With the close of California’s legislative session in October, there is perhaps no better time to summarize developments in state privacy law throughout 2023.
In short, state legislative activity was, at times, chaotic with numerous states considering consumer privacy bills of many different varieties. In the end, seven new states passed comprehensive consumer privacy legislation, three states passed consumer health privacy laws, at least 14 states passed children's online laws, two states passed data broker bills (with California substantially amending its existing data broker law), and lawmakers began to tackle artificial intelligence regulation. In addition, California and Colorado engaged in significant rulemaking and initiated enforcement activities under their existing privacy laws.
Comprehensive consumer privacy laws
Since the adoption of the original California Consumer Privacy Act of 2018, states had been enacting new consumer privacy laws at a rate of about one per year. However, 2023 will be remembered as the year the floodgates opened, with the enactment of seven new consumer privacy laws in Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas and Delaware. Another law with broad rights and obligations, but very narrowly scoped to regulate only a few large companies in particular lines of business also passed in Florida.
The consumer privacy laws enacted this year vary significantly in applicability, consumer protections and business obligations — the Delaware and Oregon laws are the broadest, while the laws in Iowa and Tennessee are most narrow. Despite these differences, all seven laws are clearly rooted in Washington state's highly influential, but ultimately unsuccessful, efforts to enact broad-based privacy legislation dating back to 2019.
As such, these new laws share key definitions and an overarching structure that should mitigate concerns about the development of a "patchwork" of inconsistent state privacy requirements (at least for generally applicable consumer data laws).
Lawmakers considered privacy legislation modeled on different frameworks, including bills based on the California Consumer Privacy Act, the EU General Data Protection Regulation, and last year's federal American Data Privacy and Protection Act. These approaches, however, found little traction this year.
The Washington model was further solidified as the leading approach to protecting consumer data in the United States when the population of the states following this framework surpassed that of California with the enactment of the Texas Data Privacy and Security Act in June.
Despite the common ancestry of the new crop of privacy laws, states maintained their function as "laboratories of democracy," creating new consumer rights as well as novel obligations for businesses that privacy professionals should be aware of.
Texas became the first privacy law not to fully carve out small businesses, instead requiring them to obtain affirmative consent in order to sell consumers' sensitive personal information. Oregon also created a new consumer right to access a list of "specific third parties" to whom a covered organization discloses sensitive data. Finally, Delaware created protections for the data of teens under 18 years of age, raising the bar two years beyond the cut-off established by other states.
In addition, states continued to tinker with the definition of sensitive data. Perhaps most notably, Oregon added national origin, status as transgender or nonbinary and status as victim of a crime to its definition. Oregon's law also uses a broader definition of biometric data that does not require data to be used to identify individuals to be considered biometric information. California lawmakers also expanded the CCPA's definition of sensitive personal information to include a consumer's citizenship or immigration status.
State lawmakers also adopted novel provisions intended to ease compliance burdens for regulated entities. In Indiana, businesses will have the ability to offer a "representative summary" of the personal information they hold in response to requests to access their information. The Texas law will not require businesses to respond to universal opt-out mechanisms such as the Global Privacy Control if they "do not possess the ability to process the request" or do not respond to similar signals under other state laws. Lastly, Tennessee will provide businesses with an affirmative defense against enforcement actions if they voluntarily adhere to the U.S. National Institute of Standards and Technology's Privacy Framework or a similar self-governance regime.
Finally, the 2023 state legislative session was remarkable insofar as five of the seven states that enacted new consumer privacy laws are Republican-controlled (or six of eight states if including Florida). Starting the year, there were questions around whether newly-created Democratic trifectas in states like Maryland and Minnesota would lead to a run on blue state privacy laws. However, that never came to pass — at least not in 2023.
Rulemaking and enforcement
While the rest of the nation has, for the time being at least, consolidated around the "Washington model" as its basis for privacy regulation, California continues to plow ahead in refining its unique approach under the CCPA. This year, the California Privacy Protection Agency finalized its first set of privacy regulations which, following a legal challenge, will be enforceable by March 2024. Perhaps most significantly, these rules create a new data minimization principle for the CCPA at Section 7002, tying businesses' data processing purposes to the "reasonable expectations" of its customers.
Before the end of this year, the CPPA is poised to commence a new rulemaking process on topics including automated decision-making technology, cybersecurity audits and risk assessments. Of particular note, the CPPA's board has already released "conceptual language" for future regulations that take a comparatively broad view of what constitutes "automated decision-making technology" and the circumstances under which consumer rights and business obligations will kick in for the use of these systems.
California's dual privacy regulators have also initiated separate enforcement inquiries, with the CPPA investigating connected vehicles and the state attorney general's office investigating employee data.
In addition, the Colorado attorney general finalized its Colorado Privacy Act rulemaking in March. Colorado remains the only non-California state to authorize rulemaking and its rules usher in new concepts like sensitive data inferences and extensive requirements around data protection impact assessments. Colorado Attorney General Phil Weiser also announced an initial round of enforcement letters.
Health data privacy laws
In the wake of the United States Supreme Court's Dobbs decision overturning Roe v. Wade, several Democrat-controlled states considered bills to enhance consumer health data protections.
The most significant of these bills — Washington's My Health My Data Act — is perhaps the most consequential privacy law passed in 2023. With broad definitions and applicability, and a private right of action, MHMD (once fully in effect) could be a transformative framework.
