Hashed & Salted | A Privacy and Data Security Update
State Legislatures Are Increasingly Interested in Consumer Privacy
As attempts to pass federal privacy legislation failed (yet again) last year, state legislatures across the country have been actively introducing both comprehensive consumer privacy bills and more targeted privacy legislation (for example, bills focusing on areas like children’s privacy and social media platforms). By the end of February, nearly 20 state legislatures had introduced comprehensive consumer privacy legislation. Most bills include California Consumer Privacy Act (CCPA)-style rights, providing consumers with the ability to access, delete or correct their information as well as allowing consumers to opt out of “sales” and targeted advertising or requiring opt-in consent to process their sensitive information. We are starting to see different “flavors” of regulation emerging from the states, however.
The Virginia Models. While several states are looking to California’s CCPA and Consumer Privacy Rights Act (CPRA) to model their state laws, focusing on restrictions on “sale” and “share,” we are also seeing a handful of states introducing privacy legislation that more closely mirrors Virginia’s Consumer Data Protection Act (VCDPA) or Connecticut’s Data Privacy Act—privacy frameworks that are generally viewed as more business friendly (like the Texas Data Privacy and Security Act (HB 1844)). These bills include an opt-out for targeted advertising, opt-in consent for sensitive information and GDPR-like principles of purpose limitations.
The ADPPA Models. Rather than following current state law models, some legislatures are starting to introduce proposals that pull from the previous draft of the federal American Data Privacy and Protection Act (ADPPA). For example, Illinois introduced HB 3385 and Massachusetts introduced the Massachusetts Data Privacy Protection Act (SD75 and HD 2281). Notably, Massachusetts’ proposal includes prohibitions on processing sensitive covered data for purposes of targeted advertising (following a theme we have seen in recent Federal Trade Commission enforcement) as well as prohibitions on engaging in targeted advertising to a known covered minor. The Massachusetts proposal would also impose a duty of loyalty on businesses with respect to consumer data and restrictions on automated decision-making with discriminatory effects.
The GDPR Models. Another group of states has introduced bills that more closely resemble the General Data Protection Regulation than other federal or state laws. States like Kentucky (SB 15), Massachusetts (SD1971 and HD 3263) and New Jersey (A 505) have introduced bills that, for example, require a legal basis to process personal information rather than focusing on opt-in or opt-out consent.
Several states, such as New York, have introduced multiple bills, making it unclear in which direction the state intends to head. Even within each state there seems to be a fractured approach to how privacy should be addressed. Regardless of the framework each state legislature ultimately decides to adopt, it will be important for legislation to be somewhat interoperable. If state privacy laws are overly prescriptive or, worse, start to directly contradict each other, it will make compliance with all of them nearly impossible.
Beyond comprehensive privacy laws, states are also introducing laws that are more narrowly tailored to address issues of children’s data, social media harms and biometrics.
Age-Appropriate Design Bills Are Catching On
Following California’s passage of its own version of the UK-like “Age Appropriate Design Code” last year (AB 2273), we’ve seen similar legislation introduced in a number of states this session.
The following states have introduced bills that closely resemble California’s Age-Appropriate Design Code:
- Connecticut (HB 6253)
- Illinois (HB 3880)
- Maryland (HB 901 and SB 844)
- New Jersey (A 4919)
- New Mexico (SB 319)
- New York (S 3281)
- Oregon (SB 196)
In addition to Age-Appropriate Design Code bills, states are also introducing bills that are more generally aimed at keeping children safe online. West Virginia introduced HB 2460 (Online Privacy Protection for Children), and Virginia introduced HB 1688 and SB 1026, amendments to the VCDPA that would define a child as under the age of 18 (although the two Virginia bills seem to have failed).
Notably, at the federal level, we are also starting to see some renewed interest in children’s privacy in the Senate. U.S. Senate Majority Whip Dick Durbin (D-IL), chair of the Senate Judiciary Committee, and U.S. Sens. Richard Blumenthal (D-CT) and Mazie Hirono (D-HI) recently introduced the Clean Slate for Kids Online Act, and we expect a version of COPPA 2.0 (spearheaded by Sen. Markey (D-MA)) to be introduced in the coming months. In the House, the Energy & Commerce Committee’s Innovation, Data, and Commerce Subcommittee held a hearing titled “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy” on March 1.
Social Media Regulation Is Resonating in the States
In lieu of federal legislation or any meaningful Section 230 reform (or U.S. Supreme Court decisions), several states have introduced legislation aimed at curtailing data collection from social media platforms. These bills attempt to create liability for social media platforms that use addictive design features or content-serving algorithms. For example, Connecticut introduced SB 405, which would impose additional transparency requirements on social media platforms and would also impose verification requirements on journalists.
Other states are taking a more tailored approach and have introduced bills mainly aimed at protecting children’s use of social media platforms. For example, California (SB 287), Maryland (HB 254), Minnesota (HF 1503), New Jersey (A 5069) and Texas (HB 2155) have all introduced bills focusing on how social media platforms treat younger users. The bills take different approaches—some invoke a “standard of care” on social media platforms, while others impose prohibitions on using or introducing certain features that may be detrimental to younger users. HB 896, introduced in Texas, would restrict the use of social media platforms by children (ages 13 – 18) altogether. And Utah appears poised to enact a law that would prohibit children and teens from using social media without parental consent. Under SB 152, users over 18 could also lose access to their accounts if they fail to confirm their ages. The bill has been sent to Gov. Spencer Cox, who has said he plans to sign it.
Biometric Data in the Spotlight
More than 15 bills have been introduced addressing biometric privacy in the states. Arizona, Massachusetts, New York and Washington are just a handful of states that have introduced biometric privacy bills alongside their comprehensive privacy efforts. Most states are modeling their bills after Illinois’ Biometric Information Privacy Act (BIPA), including strict transparency and consent requirements, as well as data retention and security obligations. These bills would impose a private right of action and damages, similar to what we have seen under BIPA.
2023 and Beyond
Although several bills are advancing through their state’s legislative process, it is still too early to predict which states will end this legislative session with a new privacy law on the books. Odds are that we will see some combination of new comprehensive privacy laws as well as data-specific laws that companies will need to address for 2024. Companies should anticipate that this trend of new laws will continue at least for the next few years and should build flexible privacy programs that will allow them to efficiently adapt to the changes in the legal landscape.