State Comprehensive Privacy Law Update for 2023

WilmerHale Privacy and Cybersecurity Law Blog

The new year has already seen a flurry of state privacy law activity, with legislators in at least nine states (Indiana, Iowa, Kentucky, Massachusetts, Mississippi, New York, Oklahoma, Oregon, and Tennessee) proposing new comprehensive privacy legislation. Some states’ bills represent efforts continued from past legislative sessions, while others mark new legislative efforts. While it is unlikely that all of these bills will be enacted into law — at least in 2023 — companies already affected by the comprehensive privacy laws passed in California, Colorado, Virginia, Connecticut, and Utah should keep themselves apprised of these new legislative developments in order to anticipate potential future compliance obligations.

To that end, we have summarized these new legislative proposals below and identified trends and highlights across the various bills. Please let us know if you have questions about these bills or if any questions arise as these proposals move forward.

Key Trends and Highlights

  1. Continuation of Past Legislative Efforts: Most of these bills have been proposed in states that have recently considered comprehensive privacy legislation. It is possible that other states that considered comprehensive privacy legislation in the past (such as Florida and Wisconsin) will also consider such laws in 2023.
  2. Virginia as the Model: Similar to what we saw last year, Virginia (and not California) is generally the model for these new comprehensive privacy law proposals. These new proposals are aligning with Virginia in their terminology (e.g., using “controller” and “processor” instead of “business” and “service provider”) and in their substantive provisions (e.g., the requirements in these proposals are generally less prescriptive than what is required under the CPRA, similar to Virginia). 
  3. Common Elements: All of these bills contain certain common elements. For example, all allow for enforcement by the state Attorney General and create a set of consumer rights. In addition, the bills are united in containing an applicability threshold, typically involving some combination of a business’s annual gross revenue, the amount of personal information it processes, and the percentage of gross revenue it derives from the sale of personal information.
  4. Exemptions for Federal Laws: Almost all of these bills include exemptions for information that is regulated under certain federal laws (such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA)). One exception is Mississippi, whose bill (as of yet) does not include these federal law exemptions. Massachusetts, meanwhile, has an exemption only for HIPAA and not for other federal laws.
  5. Private Rights of Action: A slight majority of the proposed bills do not provide a private right of action, with New York, Massachusetts, Mississippi, and Oregon standing out as the four exceptions.
  6. Cure Period: Most of the bills (with the exceptions of Massachusetts, New York, and Oklahoma) contain “cure period” provisions that grant a business a period of time to “cure” a violation before the state AG or private individuals initiate a civil action.
  7. Data Protection Assessments: Six of the nine bills (Indiana, Kentucky, Massachusetts, New York, Tennessee, and Oregon) require businesses to conduct data protection assessments for data processing activities that present a “heightened risk of harm” to consumers.
  8. Privacy by Design: All nine bills incorporate privacy by design principles, such as purpose limitations, technical safeguards, and additional notice requirements.

State Comprehensive Privacy Law Proposals

Indiana 

  1. Bill Title: Senate Bill No. 5
  2. Current Status: As of January 17, 2023, the bill had been introduced in the Senate and referred to the Committee on Commerce and Technology.
  3. Key Provisions:
  • Applies to businesses that conduct business in Indiana, produce products or services that are marketed to Indiana residents, and control or process personal data of either: a) at least 100,000 consumers during a calendar year; or b) at least 25,000 consumers during a calendar year and derive more than fifty percent of gross revenue from the sale of personal data.
  • Exempts various entities and information types, including government actors and contractors (when acting on behalf of a government actor); covered entities or business associates governed by HIPAA; personal information collected, processed, sold, or disclosed pursuant to GLBA; specified employee-related information; and credit information.
  • Covered businesses must inform consumers of the categories of personal information collected; purposes for which the information is collected or used; whether personal sensitive information is collected; the categories of personal information that are shared with third parties; the categories of third parties that will receive the personal information; and how to exercise the consumer rights created under the bill.
  • Creates individual rights for consumers, including the right to request personal information collected; the right to have personal information be deleted; the right to correct inaccurate personal information; the right to know what personal information is sold or shared; and the right to opt out of having personal information sold or shared, including for purposes such as targeted advertising and profiling.
  • Incorporates privacy by design principles, such as purpose limitation and reasonable security practices. Further, controllers cannot collect additional categories of personal information or use collected information for additional purposes without notice.
  • Requires data protection assessments for activities that present heightened risk of harm.
  • Does not create a private right of action. Violations are only enforceable by the Indiana AG’s office.
  • Imposes civil penalties of up to $7,500 for each violation. The AG may recover reasonable expenses incurred in investigating and preparing the case, including attorneys’ fees.
  • Creates a thirty-day cure period after the AG provides written notice. If the entity cures the violation and provides the AG with an express written statement that it has done so, no action for statutory damages will be initiated.
  • Would go into effect on January 1, 2026.

