State Comprehensive Privacy Law Update – February 21, 2025

Blog WilmerHale Privacy and Cybersecurity Law

Many state governments are in the thick of their legislative sessions and we continue to see a steady wave of comprehensive data privacy bills introduced. Most notably last week, Alabama representatives introduced HB 283 after a 3-year hiatus in the efforts to establish a comprehensive privacy law for the state. The bill would establish protections and impose obligations similar to the popular Virginia model (that states such as Colorado, Connecticut, Delaware, Montana, and Oregon also have adopted) and, if passed, would become effective quickly on October 1st of this year. Some of the newly introduced bills felt familiar: Georgia’s SB 111, the Georgia Consumer Privacy Protection Act, was a reintroduced and revised version of last year’s SB 473; New York’s A 4947, the New York Privacy Act, was introduced as the companion bill to S 3044 (which we profiled in the February 7th update).

However, there were some new features in this recent crop of bills. New Mexico’s HB 307, the Internet Privacy and Safety Act, has a notably higher number of provisions addressing children’s privacy and online platform regulations than other state comprehensive privacy laws, while Vermont’s H 208, the Data Privacy and Online Surveillance Act, proposes additional provisions around online advertising and AI disclosures.

HIGHLIGHTS FROM THIS WEEK’S UPDATE

  • Legislators in New Mexico put the state back on the map with the introduction of two bills, HB 307, the Internet Privacy & Safety Act, and HB 410, the Consumer Information and Data Protection Act. HB 307 stands out for its focus on promoting online privacy and safety (hence the name), introducing requirements for online platforms in addition to establishing the more standard comprehensive provisions around consumer rights and controller obligations. For example, HB 307 contains elevated protections for minors online, such as requiring online platforms to disable notifications between the hours of 10 PM and 6 AM MT and use a “privacy-protective feed” (an algorithmic ranking system that does not use the personal data of the consumer to determine the relative prioritization of content).
  • Surprisingly, four of the newly introduced eight bills—Illinois’ HB 3401, New Mexico’s HB 307, New York’s S 4276, and Vermont’s HB 208—would establish private rights of action. However, the Vermont bill provides for a limited private right of action that would permit individuals to sue under Vermont’s consumer protection law for harm caused by a data broker’s or large data holder’s violation of specific provisions in the law related to the processing and sale of sensitive data and consumer health data confidentiality.
  • New Mexico’s HB 410 and Vermont’s HB 208 promote strong consumer health data protections among the other protections for personal and sensitive data. Both bills feature similar language as found in Washington’s My Health My Data Act for their definitions of “consumer health data” and lay out specific consumer health data confidentiality requirements. Under these consumer health data confidentiality provisions, businesses would be prohibited from (1) providing employees or contractors with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality; (2) providing processors with access to consumer health data, with exceptions; or (3) using a geofence to establish a virtual boundary that is within one thousand seven hundred fifty feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer's consumer health data.

UPDATES ON EXISTING PROPOSALS

Oklahoma’s two bills have both seen some movement since our last update. HB 1012, the Oklahoma Computer Data Privacy Act, passed out of the Government Modernization and Technology committee on February 6, 2025 and is now authored by Senator Howard as the principal Senate author. SB 546 was amended and passed out of the Technology and Telecommunications committee on February 13, 2025. It is now coauthored by Representative West as the principal House author and placed on General Order on February 19, 2025.

A public hearing in the House Committee on Technology, Economic Development, and Veterans was held for Washington’s HB 1671 on February 4, 2025. On February 14, 2025, the bill was passed by the majority, but not minority, and subsequently referred to Appropriations on February 18, 2025.

Finally, both of Mississippi’s introduced bills, SB 2500, the Mississippi Consumer Data Protection Act, and SB 2779, the Mississippi Consumer Data Privacy Act, have died in committee. The deadline to introduce bills in the current legislative session has already passed (January 20, 2025), so we do not expect to see more activity out of Mississippi before their session ends in March.  

NEW PROPOSALS

Unless otherwise noted, all the newly introduced comprehensive privacy bills share some common features, such as the creation of consumer privacy rights and requirements for privacy notice. The consumer privacy rights proposed in these bills typically include the right to confirm whether a controller is processing a consumer’s personal information; the rights to access, correct, or delete personal information; and the right to data portability. Although it may be phrased differently, these bills typically create a right to opt-out of the processing of personal information for purposes of selling data or targeted advertising. These introduced bills also require controllers to provide consumers with information (often via a privacy notice) that includes the categories of personal information processed; the purposes for the data processing; a description of how to exercise data rights; and information regarding any data that is sold to third parties.

