2023 marked a surge in comprehensive state data privacy laws. At the beginning of the year, only five states—California, Colorado, Virginia, Utah, and Connecticut—had comprehensive data privacy legislation. By the end of the year, the number of states with privacy laws more than doubled. Seven additional states enacted comprehensive laws, and Florida passed a narrower version of a comprehensive privacy law.
The momentum began in March when Iowa became the first state that year to pass a data privacy law. Subsequently, the governors of Indiana, Montana, Tennessee, and Texas signed their laws during the spring months. Towards the end of the legislative calendar, Oregon and Delaware also passed their privacy laws.
California: Driving Regulatory Evolution
The California Privacy Protection Agency (CPPA) was pivotal in advancing data privacy regulations. In 2023, California remained at the forefront of the movement of states with consumer privacy laws by approving the final text of the California Privacy Rights Act regulations and inviting public comments on proposed rulemaking for cybersecurity audits, risk assessments, and automated decision-making.
State Privacy Laws That Took Effect in 2023
- California Privacy Rights Act (CPRA): Most provisions became effective on Jan. 1, 2023, with the remainder on July 1, 2023.
- Colorado Privacy Act (CPA): Effective on July 1, 2023.
- Connecticut Data Privacy Act (CDPA): Effective July 1, 2023.
- Utah Consumer Privacy Act (UCPA): Effective Dec. 31, 2023.
- Virginia Consumer Data Privacy Act (VCDPA): Became effective on Jan. 1, 2023.
Privacy-Related Legislation Enacted in 2023
A detailed list of new state privacy laws (2023) and privacy-related legislation follows.
Arkansas – S 396: Social Media Safety Act
Arkansas’s S 396, known as the Social Media Safety Act, mandates age verification for social media use to address growing concerns about social media. The bill clarifies liability for failing to perform age verification and for illegal retention of data, and emphasizes parental consent. It also explores the implications for social media companies regarding responsibility and liability.
California – A 127: State Government
California’s A 127 focuses on the California Age-Appropriate Design Code Act and the California Children’s Data Protection Working Group. Enacted to enhance child online privacy, the bill places the working group within the attorney general’s office and allocates funds for specified state programs. The emphasis is on age-appropriate design and data protection, contributing to the broader realm of Children’s Online Privacy.
California – A 352: Health Information
Enacted to safeguard health information, California’s A 352 targets businesses storing or maintaining medical information. The legislation outlines security features, including limiting user access privileges and segregating medical information related to gender-affirming care, abortion, and abortion-related services.
Connecticut – S 3: Online Privacy and Protections
Connecticut’s S 3 addresses online privacy, data, and safety protections. The legislation encompasses a comprehensive approach to safeguarding user data and online interactions, ensuring a secure online environment. This bill is categorized as Comprehensive.
Connecticut – S 1058: Attorney General’s Recommendations
Enacted to enhance consumer protection, Connecticut’s S 1058 intersects with charitable organizations, telecommunications, and the attorney general’s recommendations. It focuses on pricing transparency for places of entertainment, emphasizing disclosure on tickets to prevent deceptive practices. This legislation falls within the Comprehensive category.
Delaware – H 154: Delaware Personal Data Privacy Act
Delaware’s H 154 focuses on personal data privacy and consumer protection. The bill grants consumers the right to confirm whether a controller is processing and accessing personal data. It emphasizes transparency and control over personal information. The Delaware Personal Data Privacy Act is considered Comprehensive privacy legislation.
Florida – S 262: Technology Transparency
Florida’s S 262 targets the use of governmental resources in requests to social media platforms. It prohibits certain agreements and conduct by online platforms likely to be accessed by children. This bill is part of a comprehensive approach to regulating technology transparency and falls within the Comprehensive category.
Florida – S 662: Student Online Personal Information Protection
Enacted to protect students’ online personal information, Florida’s S 662 establishes the Student Online Personal Information Protection Act. It prohibits operators from engaging in specified activities, outlines operator duties, and provides enforcement mechanisms. This legislation falls under Children’s Online Privacy.
Indiana – S 5: Consumer Data Protection
Indiana’s S 5 allows consumers to invoke specified rights regarding personal data processing. It extends these rights to known children, empowering parents or legal guardians to act on behalf of minors. This comprehensive approach to consumer data protection categorizes the bill as Comprehensive.
Iowa – S 262: Consumer Data Protection
Iowa’s S 262 focuses on consumer data protection, providing civil penalties and specifying consumer rights. It allows consumers to invoke their rights at any time and extends these rights to known children, emphasizing protection for minors. This legislation falls under the Comprehensive category.
Louisiana – S 162: Commercial Regulations
Louisiana’s S 162 introduces the Secure Online Child Interaction and Age Limitation Act. This legislation addresses children’s online privacy and overall consumer privacy concerns, ensuring secure online interactions for minors. It falls under both Children’s Online Privacy and Other Consumer Privacy.
