes the Medicaid identification and anti-fraud biometric technology pilot program; appropriates money therefor.
    NY S02500
    Introduced
    25/01/2019
    Relates to prohibiting private entities from using biometric data for any advertising, detailing, marketing, promotion, or any other activity that is intended to be used to influence business volume, sales or market share or to evaluate the effectiveness of marketing practices or marketing personnel.
    MA H1538
    Introduced
    22/01/2019
    For legislation to provide for the regulation of face recognition and emerging biometric surveillance technologies. The Judiciary.
    MA S1385
    Introduced
    22/01/2019
    For legislation to establish a moratorium on face recognition and other remote biometric surveillance systems. Public Safety and Homeland Security.
    MA H588
    Introduced
    22/01/2019
    Relative to requiring privacy protections and supporting safer technology in schools. Education.
    NY A01911
    Introduced
    17/01/2019
    Establishes the biometric privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.
    NY S01203
    Introduced
    11/01/2019
    Establishes the biometric privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual’s last interaction with the private entity, whichever occurs first.
    NY A00235
    Introduced
    09/01/2019
    Relates to prohibiting private entities from using biometric data for any advertising, detailing, marketing, promotion, or any other activity that is intended to be used to influence business volume, sales or market share or to evaluate the effectiveness of marketing practices or marketing personnel.

     

Want to learn more? Login to the full DataGuidance platform.