The summaries below detail additional key components found in the newly introduced bills:

Alabama

  1. Bill Title: House Bill 283
  2. Date of Introduction: February 13, 2025
  3. Current Status: As of February 21, 2025, HB 283 has been referred to the House Committee on Commerce & Small Business (2/13/25).
  4. Key Provisions:
  • Applies to persons that conduct business in Alabama or persons that produce products or services targeted to Alabama residents and either: a) control or process the personal data of 50,000 or more consumers, excluding controlling or processing for the purpose of completing a transaction; or b) control or process the personal data of more than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
  • In addition to the exemptions typically found in these comprehensive privacy bills*, this bill also exempts information governed by the Airline Deregulation Act and information used for administering benefits.
    • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
  • Defines “sale” to include exchanges of personal data “for monetary or other valuable consideration.”
  • Creates individual rights for consumers as articulated at the beginning of this section, including right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Prohibits controllers from processing sensitive data without a consumer’s consent.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed by the controller; purposes for such processing; description of how a consumer may exercise their data rights; categories of personal data that the controller shares with a third party; and categories of third parties with which personal data is shared.
  • If the controller sells or processes personal data for targeted advertising, it must “clearly and conspicuously disclose such processing” as well as how a consumer may exercise the right to opt out.
  • Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Requires controllers to provide an effective mechanism for a consumer to revoke affirmative consent that is at least as easy as the mechanism by which the consumer provided their affirmative consent in the first place.
  • Requires that controllers conduct data protection assessments for high-risk data processing activities, including processing of personal data for purposes of targeted advertising, sale of personal data, and specified types of profiling, as well as the processing of sensitive data.
  • Grants exclusive enforcement authority to the Alabama Attorney General.
  • Requires that the State AG provide entities with a 60-day cure period before initiating an enforcement action.
  • Would go into effect October 1, 2025.

Georgia

  1. Bill Title: Consumer Privacy Protection Act (Senate Bill 111)
  2. Date of Introduction: January 23, 2025
  3. Current Status: As of February 21, 2025, SB 111 has been referred to the Senate’s Economic Development and Tourism Committee (2/6/2025).
  4. Key Provisions:
  • Applies to entities that conduct business in Georgia, exceed $25 million in revenue and either (1) control or process personal information of at least 25,000 Georgia residents and derive more than 50% of gross revenue from sale of personal information; or (2) control or process personal information of at least 175,000 Georgia residents.
  • In addition to the exemptions typically found in these comprehensive privacy bills,* this bill also exempts insurance companies.
    • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Defines “known child” as “an individual who the controller has actual knowledge is under 13 years of age.”
  • Defines “sale” to include exchanges of personal data “for monetary or other valuable consideration.”
  • Defines “sensitive data” to include “precise geolocation data.”
  • Excludes “de-identified” information from its definition of “personal information.”
  • Excludes “[i]nformation captured and converted to a mathematical representation” from its definition of “biometric data.”
  • Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
  • Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Prohibits controllers from processing sensitive data without a consumer’s consent.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal information processed; purposes for said processing; description of how consumers may exercise their data rights; categories of personal information the controller sells to third parties; and categories of third parties to which controller sells personal information.
    • If controller sells personal information or processes personal information for purposes of targeted advertising, it must “clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.”
  • Imposes requirements on processors, such as requiring that a contract governs the processor’s execution of data processing activities on behalf of the controller.
  • Requires that controllers conduct data protection assessments for processing activities involving targeted advertising, sale of personal information, certain types of profiling, the processing of sensitive data, and other processing posing a “heightened risk of harm to consumers.”
  • Grants exclusive enforcement authority to the Georgia Attorney General.
  • Requires that the State AG provide entities with a 60-day cure period before initiating an enforcement action.
  • Authorizes the State AG to seek civil penalties of up to $7,500 per violation, with treble damages available for knowing or willful violations.
  • Creates an affirmative defense for entities that comply with a privacy policy that conforms to the NIST privacy framework (“A Tool for Improving Privacy through Enterprise Risk Management Version 1.0”) or an equivalent framework.

