Michigan, Ohio, and Pennsylvania Consider Data Privacy Legislation

?State governments are continuing to propose and adopt legislation that requires businesses to implement policies and procedures to ensure privacy rights for consumers. Businesses operating in Michigan, Ohio, and Pennsylvania should prepare for the potential dawning of a new day.

While California led the way with the passage of the California Consumer Privacy Act (CCPA), a number of other states (Colorado, Connecticut, Utah, and Virginia) followed suit and passed comprehensive privacy legislation that will become fully effective in 2023.

Michigan, Ohio, and Pennsylvania are now considering bills similar to California’s strict law that would require covered businesses to implement policies and procedures providing privacy rights to consumers. While it is too early to tell which, if any, will become law, businesses operating in these states should be mindful of the requirements that may be imposed on them.

Michigan

The Michigan legislature is currently considering the Consumer Privacy Act (House Bill 5989). This bill was introduced by 15 Democratic lawmakers in April 2022 and currently sits in the House Committee on Communications and Technology.

The Michigan Consumer Privacy Act would apply to for-profit entities that conduct business in Michigan or produce products or services that are targeted to Michigan residents and:

  • During a calendar year, control or process personal data of not less than 100,000 consumers; or
  • During a calendar year, control or process personal data of not less than 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

The bill would provide consumers with rights, including:

  • The right to access the personal data that has been collected about them.
  • The right to request that a business correct any personal data about them that is inaccurate.
  • The right to request that a business delete any personal data that was collected from that consumer or about that consumer.
  • The right to opt out of the processing of personal data for purposes of targeted advertising or profiling.
  • The right to obtain the personal data that they provided to the business in a portable and readily usable format.
  • The right to opt out of the sale of the consumer’s personal data.

The Michigan Consumer Privacy Act does not provide consumers with a private right of action for violations.

Ohio

The Ohio Personal Privacy Act (House Bill 376) was introduced in July 2021, sponsored by 10 Republican lawmakers. It was then referred to the House Government Oversight Committee. On Feb. 16, it was deemed to be “informally passed.” On Feb. 22, the bill was re-referred to the Rules and Reference Committee, where it now sits.

The Ohio Personal Privacy Act would apply to certain for-profit entities that conduct business in Ohio or produce products or services that are targeted to consumers in Ohio, and satisfy one of the following:

  • Have annual gross revenues of over $25 million generated in Ohio;
  • During a calendar year, control or process personal data of 100,000 or more consumers; or
  • During a calendar year, derive over 50 percent of gross revenue from the sale of personal data and process or control personal data of 25,000 or more consumers.

The Ohio Personal Privacy Act specifically excludes certain organizations from its coverage, including state agencies, financial institutions governed by Title V of the Gramm-Leach-Bliley Act, entities governed by HIPAA, and higher education institutions.

The Ohio Personal Privacy Act would provide consumers with rights, including:

  • The right to access the personal data that has been collected about them.
  • The right to request that a business delete personal data that the business collected from the consumer for commercial purposes and that the business maintains in an electronic format.
  • The right to opt out of having data processed or disseminated.
  • The right to request their personal data be provided electronically in a portable, readily usable format.
  • The right to opt out of the sale of the consumer’s personal data.

Like Michigan’s proposal, the Ohio Personal Privacy Act does not provide consumers with a private right of action for violations.

Pennsylvania

Pennsylvania is currently considering three pieces of privacy legislation: two bills titled Consumer Data Privacy Act (House Bill 2202 and House Bill 1126), and the Consumer Data Protection Act (House Bill 2257).

HB 2202 was introduced in December 2021 by 24 Republicans and seven Democrats. It was then referred to the Consumer Affairs Committee, where it currently sits. It applies to for-profit entities that perform business in Pennsylvania and satisfy one or more of the following thresholds:

  • Have annual gross revenue in excess of $20 million;
  • Alone, or in combination, annually buy, receive for commercial purposes, sell or share for commercial purposes, alone or in combination, the personal information of 100,000 or more consumers; or
  • Derive 50 percent or more of annual revenues from selling consumers’ personal information.

