State Comprehensive Privacy Law Update – March 7, 2025

Blog WilmerHale Privacy and Cybersecurity Law

As the legislative season continues, some states, like Georgia and Oklahoma, have continued to progress in their efforts to establish a comprehensive data privacy law, while others, such as Alabama, Illinois, and Massachusetts, have not seen much movement yet. Although this update article focuses on new comprehensive privacy bills introduced by state legislatures, it is worth highlighting some of the recent legislative developments and amendments in states that already have a comprehensive privacy law in place.

First, Virginia passed SB 854, which amends its comprehensive privacy law to impose regulations on social media platforms, such as using “commercially reasonable methods” to determine whether a user is younger than 16 years old and if the user is, then “limit[ing] a minor's use of such social media platform to one hour per day, per service or application, and allow[ing] a parent to increase or decrease the daily time limit.” Other notable state amendments are working their way through the chambers. Montana’s SB 297 would amend the state’s existing law to lower the law’s applicability threshold for regulated entities and add additional children’s privacy provisions. Utah’s HB 418 would add the right to correct to Utah’s comprehensive privacy bill—a move that would align the law with the consumer data rights established in most other states, but make the Utah law slightly less business-friendly. Finally, Connecticut’s SB 1356 has also generated some interest as it amends the definition of “sensitive data,” lowers the applicability threshold, revises data minimization requirements, and creates a data broker registry.

HIGHLIGHTS FROM THIS WEEK’S UPDATE

  • In addition to the usual trappings of comprehensive state privacy law, Arkansas bill SB258 creates meaningful obligations for developers and deployers of “high-risk” artificial intelligence systems. The bill establishes definitions for “artificial intelligence system” and “algorithmic discrimination,” defining the latter as “a condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors an individual or group of individuals” on certain protected characteristics. These AI-specific provisions in the Arkansas bill reflect a growing trend in state privacy laws targeting algorithmic discrimination.
  • This newest wave of introduced bills presented a resurgence of the cure period: four of the six bills introduced (New Mexico’s SB 420, Vermont’s S 93, West Virginia’s HB 2987, and West Virginia’s HB 2953) propose some iteration of a cure period that would allow entities under investigation to fix or “cure” an alleged violation before further enforcement action could be taken. This was most notable in New Mexico’s bill, which was otherwise the Senate’s version of HB 307, the Internet Privacy & Safety Act. Vermont’s bill proposes the cure period only during the transition period, so it would expire by December 31, 2026.
  • The West Virginia legislature proposed two additional comprehensive privacy bills for consideration. Although HB 2987 also contains a “Safe Harbor for Cybersecurity Program” provision, HB 2953 presents more consumer-friendly provisions such as implementing an expansive definition for “personal information” that includes browsing history, imposing additional civil penalties for alleged violations against minor users, implementing a 30-day cure period, and granting a limited private right of action to individuals who experience a data breach.

UPDATES ON EXISTING PROPOSALS

Since our last update, there are a few—but significant—bill updates to report. On March 3, 2025, the Georgia Senate passed and adopted SB 111, the Consumer Privacy Protection Act, with a 53-2 vote split between the “yea’s” and “nay’s.” The bill now sits in the House. Oklahoma’s SB 546 was previously passed by the Senate Technology and Telecommunications committee. On February 19, 2025, it was placed on general order, which means that the bill has passed out of committee and will be considered by the whole Senate.

Earlier this week, Illinois’ HB 3041, the Data Privacy and Protection Act, was assigned to the Cybersecurity, Data Analytics, and IT Committee, while New Mexico’s HB 410, the Consumer Information and Data Protection Act, was reported by the Judiciary and Commerce and Economic Development Committees with a Do Not Pass, but also a Do Pass recommendation on Committee Substitution as amended.

NEW PROPOSALS

Unless otherwise noted, all the newly introduced comprehensive privacy bills share some common features, such as the creation of consumer privacy rights and requirements for privacy notice. The consumer privacy rights proposed in these bills typically include the right to confirm whether a controller is processing a consumer’s personal information; the rights to access, correct, or delete personal information; and the right to data portability. Although it may be phrased differently, these bills typically create a right to opt-out of the processing of personal information for purposes of selling data or targeted advertising. These introduced bills also require controllers to provide consumers with information (often via a privacy notice) that includes the categories of personal information processed; the purposes for the data processing; a description of how to exercise data rights; and information regarding any data that is sold to third parties.