Illinois

  1. Bill Title: Illinois Data Privacy and Protection Act (HB 3401)
  2. Date of Introduction: February 6, 2025
  3. Current Status: As of February 21, 2025, HB 3401 has been referred to the House’s Rules Committee (2/6/2025).
  4. Key Provisions:
  • Applies to covered entities, which are defined as “any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data.” This definition includes “any entity or person that controls, is controlled by, or is under common control with the covered entity.” [WH Note: the definitions for the terms “data broker,” “covered high-impact social media companies,” and “large data holders” all contain revenue thresholds.]
  • In addition to the exemptions typically found in these comprehensive privacy bills,* this bill also exempts entities acting as a service provider.
  • Defines a “covered minor” as “an individual under the age of 17.”
  • Defines sensitive information broadly, to include “geolocation data;” “private communications, such as voicemail, emails, texts, direct messages, or mail;” and “[c]alendar information, address book information, phone or text logs, photos, audio recordings, or videos, maintained for private use by an individual.”
  • Creates individual rights for consumers as articulated at the beginning of this section.
  • Permits covered entities to “not allow individuals to opt out of the collection, processing, or transfer of covered data” for specified business purposes and legal obligations.
  • Prohibits covered entities from transferring sensitive data to a third party without an individual’s affirmative express consent.
  • Requires that large data holders provide individuals with a privacy notice that details their data practices and includes an overview of an individual’s rights. The privacy notice must be “concise, clear, conspicuous, and not misleading.”
  • Imposes requirements on service providers, such as requiring that a contract governs the processor’s execution of data processing activities on behalf of the controller.
  • Creates a private right of action.
  • This bill would go into effect 180 days after becoming law.

New Mexico

New Mexico Consumer Information and Data Protection Act

  1. Bill Title: Consumer Information and Data Protection Act (House Bill 410)
  2. Date of Introduction: February 12, 2025
  3. Current Status: As of February 21, 2025, HB 410 has been referred to the House Committee on Commerce & Economic Development (2/12/25).
  4. Key Provisions:
  • Applies to persons that conduct business in New Mexico and persons that produce products or services that are targeted to New Mexico residents.
  • In addition to the exemptions typically found in these comprehensive privacy bills*, this bill also exempts information used for administering benefits.
  • Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
  • Defines “consumer health data” as “personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis.”
  • Defines “sale” to include exchanges of personal data “for monetary or other valuable consideration.”
  • Defines “sensitive data” to include consumer health data and data concerning an individual’s status as a victim of a crime.
  • Creates individual rights for consumers as articulated at the beginning of this section, including right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Prohibits businesses from (1) providing employees or contractors with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality; (2) providing processors with access to consumer health data unless such person and processor comply with this Act; (3) using a geofence to establish a virtual boundary that is within one thousand seven hundred fifty feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer's consumer health data; or (4) selling, or offering to sell, consumer health data without first obtaining the consumer's consent.
  • Prohibits controllers from processing sensitive data without a consumer’s consent.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed by the controller; purposes for such processing; description of how a consumer may exercise their data rights; categories of personal data that the controller shares with a third party; and categories of third parties with which personal data is shared.
  • If the controller sells or processes personal data for targeted advertising, it must “clearly and conspicuously disclose such processing” as well as how a consumer may exercise the right to opt out.
  • Asserts specific requirements and protections over the processing of data collected from a known child (subject to COPPA’s parental consent requirements), such as:
    • Prohibiting controllers from processing personal data collected from a known child for the purposes of targeted advertising, the sale of such personal data, or “profiling in furtherance of decisions that produce legal or similarly significant effects” concerning the child. Controllers must also implement purpose limitations in their processing and data retention best practices.
    • Prohibiting controllers from processing precise geolocation data collected from a known child unless the data is reasonably necessary for the controller to provide an online service, product or feature and the controller implements data minimization and transparency practices, such that the child knows their geolocation data is being collected.
  • Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Requires that controllers conduct data protection assessments for high-risk data processing activities, including processing of personal data for purposes of targeted advertising, sale of personal data, and specified types of profiling, as well as the processing of sensitive data.
  • Grants exclusive enforcement authority to the New Mexico Attorney General.
  • Requires that the State AG provide entities with a 30-day cure period before initiating an enforcement action.
  • AG may seek an injunction and civil penalties of up to $10,000 for each violation.

