
States Taking Lead on Regulating Data Privacy

January 27, 2023 (5 min read)

With so much of our world online, data privacy has become a major concern for American policymakers. But in the absence of comprehensive federal legislation addressing data privacy, states are leading the way—creating compliance headaches for businesses.

No U.S. Data Privacy Law Yet

In 2016, the European Union approved the General Data Protection Regulation or GDPR, which established guidelines for collecting and processing the personal information of consumers. The law went into full effect in 2018.

Four years later, the closest the United States has come to passing a similar law was this summer, when the U.S. House of Representatives’ Energy and Commerce Committee passed the American Data Privacy and Protection Act or ADPPA.

However, a floor vote wasn’t called on the bill, mostly due to opposition from California Congressional members who feared the federal legislation would preempt California law.

Had it passed, the ADPPA would have represented landmark legislation, offering data privacy rights to all U.S. consumers and establishing privacy standards for companies on a national scale.

Instead, for now, the United States is left with a patchwork of state-level laws, some comprehensive, some not.

States Take Different Tacks on Data Privacy

Comprehensive data privacy legislation like the GDPR and ADPPA has been increasingly popular among state legislatures over the last few years. Yet only five states—California, Colorado, Virginia, Connecticut and Utah—have approved such laws, and they all go into effect this year.

Other states have taken a more piecemeal or “sectoral” approach, as attorney Cobun Zweifel-Keegan, a managing director of the International Association of Privacy Professionals (IAPP), puts it. The federal government, of course, has laws regulating health and financial data privacy, but some states have implemented additional requirements to protect their residents.

Texas, Illinois and Washington have laws specifically addressing biometric data privacy. Idaho, Kentucky, Maryland, Utah and Wyoming have laws on genetic data privacy. California is blazing a new trail in data privacy policy with its Age-Appropriate Design Code Act, which requires businesses serving web pages likely to be accessed by youths to consider the children’s best interests when designing their sites.

Whatever the approach, state lawmakers are clearly focusing more and more on data privacy. Last year, 29 states introduced or considered 60 bills to protect people’s online privacy. For Georgia, Indiana, Maine, Michigan and Vermont, 2022 represented the first year their legislatures had ever considered comprehensive privacy bills of any kind.

By now, all states have data security statutes on the books, but attorney Barbara Reece, content manager for data security and privacy on the LexisNexis Practical Guidance team, said some states have started to amend those provisions to include more stringent data breach requirements.

The biggest trend she sees, however, is more states considering comprehensive data privacy legislation, a movement that is just beginning. She said several states have already introduced such legislation in 2023, including Hawaii, Iowa, Kentucky, Mississippi and New Jersey, and she expects at least two to three comprehensive bills to be approved this year. She added that states being tossed around as ones to watch are Indiana, Massachusetts, New York and Oregon.

“There are a ton of other states that are looking to do this,” she said, which will only ratchet up the pressure on the federal government to pass comprehensive nationwide legislation.

State Regulations Posing Challenges for Businesses

Despite the flurry of state activity on data privacy, progress has been incredibly slow, even in progressive states like California. In 2018, the Golden State passed the California Consumer Privacy Act or CCPA, which established both privacy rights for Californians and data protection obligations for businesses.

Two years later, California voters amended the CCPA to add additional privacy protections through a ballot initiative called the California Privacy Rights Act. Under the law, the California Privacy Protection Agency was supposed to provide final regulations for enforcing the CPRA by July 2022, but the agency released a second version of its draft regulations in mid-October, severely complicating compliance for businesses when the regulations took effect on the first of this year.

“California is still in the process of implementing its regulations,” said Zweifel-Keegan of the IAPP. “There’s still some open question about how the text of the legislation will be interpreted”—a question, he noted, that probably will end up in court. “It’ll be years down the road before we have full certainty,” he said.

Businesses have plenty of incentive to get compliance with data privacy laws right, however. According to Mike Swift, chief global digital risk correspondent for LexisNexis’ MLex, an investigative news agency focused on regulatory risk around the world, the legal costs of data protection violations by U.S. businesses topped $2.5 billion last year, with “little to suggest that surge in regulatory risk and cost for companies is going to slack off at all in 2023.”

Federal Action Unlikely to Halt States

Privacy advocates are optimistic that comprehensive, federal legislation will remain in play for 2023. And indeed, there are signs of hope for that.

In October, the Biden administration published a draft AI (artificial intelligence) Bill of Rights, intended to guide the use, design and deployment of automated systems. The legislative “blueprint” enumerated five ethical principles for the use of AI, including data privacy. Essentially, the Biden administration said that in order for AI to be used ethically, protections must be in place to ensure citizens and consumers have control over how their data is used.

The blueprint is by no means binding, but it represents a sort of guide for businesses about where policymakers are looking. Meanwhile, the Federal Trade Commission also has signaled interest in regulating artificial intelligence as well as potentially cracking down on “harmful commercial surveillance and lax data security.”

Whatever happens at the federal level, data privacy will remain a focus for state legislatures, said Heather Morton, director of Financial Services, Technology and Communications for the National Conference of State Legislatures.

“Privacy for a very long time has been a fairly large focus for state legislatures, and I fully expect it to continue for 2023,” she said.

She added: “Congress has not passed comprehensive legislation.... So, states are stepping up.”

—By SNCJ Correspondent Brian Joseph




States Took Piecemeal and Comprehensive Approaches on Data Privacy in 2022

Last year lawmakers in at least 35 states considered legislation dealing with consumer data privacy, according to the National Conference of State Legislatures. Comprehensive or omnibus data privacy measures were the most common type of that legislation, considered in 25 states and enacted in two. But multiple states also considered measures targeting specific areas of concern, including biometric information, consumer genetic testing, children’s online privacy, geolocation data and information brokers.

