This year, eight states passed new comprehensive consumer privacy laws, giving a growing number of Americans more control over their personal data.
By 2026, 13 state privacy laws will have taken effect, as newly enacted laws in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee and Texas will join California, Colorado, Connecticut, Utah and Virginia in protecting consumer privacy. The landscape of these state privacy laws is becoming clearer after the 2023 legislative session, with nearly all states agreeing on the same structural model for protecting privacy — but adjusting that model to provide different levels of substantive protections. BSA recently released a document on Models of State Privacy breaking down the 13 state comprehensive consumer privacy laws into four models of privacy legislation.
Baseline privacy protections
The first group consists of laws that create important baseline privacy protections for consumers and are modeled on Virginia's privacy law. The Virginia law, passed in 2021, creates a core set of consumer rights and imposes obligations on companies handling consumers' personal data. Virginia was the first state to adopt the legislative model prevailing in most state comprehensive privacy laws today. A total of five states — Florida, Indiana, Tennessee, Texas and Virginia — have adopted the baseline model.
Greater substantive protections
Another set of states — Colorado, Connecticut, Delaware, Montana and Oregon — has taken the structural model of Virginia's law and added substantive protections, such as requiring consent to sell children's data, requiring consent to use children's data for targeted advertising, and requiring businesses to recognize universal opt-out mechanisms.
Narrower substantive protections
Two states — Iowa and Utah — also leverage the structure of Virginia's law but adapt it to provide narrower substantive protections, such as omitting consumers' right to correct information and forgoing a requirement to conduct data protection assessments.
The California model
California is in its own group, as its privacy laws start from a different structure and create different substantive protections than other state laws. No other state has enacted a privacy bill modeled on California's law.
With states aligning around existing legislative models to protect consumer privacy, here are seven takeaways from the 2023 legislative sessions about the current state of play for comprehensive state privacy laws.
- There is strong bipartisan support for existing models of state privacy in state legislatures. All 13 state privacy laws have passed with bipartisan support. This year, both Republican and Democratic-led state legislatures passed consumer privacy bills modeled on existing state privacy laws, and five states — Indiana, Iowa, Montana, Tennessee and Texas — unanimously passed state privacy bills in both legislative chambers. This shows a growing recognition of the need to protect consumer privacy, including in ways that promote harmonization.
- There is nearly universal agreement among the states that consumers should have rights to control their data. All 13 state privacy laws provide consumers with the right to access and delete their personal data, in addition to a right to data portability. State privacy laws also create a clear set of new opt-out rights, with all 13 state laws allowing consumers to opt out of the sale of their personal data. Consumers are also given the right to opt out of targeted advertising (under 12 state laws, but not Iowa) and out of profiling (under 11 state laws, but not Iowa or Utah). Despite the widespread creation of new opt-out rights, there is a split among the states about how consumers can exercise those rights, with seven of the 13 states requiring mandatory recognition of universal opt-out mechanisms.
- Every state privacy law includes role-dependent obligations on companies. All 13 state privacy laws recognize that the obligations placed on businesses and service providers must reflect their different roles in handling consumers' personal data. For instance, they all distinguish between companies that decide how and why to collect personal data and companies that process such data at the direction of others. California's privacy law refers to these roles as "businesses" and "service providers" while the 12 other state privacy laws refer to "controllers" and "processors." The distinction between these roles (regardless of the terms used) is fundamental to privacy and data protection laws worldwide, making it a helpful point of alignment between state privacy laws and global approaches to privacy.
- All state privacy laws provide for attorney general enforcement. Every state's comprehensive privacy law recognizes the importance of protecting consumers' data by authorizing state attorneys general to enforce violations of privacy rights. State attorney general offices have an extensive history and expertise in enforcing consumer protection laws. Eleven state privacy laws provide for exclusive attorney general enforcement. Colorado's attorney general shares enforcement authority with district attorneys, and Utah's law authorizes the state's Commerce Department to refer complaints to the attorney general. California's legislative model creates a new state privacy agency with administrative enforcement authority and provides the state's attorney general with civil enforcement authority.
- A minority of states authorize privacy rulemaking. Only three states authorize rulemaking in their state consumer privacy laws. In Colorado, the attorney general finalized regulations in March 2023 to implement the state's privacy law; those regulations took effect on 1 July 2023. In California, the California Privacy Protection Agency is charged with issuing regulations on more than 20 topics. The agency finalized its first set of rules in March 2023, is working toward new rules on cybersecurity audits, risk assessments, and automated decision-making, and is expected to address remaining topics in the future. In Florida, the new privacy law also authorizes the state's attorney general to issue rules on a number of topics.
- Some state privacy laws apply to nonprofits in addition to businesses. While most states exempt nonprofits from comprehensive privacy laws, three states — Colorado, Delaware and Oregon — do not. As of 1 July 2023, nonprofits must comply with the Colorado Privacy Act. Delaware's law applies to nonprofits but exempts organizations dedicated to preventing and addressing insurance crime and those that provide services to victims of or witnesses to certain crimes. Similarly, Oregon's privacy law will apply to nonprofits after 1 July 2025, except those that detect and prevent insurance fraud and provide radio or television programming.
- States are establishing new obligations on businesses. In addition to creating new consumer rights, eight state privacy laws also include prohibitions on consent obtained through manipulative or deceptive practices that mislead consumers, known as dark patterns. Ten states also prohibit businesses from processing consumers' personal data in violation of state and federal anti-discrimination laws. By providing state attorneys general with the authority to enforce violations of both provisions, state privacy laws give force to these important protections.
- States may not be done for 2023. While many state legislative sessions have ended, there is potential for privacy legislation to be considered in states that remain in session, including Massachusetts, New Jersey, Ohio, Pennsylvania and Wisconsin. Looking ahead to 2024, bills that gained momentum this year in Kentucky, New Hampshire, New York and Vermont could see another push toward the finish line. As those and other conversations continue, it is clear that legislators can turn to established legislative models to create strong and workable protections for consumer privacy while adjusting the level of protections these new laws provide.