New Mexico Internet Privacy and Safety Act

  1. Bill Title: Internet Privacy and Safety Act (House Bill 307)
  2. Date of Introduction: February 2, 2025
  3. Current Status: As of February 21, 2025, HB 307 has been referred to the House Committee on Commerce & Economic Development (2/2/25).
  4. Key Provisions:
  • Applies to entities (e.g., LLC, corporation, partnership, etc.) that: (1) are organized or operated for the profit or financial benefit of the entity's shareholders or other owners; (2) offer online features, products or services to consumers in New Mexico; and (3) alone or jointly with others, determine the purposes and means of:
    • (a) collecting personal data directly from consumers; advertising; or personal data;
    • (b) using personal data for targeted advertising; or
    • (c) engaging in the brokerage of personal data.
  • Exempts the following information from the definition of “publicly available information”: (1) obscene visual depictions and (2) personal data derived from multiple independent sources of publicly available information that reveals sensitive personal data with respect to a consumer.
  • Defines “sensitive personal data” to include data describing or revealing the past, present or future mental or physical health of a consumer, including: (a) diagnosis; (b) disability; (c) health care condition; or (d) treatment.
  • Coins the phrase “privacy-protective feed,” which is defined as an algorithmic ranking system that does not use the personal data of a consumer to determine the order, relative prominence, relative prioritization or selection of information that is furnished to the consumer on an online feature, product or service except for expressly provided personal data.
  • Creates individual rights for consumers as articulated at the beginning of this section but modifies the standard opt-out provision to an opt-in method, prohibiting entities from processing personal data for purposes of targeted advertising, first-party advertising or the brokerage of personal data without the consumer first opting in to those purposes by “clear and conspicuous means” and not through the use of dark patterns.
  • Prohibits entities from engaging in or instructing third parties to engage in certain processes, including: (1) profiling consumers by default unless profiling is necessary to provide the online feature, product or service; (2) processing personal data except as necessary to provide specific online features or communication; (3) processing sensitive personal data unless the collection is strictly necessary for the covered entity to provide the online feature, product or service requested and then only for the limited time that the collection of data is necessary to provide the feature, product or service; (4) processing a consumer's precise geolocation information without providing an obvious signal to the consumer for the duration of that collection that precise geolocation information is being collected; (5) using dark patterns to cause a consumer to provide personal data beyond what is reasonably expected; (6) processing or transferring personal data in a manner that discriminates or otherwise makes unavailable the equal enjoyment of goods or services on the basis of childbirth or condition related to pregnancy or childbirth, color, disability, gender, gender identity, mental health, national origin, physical health condition or diagnosis, race, religion, sex life or sexual orientation.
  • Prohibits processing of sensitive personal data for purposes of targeted advertising, first-party advertising or the brokerage of personal data.
  • Requires that controllers provide consumers with access to information regarding: categories of personal data processed by the controller; purposes for such processing; categories of personal data that the controller shares with a third party; and categories of third parties with which personal data is shared (with a log showing when such disclosure occurred), and the period of retention of the personal data.
  • Imposes requirements on entities, such as requiring each entity to permit a consumer to: (1) disable notifications or disable notifications during specific periods of time; (2) choose between a privacy-protective feed and a profile-based feed; and (3) permit a consumer to disable contact by unknown individuals unless the consumer first initiates the contact or provide a mechanism to screen contact by individuals with whom the consumer does not have a relationship.
  • Requires entities with actual knowledge that a minor is using its platform to establish default settings that: (1) disable contact by unknown users unless the consumer first initiates the contact; (2) disable notifications between the hours of 10:00 p.m. and 6:00 a.m. mountain time pursuant to federal law; and (3) use a privacy-protective feed.
  • Grants enforcement and rulemaking authority to the New Mexico DOJ.
  • Creates a private right of action for consumers and allows for recovery of damages or equitable or injunctive relief in district court.
  • Subjects entities in violation to injunctive relief to cease or correct the violation and imposes civil penalties of up to $2,500 per affected consumer for each negligent violation and up to $7,500 for each intentional violation.

New York

New York Privacy Act

  1. Bill Title: New York Privacy Act (A4947)
  2. Date of Introduction: February 10, 2025
  3. Current Status: As of February 21, 2025, A4947 has been referred to the Consumer Affairs and Protection Committee (2/10/2025).

[WH note: This bill was introduced as the companion bill to S 3044 (which was profiled in the February 7th update)].

New York Digital Fairness Act        

  1. Bill Title: Digital Fairness Act (S4276)
  2. Date of Introduction: February 3, 2025
  3. Current Status: As of February 21, 2025, S4276 has been referred to the Senate’s Internet and Technology Committee (2/3/2025).
  4. Key Provisions:
  • Applies to covered entities, which are defined as “a legal entity that conducts business in New York state and, as part of such business, processes and maintains the personal information of five hundred or more unique individuals.”
  • Requires covered entities to “make persistently and conspicuously available” a short-form privacy notice that includes: what personal information is being processed; the manner in which the personal information is being processed; how and for what purpose the covered entity processes personal information; how long personal information will be retained; whether and how the covered entity monetizes personal information; to which third parties the covered entity discloses personal information and for what purposes; and how the covered entity collects personal information, including offline practices, when the individual is not directly interacting with such covered entity.
  • Requires covered entities to obtain affirmative consent before (1) processing an individual's personal information and (2) making any changes in the processing of such individual's information that necessitate a change to the entity's short-form privacy notice.
  • Requires covered entities to ensure that the option to withhold consent is displayed as clearly and prominently as the option to provide consent.
  • Creates individual rights for consumers as articulated at the beginning of this section.
  • Imposes requirements on processors, such as requiring that a contract governs the processor’s execution of data processing activities on behalf of the controller.
  • Creates a private right of action, with liquidated or actual damages up to $10,000.
  • Creates civil penalties of up to $25,000 per violation, or up to four percent of annual revenue of the covered entity, or third party.
  • Goes into effect immediately, with exceptions for specific sections that are set to go into effect one to two years later after the bill becomes law.

