The State Data Privacy Act

Summary

The act is a proposed model state privacy bill developed by EPIC and Consumer Reports. It incorporates additional privacy protections into the base text of the Connecticut Data Privacy Act (CTDPA), which the tech industry often cites as a model for other states to adopt.

The goals of the act are to:

  • Limit ubiquitous online tracking;
  • Encourage more privacy-protective methods of online advertising;
  • Protect the most sensitive data, including data about kids and teens;
  • Use language from existing state laws; and
  • Allow for meaningful enforcement of the law to ensure compliance.

It includes several key amendments to provide meaningful privacy protections.

Data Minimization. Businesses can only collect and use data when it is “reasonably necessary” to provide the services the consumer asks for. Personal data collected in compliance with these rules may be used for most forms of advertising, providing businesses with data they desire to target ads while avoiding harmful effects stemming from the overcollection of personal data.

Sensitive Data Protections. Sensitive data (including precise geolocation, health data, data about minors, and more) cannot be sold or used for targeted advertising.

Enforcement. The act includes a private right of action, with a proposed compromise that exempts small businesses from it, in recognition of the fact that small businesses often collect less personal data and have fewer resources to implement new legal compliance programs.

Enhanced Protections for Children and Teens. The act provides enhanced privacy protections for minors under 18 years of age. Targeted advertising to minors is prohibited, and the sale of minors’ personal data is also banned. Any personal data about a minor is considered sensitive data and, therefore, can only be collected and used if strictly necessary for the product or service the minor is requesting.

Removed Loopholes that Exempt Big Institutions. The act uses narrow, data-level exemptions for the data covered by existing federal law rather than exempting an entire entity simply because some personal data it handles falls under existing law.
