The world of comprehensive state privacy law is in the midst of a boom. Four states already passed laws this year — the most we've ever seen in one year — and there's still potential for more.
The legislative frenzy kicked off with Iowa in the middle of March, before Indiana, Montana and Tennessee jumped into the fray in April. Montana and Tennessee were the first states to pass comprehensive laws on the same day. If there weren't enough fireworks already, Texas is on the cusp of passing its own law, pending reconciliation between legislative chambers.
No one expected new laws to pile up like this. Simply put, it's the perfect storm.
First, state lawmakers are making good on long-term privacy ambitions. The legislation in Indiana, Iowa and Tennessee is the product of multiyear legislative efforts, demonstrating what can be attained when legislators dig in their heels and do their homework.
Increased interest in addressing privacy at the state level is also driven by what hasn't materialized: federal privacy legislation.
State legislators' desires for federal intervention are abundantly clear. They say, "We're moving because U.S. Congress won't" or "We'd prefer the feds take care of this, but we can't wait."
Stunningly, Congress has had more momentum than ever before, thanks to the introduction of and interest in the proposed American Data Privacy and Protection Act during the last year. Making matters more interesting, the consumer protections and business obligations states are approving may be weaker than those proposed in the ADPPA, depending on who you ask.
No state is inclined to pass its own version of the ADPPA, and only a handful are even considering the framework, while Congress takes its time settling on whether its proposal checks all the boxes. In the meantime, copycat privacy laws with varying degrees of difference are becoming more palatable.
Let's dive into some other observations from the legislative tracking trail.
Origins of Tennessee's NIST provisions
The Tennessee Information Protection Act comes across as an outlier among comprehensive state laws for a few reasons, but most notable is the affirmative defense attached to established and recognized privacy standards. This means organizations can stave off alleged violations by proving their privacy programs conform to given standards and principles.
Specific standards called out in the statute include the U.S. National Institute of Standards and Technology Privacy Framework, the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules and the APEC Privacy Recognition for Processors System.
This is not the first time we have seen the NIST framework proposed in a state privacy law. Last year, the Ohio House of Representatives considered House Bill 376, which included the exact same safe harbor provision for a privacy program following NIST's framework.
"The idea came about when I was thinking about how to define the standard without a formal rulemaking process," said Kirk Herath, CIPP/G, CIPP/US, who helped spawn the provision after being appointed cybersecurity strategic advisor to Gov. Mike DeWine, R-Ohio. "The political process was not supportive of new regulations. NIST's framework is a wonderful set of standards, relatively open source, and it will evolve organically over time without the need for revising a rule."
Under exclusive attorney general enforcement, the NIST provision in Ohio's bill would have been enforced through a complaint process Herath said would only be triggered by "what appeared to be valid complaints." He added that no additional attorney general resourcing would be required to ensure compliance.
And while the NIST provision diverges from state privacy norms established before Tennessee's passage, Herath does not subscribe to any notion of the nuance being problematic.
"The state laws all acknowledge that a mature sectoral privacy ecosystem already exists," he said, noting the "billions of dollars of work and investment" businesses have poured into privacy compliance "over the past several decades."
The effects of state privacy lobbying
Technology lobbying has shaped, and will continue to shape, the state privacy patchwork for better or worse. If you watch legislative hearings as often as I have over the last three years, you learn that testimony from lobbyists becomes predictable but persuasive.
There is more going on in the background of public hearings, which state Sen. Daniel Zolnikov, R-Mont., brought to light after passing Montana Senate Bill 384. When he realized a lobbyist provided recommendations on SB 384 that contradicted their testimony in another state, Zolnikov reworked his bill to move from a Virginia-style law to one closer to Connecticut's framework.
That was not an isolated incident in Montana. When a separate Big Tech representative tried to explain that language for universal opt-out mechanisms was not essential or beneficial, Zolnikov called it "an insult" and questioned why Montanans would not need the mechanisms when lawmakers in California, Colorado and Connecticut had each been compelled to provide for them in their privacy laws.
Both cases lent a view into "bigger picture" lobbying Zolnikov wanted no part of. He believes the goal to pass weak laws in multiple states is to set a "watered down" standard for a potential federal privacy law down the road.
New Hampshire fizzles
New Hampshire Senate Bill 255 came to a screeching halt during cross-chamber work 3 May, as the House Committee on the Judiciary voted to retain the Connecticut-style bill for six months. It is notable given the bill's initial promise and potential to be the best example of bipartisanship yet among the states.
Republicans hold the majority in both the New Hampshire Senate and House by only a handful of seats. The near-even party split meant final passage of SB 255 could show other states that bipartisanship on the balance between consumers and business is possible.
The committee's vote to pause consideration was highlighted by attorney general testimony regarding the inability to properly enforce the bill as written without additional resourcing.
The representative from the New Hampshire Department of Justice's Consumer Protection & Antitrust Bureau told the committee that SB 255's cure provision and general consumer redress would be hampered by current staffing and resources. A private right of action was also raised as a solution that would not require funding, though committee members were divided on it.
Interestingly, the same attorney general representative offered identical testimony at SB 255's Senate committee hearing and lawmakers were unfazed.
One committee member explained their vote to hold was to ensure "the best bill possible" and not "something that could come back to haunt us," while acknowledging the framework being considered was adopted without issue in other states.
What I'm watching
My attention is firmly on the situation in Texas, where the final text of the bill is being decided by conference committee — members from both chambers settling on amendments rather than concurrence votes on the floor. While it's unclear where the final bill will land, the Lone Star State has come a long way since a 2020 working group on a state privacy law generated scrutiny from the privacy community.
Beyond Texas, a majority of legislative sessions are closing for the year. Notably, Michigan and Massachusetts have full-year sessions and will likely give further consideration to introduced bills modeled after the ADPPA.