Over the last decade there has been a reckoning over how digital companies collect personal data, what they do with it, and whether or not they’re capable of protecting it. Online data collection is still not regulated at the federal level in the U.S. But states are slowly embracing policies to ensure that digital companies protect their users—or at least introduce more transparency.
Illinois led the way in 2008 with the Biometric Information Privacy Act, a law that lets Illinois residents sue companies that collect their biometric data (face scans, fingerprints, etc.) without their consent. After Europe passed the General Data Protection Regulation in 2016, which entitles people to obtain any data collected on them and have their records deleted, California decided to use it as a framework for its own law. Two years later it introduced its version of the GDPR, called the California Consumer Privacy Act. California has since passed an amendment, called the California Privacy Rights Act, that clarifies the original law and adds a governing body called the California Privacy Protection Agency that can bring action against violators.
The original CCPA has now inspired several look-alike laws in other states, as momentum builds for state-level privacy legislation. 2021 could be the year that privacy laws become more pervasive across the country, helping Americans wrest back some of the aspects of their digital lives. Here’s a rundown of other state-level privacy laws beyond those in Illinois and California, plus the bills that could be passed into law this year.
NEVADA
Nevada adopted the Privacy of Information Collected on the Internet from Consumers Act in 2019, which allows consumers in the state to opt out of personal data collection.
VERMONT
In 2020, Vermont passed a law that requires data brokers to inform consumers when their personal information has been leaked or breached.
MAINE
Maine’s new privacy law went into effect in August 2020, after a short one-month delay. Unlike other privacy laws in the U.S., this one is aimed squarely at Internet Service Providers. It prevents them from sharing or selling personal customer data without explicit consent.
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
