Maryland, Hawaii, and Virginia are latest states to introduce privacy legislation
Recently, Maryland, Hawaii, and Virginia introduced privacy legislation designed to strengthen consumer access and control over personal data, joining efforts by Washington and New York to pass privacy bills containing provisions that differ from those in the California Consumer Privacy Act (CCPA), which took effect January 1. (See InfoBytes coverage on Washington here, New York here, and the CCPA here.)
On January 17, Maryland introduced HB 249 to amend the state’s Commercial Law by adding a section titled “Consumer Personal Information Privacy.” Under the proposed bill, consumers would be provided the right to opt-out of the disclosure of their personal information to third parties. HB 249 defines “disclosure” as “a transfer of a consumer’s personal information by a business to a third party, including selling, renting, releasing, disseminating, making available, transferring, or otherwise communicating by any means.” The bill clarifies that disclosure does not include (i) a transfer of personal information to a service provider by a business for an operational purpose; (ii) identification of a consumer who has opted-out to alert third parties; and (iii) a transfer of personal information to a third party “as an asset that is part of a transaction in which the third party assumes control of all or part of the business.” The bill also stipulates requirements for businesses related to the consumer opt-out process, and states that a violation of the bill’s provisions would constitute an unfair or deceptive trade practice under Maryland’s Consumer Protection Act.
The same day, SB 2451 was introduced in the Hawaii Senate to add a new section to Chapter 487J of the Hawaii Revised Statutes, which stipulates that third parties cannot use or sell personal information purchased from a business unless a consumer receives explicit notice, provides express written consent, and chooses not to opt-out after given the opportunity to do so. The proposed bill also provides consumers the opportunity to, at any time, opt-out of the sale of their personal information to third parties. Among other things, the bill outlines provisions related to the sale of personal information for consumers less than 16 years of age, as well as specific compliance requirements for businesses when providing notice to consumers. SB 2451 also defines a third party as one that is (i) not a “business that collects personal information from consumers”; or (ii) not a person who receives personal information from a business for a business purpose pursuant to a written contract that restricts further use of the personal information.
Earlier, on January 3, HB 473, known as the “Virginia Privacy Act,” was introduced. Among other things, the bill requires data controllers to be transparent about their processing activities and be responsible for, upon verified request from the consumer, (i) confirming the uses of personal data; (ii) correcting inaccuracies; (iii) deleting unnecessary personal data or data for which the consumer has withdrawn consent; (iv) limiting the processing of personal data to what is required and relevant for a specified purpose; and (v) obtaining consumer consent in order to process sensitive data. HB 473 also provides consumers the right to object at any time to the processing of personal data, including the sale of data to third parties for targeted advertising, and stipulates that third parties must honor objection requests received from third-party controllers. The bill also requires controllers to conduct risk assessments for all processing activities that involve personal data, and conduct additional assessments each time a processing change occurs that “materially increases the risk to consumers.” If enacted, violations of HB 473 would “constitute a prohibited practice” pursuant to Virginia Consumer Protection Act (VCPA) Section 59-1-200 and violators would be subject to any and all of the VCPA’s enforcement provisions.