State Privacy Legislation in 2023: What to Expect

With 45 state legislatures back in session, many lawmakers fresh off wins last November are eager to put their stamp on public policy. Recent sessions have seen more proposals to regulate data privacy, and that trend should continue this year. Here is what to expect with privacy legislation in 2023.

Expect More Efforts to Pass Comprehensive Legislation

Congress fell short of passing a federal comprehensive privacy law last year, in part because California House members objected to federal preemption of their state law. House Republicans have made children's privacy part of their Commitment to America, but it remains to be seen how much can get done within a divided Congress. Without federal action, states will again fill the vacuum, and we have already seen a few states introduce legislation that grants certain rights to consumers over the personal information collected from them.

• Indiana SB 5 is the reintroduction of a comprehensive privacy bill that unanimously passed the Senate last year. Senator Liz Brown sponsored the bill, which is similar to the privacy law passed in Virginia.

• Iowa House Study Bill 12 is similar to legislation that passed in Utah last year, giving consumers a right to access data, delete the data, obtain a copy of the data, or to opt out of targeted advertising or the sale of the data to a third party, but does not provide a right to correct or to opt out of profiling like other bills.

• Kentucky SB 15 includes a consumer right to access collected data, a right to delete, a right to data portability, and a right to opt out of targeted advertising, tracking, the sale or sharing of data to third parties using global privacy controls. It is similar to legislation filed last year by Senator Whitney Westerfield (R). 

• Massachusetts SD 745 is a sprawling privacy bill that among other things, includes consumer rights, provides for a “duty of loyalty” to consumers, prohibits targeted advertising at minor, requires data broker registration, requires algorithm impact and evaluation, and prohibits electronic monitoring of employees. 

• Mississippi SB 2080 is similar to a bill introduced last session. In addition to giving consumers certain rights, it would prohibit the sale of information of consumers less than 16 without consent and provide a limited private right of action for security breaches.

• New York SB 365 provides similar rights to consumers, including a right to opt out of targeted advertising, the sale of data, and profiling, but requires opt-in consent for certain sensitive data. It is also similar to legislation filed in the last few sessions that failed to move.

• Oklahoma HB 1030 is a more onerous bill that requires affirmative consumer consent before the collection of data. The bill was sponsored by Rep. Josh West (R) who co-sponsored legislation last session that passed the House. 

• Oregon SB 619 is the product of years of deliberation by a task force created by the Attorney General's Office. The legislation would give consumers the right to opt out of targeted advertising, the sale of the data to a third party, or profiling. There is also a separate bill that would require data brokers to register with the Department of Consumer and Business Services.

• Tennessee SB 73 would allow consumers to opt out of the sale of information to third parties and would require a privacy program that conforms to a National Institute of Standards and Technology (NIST) privacy framework.

Most of these bills avoid a private right of action, after similar provisions derailed legislation in Florida, Oklahoma, and Washington in recent sessions. But bills in Massachusetts, New York, and Oregon grant consumers a right to sue, so we could see our first privacy law with a private right of action if any of those bills make headway this session.

Momentum towards Children’s Privacy Protections

Even if there is disagreement on how to proceed with privacy laws in general, there is momentum growing to at least do more to protect children's online privacy. Connecticut, New Jersey, Oregon, South Carolina, and Virginia have all introduced bills that would restrict the collection of information from children. Bills in Minnesota and New Hampshire would create a "parental bill of rights" requiring parental consent before a biometric scan of a child or a record of the child's blood or DNA is created, shared, or stored.  

There has also been a trend of legislation giving parents more tools to filter access to the internet for their children. Lawmakers in Arkansas, Iowa, Mississippi, Missouri, Montana, New York, Oregon, South Carolina, Tennessee, Texas, and West Virginia have all filed legislation for this session that would require age authentication to access certain websites or require certain parental filters. 

Privacy Protections for Abortion Rights

In the wake of the Dobbs Supreme Court decision, many Democratic lawmakers vowed to introduce privacy legislation to protect women seeking an abortion in their state. One example early in this session is Washington HB 1155 known as the "My Health My Data Act," filed in conjunction with the state attorney general's office. The bill would require businesses to have a consumer health data privacy policy with certain disclosures, prohibit collecting or sharing consumer health data without consent, and prohibit implementing a "geofence" to identify, track, or collect data from a consumer that enters a virtual perimeter.

Context: Several Previously Enacted Privacy Laws Go Into Effect This Year

Several bills passed in previous sessions go into effect this year, bringing the number of states with comprehensive privacy laws up to five.

• On January 1, the Virginia Consumer Data Protection Act went into effect.   

• On July 1, privacy laws in Colorado and Connecticut go into effect. The Colorado Attorney General has already begun the rulemaking process to carry out the law, and the Connecticut Data Privacy Task Force has held meetings to discuss any further recommendations on privacy law.

• On December 31, the Utah Consumer Privacy Act goes into effect.

Lawmakers could try to tweak some of these laws as issues arise upon implementation. The Connecticut Task Force is also expected to present policy recommendations early this year that could result in legislation. California lawmakers may also wish to extend the exemptions in privacy law for data collected from business-to-business transactions, and data collected on employees that expired on January 1.

State Legislative Tracking for Privacy Legislation

Privacy legislation such as this has broad implications for businesses, and tracking this legislation as it moves through state legislatures should be a priority. If your organization needs assistance tracking privacy legislation, or understanding how bills such as these impact operations, schedule time to talk with one of our experts.