Iowa

  1. Bill Title: House Study Bill 12 
  2. Current Status: As of January 17, 2023, the bill had been introduced in the House and referred to the Economic Growth and Technology Committee.
  3. Key Provisions:
  • Applies to entities that conduct business in Iowa or produce products or services targeted to Iowa residents and do at least one of the following during a calendar year: (1) control or process personal data of at least 100,000 consumers; or (2) control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from sale of personal data.
  • Exempts various entities and information types, including state agencies; financial institutions and data subject to GLBA; covered entities, business associates, and protected health information governed by HIPAA; nonprofit organizations; institutions of higher education; information governed by the FCRA; personal data governed by FERPA; and personal data governed by COPPA.
  • Creates rights for individual consumers, including: the right to confirm whether a controller is processing personal data and to access that data; the right to delete personal data; the right to obtain a portable and readily usable copy of personal data; and the right to opt out of targeted advertising or the sale of personal data.
  • Incorporates privacy by design principles, such as requiring data controllers to implement reasonable data security practices to protect personal data.
  • Requires that data controllers provide consumers with “clear notice and an opportunity to opt out” of the processing of sensitive data. 
  • Grants the state AG exclusive authority to enforce the Act. Prior to initiating an action, the state AG must provide a controller or processor with a thirty-day cure period.
  • State AG may seek injunctive relief and civil penalties of up to $7,500 per violation.
  • Act would take effect on January 1, 2025. 

Kentucky

  1. Bill Title: Senate Bill 15
  2. Current Status: As of January 17, 2023, the bill had been introduced in the Senate and referred to the Economic Development, Tourism, & Labor Committee.
  3. Key Provisions:
  • Applies to persons that conduct business in Kentucky or produce products or services that are targeted to Kentucky residents and that during a calendar year: a) control or process personal data of at least 25,000 consumers; or b) derive over forty percent of gross revenue from the sale of personal data.
  • Exempts various entities and information types, including state agencies; financial institutions subject to the GLBA; institutions of higher education; covered entities or business associates governed by HIPAA; and information governed by the FCRA and FERPA.
  • Exempts state and local agencies but creates requirements for agencies that request, process, or collect personal data. Agencies must provide meaningful notice and establish reasonable data security practices. State actors are limited to sharing only aggregated and de-identified data absent a showing of probable cause that the individual identified by the data has committed a criminal offense. 
  • Creates individual rights for consumers, including the right to confirm whether their data is being processed; the right to access their data; the right to delete data provided by them; the right to obtain a copy of the personal data they previously provided to the controller in a portable and readily usable format; the right to opt out of targeted advertising; the right to opt out of tracking; and the right to opt out of the sale or sharing of personal data. Opt out rights can be exercised by another on behalf of a consumer; further, opt out requirements can be satisfied through global privacy controls. 
  • Incorporates privacy by design principles, such as purpose limitation.
  • Requires controllers to conduct a data protection impact assessment.
  • Creates additional requirements for processing sensitive data.
  • Covered businesses must provide a quarterly report to both the AG and Legislative Research Commission which must include the categories of personal data processed; amount of personal information collected; and the number of identifiable consumers whose data was processed. 
  • Does not create a private right of action. Violations are only enforceable by the Kentucky AG’s office.
  • Imposes civil penalties of up to $7,500 for each violation. The AG may recover reasonable expenses incurred in investigating and preparing the case, including attorneys’ fees.
  • Creates a thirty-day cure period after the AG provides written notice. If the entity cures the violation and provides the AG with an express written statement that it has done so, no action for statutory damages will be initiated.
  • Would go into effect on January 1, 2025.

