Summary of Q3 2022 Legislation Relating to ID Scanning or Identity Verification
The 2022 legislative sessions have ended in all but a handful of states.
A Michigan bill that would create the Michigan Personal Data Privacy Act was introduced. This legislation is similar to the privacy laws passed in California, Virginia, Colorado, Utah, and recently in Connecticut. However, if the Section 7(1)(a) opt-in mandate for the processing of all personal data is intentional (as opposed to requiring opt in only for sensitive personal data), the Act would represent a significant deviation from the other legislation. The Michigan Legislature remains in session through the end of the year.
In Maryland, a bill was signed into law that requires a business that maintains personal information of an individual residing in the State to implement and maintain reasonable security procedures and practices. The law went into effect on October 1, 2022.
On September 15, 2022, Governor Newsom signed the California Age-Appropriate Design Code Act. a law directed at businesses that provide online services, products, or features that are likely to be accessed by children under eighteen. The Act aims to hold children’s well-being over businesses’ commercial interests and implement robust privacy protections in light of children’s increased interactions online. It will work in conjunction with the California Consumer Privacy Act of 2018 (the “CCPA”), as amended by the California Privacy Rights Act of 2020 (the “CPRA”), to govern the privacy of California residents. The Act will take effect on July 1, 2024.
Catalog of Legislative Initiatives Relating to ID Scanning or Identity Verification By State
Overview of relevant bills and statutes proposed and/or passed between July 1, 2022 and September 31, 2022.
|Arizona||H 2790||Would establish personal data and security standards.||Introduced in House and read first time, 06/23/2022|
|California||A 1711||Would require an agency to post a notice on the agency’s internet website when a person or business operating a system on behalf of the agency is required to issue a security breach notification for that system.||Vetoed by Governor, 09/23/2022|
|California||A 2273||Prohibits a business that provides an online service, product, or feature likely to be accessed by children from taking proscribed action, including, if the end user is a child, using personal information for any reason other than a reason for which the personal information was collected.||Approved by the Governor, 09/15/2022Effective 07/01/2024|
|California||A 2677||Would revise the circumstances that may allow the disclosure of personal information in a manner that links or could link the information disclosed to the individual to whom it pertains.||Vetoed by Governor, 09/19/2022|
|Hawaii||H 1570||Would ban the sale of flavored tobacco products and mislabeled e-liquid products.||Vetoed by Governor, 07/12/2022|
|Hawaii||S 2032||Would establish the Hawaii Genetic Information Privacy Act. Requires direct-to-consumer genetic testing companies to adhere to certain requirements pertaining to the collection, use, and disclosure of genetic data. Deems any violation as an unfair or deceptive trade practice subject to associated penalties.||Vetoed by Governor, 07/12/2022|
|Massachusetts||H 4514||Would establish the Massachusetts Information Privacy and Security Act.||Accompanied a study order, see H5222, 09/15/2022|
|Maryland||S 643||Requires a business that maintains personal information of an individual residing in the State to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned, maintained, or licensed; and altering certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach.||Enacted, 05/29/2022Effective 10/01/2022|
|Michigan||S 1182||Would create Michigan Personal Data Privacy Act.||Referred To Committee on Energy and Technology, 09/27/2022|
|New Jersey||S 332||Would require commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.||Senate Amendment, 08/08/2022|
|New York||S 9563||Would enact the New York child data privacy protection act to prevent the exploitation of children’s data; requires data controllers to assess the impact of its products on children for review by the bureau of internet and technology; bans certain data collection and targeted advertising.||Referred to Rules, 09/23/2022|
|Pennsylvania||S 895||Would require online marketplaces to inform consumers regarding the collection, verification, and disclosure of information.||Laid on the table, 09/21/2022|
|Pennsylvania||S 696||Would amend the Breach of Personal Information Notification Act.||Laid on the table, 09/19/2022|