The amount of activity with state data privacy legislation during the 2022 legislative cycle was, at times, overwhelming. Lawmakers in 29 states and the District of Columbia either introduced data privacy bills or had them carry over from the 2021 legislative session. Twenty-three states held committee hearings. Fourteen states passed bills out of committee. Seven states passed a bill through one chamber. Two states passed laws.
Although the legislatures in a few states considering bills are open through the end of the year, there has not been movement on those bills for an extended period of time. Therefore, it is as good a time as any to analyze what happened during the 2022 state legislative session and identify potential themes for the 2023 legislative session — should Congress not pass a federal preemptive privacy law.
While the 2022 legislative session brought some clarity — in particular, with the emergence of a model law — heading into 2023, the future of state data privacy legislation is unclear at best. The most notable source of uncertainty is the status of the American Data Privacy and Protection Act (House Resolution 8152), which would largely preempt state data privacy laws. Other sources of uncertainty include the upcoming election cycle, the push by business interests in 2022 to pass business-friendly data privacy bills, and the impact of the ADPPA even if it fails to pass.
The article below first analyzes the 2022 legislative cycle and identifies emerging themes and trends. It then takes an admittedly premature look at the upcoming 2023 state legislative session and identifies ways it may differ from the 2022 session.
Connecticut, Utah and the emergence of a model law in 2022
Despite the overwhelming amount of legislative activity, only two states — Connecticut and Utah — passed laws in 2022. Both laws are derived from the 2021 Washington Privacy Act (Senate Bill 5062). Last year, Virginia and Colorado also used the Washington Privacy Act as the model for their laws.
Although there are many differences between the Connecticut and Utah laws, their passage signals a growing consensus around the use of the Washington Privacy Act as the prevailing model for state data privacy legislation. Four states have now enacted laws based on the Washington Privacy Act, whereas no state has enacted a law based on the California Consumer Privacy Act either in its initial form or as amended by the California Privacy Rights Act.
In the absence of a preemptive federal privacy law, the emergence of the Washington Privacy Act as the prevailing model for state privacy legislation has important implications. Setting aside the CCPA, if states use the same model moving forward, it will help avoid the so-called “patchwork” of state privacy laws that threatens to make compliance unattainable. The emergence of a model law also would allow more states to enact data privacy legislation, as lawmakers in other states could piggyback on the efforts of lawmakers in the four states who already found compromises on difficult issues.
Notwithstanding the emergence of a model law, there are significant variations between the four laws that must be considered. Lawmakers may be looking to the Washington Privacy Act as their model, but they are not simply copying and pasting it. The Utah Consumer Privacy Act (SB 227) is no doubt the most business-friendly of the four laws. The Connecticut Data Privacy Act (SB 6) and Colorado Privacy Act (SB 21-190) are unquestionably the most consumer-friendly of the four. And, the Virginia Consumer Data Protection Act (SB 1392) is somewhere in between.
For example, Utah’s privacy law does not extend all the same rights as the Connecticut, Colorado and Virginia laws and, contrary to the other three laws, does not require consent for the collection of sensitive data or require controllers to conduct data protection assessments. Conversely, the Connecticut and Colorado privacy laws require controllers to recognize opt-out signals, have rights to cure that sunset in 2025, and prohibit the use of dark patterns. Those provisions are not found in the Utah or Virginia privacy laws.
Finally, while no other state has enacted a CCPA-like bill, the CCPA still covers nearly twice as many consumers as the other four state privacy laws combined. Consequently, there is no doubt it will continue to be a dominating influence on privacy standards in this country, in particular after the California Privacy Protection Agency begins enforcement in July 2023.
The effort to enact business-friendly state data privacy laws
A perhaps unexpected twist in the 2022 legislative session was the number of states that considered business-friendly privacy bills. Those bills were essentially modified versions of Virginia’s privacy law that removed provisions business interests considered onerous. According to reports, business lobbyists decided it was better to play offense and push business-friendly bills in receptive states than to simply defend against consumer-friendly bills in other states.
In addition to the Utah law, lawmakers in Indiana (SB 358), Iowa (House File 2506) and Wisconsin (Assembly Bill 957) considered such bills with a chamber in each state passing a bill. Similar bills were introduced in other states such as Louisiana (House Bill 987), Kentucky (HB 586), and Tennessee (HB 1467 / SB 1554). A common theme is that those states have Republican-controlled legislatures.
During committee hearings in those states, lawmakers repeatedly stated that mitigating compliance costs on businesses was a motivating factor for supporting these bills. Many lawmakers were also persuaded by a January 2022 study from the Information Technology & Innovation Foundation that estimated the costs for complying with 50 state data privacy laws at over $1 trillion over 10 years, with at least $200 billion hitting small businesses.
Whether these states — or other states with Republican-controlled legislatures — continue to pursue data privacy legislation in 2023 will be an important theme to track.
The Uniform Law Commission model act fails to catch on
In the fall of 2021, the Uniform Law Commission published its Uniform Personal Data Protection Act. The ULC touted the model act as “avoid[ing] the high compliance costs for businesses and the substantial enforcement costs for states associated with regulatory regimes modeled after the California Consumer Privacy Act and the European General Data Privacy [sic] Regulation.” While those were laudable goals, the model act was met with a less-than-enthusiastic response from privacy advocates, with professor Daniel Solove, in particular, offering a harsh critique.