Montana – S 154: Right to Privacy
Montana’s S 154 defines the right to individual privacy while clarifying that this right does not include the right to abortion.
Montana – S 351: Biometric Data
Montana’s S 351 revises privacy laws related to biometric data, introducing the Genetic Information Privacy Act. The bill addresses the collection, use, and disclosure of genetic data, providing limitations, exclusions, and enforcement authority. This legislation falls under the Genetic Privacy category.
Montana – S 384: Comprehensive Consumer Data Privacy Act
Montana’s S 384 establishes the Consumer Data Privacy Act, outlining definitions, applicability, and consumer rights to personal data. The legislation imposes requirements and limitations on controllers and processors of personal data. It encompasses data protection assessments, exemptions, and enforcement mechanisms, placing it within the Comprehensive category.
Montana – S 544: Internet Laws Related to Material Harmful to Minors
Montana’s S 544 focuses on liability for the publishing or distributing of material harmful to minors on the internet. The legislation introduces age verification methods, individual rights of action, and enforcement measures.
Nevada – S 370: Consumer Health Data
Nevada’s S 370 addresses data privacy, requiring entities to develop policies for the privacy of consumer health data. It prohibits the collection or sharing of such data without affirmative consumer consent.
Oregon – S 619: Consumer Personal Data Confirmation
Oregon’s S 619 empowers consumers to obtain confirmation from controllers regarding processing their personal data. The bill emphasizes transparency, allowing consumers to access data processing and disclosure information. This legislation falls within the Comprehensive category.
Tennessee – H 1181: Consumer Protection
Tennessee’s H 1181 enacts the Tennessee Information Protection Act, granting consumers the right to invoke consumer rights. The legislation emphasizes the confirmation of data processing and access to personal information, contributing to a comprehensive approach to consumer protection.
Texas – H 4: Regulation of Personal Data Collection and Use
Texas’s H 4 addresses regulating personal data collection and use by certain business entities. The legislation imposes a civil penalty, emphasizing accountability and responsible data practices. This bill falls within the Comprehensive category.
Texas – H 18: Protection of Minors
Texas’s H 18 protects minors from harmful, deceptive, or unfair trade practices in digital services and electronic devices. The bill emphasizes safeguards for minors using digital services and falls under Children’s Online Privacy and Other Consumer Privacy.
Utah – S 152: Social Media Regulation Amendments
Utah’s S 152, the Utah Social Media Regulation Act, mandates age verification for social media use. The bill requires parental consent for minors, prohibiting account creation for those not meeting age requirements. It establishes a private right of action, falling under both Children’s Online Privacy and Other Consumer Privacy.
Utah – S 265: Education Data Privacy Amendments
Utah’s S 265 amends provisions regarding the sharing of student data, emphasizing limitations on data sharing with federal agencies. The bill ensures privacy protection for student data, falling within the realm of Children’s Online Privacy.
Utah – S 299: Family Planning Data Privacy Amendments
While Utah’s S 299 aimed to amend provisions related to reproductive health data, unfortunately, it did not pass. The bill emphasized privacy concerns surrounding family planning data.
Washington – H 1155: Consumer Health Data
Washington’s H 1155 tackles collecting, sharing, and selling consumer health data. The legislation aims to regulate the handling of health-related information, contributing to Genetic Privacy.
A Perfect Storm of Privacy Laws Forecasted For 2024
The curtain rose in 2024, and two states have already been spotlighted.
New Jersey
In the eleventh hour of the 2022-23 legislative session, the New Jersey Assembly and Senate gave the nod to S332. Pending Governor Murphy’s signature, New Jersey is set to become the thirteenth state boasting a ‘comprehensive’ consumer privacy law and the eighth to do so in 2023. Originally a much narrower bill, S332 morphed into a full-blown comprehensive consumer privacy law.
Notably named “SaSaSaAcaAcaAa (6R),” the bill introduces distinctions in core definitions and obligations, potentially adding new compliance twists for regulated entities.
New Hampshire
The New Hampshire House made waves on January 4th, amending and passing two pivotal consumer privacy bills—SB 255 and HB 314.
SB 255, echoing Connecticut’s privacy laws, covers contractual requirements, opt-in provisions, and opt-out rights. In contrast, HB 314 takes a unique stance, emphasizing consent by prohibiting businesses from disclosing personal information without explicit opt-in or specific exceptions.
The two bills play a privacy tug-of-war, especially on data transfers. SB 255 attempts to ease this conflict by directing compliance with the statute offering greater privacy protection.
As the privacy saga unfolds in 2024, these updates offer a glimpse into the dynamic world of state privacy laws. Stay with us as we navigate the twists and turns, delivering insights on the ever-evolving privacy stage.