2024 State Elections Toolkit
image/svg+xml Skip to main content
Search image/svg+xml

Key Takeaways:

  • Comprehensive privacy legislation in Florida, Oklahoma, and Washington had momentum towards passage, but stalled out and died this past month.
  • Differences over whether legislation should include a private right of action was a major sticking point.
  • There are currently privacy bills in 17 states that are still in legislative session.

Earlier this year, Virginia became the second state to pass a comprehensive privacy law, joining California’s Consumer Privacy Act (CCPA) in 2018. It appeared more states would join them in April, with momentum building for bills in Florida, Oklahoma, and Washington, but ultimately legislation fell short of the finish line in each state. 

Florida

Privacy legislation has typically been pushed by lawmakers in more liberal states, but it has become a recent cause célèbre among conservatives as well as a way to put the tech industry in their crosshairs. Florida Governor Ron DeSantis (R) made a big push for privacy legislation this session and House Speaker Chris Sprowls (R) had plans to “check these companies’ unfettered ability to profit off our data.” Representative Fiona McFarland (R) sponsored legislation that would have given consumers a right to access, correct, and delete personal information collected about them and a right to opt-out of the sale or sharing of that personal information. The bill sailed through the House, passing on a vote of 118-1.

The Senate had its own version that differed in significant ways from the House version. Most notably, the Senate version stripped a private right of action provision in committee. This left the bill to be enforced solely through the state attorney general, due to concerns that a private right of action would lead to a flurry of lawsuits. The Senate version was also more vague in definitions, differing with the House in how it defined “sales” and how it defined “personal information.” The Senate version also had a different threshold for which entities would be subject to the law and a later effective date than the House version. The Senate struck the language of the House bill and inserted language from their own version. That bill, described as “one of the most aggressive privacy laws in the U.S.,” passed the Senate on a 29-11 vote, but left only the final day of the legislative session to work out differences with the House version. 

Ultimately, the two chambers were unable to come to an agreement before the session adjourned. While the two sides were able to come to agreement to strike the private right of action, an exemption in the Senate version for large companies became a sticking point. Senate President Wilton Simpson also intimated that the issue was better suited for federal action, although Congress has not had much traction in any legislation. The bill also faced large opposition from industries, who pointed to estimates that compliance would cost billions. McFarland lamented this is “the nature of the legislative process” and indicated she will raise the issue again next year.

Oklahoma

There was an unexpected push for privacy legislation in the Sooner State with a bipartisan effort behind House Bill 1602. Unlike the California privacy law, the proposed Oklahoma Computer Data Privacy Act would have required consumers to opt-in to the sale of their personal information to third parties, rather than only allowing them to opt-out. Bill sponsor Rep. Collin Walke (R) was a fervent advocate for the legislation and it passed the House on an 85-11 vote.

But the bill faced opposition among not only businesses but Senate Republicans. Senate Judiciary Committee Chair Julie Daniels (R) sat on the bill, effectively killing it when the bill failed to pass out by the April 8 legislative deadline. She voiced concerns over the unintended consequences of the bill while Walke accused her of deciding “that profits are more important than privacy.” 

Walke has already stated plans to introduce more privacy legislation next year, including a bill that prohibits the state from doing business with companies that do not obtain opt-in consent from consumers before collecting personal information.

Washington

After coming close to passing privacy legislation in each of the last two sessions, it seemed the third time might be the charm for bill sponsor Senator Reuven Carlyle (D).  The issue of a private right of action was a sticking point when privacy legislation failed in 2020- with the House voting for a version that allowed consumers to sue, while the Senate kept enforcement with the state attorney general. Carlyle shepherded the Washington Privacy Act through the Senate without a private right of action but with added funding for enforcement through the state attorney general’s office.

But the House had its own privacy legislation, the People’s Privacy Act, retaining the private right of action and requiring consumers to opt-in to having their personal information collected. When House Speaker Laura Jinkins held firm on not allowing privacy legislation to be heard unless it included a private right of action, a compromise was sought that would have amended the Senate bill to have a watered-down private right of action that provided only injunctive relief, not monetary damages. This failed to appeal to business interests nor public interest groups like the ACLU, which had pushed for the People’s Privacy Act. The bill failed to pass out by the April 11 deadline and ultimately died when the session adjourned on April 25.

Other states

Currently, there are still privacy bills active in 17 states. A Connecticut bill passed out of committee this week and could get a Senate floor vote soon. The sponsors of a bill in Colorado have proposed changes after hearing industry concerns and held a hearing this week. Maine came out with a new bill this week that would require data broker registration and allow consumers to opt-out of the sale of their personal information.