North Dakota, Utah, Washington State. .. all three have recently introduced new pieces of data privacy legislation.

UTAH

Utah State Rep. Walt Brooks, has introduced House Bill 80, which creates an “affirmative defense” for companies in lawsuits over data breaches, provided they can prove that they maintain up-to-date data security.

“It doesn’t give them immunity and it doesn’t release them from liability especially if they’re negligent,” said Brooks.

Another bill introduced in the legislature regulates the state’s use of facial recognition technology.

House Majority Leader Francis Gibson, has introduced House Bill 243, which creates a statewide “privacy officer” to look at how state and local governments use some tech and whether or not people’s personal information is protected.

Details from Fox 13 in Salt Lake City

NORTH DAKOTA

North Dakota’s new privacy bill, submitted by representatives Thomas Kading, Jim Kasper, Matthew Ruby and Nathan Toman, requires opt-in consent for sale of protected data.

The bill defines protected data as including a user’s location; screen name; website address; interests; hometown; professional history; friends or followers; shopping habits; test scores; health conditions, insurance, or interests; internet browsing history; purchases or purchase history; the number of friends or followers of the user; socioeconomic status; religious affiliation; alcohol, tobacco, or drug usage; gambling habits; banking relationships; residence details; children’s information or household information; credit; banking and insurance policies; media usage; and relationship status.

The bill sets fines for intentional and unintentional violations and allows a filing class action lawsuits.

Read the full text of the bill.

WASHINGTON

Washington State Representative Shelley Kloba has submitted HB1303, a bill to regulate regulate data brokers, joining Vermont and California (and across the ocean – the reinstated UK ICO investigation):

  • Applies to data brokers engaged within the state in the business of making sales of personal data or exchanging personal data for consideration. “Engage within the state” includes generating gross income from personal data of individuals located in the state (which is if their address is located in the state).
  • Data brokers are required to register with the state and disclose their name, principal place of business, character of business, specific type of personal information collected, sources and methods by which the information was obtained and gross income attributable to the sale of personal data. Failure to register is punishable by a fine.
  • Data brokers are required to pay 1.8% tax.

Read the full text of the legislation.