Last updated on December 4th, 2023 at 03:52 pm
Summary of Q2 2022 Legislation Relating to ID Scanning or Identity Verification
The 2022 legislative sessions have ended in all but a handful of states. Many bills relating to point-of-sale data collection have continued through the process, with several being signed into law.
A Maryland bill that would require a business that maintains personal information of an individual residing in Maryland to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information maintained was signed by the Governor. The bill is effective as of October 1, 2022.
In New York, a bill that would require the use of biometric identity verification devices was committed to the Rules Committee. The bill would authorize an agent or employee to determine a person’s age when purchasing beverages or tobacco products by use of a biometric identity verification device.
On May 10, 2022, Connecticut became the fifth state to enact the Consumer Data Privacy Act. The Act establishes a framework for controlling and processing personal data responsibilities and privacy protection standards for data controllers and processors. Additionally, it grants consumers the right to access, correct, delete, and obtain a copy of personal data. The Act will go into effect July 1, 2023, giving companies doing business in Connecticut less than two years to comply.
Alabama H 318 – Commerce and small business
Relating to commerce, online marketplaces, certain disclosures required to be made by certain high-volume third-party sellers, consumer protections provided
Forwarded to Governor, 04/07/2022
Arizona H 2790 – Data and security standards
Relates to personal data and consumer rights.
Introduced, 06/23/2022
Connecticut S 6 – Personal data privacy and online monitoring
Establishes a framework for controlling and processing personal data responsibilities and privacy protection standards for data controllers and processors. Grant consumers the right to access, correct, delete, and obtain a copy of personal data, and opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) certain sales of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.
Signed by Governor, 05/10/2022Effective July 1, 2023
Georgia S 332 – Selling and other trade practices disclosures by third-party sellers
Relating to selling and other trade practices, to provide for certain disclosures by third-party high-volume sellers of consumer products on online marketplaces.
Signed by Governor, 05/04/2022Effective 01/01/2023
Hawaii H 1570 – Relating to the youth vaping epidemic
Would ban the sale of flavored tobacco products and mislabeled e-liquid products.
Notice of Intent to Veto, 06/27/2022
Hawaii S 2032 – Relating to genetic information privacy
Would establish the Hawaii Genetic Information Privacy Act. Requires direct-to-consumer genetic testing companies to adhere to certain requirements pertaining to the collection, use, and disclosure of genetic data. Deems any violation as an unfair or deceptive trade practice subject to associated penalties.
Notice of Intent to Veto, 06/27/2022
Illinois S 3782 – Amends the Biometric Privacy Information Act
Would amend the Biometric Privacy Information Act. Allows a private entity to collect, capture, or otherwise obtain a person’s biometric identifier or biometric information without satisfying other specified requirements if they meet certain conditions.
Changed Chief Sponsor, 04/30/2022
Illinois S 3939 – Amends the Freedom of Information Act
Would modify the exemptions from inspection and copying public records concerning cybersecurity vulnerabilities.
Approved by the Governor, 05/06/2022Effective 05/06/2022
Kansas H 2340 – Increasing minimum age to purchase cigarette and tobacco products
Would increase the minimum age to 21 to purchase or possess cigarettes and tobacco products.
Died in Senate Committee, 05/23/2022
Kansas H 2433 – Concerning consumer protection regarding online third-party marketplaces
Would protect consumers and prevent online retail crime by requiring online marketplaces to verify and authenticate the identity of third parties who sell products on their platforms.
Died in Committee, 05/23/2022
Kansas H 2731 – Concerning consumer protection regarding online third-party marketplaces
Would require online marketplaces to obtain certain information from, and to require the disclosure of certain information by, third parties that sell products on their platforms.
Died on Calendar, 05/23/2022
Louisiana S 305 – Provides for the disclosure of certain information on websites and online services
Would provide for the disclosure of certain information on websites and online services.
Signed by the Governor, 06/03/2022Effective 08/01/2022
Massachusetts H 375 – An act in the protection of personal identity
Relative to the protection of personal identity.
Accompanied a Study Order, 06/30/2022
Maryland H 962 – Revisions to the Maryland Personal Information Protection Act
Would require a business that maintains personal information of an individual residing in the State to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information maintained. and altering certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach.
Enacted, 05/29/2022Effective 10/01/2022
Maryland S 643 – Revisions to the Maryland Personal Information Protection Act
Would require a business that maintains personal information of an individual residing in the State to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned, maintained, or licensed; and altering certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach.
