Greetings from Portsmouth, New Hampshire!

It's fair to say the pot that is U.S. state privacy law is on the cusp of boiling over after a slew of developments this week. A slow start to many 2022 legislative sessions has been made up for with Indiana all of the sudden moving fast and furiously toward passing comprehensive privacy legislation while bills in Massachusetts and Washington state cleared legislative committees as well.

Indiana is naturally the talk of the town, but not because of the potential passage in general. What has people clamoring is how watered down the bill has become. The strike-all amendment brought by state Sen. Liz Brown, R-Ind., is something she said compares to Virginia's Consumer Data Protection Act, but it might actually do less than Virginia's much-scrutinized model.

The version of the bill passed by the Indiana Senate and now awaiting consideration from the Indiana House does not include a private right of action, a sunset provision for the right to cure, provisions honoring the Global Privacy Control, or rulemaking from the attorney general's office. The latest change to the effective date, now set for Jan. 1, 2025, could also make this law non-consequential if U.S. Congress can pass a law before the law takes force — not in any way a certainty, but still a possibility.

If the provisions, or lack thereof, weren't concerning enough, Brown's view on the bill and what it needs to do, speaks to a disconnect some state lawmakers have regarding balancing constituents' safety and rights, and allowing businesses to grow or be innovative. During the committee hearing on Indiana's bill, Brown said moving away from her originally drafted EU General Data Protection Regulation model to Virginia's was to avoid doubling down on companies that are already regulated in separate spaces. In plain terms, this could amount to saying we shouldn't enforce against certain malicious or deceptive harms just because an organization is already prohibited from partaking in other malicious or deceptive activities within a business model. The company is made out to be the victim, not the individual whose identity is compromised after a data breach or nonconsensual third-party data sale.

A similar situation is brewing in Maryland where Senate Bill 11 may undergo a scathing amendment process following its hearing before the Senate Finance Committee. State Sen. Susan Lee, D-Md., touted SB 11 as a California Consumer Privacy Act copycat, which opposing testimony characterized as too daunting from a compliance standpoint based on the argument that CCPA compliance was so costly and would allegedly cost the same — as in paying again on top of prior costs — to comply if Maryland passed its law. But as state Sen. Benjamin Kramer, D-Md., pointed out regarding that claim: If you're a company that already complied with CCPA and this Maryland bill calls for the same compliance measures, aren't a majority of companies subject to both laws already equipped to comply with Maryland without significantly additional costs?

Anyway, the Maryland hearing ended with agreement on revisiting the bill after a two-week working group to explore common ground on how to balance the bill. Notably, talk of common ground focused on potentially achieving a familiar model: Virginia.

So let's call it what it is here. Virginia's law is quickly becoming the belle of the ball while bills closer to CCPA, considered the model framework just a couple years ago, are outliers. This trend and the explanations behind it bare watching the rest of this year and in years to come.

Talk soon, folks.