February 1, 2023

2023's U.S. state privacy bills: It's a whole thing


The U.S. states are already hemorrhaging U.S. consumer privacy bills, and it's still early 2023. With dozens of bills in the works or under consideration, it can be hard to figure out what to focus on. In a recent episode of The Privacy Beat Podcast, David Stauss, Partner at Husch Blackwell, and Keir Lamont, Director of the Future of Privacy Forum. Here's what they had to say

11 states (and counting) have introduced privacy bills

So far, there are consumer privacy bills in Kentucky, New York, Tennessee. Oklahoma, Indiana, Oregon, Mississippi, Iowa, Hawaii, Massachusetts and New York. State lawmakers have also introduced narrower privacy laws focused on specific areas, including children's, biometric, and health data. AI bills are also starting to trickle in.

That’s not as high a number as it seems. States typically propose 25-30 privacy laws every year combined, and front load legislative sessions. Most privacy laws under consideration will probably fail, and the rush of new legislation will taper off.

Additionally, nine of the states with bills on the table today have tried and failed to pass a consumer privacy bill last session. Oregon and Massachusetts, however, are working to pass comprehensive consumer privacy for the first time. It could take several more attempts for those bills to pass into law.

Watch “M” states that went blue in 2022

Privacy is an increasingly bipartisan priority. But so far, every state to pass a consumer privacy bill has been Democrat-controlled, except for Utah. Success is a strong possibility in four states that went blue in 2022: Michigan, Minnesota, Massachusetts and Marilyn.

The Michigan Consumer Privacy Act, HB 5989, first debuted in 2022, when Michigan Republicans controlled both legislative houses. That changed when the state went blue in the last election. Now, the Democrats control the House, Senate, and the offices of the Governor, attorney general, and secretary of state, making it much more likely to pass this year.

Similarly, Minnesota Democrats gained control of the Senate, while maintaining control of the House and the governor's office. Massachusetts and Maryland both elected Democratic governors, while the party retained control of state legislature.

Lamont said Massachusetts in particular is worth watching because it’s working to pass privacy legislation for the first time, without a history of privacy deadlock.

Oregon is a state to follow; features innovative approach

So far, states have used a fairly consistent approach to privacy legislation. Important details like nonprofit coverage, enforcement, definitions of sensitive data, and timelines do vary, and California is frequently an outlier. But among the other state privacy laws, there are more similarities than differences.

That makes Oregon’s SB 619 a genuinely novel bill, said Lamont. It could raise the bar for privacy rights by imposing additional disclosure requirements and higher standards for transparency. Oregon’s consumer privacy law (along with legislation in Indiana and Iowa) also allows a private right of action, giving citizens the right to sue controllers who violate their privacy rights. (So far, only California has passed a private right of action.)

Importantly, the Oregon bill introduces a constructive knowledge standard for children’s data, said Lamont. Previous privacy laws, like COPPA, have used an "actual knowledge" standard. That means children’s privacy rights kick in when the company actually knows that a particular user is a child.

Under a constructive knowledge standard, however, the company is liable to provide additional protections whenever they should know that a user is a child. If a company has good reason to believe children are using their site, they will need to perform a higher level of due diligence to find out which users are children, and apply the relevant privacy protections.

Don’t hold your breath for of these to pass, ain't likely

Consumer privacy laws are notoriously hard to predict. Connecticut failed to pass an expected privacy law in 2021 (although it passed in 2022), and last year Washington’s consumer privacy legislation fell to intra-party squabbling. The Colorado legislature pushed its Privacy Act through in 2021, when experts thought it was finished for the year. And remember, even once a privacy bill is passed into law, it can hold surprises — we’re still waiting on the CPPA rule-making that was initially slated to be finalized on July 1, 2022.

For the time being, businesses should focus on current privacy laws, while keeping an eye on bills and other developments: