Last updated on December 4th, 2023 at 03:53 pm

Summary of Q3 2022 legislation relating to ID scanning or identity verification

The 2022 legislative sessions have ended in all but a handful of states.

 A Michigan bill that would create the Michigan Personal Data Privacy Act was introduced. This legislation is similar to the privacy laws passed in California, Virginia, Colorado, Utah, and recently in Connecticut. However, if the Section 7(1)(a) opt-in mandate for the processing of all personal data is intentional (as opposed to requiring opt in only for sensitive personal data), the Act would represent a significant deviation from the other legislation. The Michigan Legislature remains in session through the end of the year.

In Maryland, a bill was signed into law that requires a business that maintains personal information of an individual residing in the State to implement and maintain reasonable security procedures and practices. The law went into effect on October 1, 2022. 

On September 15, 2022, Governor Newsom signed the California Age-Appropriate Design Code Act. a law directed at businesses that provide online services, products, or features that are likely to be accessed by children under eighteen. The Act aims to hold children’s well-being over businesses’ commercial interests and implement robust privacy protections in light of children’s increased interactions online. It will work in conjunction with the California Consumer Privacy Act of 2018 (the “CCPA”), as amended by the California Privacy Rights Act of 2020 (the “CPRA”), to govern the privacy of California residents. The Act will take effect on July 1, 2024.

Arizona H 2790 – Relating to personal data and security

Would establish personal data and security standards.

Introduced in House and read first time, 06/23/2022

California A 1711 – Relating to disclosures of security breaches where personal data is compromised

Would require an agency to post a notice on the agency’s internet website when a person or business operating a system on behalf of the agency is required to issue a security breach notification for that system.

Vetoed by Governor, 09/23/2022

California A 2273 – Relating to online services and the collection of personal information

Prohibits a business that provides an online service, product, or feature likely to be accessed by children from taking proscribed action, including, if the end user is a child, using personal information for any reason other than a reason for which the personal information was collected.

Approved by the Governor, 09/15/2022Effective 07/01/2024

California A 2677 – Would amend the Information Practices Act of 1977

Would revise the circumstances that may allow the disclosure of personal information in a manner that links or could link the information disclosed to the individual to whom it pertains.

Vetoed by Governor, 09/19/2022

Hawaii H 1570 – Relating to the youth vaping epidemic

Would ban the sale of flavored tobacco products and mislabeled e-liquid products.

Vetoed by Governor, 07/12/2022

Hawaii S 2032 – Relating to genetic information privacy

Would establish the Hawaii Genetic Information Privacy Act. Requires direct-to-consumer genetic testing companies to adhere to certain requirements pertaining to the collection, use, and disclosure of genetic data. Deems any violation as an unfair or deceptive trade practice subject to associated penalties.

Vetoed by Governor, 07/12/2022

Massachusetts H 4514 – An act to establish the Massachusetts Information Privacy and Security Act

Would establish the Massachusetts Information Privacy and Security Act.

Accompanied a study order, see H5222, 09/15/2022

Maryland S 643 – Relating to the implementation of data security practices

Requires  a business that maintains personal information of an individual residing in the State to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information owned, maintained, or licensed; and altering certain requirements related to notifications of breaches of the security of systems, including the circumstances under which the owner or licensee of certain computerized data is required to notify certain individuals of a breach.

Enacted, 05/29/2022Effective 10/01/2022

Michigan S 1182 – Would create the Michigan Data Privacy Act

Would create Michigan Personal Data Privacy Act.

Referred To Committee on Energy and Technology, 09/27/2022

New Jersey S 332 – Relating to online customers being notified of PII data collection

Would require commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.

Senate Amendment, 08/08/2022

New York S 9563 – Enacts the New York Child Data Privacy Protection Act

Would enact the New York child data privacy protection act to prevent the exploitation of children’s data; requires data controllers to assess the impact of its products on children for review by the bureau of internet and technology; bans certain data collection and targeted advertising.

Referred to Rules, 09/23/2022

Pennsylvania S 895 – Relating to the disclosure of collection and verification of information by online marketplaces

Would require online marketplaces to inform consumers regarding the collection, verification, and disclosure of information.

Laid on the table, 09/21/2022

Pennsylvania S 696 – Relating to providing notification to residents whose PII was disclosed in a security breach

Would amend the Breach of Personal Information Notification Act.

Laid on the table, 09/19/2022

Conclusion

Statewide legislation around privacy continues to be passed in states around the country.