This year, eight states passed new comprehensive consumer privacy laws, giving a growing number of Americans more control over their personal data.
By 2026, 13 state privacy laws will have taken effect, as newly-enacted laws in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas will join California, Colorado, Connecticut, Utah, and Virginia in protecting consumer privacy. The landscape of these state privacy laws is becoming clearer after the 2023 legislative session, with nearly all states agreeing on the same structural model for protecting privacy – but adjusting that model to provide different levels of substantive protections. BSA recently released a document on Models of State Privacy breaking down the 13 state comprehensive consumer privacy laws into four models of privacy legislation:
- Baseline Privacy Protections. The first group consists of laws that create important baseline privacy protections for consumers and are modeled on Virginia’s privacy law. The Virginia law, passed in 2021, creates a core set of consumer rights and imposes obligations on companies handling consumers’ personal data. Virginia was the first state to adopt the legislative model prevailing in most state comprehensive privacy laws today. A total of five states – Florida, Indiana, Tennessee, Texas, and Virginia – have adopted the baseline model.
- Greater Substantive Protections. Another set of states — Colorado, Connecticut, Delaware, Montana, and Oregon — have taken the structural model of Virginia’s law and added substantive protections, such as requiring consent to sell children’s data, requiring consent to use children’s data for targeted advertising, and requiring businesses to recognize universal opt-out mechanisms.
- Narrower Substantive Protections. Two states — Iowa and Utah — also leverage the structure of Virginia’s law but adapt it to provide narrower substantive protections, such as omitting consumers’ right to correct information and foregoing a requirement to conduct data protection assessments.
- California model. California is in its own group, as its privacy laws start from a different structure and create different substantive protections than other state laws. No other state has enacted a privacy bill modeled on California’s law.
With states aligning around existing legislative models to protect consumer privacy, here are seven takeaways from the 2023 legislative sessions about the current state of play for comprehensive state privacy laws:
- First, there is strong bipartisan support for existing models of state privacy in state legislatures. All 13 state privacy laws have passed with bipartisan support. This year, both Republican and Democratic-led state legislatures passed consumer privacy bills modeled on existing state privacy laws, and five states — Indiana, Iowa, Montana, Tennessee, and Texas — unanimously passed state privacy bills in both legislative chambers. This shows a growing recognition of the need to protect consumer privacy, including in ways that promote harmonization.
- Second, there is nearly universal agreement among the states that consumers should have rights to control their data. All 13 state privacy laws provide consumers with the right to access and delete their personal data, in addition to a right to data portability. State privacy laws also create a clear set of new opt-out rights, with all 13 state laws allowing consumers to opt out of the sale of their personal data. Consumers are also given the right to opt out of targeted advertising (under 12 state laws, but not Iowa) and the right to opt out of profiling (under 11 state laws, but not Iowa or Utah). Despite the widespread creation of new opt-out rights, there is a split among the states about how consumers can exercise those rights, with seven of the 13 states requiring mandatory recognition of universal opt-out mechanisms.
- Third, every state privacy law includes role-dependent obligations on companies. All 13 state privacy laws recognize that the obligations placed on businesses and service providers must reflect their different roles in handling consumers’ personal data. For instance, they all distinguish between companies that decide how and why to collect personal data and companies that process such data at the direction of others. California’s privacy law refers to these roles as “businesses” and “service providers” while the 12 other state privacy laws refer to “controllers” and “processors.” The distinction between these roles (regardless of the terms used) is fundamental to privacy and data protection laws worldwide, making it a helpful point of alignment between state privacy laws and global approaches to privacy.
- Fourth, all state privacy laws provide for Attorney General (AG) enforcement. Every state comprehensive privacy law recognizes the importance of protecting consumers’ data by authorizing state AGs to enforce violations of privacy rights. State AG offices have an extensive history and expertise in enforcing consumer protection laws. Eleven state privacy laws provide for exclusive AG enforcement. Colorado’s AG shares enforcement authority with district attorneys and Utah’s law authorizes the state’s Commerce Department to refer complaints to the AG. California’s legislative model creates a new state privacy agency with administrative enforcement authority and provides the state’s AG with civil enforcement authority.
- Fifth, a minority of states authorize privacy rulemaking. Only three states authorize rulemaking in their state consumer privacy laws. In Colorado, the AG finalized regulations in March 2023, to implement the state’s privacy law; those regulations took effect on July 1, 2023. In California, the California Privacy Protection Agency (CPPA) is charged with issuing regulations on more than 20 topics. The agency finalized its first set of rules in March 2023; is working toward new rules on cybersecurity audits, risk assessments, and automated decision-making; and is expected to address remaining topics in the future. In Florida, the new privacy law also authorizes the state’s AG to issue rules on a number of topics.
- Sixth, some state privacy laws apply to nonprofits, in addition to businesses. While most states exempt nonprofits from comprehensive privacy laws, three states — Colorado, Delaware, and Oregon — do not. As of July 1, 2023, nonprofits must comply with the Colorado Privacy Act. Delaware’s law applies to nonprofits but exempts organizations dedicated to preventing and addressing insurance crime and those that provide services to victims of or witnesses to certain crimes. Similarly, Oregon’s privacy law will apply to nonprofits after July 1, 2025, except for those that detect and prevent insurance fraud and those that provide radio or television programming.
- Seventh, states are establishing new obligations on businesses. In addition to creating new consumer rights, eight state privacy laws also include prohibitions on consent obtained through manipulative or deceptive practices that mislead consumers known as dark patterns. Ten states also prohibit businesses from processing consumers’ personal data in violation of state and federal anti-discrimination laws. By providing state Attorneys General with the authority to enforce violations of both provisions, state privacy laws give force to these important protections.
States may not be done for 2023. While many state legislative sessions have ended, there is potential for privacy legislation to be considered in states that remain in session, including Massachusetts, New Jersey, Ohio, Pennsylvania, and Wisconsin. Looking ahead to 2024, bills that gained momentum this year in Kentucky, New Hampshire, New York, and Vermont could see another push toward the finish line. As those and other conversations continue, it is clear that legislators can turn to established legislative models to create strong and workable protections for consumer privacy while adjusting the level of protections these new laws provide.
Learn more about BSA’s state privacy positions in our 2023 State Privacy Trends document.
This post originally appeared on IAPP here: US states leverage existing models of privacy legislation (iapp.org).