Consumers across the US could gain more control over how companies collect and use their personal information through state legislative efforts to create new data privacy requirements.
Broad privacy bills filed in eight states so far this year would, if enacted, add to laws in California, Virginia, Connecticut, Utah, and Colorado that aim to safeguard consumer data online.
The legislation is part of a growing push by state lawmakers to address a range of privacy issues—such as protecting biometric identifiers and health data—in the absence of a comprehensive federal law.
The growing number of comprehensive and increasingly specific privacy bills in state legislatures carry the potential of new compliance and liability risks, attorneys said. They would target big tech and social media giants like
The greatest compliance challenges for clients doing business at a national level will come if states begin to deviate significantly from the five state privacy laws going into effect this year, said Lisa Sotto, a partner at Hunton Andrews Kurth LLP.
“It’s going to get nearly impossible to comply with the panoply of state laws that will certainly be in place in the coming years,” Sotto said.
Lawmakers in Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee propose bolstering company disclosure and consumer consent over how their information is collected and processed. New Jersey privacy legislation introduced in 2022 carries over into the second year of the state’s session.
The state bills present similar privacy rights but differ in their specific requirements, implementation, and enforcement. Several proposals mirror bills that failed to become law in previous legislative sessions.
New York’s privacy bill (S. 365)—which also includes the right to review automated decisions that affect a consumer’s access to housing, insurance, health care, or other services—is on a “very good trajectory right now,” sponsor Sen. Kevin Thomas (D) said.
The bill includes changes since its original introduction in 2019 to incorporate feedback, including limits on the private right of action that would allow consumers to sue companies, he said.
“I’m trying to balance things,” Thomas said.
Privacy bills are also back in Indiana and Iowa, where momentum in previous sessions increases their chances of becoming law, said David Stauss, a partner at Husch Blackwell LLP. Sen. Liz Brown (R), who authored Indiana’s privacy proposal (S.B. 5), said the bill is a priority this year for the Senate, leaving her “a lot more confident” in its chances of advancing.
Iowa is “bringing everyone back to the table” on a proposal (H.S.B. 12) that stalled in the Senate after the House passed it last year, said Rep. Ray Sorensen (R), who is running the bill.
“I think we’re ahead of where we were last year when this dropped,” Sorensen said. Part of the challenge last year was making sure lawmakers understood the subject and what the bill encompassed on a short timeline, Sorensen said.
Oregon’s comprehensive bill (S.B. 619) emerged this year from a privacy working group led by the attorney general with input from a variety of consumer and business participants. The bill is high priority, and the legislative process will likely include “significant discussion” on whether to keep the private right of action now included in the proposal, said Sen. Floyd Prozanski (D), a chief sponsor.
Health, Kids, Biometrics
Several states are also looking to address more specific privacy issues through proposals that have the potential to materially change attorney conversations with clients about compliance if passed into law, Stauss said.
Of note are a reproductive health privacy bill (H.B. 1155/S.B. 5351) introduced in Washington and age-appropriate design code legislation (S.B. 196) to regulate children’s privacy pending in Oregon, Stauss said.
He highlighted unanswered questions about the scope of both bills and what compliance requirements companies would have to meet. The Oregon bill includes similar requirements as the California Age-Appropriate Design Code Act passed last year that has already drawn a court challenge.
Biometric privacy bills regulating the use of identifiers such as fingerprints or facial scans have also been introduced in Maryland (H.B. 33), Mississippi (H.B. 467), and New York (A. 1362). If enacted with the ability for consumers to sue companies, they would join an Illinois law that’s generated high-dollar verdicts and settlements.
Similar proposals will likely garner interest given the “millions of dollars at stake” for companies that collect that data, Stauss said. Model legislation posed by the ACLU includes a private right of action.
“Certainly, the litigation risks are the ones that we tend to look at for ‘how are these bills going to be enforced?'—and those become hugely consequential,” Stauss said.