HB 2202 would provide consumers with rights, including:

  • The right to access the personal data that has been collected about them.
  • The right to request that a business correct any personal data about them that is inaccurate.
  • The right to request that a business delete any personal data that was collected from that consumer or about that consumer.
  • The right to opt out of the processing of personal data for purposes of targeted advertising or profiling.
  • The right to obtain the personal data that they provided to the business in a portable and readily usable format.
  • The right to opt out of the sale of the consumer’s personal data.

HB 2202 does not provide consumers with a private right of action for violations.

Meanwhile, HB 1126 was introduced in April 2021 by 15 Democrats and two Republicans. It was then referred to the Consumer Affairs Committee, where it currently sits. It applies to for-profit entities that conduct business in Pennsylvania and satisfy one or more of the following thresholds:

  • Have annual gross revenue in excess of $10 million;
  • Alone or in combination, annually buy, receive for commercial purposes, sell or share for commercial purposes, alone or in combination, the personal information for 50,000 or more consumers, households, or devices; or
  • Derive 50 percent or more of annual revenues from selling consumers’ personal information.

HB 1126 does not provide consumers with the same rights as HB 2202 or the Consumer Data Protection Act (HB 2257). For example, it does not include the right to correct inaccurate information, restrict the processing of personal data for targeted advertising or profiling, or obtain data in a portable format. It does, however, include:

  • The right to access the personal data that has been collected about them.
  • The right to request that a business delete any personal information that the business collected from the consumer.
  • The right to opt out of the sale of the consumer’s personal data.

HB 1126 provides a private right of action when a consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain the reasonable security procedures and practices appropriate to the nature of the information. 

Pennsylvania’s Consumer Data Protection Act was introduced in January 2022 by 25 Democratic lawmakers. It was then referred to the Consumer Affairs Committee, where it currently sits. 

The Consumer Data Protection Act applies to for-profit entities that conduct business in Pennsylvania or produce goods, products or services that are sold or offered for sale to residents of Pennsylvania, and that satisfy one or more of the following thresholds:

  • During a calendar year, control or process personal data of at least 100,000 consumers; or
  • Control or process personal data or at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

The Consumer Data Protection Act excludes certain organizations from its coverage, including state agencies, financial institutions governed by Title V of the Gramm-Leach-Bliley Act, entities governed by HIPAA, and higher education institutions.

The Consumer Data Protection Act would provide consumers with rights, including:

  • The right to access the personal data that has been collected about them.
  • The right to correct inaccuracies in the consumer’s personal data.
  • The right to delete personal data provided by the consumer or obtained by the controller about the consumer.
  • The right to opt out of the processing of personal data for purposes of targeted advertising or profiling.
  • The right to obtain the consumer’s personal data that the consumer previously provided to the controller in a portable and readily usable format.
  • The right to opt out of the sale of the consumer’s personal data.

The Consumer Data Privacy Act does not provide consumers with a private right of action for violations.

Next Steps for Businesses

For businesses operating outside of Michigan, Ohio, and Pennsylvania, it is important to be mindful that state privacy legislation has been gaining an undeniable momentum across the United States. This trend will likely continue, unless comprehensive federal legislation is passed, preempting conflicting state laws, so be on the lookout for updates in your region in the coming months.

Organizations conducting business in Michigan, Ohio, or Pennsylvania should stay abreast of the developments on these pieces of legislation. You may want to preemptively coordinate with your data privacy counsel to begin planning possible changes you would need to consider, should any of these bills get signed into law.

Jeffrey M. Csercsevits is an attorney with Fisher Phillips in Philadelphia. © 2022. All rights reserved. Reprinted with permission. 

Leave a Reply

Your email address will not be published. Required fields are marked *