The rollercoaster ride of U.S. state privacy law is in full motion on its annual ascent to what can only be described as an unknown destination.
Forty-seven U.S. state legislatures have commenced 2023 legislative sessions and 16 introduced or reintroduced comprehensive privacy legislation. IAPP Westin Fellow Anokhy Desai, CIPP/US, CIPT, tracks the progress of those bills — along with the core provisions they share — on a weekly basis.
Tracking the state of the states is a labor of love and fascination for me. There's no shortage of intrigue between the varying political dynamics in each state, the subtle nuances the bills take on and so much more.
For most of the comprehensive bills currently under consideration, the prospects of passage will be decided over the next two or three months. A handful of proposals are on the move in their respective legislative processes, while others remain stuck in the proverbial mud of busy legislative agendas.
There's a lot of commotion out there right now, but here are the points I find most interesting with the active bills to date.
Indiana and Iowa
Indiana's Senate Bill 5 and Iowa's Senate File 262 are the two fastest moving bills out there so far this year. Provisions in both bills run parallel with those found in Virginia's comprehensive privacy law.
Indiana's proposal was the first to swap chambers for the second consecutive year after a 49-0 Senate floor vote Feb. 9. A similar bill was a final floor reading away from passage last year and Sen. Liz Brown, R-Ind., worked out of session to set the bill up for its quick moves this year.
In a Jan. 26 Senate committee hearing, Brown noted the bill is not aimed at being "a barrier to entry" for new businesses with operations relying on personal data. The only notable switch to this bill compared to last year is the addition of a 2028 sunset on the right to cure following the bill's Jan. 1, 2026 effective date.
Interestingly, the Indiana House has its own unique comprehensive proposal, House Bill 1554, meaning House lawmakers could look to reconcile two proposals and slow SB 5's current pace.
Iowa's SF 262, which started as a study bill in the Senate, is another reintroduction on the cusp of swapping chambers. A streamlined legislative process will give this bill good odds, as it's through its one required committee and could be considered and passed anytime now with a single floor reading and vote.
There are three comprehensive privacy proposals on the table in Hawaii and two have seen movement thus far. However, the bill worth tracking from the Aloha State is Senate Bill 974, which is modeled after framework for the original Washington Privacy Act proposal — the basis for laws in Colorado, Connecticut and Virginia.
SB 974 passed its first committee stop but Hawaii has a longer legislative path than most states, meaning it is far from passage.
The highlight here so far was the supporting testimony the bill received from the California Privacy Protection Agency. An agency representative submitted written and in-person testimony at a Feb. 10 committee hearing.
The CPPA touted SB 974's parallels with the California Consumer Privacy Act, while noting the bill isn't a complete match to California's landmark legislation.
This is a notable step from the agency, as it's the first known instance of cross-jurisdiction advocacy, but it's also advocating for legislation that is perceived as a step down from the CCPA. The agency previously voiced disapproval when U.S. Congress attempted to pass the proposed American Data Privacy and Protection Act, which the CPPA claimed was weaker than the CCPA.
There might not be a better bipartisan litmus test this year than New Hampshire's Senate Bill 255. The Connecticut-style proposal has bipartisan authors, but has to pass through a Republican-led Senate and House that carry the majorities by only a handful of seats.
Ushering SB 255 across the finish line with a decent bipartisan showing could spur open-mindedness in other states. States with Republican majorities have favored proposals closer to laws in Virginia and Utah, which are both viewed as less stringent than Colorado and Connecticut.
However, SB 255 already hit a snag in its first committee hearing courtesy of the New Hampshire attorney general's office. A representative from the office deemed the bill unenforceable as currently written, claiming the office didn't have sufficient resources to properly address the anticipated wave of consumer claims. The representative also floated a private right of action should be considered in the current bill to allow consumers proper redress options.
Also of note, coverage thresholds were added to the bill via amendment prior to the committee hearing. SB 255 was introduced as applying to New Hampshire businesses of all sizes, which would have made it the first bill to forego an exemption for any range of small and medium-sized businesses.
More to come
The laundry list of idle bills I did not mention presents an interesting crossroads to come. Unique proposals in Kentucky, Minnesota, Oregon and Vermont have my attention, but action is required to bring the hype of years past.
I'm in the process of drafting a report on a perceived state law simmering, courtesy of the policy piecemealing that spawned the state privacy patchwork in the first place. Check back later this month for the lowdown on this developing theory.
The IAPP Westin Research Center compiled this updating tracker of proposed and enacted comprehensive privacy bills from across the country to aid our members’ efforts to stay abreast of the changing state-privacy landscape.
If you want to comment on this post, you need to login.