Use this button to switch between dark and light mode.

Regulating Big Tech: Data Privacy Legislation Accelerates in Statehouses

January 27, 2022 (6 min read)


The political mood has shifted in recent years as legislative bodies worldwide have begun taking action to more aggressively regulate major technology companies.  And while much attention has been paid to the noisy hearings conducted by U.S. Senate and House committees regarding increased federal oversight, the real action in the U.S. has been taking place in state capitals.

A number of significant pieces of legislation are being proposed and enacted at the individual state level that have the potential to rewrite the compliance manuals at big tech companies. Perhaps the most noteworthy example is in the area of data privacy, where some of the nation’s largest states have either adopted or are considering major legislation to regulate how consumer data is handled.

3 States Lead the Way

California was the first state to enact a sweeping consumer privacy law when the California Consumer Protection Act (CCPA) was passed in 2018 and took effect in January 2020. Since that time, the state’s voters approved the California Privacy Rights Act, a major expansion of the CCPA that will go into effect on Jan. 1, 2023.

The second state to lead the way with comprehensive data privacy legislation was Virginia. Gov. Ralph Northam signed the Virginia Consumer Data Protection Act in March 2021 and the law becomes effective on Jan. 1, 2023. Unlike the initial California legislation, the Virginia law garnered support from key big tech businesses such as Amazon and Microsoft.

In July 2021, Colorado Gov. Jared Polis signed into law SB 190, the Colorado Privacy Act (CPA). This makes Colorado the third state to adopt comprehensive data privacy legislation that governs how businesses collect, store, share and process consumers’ personal information. The CPA, which goes into effect on July 1, 2023, is similar — though not identical — to the two previous umbrella data privacy laws adopted at the state level.

“There are some significant differences between these measures, but all of them allow consumers greater control over the collection and use of their data,” said Richard Ehisen, managing editor of State Net Capitol Journal. “They all create a right to know if a company is collecting a consumer’s personal data, a right to access that data, a right to opt-out of having their data collected, a right to demand that stored data be deleted or corrected, and a right to non-discrimination.”

A key trend that privacy experts have observed in these state measures is that they have gradually inched closer to the robust regulations contained in the landmark General Data Protection Regulation (GDPR) that was implemented in the European Union back in 2018.

“These laws all have differences, but they all are of a piece because they closely align with the GDPR, certainly much more so than the original CCPA did,” said Reece Hirsch, partner at Morgan Lewis LLP and co-head of the firm’s privacy and cybersecurity practice.

The “New Frontier” of State Legislation

There is a growing list of more states with proposed consumer data privacy laws working their way through the legislative process. This includes some of the largest commercial markets in the U.S. for tech companies.

The most recent state to join the parade is Ohio. The Ohio Personal Privacy Act (HB 376), introduced this summer, would establish fairly standard data rights for Ohio residents and provides a safe harbor for companies that comply with the NIST Privacy Framework. The bill has the support of Gov. Mike DeWine.

“At least four other states, Massachusetts, New York, North Carolina and Pennsylvania, have serious comprehensive consumer data privacy proposals in committee right now,” reported the New York Times in September 2021.

New York

The New York Privacy Act (SB 6701) would create an expansive consumer “bill of rights” containing similar provisions as the laws enacted in California and then go further to create an even broader data privacy regime in the state. It is likely to go before the consumer protection committee when the next session begins in January 2022.


The Massachusetts Information Privacy Act (SB 46) strives to protect sensitive personal information from “unwelcome collection, use and monetization” by blending the best approaches from laws passed in other jurisdictions. The bill is in committees on both sides of the state legislature.


The Consumer Data Privacy Act (HB 1126) is modeled on the California Consumer Privacy Act and includes a limited private right of action, but the Pennsylvania bill would also apply to professional and employment-related information. The bill has been referred to the consumer affairs committee.

North Carolina

The Consumer Privacy Act of North Carolina (SB 569) primarily mirrors the Virginia law. The bill includes Attorney General enforcement powers and a private right of action for both injunctive relief and damages. It was referred to the committee on rules and operations.

In addition to these five states with active legislation, more than a dozen states have inactive consumer privacy bills that could be reintroduced in new legislative sessions. This activity is on top of the recently passed bills in Florida and Texas to regulate social media companies for perceived bias against conservatives, which are being challenged in the courts.

Government affairs and compliance executives at big tech companies are tracking this surge in activity and responding accordingly.

“Tech companies are turning their attention to state houses across the country as a wave of local bills opens a new frontier in the push to limit Silicon Valley’s power,” reported the Wall Street Journal.

Could A Model Law Expedite More Legislation?

While many professionals were on their summer vacations, a potential wild card entered the picture that could make

it easier for additional state legislatures to take action on consumer privacy regulation. The Uniform Law Commission, a non-profit organization that includes representatives from all 50 states, the District of Columbia, Puerto Rico and the

U.S. Virgin Islands, voted to approve the Uniform Personal Data Protection Act (UPDPA).

The UPDPA is a model bill that is designed to provide a template for state privacy legislation. Data privacy advocates point out it is far less comprehensive than the more ambitious CCPA and GDPR laws (e.g., no consumer right to delete personal data or request the transmission of that data to another entity), but the commission contends it would provide “a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with existing state regimes.”

The UPDPA is expected to be ready for introduction in state legislatures in January 2022. And while some states are likely to be dissuaded from adopting a consumer data privacy law that is out of sync with the laws already passed in California, Virginia and Colorado, the UPDPA could offer a more palatable political solution in other states.

“I think it could be an easy out for states that are otherwise unprepared to adopt a privacy law, or don’t have the appetite for it,” said Sheila Fitzpatrick, president and founder of Fitzpatrick and Associates, a data privacy compliance consulting firm. “For them it could be something where

they could check the box and then say ‘we have privacy regulation.’”

Key takeaway: Most of the real legislative action on data privacy is taking place in the states right now, so it is crucial for tech company executives to stay apprised of the latest developments and key legislative details. Learn more about how State Net monitors legislative activity in all 50 states to keep you updated on individual bills as they progress through committee as well as new laws that are enacted in each jurisdiction.

Be on the lookout for more thought leadership from the State Net service.


News & Views from the 50 States

Free subscription to the Capitol Journal keeps you current on legislative and regulatory news.