State of Privacy Legislation in OK, MD, and CT: No. No. Go!
By Kewa Jiang
Oklahoma: Computer Data Privacy Act
Status: Failed to pass.
On March 23, 2022, the Oklahoma House passed the Oklahoma Computer Data Privacy Act (HB 2969) 74-15. However, HB 2969 failed to advance past the Senate Judiciary committee in April 2022. Senator Julie Daniels (R-Bartlesville), who chaired the Senate Judiciary meeting, declined to grant the bill a hearing.
Senator Daniels called the data privacy bill “very complicated” and “much more expansive in terms of the problems I think it would create and the relationships between businesses and consumers that would be affected.” In response, House Representative Josh West (R-Grove), a co-author of HB 2969, expressed frustration that several bills, including HB 2969, died in committee.
HB 2969 is a new version of HB 1602, the Computer Data Privacy Act, which similarly was not granted a Senate Judiciary hearing in 2021 and died in committee. HB 1602 was also sponsored by HR West and HR Collin Walke (D-OKC) and would have required “internet technology companies to obtain explicit permission to collect and sell personal data.” HB 2969 would have likewise required businesses to receive consent before collecting consumer data, consumers must be informed of their right to opt-out of personalized advertising, and restricted sale of consumer data.
Maryland: Biometric Data Privacy Bill
Status: Failed to pass.
On March 19, 2022, the Biometric Data Privacy bill (HB 259) passed the Maryland House of Representative and moved to the Senate for consideration. However, by April 11, 2022, the legislature adjourned without passing the bill.
The HB 259 is the latest version of biometric privacy law introduced in Maryland by House Delegate Sara Love. Last year, HD Love withdrew a similar bill after it failed to advance past committee hearings.
HB 259 is based on the Illinois Biometric Information Privacy Act and would have limited the collection, use, retention, and sharing of covered biometric data of Maryland residents by private entities and processors. The bill defined biometric data to include fingerprints, voice print, eye retina or iris, or any unique biological patterns or characteristics that can be used to identify a specific individual. An individual alleging violation of their biometric information by a private entity would have been able to bring a civil suit.
Connecticut: An Act Concerning Personal Data Privacy and Online Monitoring
Connecticut joins the growing trend of state-level consumer privacy protection bills. On April 20, 2022, the Connecticut Senate unanimously passed Senate Bill 6. The bill then passed the House on April 28, 2022 (144-5 vote). Once signed by the governor, the bill’s provisions will go into effect on July 1, 2023.
SB 6 is sponsored by Senator James Maroney (D-Milford) and Senate Majority Leader Bob Duff (D-Norwalk). While a prior iteration of the consumer privacy bill failed to pass the House in 2021, both senators continued their efforts to push for consumer privacy protection.
SB 6 is generally based on the Colorado Privacy Act (CPA) but is comparatively less strict than California’s Consumer Privacy Act. The bill establishes a comprehensive framework that addresses a broad range of issues, such as dark patterns, data brokers, children’s online privacy, and opt-out mechanisms. The bill will impact companies that hold data on at least 100,000 Connecticut residents.
Some highlights of the consumer rights included in SB 6 are the right to access personal data, to correct inaccuracies in collected data, request to delete collected personal data, and obtain a copy of the consumer’s personal data. The bill also requires companies to provide consumers the ability to opt-out of personal data processing for targeted advertising. Any collection of “sensitive data” will require consumer consent before it is processed. Sensitive data is broadly defined to include consumer’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric information, data collected from a known child, or precise geolocation data.