Vermont

  1. Bill Title: Vermont Data Privacy and Online Surveillance Act (House Bill 208)
  2. Date of Introduction: February 12, 2025
  3. Current Status: As of February 21, 2025, H 208 has been referred to the Committee on Commerce and Economic Development (2/12/25).
  4. Key Provisions:
  • Applies to entities that conduct business in Vermont or produce products or services that are targeted to Vermont residents and that during the preceding calendar year: (1) controlled or processed the personal data of 25,000 or more consumers (excluding payment transactions); or (2) controlled or processed the personal data of 12,500 or more consumers and derived more than 25% of gross revenue from the sale of personal data.
  • Includes all the typical exemptions found in these comprehensive privacy bills* except higher education institutions, employment information, and most nonprofits (i.e. nonprofit organizations established to detect and prevent insurance fraud are still exempt from compliance with this bill, but all other nonprofits are not).
    • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements. 
  • Exempts individuals “acting in a commercial context” from its definition of “consumer.” 
  • Contains a short section toward the end of the statute, Sec. 2425 Confidentiality of Consumer Health Data, that establishes additional protections for consumer health data. The statute also broadly defines “consumer health data,” “gender-affirming health data,” and “reproductive or sexual health data” and specifies when obligations and protections apply to this data (similar to how sensitive data is often specified).
  • Defines “sale of personal data” to include exchanges of personal data from a controller to a third party “for monetary or other valuable consideration.”  
  • Asserts a pretty expansive definition for “sensitive data,” including personal data that concerns “consumer health data that describes or reveals a past, present, or future mental or physical health condition,” and personal data collected from a minor, precise geolocation data, keystrokes, driving behavior, and “online activities of a consumer over time and across devices, websites,…and mobile applications that do not share common branding, or data generated by, profiling performed on such data.”
  • Specifies what data a controller may use to display a contextual advertisement, which generally has lower protections and associated privacy obligations than targeted advertisements.
  • Prohibits the processing of personal data of a minor for purposes of targeted advertising or sale.
  • Creates individual rights for consumers as articulated at the beginning of this section, including right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. 
  • Uniquely, the Act also establishes a consumer’s right to know whether their personal data “will be used in any artificial intelligence system and for what purpose.”  
  • Prohibits controllers from selling sensitive data.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal information processed; purposes for said processing; description of how consumers may exercise their data rights; categories of personal information the controller sells to third parties; and categories of third parties to which controller sells personal information. 
  • Uniquely, the Act also requires that the notice contain a description of “any collection, processing, selling, or sharing of personal data for training or use of artificial intelligence systems,” if applicable.
  • If controller sells personal information or processes personal information for purposes of targeted advertising, it must provide a “clear and conspicuous description” of that processing and provide an opt-out procedure.
  • Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller. 
  • Requires that controllers conduct data protection assessments for processing activities involving targeted advertising, sale of personal information, certain types of profiling, the processing of sensitive data, and other processing posing a “heightened risk of harm to consumers.”  
  • Declares that a violation of the Act is considered an unfair and deceptive act in commerce in violation of Vermont’s Consumer Protection laws.
  • Authorizes the Attorney General to enforce against alleged violations and engage in rulemaking efforts.
  • Grants discretion to the AG to provide entities with a 60-day cure period before initiating an enforcement action.  
  • Establishes a limited private right of action for individuals to sue under Vermont’s consumer protection law for equitable relief and damages. Specifically, this private right of action can only be used by “a consumer who is harmed by a data broker’s or large data holder’s violation” of subsections within the act that address prohibitions around the processing and sale of sensitive data and requirements for consumer health data confidentiality.
  • Contains staggered effective dates, but the majority of provisions would go into effect on July 1, 2026.

* Unless otherwise noted in the summaries above, the following entities and data types are typically exempted from compliance with these comprehensive privacy laws: government entities; higher education institutions; nonprofit organizations; covered entities, business associates, and protected health information subject to HIPAA; financial institutions and data governed by the GLBA; personal data governed by the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), and the Driver’s Privacy Protection Act (DPPA); and certain employment-related information.

 