During committee hearings and floor debates, business interest groups repeatedly argued that MHMD's definition of "consumer health data" was broad and would apply to many types of personal data that would ordinarily not be considered health data. For example, lobbyists argued that ordinary products like food, clothes and personal hygiene supplies could be considered health data under MHMD's broad definition.
The act also applies to entities of all types and sizes, eschewing the typical monetary or consumer counting applicability thresholds found in other laws. In addition, entities subject to the MHMD will likely find the law's collection, sharing and selling provisions difficult to operationalize. Finally, the MHMD includes a private right of action under the state's consumer protection statute, although the law does not include statutory damages.
Shortly after Washington passed the MHMD, Nevada lawmakers passed SB 370. Although it borrows heavily from the MHMD, Nevada lawmakers chose not to include a private right of action and tightened up the broad definitions found in the MHMD, applying only to information that an organization uses to identify health information. Consequently, the Nevada law will likely not have the scope of impact of the MHMD but could provide a model for other states interested in passing similar legislation.
Finally, Connecticut lawmakers amended the Connecticut Data Privacy Act to require a broader array of entities to protect consumer health data. Connecticut also joined Nevada, Washington state and a new standalone law in New York in creating new restrictions on geofencing at certain health care facilities.
Children's online laws
Another significant takeaway from the 2023 state legislative session is that state lawmakers want to regulate how companies interact with children online, although they lack a clear path for how to do so. Technically, this started at the end of the 2022 legislative session with the California legislature passing the California Age-Appropriate Design Code Act — which has since been enjoined as unconstitutional by a California federal district court on First Amendment grounds.
In 2023, at least seven states considered AADC copycat bills. Though no state passed one, Maryland and Minnesota came close. Notably, Connecticut and Florida passed children's design code laws that modified the AADC framework to avoid controversial age-estimation requirements. With the AADC's unconstitutional designation in California, it is unclear if states will continue to consider AADC bills during the 2024 legislative session or seek alternative frameworks, like a recently announced legislative package in New York.
That said, it remains to be seen whether the Connecticut children's privacy law can serve as a model for other states to follow. The Connecticut law borrows some concepts from the AADC but is substantively different in many respects, including its focus on data privacy controls and avoidance of content regulation provisions that caused constitutional issues in California. It also includes a first-of-its-kind duty for controllers to "avoid any heightened risk of harm to minors caused by such online service, product or feature."
The 2023 legislative session also saw a significant push by primarily red states to pass laws focusing on social media companies, requiring age verifications and parental consent in order to open an account for a user under the age of 18. Lawmakers in Arkansas, Louisiana, Ohio, Texas and Utah passed such laws, though they differ significantly in definitions of covered social media companies and guidance on conducting age verification. Of these laws, Utah's goes the furthest, stating a child's account may not be used between 10:30 p.m. and 6:30 a.m. and, controversially, requiring social media companies to provide parents with access to their children's posts and messages.
Finally, seven states passed laws requiring commercial websites to verify users are at least 18 years old when the website contains a substantial portion of adult content. However, age verification laws have been shown to pose significant First Amendment issues and courts in Arkansas and Texas have already enjoined the laws there.
Data broker laws
In what could be a growing trend, Oregon and Texas joined California and Vermont in passing laws requiring data brokers to register with the state. In fact, California lawmakers amended their existing data broker law through the California Delete Act. California's newest privacy law shifts enforcement authority for that state's data broker registry from the state attorney general to the California Privacy Protection Agency and directs the agency to create a new one-stop deletion mechanism for consumers to effectuate deletion requests across all 500-plus data brokers registered in the state.
Artificial intelligence laws
Artificial intelligence regulation was also a hot topic over the past year. In California, lawmakers considered — but did not pass — Assembly Bill 331, which sought to regulate the use of automated decision tools used to make "consequential decisions." In Connecticut, lawmakers passed SB 1103, regulating the government's procurement and use of artificial intelligence.
At the local level, the New York City Department of Consumer and Worker Protection adopted its final rule to implement Local Law 144, which regulates and requires independent audits for the use of certain "automated employment decision tools" to screen applicants or employees in the city. Enforcement of the law started 5 July.
Biometric privacy laws
More than 10 states considered bills seeking to regulate the collection and use of biometric data. Many followed a model bill circulated by the American Civil Liberties Union that borrowed heavily from Illinois' Biometric Information Privacy Act. However, over the winter, the Illinois Supreme Court held that White Castle could face up to USD17 billion in damages under the BIPA, finding that violations accrue on a "per scan" basis. The ruling appears to have effectively quelled momentum for passing these bills.
The 2023 state legislative session was the most active to date for the passing of privacy laws. The continuing — and frustrating — absence of a federal privacy law has convinced state lawmakers they need to continue regulating in this space to remedy perceived harms to their constituents that the federal government appears unable to address. With Congress' momentum towards passing a federal privacy law appearing to have stalled, there is no reason this trend will not continue in the future.
The IAPP Westin Research Center compiled this updating tracker of proposed and enacted comprehensive privacy bills from across the country to aid our members’ efforts to stay abreast of the changing state-privacy landscape.
This article provides a breakdown of Washington’s new health data act.
If you want to comment on this post, you need to login.