The summaries below detail additional key components found in the newly introduced bills:

Arkansas

  1. Bill Title: Arkansas Digital Responsibility, Safety, and Trust Act (SB258)
  2. Date of Introduction: February 19, 2025
  3. Current Status: As of March 6, the bill was re-referred to the Senate Committee on Transportation, Technology & Legislative Affairs (2/27/25).
  4. Key Provisions:
  • Applies to entities that (1) conduct business in Arkansas or offer a product or service consumed by Arkansas residents; (2) process or engage in the sale of personal data; and (3) are not considered a small business, as defined by the United States Small Business Administration. Separately, the bill’s section on AI developers' duties applies to employers who employ 60 or more full-time employees and use a person’s data to train a high-risk AI system, regardless of whether the employer meets the initial application requirements.
  • In addition to the exemptions typically found in these comprehensive privacy bills*, this bill also exempts electric utility companies governed by Arkansas law; the processing of personal data by a person in the course of a purely personal or household activity; and nonprofit organizations with annual receipts of fifteen million dollars or less over the past five years.
    • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Defines “personal data” to include “pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.”
  • Defines “sensitive data” to include “precise geolocation data,” “data concerning personal or political affiliations,” and “genetic or biometric data that is processed for the purpose of uniquely identifying an individual.”
  • Defines “sale of personal information” to include exchanges of personal information “for monetary or other valuable consideration.”
  • Defines “algorithmic discrimination” as “a condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of the individual's or group of individuals' actual or perceived age, color, disability status, ethnicity, genetic information, national origin, race, religion, sex, veteran status, or other classification protected under the laws of this state or federal law.”
  • Defines a “high-risk artificial intelligence system” as “an artificial intelligence system that, when deployed, makes, or is a substantial factor in making a decision that produces a legal or similarly significant effect concerning a consumer.”
  • Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
  • Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Prohibits small businesses and nonprofit organizations from engaging in the sale of personal data without receiving prior consent from the consumer.
  • Prohibits controllers from processing sensitive data without obtaining a consumer’s consent.
  • Prohibits controllers who are not considered covered entities or business associates under HIPAA from collecting or sharing consumer health data, unless the controller is acting “with consent from the consumer for cash collection for a specified purpose” or to “the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the person.”
  • Prohibits controllers from using dark patterns to obtain a consumer’s consent to the processing of their personal data.
  • Requires controllers to provide consumers with two or more secure and reliable methods for submitting requests to exercise consumer rights. Furthermore, the bill requires controllers that operate exclusively online to provide an email address for the submission of requests to exercise consumer rights.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal information processed; purposes for said processing; a description of how consumers may exercise their data rights; categories of personal information the controller sells to third parties; categories of third parties to which the controller sells personal information; and a description of the methods through which consumers can submit requests to exercise their consumer rights.
    • Requires explicit notices if the controller sells sensitive data or biometric data (e.g., “NOTICE: We may sell your sensitive personal data”).
    • Requires controllers that sell personal data or process personal data for purposes of advertising to “clearly and conspicuously disclose” that sale or process and “the manner in which a consumer may exercise the right to opt out of the sale or process.”
  • Imposes requirements on processors, such as requiring that a contract governs the processor’s execution of data processing activities on behalf of the controller.
  • Requires that controllers conduct data protection assessments for processing activities involving targeted advertising, sale of personal information, certain types of profiling, the processing of sensitive data, and other processing posing a “heightened risk of harm to consumers.”
  • Requires entities in possession of biometric data to publicly publish a written policy establishing a retention schedule and guidelines for permanently destroying biometric data once the initial purpose for collecting the biometric data has been satisfied or within three years, whichever occurs first.
  • Imposes requirements for developers and deployers of “high-risk” systems, including using “reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination.”
  • Grants exclusive enforcement authority to the Arkansas Attorney General.
  • Authorizes the State AG to seek all remedies and penalties available to the AG’s Office under the Deceptive Trade Practices Act.
  • Would take effect on January 1, 2026, with the AI developers' duties taking effect on July 1, 2026.

New Mexico

  1. Bill Title: Community Privacy & Safety Act (Senate Bill 420)
  2. Date of Introduction: February 17, 2025
  3. Current Status: As of March 7, 2025, SB 420 has been reported by the Senate Committee on Tax, Business, and Transportation with a Do Pass recommendation (2/28/2025).
  4. Key Provisions:

[WH note: This bill was likely introduced as the companion bill to HB 307, the Internet Privacy & Safety Act (which was profiled in the February 21st update), with one exception:

  • In contrast to HB 307, SB 420 would require a 60-day cure period for small businesses for a period of three years immediately following the date of enactment.]

