As U.S. state privacy law grows more compelling, stakeholders expect legislative fireworks and potential change to the regulatory landscape on an annual basis.

New laws are likely to pass this year — just as they did the past two years in response to the California Consumer Privacy Act and lack of comprehensive federal privacy legislation. Additional laws won't go unnoticed or unacknowledged, but a potential turning point is developing related to the perceived burden of a growing regulatory patchwork across states.

A growing difference between this year and the prior two is the lack of nuanced provisions states are proposing.

Comprehensive bills offered thus far in 2023 are simply not as diverse, running closer to laws passed in Colorado, Connecticut and Virginia. If state lawmakers continue with the same framework and avoid drastic divergence, organizations working across multiple states may breathe easier when additional laws pass, having complied with the framework elsewhere already.

"Connecticut passing its law last year solidified the Washington Privacy Act as the prevailing model for proposed state consumer privacy bills," Husch Blackwell Partner David Stauss, CIPP/E, CIPP/US, CIPT, FIP, PLS, said. "Of course, there are nuances with the existing laws and bills that companies must take into account, but as long as the new bills use the WPA framework, companies can take these nuances into account when building out compliance programs."

Stauss added current privacy proposals in Indiana, Iowa, New Hampshire and Texas are among those that take directly from the WPA model and its relative frameworks in Colorado, Connecticut and Virginia.

Legislative bones

While Washington state hasn't passed privacy legislation in four attempts, the original WPA framework proposed in 2019 became the go-to model when legislators realized the CCPA didn't fit their state.

Washington's original framework set the bar for model legislation with many of its provisions, including covered entities. The definition for covered thresholds in existing laws either started at or came around to the WPA's framing of companies carrying data on more than 100,000 consumers or banking a percentage of gross revenue from the sale of personal information of at least 25,000 consumers.

The WPA's language for data subject rights, response timelines for data subject requests and risk assessments also became the norm in other states' initial proposals.

"The digital marketplace and the broader ecosystem benefit from an environment where copycat bills have a strong 'skeleton' in place," Software Information and Industry Association Senior Director, Data Policy Divya Sridhar said, adding "basic rules for the road" are being established in a "uniform and interoperable" manner.

Among the leading proponents for the original WPA proposal was Microsoft, which maintains a steady presence in state privacy committee hearings, advocating for legislation that respects balance for all affected parties.

"Interoperability across states is important, not just for companies — like Microsoft — that will need to comply with a patchwork of state laws, but also for consumers who should have the same core privacy protections in the U.S. regardless of where they live," Microsoft Assistant General Counsel, Privacy and Regulatory Affairs Cari Benn, CIPP/US, CIPM, FIP, said. "While we are seeing copycat bills, we are still in a very active period for state privacy law and we expect that to be the case for the foreseeable future."

Turning compliance tides

Colorado, Connecticut and Virginia aren't exactly alike, although each builds upon the WPA model in some fashion. The states had their own takes — with some alignment — on handling the issues of universal opt-out signals, targeted advertising, biometric information and more.

The tweaks adopted in each law are not signs of malicious intent or ignorance toward any given company's compliance capabilities. In fact, state lawmakers are making it clear their 2023 bills are not designed to burden or hinder businesses with unsightly compliance costs.

Sen. Liz Brown, R-Ind., said in a Jan. 26 committee hearing on her Virginia-modeled privacy bill that her aim was to spare small- and medium-sized businesses while holding the big businesses that aren't already regulated in the data space accountable.

In a Feb. 14 committee hearing, Sen. Sharon Carson, D-N.H., explicitly noted a majority of covered New Hampshire businesses are likely already complying with the bulk of her privacy proposal because they comply with the related legislation from which she pieced it together.

"A lawmaker may want a bill to set a higher bar on certain issues, but not at the expense of the bill being unworkable with existing laws," Husch Blackwell's Stauss said. "The privacy community learned a lot about Virginia's law when operationalizing it over the past few months, and we are learning a lot about the Colorado Privacy Act through the rulemaking process. There are good opportunities for thoughtful lawmakers to improve and clarify language and concepts, especially around the privacy policy provisions."

But the chance to improve or clarify does not always translate. Sridhar pointed to rulemaking procedures for California and Colorado's privacy laws as instances of swinging and missing on raising legal certainty.

"While the legislation may appear standard at its core for states introducing the bills, the regulations may differ considerably," Sridhar said. "We’ve seen this when it comes to Colorado and California’s regulations, which diverge considerably on the attorney general's or the (California Privacy Protection Agency's) expectations for data minimization, impact assessments, controllers’ processing or consent model for sensitive data, and much more."

Creativity still possible?

Consumer Reports Director of Technology Policy Justin Brookman is among those counting on more trailblazing to come at the state level. With the current legislative activity, Brookman said a perceived drop-off is overstated and ingenuity from state lawmakers is still on display through "aggressive approaches."

"The U.S. House Committee on Energy and Commerce passing the proposed American Data Privacy and Protection Act on a strong bipartisan basis gives the states a lot more cover to enact stronger protections than the opt-out models we've seen so far," Brookman said, pointing to ADPPA-spurred bills in Illinois and Massachusetts. "And even where rights are replicated, that matters for the consumers of a state where before they didn't have much in the way of protection at all."

An obvious game-changing provision is a private right of action, which states have shown a willingness to shed early in the legislative process, if it is included at all.

Microsoft's Benn indicated a proposed duty of loyalty could similarly raise eyebrows and be a general disrupter.

"A bill that includes a duty of loyalty provision would also inject additional uncertainty, as that is not a requirement we have yet seen in state privacy legislation," Benn said. "A duty of loyalty would likely prohibit companies from engaging in self-serving activities related to personal data. Depending on how the provision is crafted, there could be tension between a duty of loyalty and the ability to innovate."

States are taking up more targeted privacy legislation so far this year as well — proposals concerning health data, children's privacy and biometric privacy among the most prevalent policy points being considered to date. Heightened attention to those topics, which are covered to varying degrees in existing state privacy laws, in a comprehensive bill could represent renewed creativity.

There's also the potential to push for more as it relates to privacy operations management.

"Bills should focus on privacy by design, putting consumers first, and baking their safety and experience into the early design of products," Sridhar said. "Bills that focus on privacy by design without handcuffing future uses of the data will ensure businesses can continue to use data for socially beneficial purposes."