You asked, we listened. Inquiries have reached a steady hum over how the IAPP determines which bills to include in its US State Privacy Legislation Tracker. As state privacy legislation grows in number and complexity, questions arise with respect to those bills that occupy the fuzzy gray area between comprehensive and not — namely, Florida's Digital Bill of Rights and Washington state's My Health My Data Act. And to you, state tracking aficionado, we offer an explanation of our classification.

Perhaps it's best to work backward from what isn't comprehensive. As defined in the tracker, a bill is not considered comprehensive if "it does not qualify due to its scope, coverage, or rights."

A bill is narrow in scope if it applies only to a specific set of data types, like financial or health data, or data subjects, like children. A bill is narrow in coverage if its applicability includes only a single industry, like the automotive industry, or if its thresholds apply, in practice, to only a handful of companies. A bill is narrow in rights if it is targeted at providing only one or two consumer data rights, such as deletion or correction.

Florida's Digital Bill of Rights has many of the identifying features of bills included in the tracker, but it is not comprehensive in coverage: its unusually high thresholds of application limit its reach to a handful of controllers.

Conversely, Washington's MHMDA reads initially as a bill regulating digital health information — patently not comprehensive — but includes provisions that give it broad coverage across industries in practice, lending it some characteristics of comprehensive state bills. It nonetheless remains outside the tracker's purview because its scope is limited to consumer health data.

The state tracking cottage industry has arrived at a delicate consensus. Of seven other trackers sampled, four (Husch Blackwell, Future of Privacy Forum, Sourcepoint and Transcend) do not consider Florida's bill comprehensive, while three (Bloomberg, OneTrust and Termly) do. None lumps the MHMDA into the morass of comprehensive legislation.

While this article represents the IAPP's current stance, the IAPP may adjust its position in the future in light of new information, bills, stakeholders or member feedback. The IAPP will reassess its definition of "comprehensive" annually to stay current with state legislative trends.

Florida

Sunshine State lawmakers made waves in June by passing Senate Bill 262, the Digital Bill of Rights, which affords new data privacy rights to Floridians, among other provisions. While at a glance the act has all the makings of a fully fledged, comprehensive privacy law, a look under the hood reveals that its core requirements do not apply to the overwhelming majority of businesses, owing to its significantly narrowed definition of controller.

Under the statute, a controller must make more than USD1 billion in global annual revenue and meet at least one of the following criteria:

  • Derives at least 50% of its global gross revenue from the sale of online advertising.
  • Operates a smart-speaker and voice-command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation.
  • Operates an app store or a digital distribution platform that offers at least 250,000 apps for consumers to download.

Considering the limited universe of companies operating in the smart speaker, app store or online advertising industries, a set further reduced by the global annual revenue threshold, the list of entities that presently fall under the law's jurisdiction is not long. While the law does contain certain other obligations that apply more broadly, such as requiring consumer consent for the sale of "sensitive data" or expanding opt-out rights, its overall scope is not considered comprehensive.

Contrast the Digital Bill of Rights with the California Consumer Privacy Act or Utah's Consumer Privacy Act, each of which has a USD25 million gross annual revenue threshold and neither of which expressly targets the smart-speaker or app store industries. Or compare it to the Virginia model, which regulates controllers that process the personal data of at least 100,000 consumers annually as a starting threshold. Or to the Nevada approach, which eschews numerical thresholds entirely and instead captures organizations based on their collection or use of the personal information of that state's residents. Each of these thresholds captures orders of magnitude more businesses than Florida's disproportionately high threshold does.

Washington

Washington's MHMDA initially reads as strictly sectoral in scope, intended to expand data subject rights over their digital health data. This characterization vastly undersells the potential reach of the bill, which has been heralded as arguably "the most consequential privacy legislation enacted since the original California Consumer Privacy Act."

Key to this characterization is a sweeping definition of consumer health data that includes any personal information "linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status." A nonexhaustive list of data types follows, establishing just how far this language reaches. It includes, for example, "data that identifies a consumer seeking health care services" or "any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health." Colorable arguments can be made that, based on even the slightest relation to health services, categories like search history, shopping history or any online research into topics related to health, wellness, nutrition or fitness will fall under the MHMDA's jurisdiction.

Washington judges will have much to parse in drawing the MHMDA's parameters when it takes effect later this year. If its reach fulfills the extensive expectations many anticipate, that may warrant a conversation about including it in the state tracker. However, the text and intent of the bill indicate otherwise. Right now, the MHMDA stands as a digital health bill put forth to protect Washingtonians' health privacy as "part of a comprehensive pack of legislation" responding to the U.S. Supreme Court decision in Dobbs v. Jackson Women's Health Organization.

For readers outside the US

To some — especially those coming from a non-U.S. perspective — referring to any state legislation as comprehensive may feel like an affront to the language itself. That most U.S. state legislation exempts small- and medium-sized businesses from its jurisdiction via a revenue threshold, or comes loaded with industry-specific exemptions for health, financial or children's personal information, to name a few, would seem disqualifying when analyzing for comprehensiveness.

For comparison, the EU General Data Protection Regulation, progenitor of the bulk of the substance comprising state bills, includes no revenue threshold. Instead, a controller incurs obligations where it processes personal data in the context of an establishment in the EU, or where it offers goods or services to, or monitors the behavior of, individuals in the EU or European Economic Area. Likewise, while the GDPR does exempt certain entities in certain situations, it does not exempt large sectors of the economy in the way U.S. state laws do. Other international privacy statutes, such as China's Personal Information Protection Law, India's Digital Personal Data Protection Act or Brazil's General Data Protection Law, to sample a few, likewise lack revenue-based or sectoral exemptions.

The American conception of comprehensiveness in a privacy context refers instead to the notion that the law applies to all consumers in their relationships with larger online entities that collect and process personal information. To explain such exemptions: U.S. lawmakers generally prioritize, as a policy matter, innovation from small- and medium-sized businesses, leading to revenue thresholds. States must also contend with federal preemption by sectoral privacy laws like the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, requiring sectoral exemptions. None of this is to mention the multidimensional policy debate around tackling Big Tech, which heavily influenced Florida's bill.

Language is, of course, constantly evolving in all directions inside the U.S. and these exemptions have not slowed the word "comprehensive" from establishing its place in the American lexicon as an apt description of the sort of privacy legislation discussed herein.

None of this is to say that businesses operating in Florida or Washington should disregard the Digital Bill of Rights or MHMDA due to their exclusion from the IAPP's tracker. Quite the opposite: privacy professionals operating in these states should keenly monitor the development of these acts, which likely will result in enforcement, litigation and new compliance obligations, and possibly spur legislative mimicry across the country. The IAPP has covered Florida's Digital Bill of Rights and Washington's MHMDA in-depth and will continue to alert the privacy community as they develop and as other states pass relevant legislation.