Michigan, Ohio, and Pennsylvania Consider Data Privacy Legislation Modeled After California’s Sweeping Law
Insights
9.13.22
State governments are continuing to propose and adopt legislation that requires businesses to implement policies and procedures to ensure privacy rights for consumers – and businesses operating in Michigan, Ohio, and Pennsylvania should prepare for the potential dawning of a new day. While California led the way with the passage of the California Consumer Privacy Act (CCPA), a number of other states (Colorado, Connecticut, Utah, and Virginia) followed suit and passed comprehensive privacy legislation that will become fully effective in 2023. Michigan, Ohio, and Pennsylvania are now all considering bills similar to California’s strict law that would require covered businesses to implement policies and procedures providing privacy rights to consumers. While it is too early to tell which, if any, will become law, businesses operating in these states should be mindful of the requirements that may be imposed on them if any are passed. What do you need to know about these critical developments?
Michigan
The Michigan legislature is currently considering the Consumer Privacy Act (House Bill 5989). This bill was introduced by 15 Democratic lawmakers in April 2022 and currently sits in the House Committee on Communications and Technology.
The Michigan Consumer Privacy Act would apply to for-profit entities that conduct business in Michigan or produce products or services that are targeted to Michigan residents and:
- During a calendar year, control or process personal data of not less than 100,000 consumers; or
- During a calendar year, control or process personal data of not less than 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
It would provide consumers with rights including:
- Right of Access - The right to access the personal data that has been collected about them.
- Right of Rectification - The right to request that a business correct any personal data about them that is inaccurate.
- Right of Deletion - The right to request that a business delete any personal data that was collected from that consumer or about that consumer.
- Right of Restriction - The right to opt out of the processing of personal data for purposes of targeted advertising or profiling.
- Right of Portability - The right to obtain the personal data that they provided to the business in a portable and, to the extent technically feasible, readily usable format.
- Right to Opt Out of Sales - The right to opt out of the sale of the consumer’s personal data.
The Michigan Consumer Privacy Act does not provide consumers with a private right of action for violations.
Ohio
The Ohio Personal Privacy Act (House Bill 376) was introduced in July 2021, sponsored by 10 Republican lawmakers. It was then referred to the House Government Oversight Committee. On February 16, it was deemed to be “informally passed.” On February 22, the bill was re-referred to the Rules and Reference Committee, where it now sits.
The Ohio Personal Privacy Act would apply to certain for-profit entities that conduct business in Ohio or produce products or services that are targeted to consumers in Ohio, and satisfy one of the following:
- Have annual gross revenues of over $25 million generated in Ohio;
- During a calendar year, control or process personal data of 100,000 or more consumers; or
- During a calendar year, derive over 50% of gross revenue from the sale of personal data and process or control personal data of 25,000 or more consumers.
The Ohio Personal Privacy Act specifically excludes certain organizations from its coverage, including (a) state agencies, (b) financial institutions governed by Title V of the Gramm-Leach-Bliley Act, (c) entities governed by HIPAA, and (d) higher education institutions.
The Ohio Personal Privacy Act would provide consumers with rights including:
- Right of Access - The right to access the personal data that has been collected about them.
- Right of Deletion - The right to request that a business delete personal data that the business collected from the consumer for commercial purposes and that the business maintains in an electronic format.
- Right of Restriction - The right to opt out of having data processed or disseminated.
- Right of Portability - The right to request their personal data be provided electronically in a portable, readily usable format.
- Right to Opt Out of Sales - The right to opt out of the sale of the consumer’s personal data.
Like Michigan’s proposal, the Ohio Personal Privacy Act does not provide consumers with a private right of action for violations.
Pennsylvania
Pennsylvania is currently considering three pieces of privacy legislation: two bills titled Consumer Data Privacy Act (House Bill 2202 and House Bill 1126), and the Consumer Data Protection Act (House Bill 2257).
Consumer Data Privacy Act (HB 2202)
HB 2202 was introduced in December 2021 by 24 Republicans and seven Democrats. It was then referred to the Consumer Affairs Committee, where it currently sits.
It applies to for-profit entities that perform business in Pennsylvania and which satisfy one or more of the following thresholds:
- Have annual gross revenue in excess of $20 million;
- Alone, or in combination, annually buy, receive for the business’ commercial purposes, sell or share for commercial purposes, alone or in combination, the personal information of 100,000 or more consumers; or
- Derive 50% or more of annual revenues from selling consumers’ personal information.