Ultimately, only lawmakers in Oklahoma (HB 3447), Nebraska (LB1188), and the District of Columbia (B24-0451) proposed bills based on the model act. Other than a hearing in Nebraska, the bills did not move. At this point, it does not appear that the ULC’s model act has gained traction in influencing the development of state data privacy laws.
An early look forward to 2023
Big changes in Washington, Oklahoma and Florida
For at least the past two years, considerable attention has been focused on privacy legislation pending in Washington, Oklahoma, and Florida. Yet, as we look forward to the 2023 legislative session, it is unclear whether those states will again warrant such attention.
In Washington, state Sen. Reuven Carlyle’s influence on the development of state data privacy legislation in this country is undeniable. For years Carlyle, D-Wash., had Washington poised to become the second state — after California — to pass data privacy legislation. Although Washington was never able to pass a bill, as discussed, Virginia and Colorado passed a modified version of Carlyle’s proposed privacy bill in 2021 and Connecticut and Utah followed suit in 2022.
In January, Carlyle announced his retirement from the Washington legislature after 13 years. During the 2022 legislative session, his Washington Privacy Act did not move nor did his companion bill SB 5813, which sought to regulate children’s data and data brokers.
In the Washington House, representatives moved forward with HB 1850 — the Washington Foundational Data Privacy Act. That bill passed out of two House committees but never received a floor vote.
There is no doubt that Washington has passionate privacy advocates, but it remains to be seen whether lawmakers will again move forward with privacy legislation in 2023 or if Washington’s role in the development of state data privacy legislation will fade with Carlyle’s retirement.
In Oklahoma, state Rep. Collin Walke, D-Okla., CIPP/US, CIPM — the author of the Oklahoma Computer Data Privacy Act (HB 2969) — announced in April that he will not seek reelection. Through Walke’s efforts, the Oklahoma House passed privacy bills in 2021 and 2022, although the bills did not advance in the Senate. It is hard to imagine Oklahoma moving forward with legislation in 2023 without Walke.
Finally, it does not appear that Florida will try to pass data privacy legislation in 2023. In 2021, the Florida House and Senate each passed data privacy bills but were not able to resolve the differences before the legislature closed. In 2022, the Florida House passed state Rep. Fiona McFarland’s HB 9, but the bill did not advance in the Senate. During an IAPP KnowledgeNet meeting in June, Rep. McFarland, R-Fla., indicated that a change in leadership makes it unlikely that Florida will pass privacy legislation for at least the next two years.
What impact will the November elections have?
In November, residents of 46 states will cast their ballots for state House and Senate seats and 36 states will hold gubernatorial elections. Whatever happens with those elections, it is unlikely that the 2023 legislative session will have the same legislative dynamics as we saw in 2022. To the extent that Republicans gain control of legislatures or governorships or strengthen existing legislative majorities, we could see more Utah-like bills passed in 2023.
What about Dobbs?
The Supreme Court’s recent decision in Dobbs v. Jackson Women’s Health Organization is another wildcard. We already saw the impact on the federal level when U.S. Sen. Maria Cantwell, D-Wash., said the ADPPA “does not adequately protect” women’s data post-Roe. There is no reason to believe the same considerations will not spill into state data privacy debates, and one can certainly envision Democrat state lawmakers adding new women’s data privacy provisions to their bills in the wake of Dobbs.
Does the ADPPA, even if it does not pass, change the state conversation?
To state the obvious, if the ADPPA passes and generally preempts state data privacy laws, we will not be talking about state data privacy legislation in 2023. But what happens if the ADPPA does not pass?
One theory is that nothing changes, and state lawmakers will continue to propose dozens of bills, just as happened in 2022. Another theory is that state lawmakers might believe the federal government is close, or, perhaps, closer, to passing data privacy legislation and turn their attention to other pressing matters. State lawmakers routinely cite federal inactivity as their primary reason for pushing state bills. If it appears that the federal government may finally move forward with legislation, state lawmakers may be inclined to take a wait-and-see approach in 2023. That is particularly true if lawmakers believe there is a substantial risk that their bills, even if they pass, will be quickly preempted.
Yet another theory is that state lawmakers could use the ADPPA, or parts of it, as the model for their proposed bills. If that were to occur — and such a bill became law — the ADPPA could help create the very patchwork of state privacy laws that it seeks to preempt.
Which states should we watch in 2023?
It is too early to make predictions for 2023; however, at least one state has been actively engaging in work group meetings to draft proposed privacy legislation. The Oregon Attorney General’s office has been holding regular work group meetings over the past few months with the goal of having a bill ready to introduce in 2023.
In July, the National Conference of State Legislatures held its annual summit in Denver, Colorado. The summit included a full-day meeting of the NCSL’s Cybersecurity Task Force and Privacy Work Group and was attended by lawmakers who have spearheaded state privacy legislation in the past. Although none of the lawmakers disclosed specific plans to run legislation in 2023, a number of them indicated that they are considering doing so.