The world of comprehensive state privacy law is in the midst of a boom. Four states already passed laws this year — the most we've ever seen in one year — and there's still potential for more.
The legislative frenzy kicked off with Indiana, Montana and Tennessee jumped into the fray in April. Montana and Tennessee were the first states to pass
First, state lawmakers are making good on long-term privacy ambitions. Legislation in Indiana, Iowa and Tennessee is the product of multiyear legislative efforts, demonstrating what can be attained when legislators dig in their heels and do their homework.
Increased interest in addressing privacy at the state level is also driven by what hasn't materialized: federal privacy legislation.
State legislators' desires for federal intervention are abundantly clear. They say, "We're moving because U.S. Congress won't" or "We'd prefer the feds take care of this, but we can't wait."
Stunningly, Congress has had more momentum than ever before, thanks to the introduction of and interest in the proposed House Bill 376, which included the exact same safe harbor provision for a privacy program following NIST's framework.
"The idea came about when I was thinking about how to define the standard without a formal rulemaking process," said Kirk Herath, CIPP/G, CIPP/US, who helped spawn the provision after being appointed cybersecurity strategic advisor to Gov. Mike DeWine, R-Ohio. "The political process was not supportive of new regulations. NIST's framework is a wonderful set of standards, relatively open source, and it will evolve organically over time without the need for revising a rule."
Under exclusive attorney general enforcement, the NIST provision in Ohio's bill would have been enforced through a complaint process Herath said would only be triggered by "what appeared to be valid complaints." He added that additional attorney general resourcing to ensure compliance was not required.
And while the NIST provision diverges from state privacy norms established before Tennessee's passage, Herath does not subscribe to any notion of the nuance being problematic.
"The state laws all acknowledge that a mature sectoral privacy ecosystem already exists," he said, noting the "billions of dollars of work and investment" businesses have poured into privacy compliance "over the past several decades."
The effects of state privacy lobbying
Technology lobbying has shaped, and will continue to shape, the state privacy patchwork for better or worse. If you watch legislative hearings as often as I have over the last three years, you learn testimony from lobbyists becomes predictable but persuasive.
There is more going on in the background of public hearings, which state Sen. Daniel Zolnikov, R-Mont., brought to light after passing Montana Senate Bill 384. When he realized a lobbyist provided recommendations on SB 384 that contradicted their testimony in another state, Zolnikov reworked his bill to move from a Virginia-style law to one closer to Connecticut's framework.
That was not an isolated incident in Montana. When a separate Big Tech representative tried to explain that language for universal opt-out mechanisms was not essential or beneficial, Zolnikov called it "an insult" and questioned why Montanans would not need the mechanisms while lawmakers in California, Colorado and Connecticut were compelled to provide for them in their respective privacy laws.
Both cases lent a view into "bigger picture" lobbying Zolnikov wanted no part of. He believes the goal to pass weak laws in multiple states is to set a "watered down" standard for a potential federal privacy law down the road.
New Hampshire fizzles
New Hampshire Senate Bill 255 came to a screeching halt during cross-chamber work 3 May, as the House Committee on the Judiciary voted to retain the Connecticut-style bill for six months. It is notable given the bill's initial promise and potential to be the best example of bipartisanship yet among the states.
Republicans hold the majority in the New Hampshire Senate and House by a handful of seats, respectively. The near-even party split meant final passage of SB 255 could show other states that bipartisanship on the balance between consumers and business is possible.
The committee's vote to pause consideration was highlighted by attorney general testimony regarding the inability to properly enforce the bill as written without additional resourcing.
The representative from the New Hampshire Department of Justice's Consumer Protection & Antitrust Bureau told the committee SB 255's cure provision and general consumer redress would be hampered by current staffing and resources. A private right of action was also raised as a solution without funding, which committee members were divided on.
Interestingly, the same attorney general representative offered identical testimony at SB 255's Senate committee hearing and lawmakers were unfazed.
One committee member explained their vote to hold was to ensure "the best bill possible" and not "something that could come back to haunt us," while acknowledging the framework being considered was adopted without issue in other states.
What I'm watching
My attention is firmly on the situation in Texas, where the final text of the bill is being decided by conference committee — members from both chambers settling on amendments rather than concurrence votes on the floor. While it's unclear where the final bill will land, the Lone Star State has come a long way since a 2020 working group on a state privacy law generated