Use this button to switch between dark and light mode.

Data Privacy Landscape Continues to Change as States Pursue More Laws

July 28, 2023 (7 min read)

Halfway through 2023, data privacy regulation remains a high priority for state lawmakers and business leaders alike. Here’s an update on the rapidly shifting, balkanized landscape of data privacy policies.

Online Businesses Sue to Stop Arkansas Social Media Law

In late June, NetChoice, a trade group representing online businesses like Google, Meta, Yahoo! and TikTok, filed a lawsuit against the state of Arkansas to block implementation of SB 396, which requires residents of the state to verify their age before opening a new social media account.

“The Act purports to protect minors from alleged harmful effects of ‘social media’ by requiring the companies that operate these services to verify that any person seeking to create an account is at least 18 years old or has parental consent to create an account,” NetChoice writes in its complaint, filed with the U.S. District Court for the Western District of Arkansas, Fayetteville Division.

But the group contends SB 396 violates the First Amendment Rights of both adults and minors.

“By restricting the access of minors—and adults (who now have to prove their age)—to these ubiquitous online services,” its complaint states, “Arkansas has ‘with one broad stroke’ burdened access to what for many are the principal sources for speaking and listening, learning about current events, ‘and otherwise exploring the vast realms of human thought and knowledge.’”

Filed against Arkansas Attorney General Tim Griffin on June 29, the state has not yet responded in court.

Utah, incidentally, passed a similar law to Arkansas’. Utah is also one of only five states—the others being California, Colorado, Virginia and Connecticut—to pass so-called comprehensive data privacy laws, similar to the European Union’s 2016 General Data Protection Regulation, or GDPR, prior to this year.

Comprehensive Laws with Differing Opt-In or Opt-Out Requirements Going Into Effect

The comprehensive data privacy laws in Colorado, Connecticut and Virginia, all of which are now in effect, require prior opt-in consent from consumers before companies may collect and process sensitive data, such as a consumer’s racial or ethnic origin, sexual orientation, or health conditions.

Thus, businesses subject to those particular laws now need to provide their customers with clear disclosures and the customers must take some sort of active measure like checking a box or toggling a switch to indicate their consent.

California’s law, which went into effect on July 1, allows consumers to restrict companies from processing certain pieces of particularly sensitive personal information, including Social Security numbers. Under the law consumers have the right to restrict the processing of their information to only what is “necessary to perform the services or provide the goods reasonably expected by an average consumer who requests” them.

What that means in practice is that businesses that collect such sensitive personal information now need to add a standalone “Limit the Use of My Sensitive Personal Information” link to the bottom of their webpages or provide an “Alternative Opt-Out Link.” Also, businesses must optimize their websites so they don't just recognize opt-out preferences for the selling and sharing of customer data but also for requests to limit the collection of data.

Utah’s law, meanwhile, has an opt-out provision, which will require businesses subject to it to give their customers a clear opportunity to opt-out of the collection of their data.

More States Enacting Comprehensive Data Privacy Legislation This Year

Attorney Barbara Reece, content manager for data security and privacy on the LexisNexis® Practical Guidance team, said several more states have enacted comprehensive privacy laws since we last wrote about data privacy in January:

  • Oregon (SB 619, which will go into effect on January 1, 2026)
  • Texas (HB 4, which will go into effect on March 1, 2024)
  • Florida (SB 262, which will go into effect on July 1, 2024)
  • Montana (SB 384, which will go into effect on October 1, 2024)
  • Tennessee (HB 1181, which will go into effect on July 1, 2025)
  • Indiana (SB 5, which will go into effect on January 1, 2026)
  • Iowa (SB 262, which will go into effect on January 1, 2025)

Delaware’s legislature has also passed a comprehensive law but it’s awaiting the governor’s signature.

Reece also noted that this year several states have followed California’s lead in enacting “laws protecting children in the digital and/or social media contexts. These include Arkansas (social media), Florida (online platforms), Louisiana (social media), Connecticut (social media), Texas (digital services and electronic devices), and Utah (social media).”

“Another interesting development is the enactment of Washington’s My Health My Data Act, and a similar law in Nevada,” she added. “Connecticut’s children’s privacy bill...also covers health data privacy.”

Comprehensive Data Privacy Laws Now Enacted in 12 States

Seven states have enacted comprehensive consumer data privacy laws in 2023, according to attorney Barbara Reece, data security and privacy content manager for the LexisNexis Practical Guidance team. Five other states passed comprehensive data privacy laws prior to this year, starting with California in 2018.

Many More Data Privacy Bills Being Considered in Statehouses Nationwide

We reported in January that more states were expected to pursue both comprehensive data privacy legislation or more piecemeal approaches that address, say, just biometric data privacy or genetic data privacy.

Indeed, by mid-February at least 27 states had considered 100 measures relating to data privacy, according to a bill tracker compiled by the National Conference of State Legislatures.

The tracker identified 25 comprehensive measures, along with numerous proposals dealing with biometrics or facial recognition, children’s online privacy, genetic privacy and other topics.

A more recent search of the LexisNexis® State Net® legislative tracking database turned up about 300 bills in 42 states concerning some form of data privacy. These include several wide-ranging data privacy bills in Illinois, Massachusetts and Minnesota, along with robust proposals in Maine (HB 1270) and Montana (DB 4408), the latter of which was put on hold.

Federal and International Action on Data Privacy

In late April a bipartisan group of congressional lawmakers introduced the Protecting Kids on Social Media Act. The bill, if enacted, would ban anyone under the age of 13 from having social media accounts and would require anyone between the ages of 13 and 18 to receive parental consent to create a profile. The bill also would create what’s being called a “government-chaperoned” social media age verification system that would be under the jurisdiction of the head of the U.S. Department of Commerce.

“Social media platforms use powerful algorithms to hook users and keep them scrolling as long as possible,” U.S. Sens. Chris Murphy (D-CT), Brian Schatz (D-HI), Tom Cotton (R-AR) and Katie Britt (R-AL) wrote in an op-ed about their bill in the Washington Post. “The financial incentive to addict the young is clear: The more time users spend on apps such as Facebook or Snapchat, the more money those companies make from advertising—and the more targeted, and thus more valuable, those ads will become. And to meet that goal and keep children hooked, these personalized algorithms often feed kids toxic content meant to induce an emotional reaction, making them more depressed, anxious and upset. The results have been devastating: a generation of young Americans suffering from mental health issues.”

At the international level, the European Union in early July formally adopted a new agreement with the United States to better protect data moving between American companies and users in Europe.

The EU’s decision comes three years after a European court invalidated a transatlantic data transfer agreement. On July 10, the EU ruled that after the United States enacted safeguards for Europeans against U.S. surveillance the U.S. had provided enough protections of EU citizens’ data.

Under this new agreement U.S. companies are required to delete personal data when it’s no longer needed for the purpose for which it was originally collected.

“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic,” European Commission President Ursula von der Leyen said in a statement.

With this new international data privacy agreement, continuing action in the states and the federal government circling the issue as well, businesses have a lot to stay on top of to avoid incurring liabilities.

—By SNCJ Correspondent Brian Joseph

Please visit our webpage to connect with a State Net representative and learn how the State Net legislative and regulatory tracking solution can help you identify, track, analyze and report on relevant legislative and regulatory developments. 


News & Views from the 50 States

Free subscription to the Capitol Journal keeps you current on legislative and regulatory news.