HB 2202 would provide consumers with rights including:
- Right of Access - The right to access the personal data that has been collected about them.
- Right of Rectification - The right to request that a business correct any personal data about them that is inaccurate.
- Right of Deletion - The right to request that a business delete any personal data that was collected from that consumer or about that consumer.
- Right of Restriction - The right to opt out of the processing of personal data for purposes of targeted advertising or profiling.
- Right of Portability - The right to obtain the personal data that they provided to the business in a portable and, to the extent technically feasible, readily usable format.
- Right to Opt Out of Sales - The right to opt out of the sale of the consumer’s personal data.
HB 2202 does not provide consumers with a private right of action for violations.
Consumer Data Privacy Act (HB 1126)
HB 1126 was introduced in April 2021 by 15 Democrats and two Republicans. It was then referred to the Consumer Affairs Committee, where it currently sits.
It applies to for-profit entities that conduct business in Pennsylvania, and satisfies one or more of the following thresholds:
- Have annual gross revenue in excess of $10 million;
- Alone, or in combination, annually buy, receive for the business’ commercial purposes, sell or share for commercial purposes, alone or in combination, the personal information for 50,000 or more consumers, households, or devices; or
- Derive 50% or more of annual revenues from selling consumers’ personal information.
HB 1126 does not provide consumers with the same rights as HB 2202 or the Consumer Data Protection Act (HB 2257). For example, it does not include the right to correct inaccurate information, to restrict the processing of personal data for targeted advertising or profiling, or to obtain data in a portable format. It does, however, include:
- Right of Access - The right to access the personal data that has been collected about them.
- Right of Deletion - The right to request that a business delete any personal information that the business collected from the consumer.
- Right to Opt Out of Sales - The right to opt out of the sale of the consumer’s personal data.
HB 1126 provides a private right of action when a consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business’ violation of the duty to implement and maintain the reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.
Consumer Data Protection Act (HB 2257)
The Consumer Data Protection Act was introduced in January 2022 by 25 Democratic lawmakers. It was then referred to the Consumer Affairs Committee, where it currently sits.
The Consumer Data Protection Act applies to for-profit entities that conduct business in Pennsylvania or produce goods, products or services that are sold or offered for sale to residents of Pennsylvania, and that satisfy one or more of the following thresholds:
- During a calendar year, control or process personal data of at least 100,000 consumers; or
- Control or process personal data or at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
The Consumer Data Protection Act specifically excludes certain organizations from its coverage, including (a) state agencies, (b) financial institutions governed by Title V of the Gramm-Leach-Bliley Act, (c) entities governed by HIPAA, and (d) higher education institutions.
The Consumer Data Protection Act would provide consumers with rights including:
- Right of Access - The right to access the personal data that has been collected about them.
- Right of Rectification - The right to correct inaccuracies in the consumer’s personal data.
- Right of Deletion - The right to delete personal data provided by the consumer or obtained by the controller about the consumer.
- Right of Restriction - The right to opt out of the processing of personal data for purposes of targeted advertising or profiling.
- Right of Portability - The right to obtain the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format.
- Right to Opt Out of Sales - The right to opt out of the sale of the consumer’s personal data.
The Consumer Data Privacy Act does not provide consumers with a private right of action for violations.
Next Steps for Businesses
For those businesses operating outside of Michigan, Ohio, and Pennsylvania, it is important to be mindful that state privacy legislation has been gaining an undeniable momentum across the United States. This trend will likely continue unless comprehensive federal legislation is passed preempting conflicting state laws, so be on the lookout for updates in your region in the coming months.
But for organizations conducting business in Michigan, Ohio, or Pennsylvania, the time is now for you to stay abreast of the developments on these pieces of legislation. You may want to preemptively coordinate with your data privacy counsel to begin planning possible changes you would need to consider should any of these bills get signed into law.
We will continue to monitor these developments, so make sure you are subscribed to Fisher Phillips’ Insight system to keep up with the most up-to-date information. Please contact your Fisher Phillips attorney, the author of this Insight, any attorney in our Privacy and Cyber Practice Group, or any attorney in our Detroit, Columbus, Cleveland, Philadelphia, or Pittsburgh offices should you have any questions.