Massachusetts

  1. Bill Title: Massachusetts Data Privacy Protection Act (SD 757)
  2. Current Status: As of January 19, 2023, the bill had been filed on the Senate docket.  
  3. Key Provisions:
  • Applies to entities that “determine[] the purposes and means of collecting, processing, or transferring covered data” and satisfy at least one of the following: (1) average annual gross revenues during the preceding three calendar years exceeded $20 million; (2) collected or processed an annual average of more than 75,000 individuals’ covered data during the preceding three calendar years; or (3) part of revenue derived from transferring covered data.
  • Exempts various entities and information types, including government agencies and information subject to HIPAA. Notably, does not contain exemptions for information subject to GLBA, FCRA, FERPA, or COPPA.
  • Creates individual rights for consumers, including the right to access data collected, processed, or transferred by the covered entity; the right to access information about third parties to which the covered entity transferred personal data; the right to correct inaccurate personal data; the right to delete personal data; the right to obtain personal data in a portable format; the right to opt-out of covered data transfers; and the right to opt-out of targeted advertising.
  • Creates a duty of loyalty to consumers.
  • Imposes additional requirements on covered entities regarding sensitive data, including a prohibition on the use of sensitive data for targeted advertising purposes.
  • Incorporates privacy by design principles, including the consideration of privacy risks during product or service design, development, and implementation, as well as the implementation of reasonable training and safeguards.
  • Imposes additional requirements on data brokers, including requirements pertaining to consumer notice and registration with the state government. The bill also imposes a civil penalty of $100 for each day a data broker fails to comply with the Act’s notice and registration requirements (with total penalties capped at $10,000 for any given year).
  • Prohibits entities from using data in a manner that discriminates or imposes a disparate impact on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability. 
  • Requires large data holders that use covered algorithms in a manner that “poses a consequential risk of harm to an individual or group of individuals” to conduct annual impact assessments of these algorithms. Also requires any entity that develops a covered algorithm intended to use data “in furtherance of a consequential decision” to evaluate the algorithm’s “design, structure, and inputs” in order to reduce the risk of specified harms. These assessments and evaluations must be submitted to the state AG and a summary of their contents must be made publicly available. 
  • Requires the Massachusetts Office of Consumer Affairs and Business Regulation to establish or recognize a centralized opt-out mechanism within 18 months of the Act’s enactment.
  • Requires non-small business entities to appoint at least one privacy officer and at least one data security officer, and to implement a data privacy program and data security program.
  • Requires large data holders to conduct biennial privacy impact assessments of their data practices.
  • Provides a private right of action for individuals to bring civil actions against non-small business covered entities alleged to have violated the Act. Prevailing plaintiffs may be awarded “liquidated damages of not less than 0.15% of the annual global revenue of the covered entity or $15,000 per violation, whichever is greater,” punitive damages, and other relief (including injunctions).
  • Also allows the state AG to bring actions in response to violations of the Act. Where the defendant is found to have employed a practice “which they knew or should have known to be” a violation, the Act allows for the imposition of a civil penalty of: (1) “not less than 0.15% of the annual global revenue or $15,000, whichever is greater, per violation”; and (2) “not more than 4% of the annual global revenue of the covered entity, data processor, or third-party or $20,000,000, whichever is greater, per action if such action includes multiple violations to multiple individuals.”
  • Does not provide any cure period for violating entities. 
  • Requires covered entities to provide bi-monthly reports to the state AG and public containing aggregated information regarding received legal requests for disclosure of personal information (e.g., warrants, court orders, subpoenas).
  • Authorizes state AG to adopt, amend, and repeal regulations as needed to implement and enforce the Act.
  • Imposes restrictions on workplace surveillance. 
  • Would go into effect 12 months after the Act’s enactment, with enforcement of the non-workplace surveillance provisions delayed until 6 months after the effective date.

Mississippi

  1. Bill Title: Mississippi Consumer Data Privacy Act (Senate Bill No. 2080)
  2. Current Status: As of January 17, 2023, the bill had been introduced in the Senate and referred to the Senate Judiciary, Division A Committee. 
  3. Key Provisions:
  • Applies to businesses that (1) collect consumers’ personal information; (2) determine the purpose and means of processing that information; (3) do business in Mississippi; and (4) satisfy at least one of the following: (i) have annual gross revenues exceeding $10 million; (ii) annually buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (iii) derive 50% or more of their annual revenues from selling consumers’ personal information. 
  • Does not include many of the exemptions present in other states’ bills, such as those for information governed by HIPAA, GLBA, FCRA, FERPA, and COPPA. 
  • Creates rights for individual consumers, including the right to receive information about personal information collected, disclosed, or sold by a business; the right to request that a business delete information that it has collected about a consumer; and the right to opt-out of a business’s sale of the consumer’s personal information.
  • Requires that businesses provide a “Do Not Sell My Personal Information” link on their internet homepages allowing consumers to exercise their right to opt out. 
  • Incorporates privacy by design principles, namely by imposing a duty on businesses to implement reasonable and appropriate security procedures to protect personal information. 
  • Creates a private right of action for consumers whose personal information is breached as a result of a business’s failure to maintain reasonable and appropriate security procedures. Consumers may recover damages between $100–$750 per consumer per incident or actual damages (whichever is greater), as well as injunctive and declaratory relief. 
  • State AG may bring civil actions against businesses that fail to cure violations within the thirty-day cure period, with civil penalties available up to $7,500 per violation. 
  • Individuals may also initiate actions against businesses for violations of the Act if the business fails to cure the violation within the thirty-day cure period. 
  • Would go into effect on July 1, 2024. Prior to the effective date, the state AG would solicit public input to adopt corresponding regulations. 