Enacted, 05/29/2022Effective 10/01/2022
New Hampshire S 311 -Relative to access to drivers’ license information for healthcare and motor vehicle related business purposes
Relates to access to drivers’ license information for legitimate business purposes. Would allow the scanning, recording, and retaining or storing of information obtained from any driver’s license or nondriver’s identification card provided that such practice was expressly disclosed to the holder.
Inexpedient to Legislate, 05/04/2022
New York S 1817 – Relates to the use of biometric identity verification devices for the purchase of alcohol and tobacco
Would relate to the use of biometric identity verification devices for the purchase of alcoholic beverages and tobacco products; authorizes a licensee, its agent or employee to determine a person’s age when purchasing alcoholic beverages or tobacco products by use of a biometric identity verification device; establishes where the use of the device indicates that the person is under the age of twenty-one, the attempted purchase of the alcoholic beverage shall be denied.
Committed to Senate Rules Committee, 06/03/2022
New York S 3586 – Establishes the “Its Your Data Act”
Would establish the “It’s Your Data Act” for the purposes of providing protections and transparency in the collection, use, retention, and sharing of personal information.
Referred to Cities, 05/25/2022
New York S 06701 – Requires companies to disclose their methods of de-identifying personal information
Would enact the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.
Amended and Recommitted to Internet and Technology, 05/31/2022
Pennsylvania S 1291 – Genetic Information Privacy Act
Would provide for genetic information privacy and setting penalties for violations.
Referred to Consumer Protection and Professional Licensure, 06/16/2022
Pennsylvania H 1594 – Amends the Unfair Trade Practices Law to cover collection, verification, and disclosure from online marketplaces
Would require online marketplaces to inform consumers regarding the collection, verification, and disclosure of information.
Approved by the Governor, 07/11/2022Effective 01/01/2023
Pennsylvania S 895 – Amends the Unfair Trade Practices Law to cover collection, verification, and disclosure from online marketplaces
Would require online marketplaces to inform consumers regarding the collection, verification, and disclosure of information.
Removed from Table, 06/20/2022
Virginia H 381 – Relating to the Consumer Data Protection Act and the data deletion request
Provides that a controller that has obtained personal data about a consumer from a third party shall be deemed in compliance with a consumer’s request to delete such data if the controller either (i) retains a record of the deletion request and the minimum data necessary for the purpose of ensuring that the consumer’s personal data remains deleted and does not use such retained data for any other purpose or (ii) opts the consumer out of the processing of that data for any purpose except those purposes exempted pursuant to the Consumer Data Protection Act. Amends Va. Code § 59.1-577.
Signed by Governor, 04/11/2022Effective June 1, 2022
Virginia S 393 – Relating to the Consumer Data Protection Act and the data deletion request
Would provide for the requirements that a controller that has obtained personal data about a consumer from a third party must meet to be deemed in compliance with a consumer’s request to delete such data.
Senate Sustained Governor’s Veto, 04/27/2022
US H 8152 – To provide consumers with foundational data privacy rights
Would provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.
Ordered to be Reported, 07/20/2022
Federal Legislative Initiatives Relating to ID Scanning or Identity Verification
H.R.8152 – American Data Privacy and Protection Act
This bill establishes requirements for how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linkable to an individual.
Specifically, the bill requires most companies to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service and to other specified circumstances. It also generally prohibits companies from transferring individuals’ personal data without their affirmative express consent.
The bill establishes consumer data protections, including the right to access, correct, and delete personal data. Prior to engaging in targeted advertising, the bill requires companies to provide individuals with a means to opt out of such advertising. The bill also provides additional protections with respect to personal data of individuals under the age of 17. It further prohibits companies from using personal data to discriminate based on specified protected characteristics.
Additionally, companies must implement security practices to protect and secure personal data against unauthorized access, and the Federal Trade Commission (FTC) may issue regulations for complying with this requirement.
The bill provides for enforcement of these requirements by the FTC and state attorneys general. Beginning four years after the bill’s enactment, individuals may, subject to certain notification requirements, bring civil actions for violations of the bill.
Finally, the bill preempts state laws that are covered by the provisions of the bill except for certain categories of state laws and specified laws in Illinois and California.
Conclusion
Statewide legislation around privacy continues to be passed in states around the country.
