The 2024 state legislative season is drawing to a close with several notable developments on the comprehensive privacy law front. Since our last update, the Maryland Online Data Privacy Act and Minnesota Consumer Data Privacy Act were signed into law by their respective governors, while the Vermont Data Privacy Act was passed by the legislature, but has yet to be signed by the governor. (Our analysis of the Minnesota and Vermont bills is forthcoming.) Meanwhile, the New York legislature, which adjourns on June 6, is making a late-breaking attempt to pass a comprehensive privacy law of its own.
With most states’ legislative sessions having adjourned, this will be our last state comprehensive privacy law update of the year. We will continue to provide ad-hoc updates in the event of any major developments — and of course, will continue to keep our eyes on the federal proposal currently winding its way through Congress.
UPDATES ON EXISTING PROPOSALS
As discussed above, the past few weeks have seen two states (Maryland and Minnesota) formally enact comprehensive privacy laws and another (Vermont) approach enactment of one. Maryland Governor Wes Moore signed the Maryland Online Data Privacy Act into law on May 9. Minnesota Governor Tim Walz followed suit with the Minnesota Consumer Data Privacy Act on May 24. That law was enacted as part of a broader omnibus bill (HF 4757) and contains notable provisions related to the right to challenge profiling decisions, the right to obtain lists of specific third-party data recipients, and requirements for data inventories and compliance documentation. The Vermont Data Privacy Act, meanwhile, was passed by the legislature on May 11 as part of H. 121, and is most notable for including a limited private right of action. The Vermont Act has yet to be signed into law by the governor, however, and there is some speculation that the governor may ultimately veto the bill due to its private right of action. (We will be analyzing both the Minnesota and Vermont bills in a forthcoming post.)
The other notable recent development comes from New York, where the Senate passed the New York Privacy Act (S. 365) on June 3. However, with the New York legislative session closing on June 6, the legislature will need to move quickly to achieve Assembly passage before time expires on this legislative proposal.
Active Bills That Have Cleared Legislative Chamber
- The New York Privacy Act (S. 365) was passed by the Senate on June 3 and referred to the Assembly Consumer Affairs and Protection Committee.
- New York’s legislative session closes on June 6.
- Pennsylvania HB 1201, which passed the House on March 18, was referred to the Senate Communications and Technology Committee on April 4.
- Pennsylvania’s legislature remains open until November 30.
Other Developments
- The Massachusetts Data Privacy Act (H. 4632), which replaced H. 60, H. 83, and S. 227, was reported from the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on May 13 and referred to the House Ways and Means Committee.
- The Massachusetts Data Privacy Protection Act (S. 2770), which replaced S. 25, was reported from the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on May 9 and referred to the Senate Ways and Means Committee.
Bill Deaths
- The Hawaii legislative session closed on May 3 without passage of the Hawaii Consumer Data Protection Act (SB 3018).