New York

  1. Bill Title: New York Privacy Act (S. 365)
  2. Current Status: As of January 17, 2023, the bill had been introduced in the Senate and referred to the Consumer Protection Committee.
  3. Key Provisions:
  • Applies to legal persons that conduct business in New York or produce products or services targeted to New York residents and either: a) have annual gross revenue of $25 million or more; b) control or process the personal data of 100,000 or more consumers; c) control or process personal data of 500,000 natural persons or more nationwide and control or process personal data of 10,000 consumers or more; or d) derive over fifty percent of gross revenue from the sale of personal data and control or process personal data of 25,000 consumers or more.
  • Exempts various entities and information types, including information collected by covered entities or business associates governed by HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act; data processed by state and local governments and municipal corporations for purposes other than sale; personal data collected, processed, sold, or disclosed pursuant to GLBA; personal data regulated by FERPA; and employee information.
  • Creates individual rights for consumers, including the right to confirm whether the controller is processing the consumer’s personal information and to access the personal information; the right to correct inaccuracies in the consumer’s personal information; the right to delete personal data provided by the consumer or obtained by the controller about the consumer; the right to obtain a copy of the data in a portable and readily usable format; and the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Consent is required to process consumers’ personal data for certain purposes, and to make changes to existing processing or processing purposes that may result in less protection of data than the processing to which a consumer has consented.
  • Incorporates privacy by design principles, such as purpose limitation and reasonable safeguards to protect consumer data.
  • Requires data protection assessments for activities that present heightened risk of harm.
  • Requires data brokers to register, pay an annual fee to the New York AG, and submit information regarding their data use practices including a description of the method of processing consumer requests.
  • Creates a private right of action. Violations are also enforceable by the New York AG’s office, and the AG can adopt rules to implement the law.
  • The New York AG can bring action to enjoin any violation, to obtain restitution and disgorgement of any money or property obtained by the violation, and to obtain civil penalties of up to $15,000 per violation.
  • Creates penalties for data brokers that fail to register or that submit false information in registration. Creates civil penalty of $1,000 for each day the data broker fails to register or correct false information, an amount equal to the fees that were due during the period it failed to register, and expenses incurred by the New York AG in the investigation and prosecution of the action.
  • Would go into effect immediately, with certain sections taking effect two years after they become law. The private right of action would take effect three years after the section becomes law.

Oklahoma

  1. Bill Title: Oklahoma Computer Data Privacy Act (House Bill 1030)
  2. Current Status: As of January 17, 2023, the bill had been introduced in the House.   
  3. Key Provisions:
  • Applies to businesses that (a) do business in Oklahoma; (b) collect consumers’ personal information; (c) determine the purpose and means of processing that information; and (d) satisfy at least one of the following requirements: (1) annual gross revenue exceeding $15 million; (2) annually buying, selling, receiving, or sharing personal information for 50,000 or more consumers, households, or devices; or (3) deriving 25% or more of annual revenue from selling consumers’ personal information. 
  • Exempts various entities and information types, including: medical information governed by state health privacy law and protected information subject to HIPAA and HITECH Act requirements; information subject to the FCRA and GLBA; and financial institutions.
  • Creates rights for individual consumers, including: the right to request that a business provide information about personal information it has collected, sold, or disclosed; the right to request that a business delete personal information it has collected about the consumer; and the right to opt out of a business’s sale of the consumer’s personal information.
  • Incorporates privacy by design principles, such as by requiring businesses to implement reasonable and appropriate safeguards to protect consumers’ personal information. 
  • Requires businesses to obtain consent from a consumer before collecting the consumer’s personal information. Businesses are further prohibited from collecting data from a consumer for purposes outside of those to which the consumer has consented. 
  • Authorizes state AG to bring actions to enforce the Act. Businesses that violate the Act are liable for injunctive relief and civil penalty of up to $2,500 for each violation and $7,500 for each intentional violation. 
  • A business that discloses a consumer’s personal information to a third party or service provider in compliance with the Act is not liable for the third party’s or service provider’s violation of the Act if the business did not have actual knowledge or a reasonable belief that the third party or service provider intended to violate the Act.
  • Act would become effective on January 1, 2024. 

