The states at the forefront of consumer privacy legislation

The California Consumer Privacy Act was approved by lawmakers in June 2018 and is set to take effect in January 2020. The law requires companies with California residents as customers to abide by heightened disclosure standards and gives consumers considerable control over how their personal data is used.

The legislature approved language in September 2018 clarifying a carve-out for financial institutions under the Gramm-Leach-Bliley Act, although it does not exempt the sector from the law entirely.

Vermont passed a law regulating data brokers in May, and it went into effect in January. Data brokers, which buy and sell consumer information, must now register with the state's attorney general, make annual disclosures regarding privacy practices and data breaches and maintain a comprehensive information security program.

Colorado passed a law in May 2018 that raises standards around data security in the state. The law, which went into effect in September, mandates that companies maintain "reasonable" security practices and appropriately dispose of documents containing consumers’ personal information and ensure data is protected when transferred to third parties. Consumers must also be notified of data breaches within a 30-day time frame.

In July 2017, New Jersey passed a bill that limits a merchant’s ability to collect information about shoppers and pass that data on to third parties; it took effect in October 2017.

New York State Sen. Brad Madison Hoylman proposed a bill in January that would give consumers the right to know what information is being collected about them from companies and how it’s being disclosed to third parties — similar to California’s new privacy law.

Meanwhile, a bill that state Sen. Reuven Carlyle of Washington introduced in January would also give consumers the ability to find out whether their personal information is being collected by companies and whether it is being sold to others.

Sen. Marco Rubio, R-Fla., introduced legislation in January that would direct the Federal Trade Commission to draft new consumer privacy restrictions that would then have to be approved by Congress.

At the same time, Sen. John Thune, R-S.D., chairman of the Senate Commerce Committee, said last fall that he plans to pursue legislation on the issue. “We’re trying to take some of the best ideas out there” and “incorporate them into a legislative package,” he told Politico in September.

Over in the House, Rep. Marsha Blackburn, R-Tenn., introduced a bill last term that would impose more consumer rights around online privacy, including limiting the ability to social media companies to share a user's personal information.

Sen. Brian Schatz, D-Hawaii, sponsored a bill in December 2018, backed by more than a dozen Democratic colleagues, that would require companies to safeguard personal consumer data online and prohibit firms from using the information in ways that would be harmful to customers.

In November 2018, Sen. Ron Wyden, D-Ore., released draft legislation that would give the FTC more power to punish companies for privacy violations, require companies to submit an annual privacy protection report and mandate the creation of a national website that would allow consumers to opt out of data sharing online.

The office of Sen. Mark Warner, D-Va., published a white paper over the summer outlining steps that could be taken to regulate social media and tech companies, including creating legislation similar to Europe’s strict privacy policy, the General Data Protection Regulation.

On the House side, Rep. Hank Johnson, D-Ga., introduced two measures last year aimed at improving consumer privacy on mobile devices and allowing consumers to opt out of big-data collection and use.