New York

  1. Bill Title: It’s Your Data Act (S5156)
  2. Date of Introduction: February 19, 2025
  3. Current Status: As of March 6, the bill was referred to the Senate’s Codes Committee (2/19/25).
  4. Key Provisions:
  • Applies to entities that do business in New York and (1) have an annual gross revenue in excess of fifty million dollars; (2) alone or in combination, annually buy, receive for business purposes, sell, or disclose for commercial purpose the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50% or more of its annual revenue from selling consumers’ personal information.
  • Contains the exemptions typically found in these comprehensive privacy bills.*
  • Defines “personal information” as “information that identifies or could reasonably be linked, directly or indirectly, with a particular consumer, household, or consumer device.”
  • Defines “sale of personal information” to include exchanges of personal information “for monetary or other valuable consideration.”
  • Requires businesses that collect consumers’ personal information to disclose the following information in their privacy policy: a description of consumers’ rights and one or more methods for submitting a request to exercise those rights; a description of the personal information collected; categories of sources from which the personal information is collected; a description of the methods such businesses use to collect personal information; purposes for collecting, disclosing, or retaining personal information; a description of the personal information the business discloses; categories of third parties and service providers to which the business sells personal information; the length of time personal information is retained; and a description of deidentification methods (if applicable).
  • Creates individual rights for consumers as articulated at the beginning of this section, including the right to request the categories of personal information a business disclosed about a consumer and the specific third parties to whom the personal information was disclosed.
  • Requires businesses to obtain consumers’ affirmative consent before collecting or sharing consumers’ personal information.
  • Requires controllers to provide consumers with two or more secure and reliable methods for submitting requests to exercise consumer rights.
  • Creates a private right of action.
  • Creates civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation.
  • Empowers the New York Attorney General, county district attorneys, and civil corporation counsels with jurisdiction to bring a civil action.
  • Empowers the New York Attorney General with rulemaking authority.
  • Would take effect one year after the bill becomes law.

Vermont

  1. Bill Title: Vermont Data Privacy Act (Senate Bill 93)
  2. Date of Introduction: February 27, 2025
  3. Current Status: As of March 6, 2025, S 93 has been read for the first time and referred to the Committee on Economic Development, Housing and General Affairs (2/27/25).
  4. Key Provisions:
  • Applies to entities that conduct business in Vermont or produce products or services that are targeted to Vermont residents and that, during the preceding calendar year, (1) controlled or processed the personal data of 100,000 or more consumers (excluding payment transactions) or (2) controlled or processed the personal data of 25,000 or more consumers and derived more than 25% of gross revenue from the sale of personal data.
  • Includes all the typical exemptions found in these comprehensive privacy bills.*
    • Exempts individuals “acting in a commercial or employment context or as an employee” from its definition of “consumer.”
  • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Contains a short section toward the end of the statute, Sec. 2426 Consumer Health Data Privacy, that establishes additional protections for consumer health data. The statute also broadly defines “consumer health data,” “gender-affirming health data,” and “reproductive or sexual health data” and specifies when obligations and protections apply to this data (similar to how sensitive data is often specified).
  • Defines “sale of personal data” to include exchanges of personal data from a controller to a third party “for monetary or other valuable consideration.”
  • Asserts a broad definition for “sensitive data,” including “data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnosis, sex life, sexual orientation, or citizenship or immigration status;” consumer health data; personal data collected from a child; and geolocation data.
  • Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Requires consent for processing sensitive data.
  • Specifies that controllers must obtain consent to process personal data for targeted advertising or the sale of data if they have knowledge that the consumer is between 13 and 16 years old.
  • If a controller sells personal information or processes personal information for purposes of targeted advertising, it must provide a “clear and conspicuous description” of that processing and provide an opt-out procedure.
  • Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Requires that controllers conduct data protection assessments for processing activities involving targeted advertising, sale of personal information, certain types of profiling, the processing of sensitive data, and other processing posing a “heightened risk of harm to consumers.”
  • Declares that a violation of the Act is considered an unfair and deceptive act in commerce in violation of Vermont’s Consumer Protection laws.
  • Authorizes the Attorney General to enforce against alleged violations and engage in rulemaking efforts.
  • Requires that the AG provide entities with a 60-day cure period before initiating an enforcement action “if the AG determines a cure is possible” for the period of July 1, 2025 to December 31, 2026.
  • Goes into effect on July 1, 2026.