Oregon

  1. Bill Title: Senate Bill 619
  2. Current Status: As of January 17, 2023, the bill had been introduced in the Senate and referred first to the Judiciary Committee, then to the Ways and Means Committee.  
  3. Key Provisions:
  • Applies to any entity that conducts business in Oregon or provides products or services to Oregon residents, and during a calendar year either (1) controls or processes personal data of 100,000 or more consumers, 100,000 or more devices linkable to one or more consumers, or a combination of 100,000 or more consumers or devices; or (2) controls or processes personal data of 25,000 or more consumers and derives 25% or more of its annual gross revenue from selling personal data.
  • Exempts various entities and information types, including state and local government bodies; financial institutions; protected health information subject to HIPAA; and information subject to FCRA, GLBA, or FERPA.
  • Creates rights for individual consumers, including: the right to obtain from a controller information about personal information that the controller has processed or disclosed; the right to obtain a portable and readily usable copy of the consumer’s personal data; the right to correct inaccuracies in personal data; the right to delete personal data; the right to opt out of the controller’s sale of personal data; and the right to opt out of the controller’s processing of personal data for purposes of targeted advertising or profiling.
  • Incorporates privacy by design principles, such as by requiring controllers to specify in their privacy notices the purpose for which they are collecting and processing personal data and to limit data collection to those specified purposes, and by requiring controllers to establish appropriate safeguards for protecting personal data.
  • Prohibits a controller from processing a consumer’s sensitive data without consent. 
  • Requires a controller to allow for consumer use of opt-out preference signals. 
  • Requires a controller to conduct a data protection assessment for each processing activity that “presents a heightened risk of harm to a consumer.” 
  • The state AG may bring an action to seek a civil penalty of up to $7,500 for each violation or to obtain injunctive or other equitable relief. 
  • Before bringing an action, the state AG must provide the controller with a thirty-day cure period. (This provision would enter into effect on July 1, 2024, but be terminated on January 1, 2025.) 
  • A consumer may bring an action to obtain compensatory damages and injunctive or declaratory relief if they have “suffer[ed] an ascertainable loss of money or property as a result of a controller’s violation of [the Act].” This right of action is limited to violations of Sections 3, 4, and 5 of the Act, which deal primarily with consumer rights, controller responses to requests made pursuant to those rights, and controller duties. This private right of action would become operative on January 1, 2026. 
  • Subject to the exceptions outlined above, this Act would take effect on July 1, 2024. 

Tennessee 

  1. Bill Title: Tennessee Information Protection Act (Senate Bill 73)
  2. Current Status: As of January 17, 2023, the bill had been introduced in the Senate, passed on first and second consideration, and was being held pending committee appointments.
  3. Key Provisions:
  • Applies to controllers or processors that conduct business in Tennessee, produce products or services that are marketed to Tennessee residents, and control or process personal data of either: a) at least 100,000 consumers during a calendar year; or b) at least 25,000 consumers during a calendar year and derive more than 50% of gross revenue from the sale of personal information.
  • Exempts various entities and information types, including government actors and contractors; covered entities or business associates governed by HIPAA; personal information collected, processed, sold, or disclosed pursuant to GLBA; and information governed by the FCRA and FERPA.
  • Creates individual rights for consumers, including the right to confirm whether the controller is processing the consumer’s personal information and to access the personal information; the right to correct inaccuracies in the consumer’s personal information; the right to delete personal data provided by the consumer or obtained by the controller about the consumer; the right to obtain a copy of the data in a portable and readily usable format; the right to opt out of the controller’s selling personal information about the consumer; and the right to learn the categories of information sold and the third parties who purchased the personal information.
  • Incorporates privacy by design principles, such as purpose limitation and reasonable security practices. Further, controllers cannot collect additional categories of personal information or use collected information for additional purposes without notice and consent.
  • Requires data protection assessments for activities that present heightened risk of harm, including targeted advertisement and sale of personal information, among others.
  • Does not create a private right of action. Violations are only enforceable by the Tennessee Attorney General and Reporter. 
  • Imposes civil penalties of up to $15,000 for each violation. The AG may recover reasonable expenses incurred in investigating and preparing the case, including attorneys’ fees.
  • Creates a sixty-day cure period after the AG provides written notice. If the entity cures the violation and provides the AG with an express written statement that it has done so, no action for statutory damages will be initiated.
  • Requires that a controller or processor create, maintain, and comply with a written privacy program which reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework; a violation of this provision is considered an unfair and deceptive practice.
  • Would go into effect on January 1, 2024.
