Cities warned to prepare privacy programs as new state data law takes effect

Presenter (Speaker 1) warned municipal officials that HB 491 imposes broad, statewide obligations on local governments and will require operational changes to forms, contracts and employee training.

At the session the presenter said the bill’s personal-data definition is expansive — any information linked or reasonably linkable to an identifiable individual — and that cities and towns must adopt a privacy program (policies, practices and procedures for processing personal data) by 05/01/2025. Most other parts of the law will be effective on 05/01/2024, the presenter said, and will require annual reporting to the state and an annual privacy training plus a 30-day post-hire training requirement.

Municipalities should examine any contracts that involve personal data and include a clause binding contractors to the same Part 4 obligations for renewals or new contracts after May 1, 2024, the presenter advised. The law requires a personal-data-request notice at collection explaining purpose and use and either appearing on the form, linked via QR code, or placed prominently where data is collected. The statute also mandates a written process to request amendment of personal data; a governmental entity need not accept requested amendments but must create and publish the amendment procedure.

The presenter said the League is working with bill sponsors and will publish a white paper comparing HB 491 with existing GRAMA provisions when the material is finalized.

Why this matters: Local governments routinely collect personally identifiable information; HB 491 will require review and likely revision of forms, vendor agreements, training and breach-response procedures. Municipal clerks and procurement officers should inventory personal-data flows and update contracts and public-facing forms in advance of the effective dates.

What’s next: the League will continue negotiations with sponsors and issue detailed implementation guidance.