Several States Introduce Data Privacy Bills to Start the 2022 Legislative Session
Florida Senate Bill 1864 (the Florida Privacy Protection Act) imposes a number of requirements on companies that control personal information of Florida residents, including notice at or before the collection of personal information, consent requirements related to the collection of sensitive data, and requirements for responding to verified consumer requests, as well as minimum contractual requirements and other obligations related to those entities that process the personal information.
Like the European Union’s General Data Protection Regulation, the Florida Privacy Protection Act applies to “controllers” and “processors” of personal information. A controller is defined as a for-profit entity that does business in Florida and determines the purposes or means of processing. A controller must either (a) control the processing of personal information of 100,000 or more Florida residents (“consumers”) or (b) control or process the personal information of at least 25,000 consumers and derive 50% or more of its revenue from selling personal information. A “processor” processes personal information on behalf of, and at the direction of, a controller.
The proposed law also introduces a number of rights for Florida residents, including rights to opt out of sales and targeted advertising, and rights of access, correction and deletion. Similar to what has been enacted under both the Virginia Consumer Data Protection Act and the Colorado Privacy Act, the Florida Privacy Protection Act would not apply to personal information collected in the employment context or related to business-related transactions and communications.
Maryland Senate Bill 11 would enact the Maryland Online Consumer Protection and Child Safety Act (the “Act”) and allow the Maryland Attorney General to adopt regulations to carry out the Act. The bill would impose a number of requirements on certain businesses, including:
- Subject to certain exceptions, provide two or more methods to submit consumer rights requests (including the right to delete, right to know, and right to opt out of third-party disclosure), and respond to verifiable consumer requests.
- Provide a clear and conspicuous link on its website that allows consumers or authorized persons to opt out of third-party disclosures of personal information.
- Not discriminate against consumers for exercising their rights under the Act.
Oklahoma House Bill 2969, known as the Oklahoma Computer Data Privacy Act of 2022, has been reintroduced in the House of Representatives, and is due to be considered on February 7, 2022, when the legislative session begins. The bill would apply to businesses that do business in Oklahoma and that satisfy one or more of the following criteria: (a) have annual gross revenues that exceed $10 million in the preceding calendar year; (b) annually buy, receive, share, or disclose for commercial purposes the personal information of 25,000 or more consumers; or (c) derive 50% or more of their annual revenue from sharing consumers’ personal information.
The Oklahoma Computer Data Privacy Act would create new obligations for businesses, such as requirements to implement and maintain reasonable security procedures and practices and to enter into enforceable contractual obligations with service providers.
On January 20th, Sen. Mike Flood introduced LB 1188, which is modeled on the Uniform Law Commission’s Uniform Personal Data Protection Act. An article outlining the full scope of LB 1188 will be found in next month’s newsletter.