West Virginia

West Virginia Consumer Credit and Protection Act

  1. Bill Title: Consumer Credit and Protection Act (House Bill 2987)
  2. Date of Introduction: February 26, 2025
  3. Current Status: As of March 7, 2025, HB 2987 has been referred to the House Energy and Public Works Committee (2/26/2025).
  4. Key Provisions:
  • Applies to persons that conduct business in West Virginia or produce products or services that are targeted to West Virginia residents and that (1) during a calendar year, control or process personal data of at least 100,000 consumers; (2) control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data; or (3) have annual gross revenues generated in this state which exceed $25,000,000.
  • In addition to the exemptions typically found in these comprehensive privacy bills*, this bill also exempts information used for administering benefits and data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.
    • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
  • Defines “sale of personal data” to include exchanges of personal data “for any form of valuable consideration, including but not limited to, monetary consideration.”
  • Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Defines “sensitive data” to include “precise geolocation data.”
  • Prohibits controllers from processing sensitive data without a consumer’s consent.
  • Imposes transparency obligations and requires controllers to establish reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed by the controller; purposes for such processing; description of how a consumer may exercise their data rights; categories of personal data that the controller shares with a third party; and categories of third parties with which personal data is shared.
  • If the controller sells or processes personal data for targeted advertising, it must “clearly and conspicuously disclose such processing” as well as how a consumer may exercise the right to opt out.
  • Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Requires that controllers conduct data protection assessments for processing activities involving targeted advertising, sale of personal data, certain types of profiling, the processing of sensitive data, and other processing posing a “heightened risk of harm to consumers.”
  • Grants exclusive enforcement authority to the West Virginia Attorney General.
  • Requires that the State AG provide entities with a 30-day cure period before initiating an enforcement action.
  • Authorizes the State AG to seek civil penalties of up to $7,500 per violation or injunctive relief. All civil penalties will be deposited in the Consumer Privacy Fund created by the Act.

West Virginia Consumer Data Protection Act

  1. Bill Title: Consumer Data Protection Act (House Bill 2953)
  2. Date of Introduction: February 25, 2025
  3. Current Status: As of March 7, 2025, HB 2953 has been referred to the House Committee on Environment, Infrastructure, and Technology (2/26/2025).
  4. Key Provisions:
  • Applies to businesses (e.g., LLC, corporation, partnership, etc.) that (1) are organized or operated for the profit or financial benefit of their shareholders or owners; (2) do business or conduct sales in this state, for money or other valuable consideration; (3) collect personal information about consumers, or are the entity on behalf of which the information is collected; (4) determine the purposes and means of processing personal information about consumers alone or jointly with others; and satisfy one or more of the following thresholds:
    • (A) has global annual gross revenues in excess of $25 million, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
    • (B) annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more consumers, households, or devices.
    • (C) derives 50 percent or more of its global annual revenues from selling or sharing personal information about consumers.
    • (D) any entity that controls or is controlled by a business and that shares common branding with the business.
  • Prohibits businesses from selling or sharing the personal information of a consumer if the business has actual knowledge that the consumer is not 16 years of age or older, unless the consumer's parent or guardian has affirmatively authorized the sale or sharing.
  • Defines “personal information” to include (1) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application, or advertisement; (2) audio, electronic, visual, thermal, olfactory, or similar information; (3) professional or employment-related information; (4) education information that is not publicly available, personally identifiable information as defined in FERPA; and (5) inferences drawn from personal information to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  • Defines “sale of personal information” to include exchanges of personal information “for monetary or other valuable consideration.”
  • Creates individual rights for consumers as articulated at the beginning of this section and establishes procedures to fulfill consumer requests.
  • Requires businesses to provide and follow a retention schedule that prohibits the use and retention of personal information after satisfaction of the initial purpose for collecting or obtaining the information, or after the duration of a contract, or one year after the consumer's last interaction with the business, whichever occurs first.
  • Requires controllers to maintain an online privacy policy that includes: (1) all state-specific consumer privacy rights; (2) a list of the categories of personal information the business collects or has collected about consumers; and (3) a list that identifies which categories of personal information the business sells or shares or has sold or shared about consumers based on the categories identified.
  • Contains provisions to be included in any contract between a business and service provider regarding certain processes service providers shall be prohibited from engaging in.
  • Grants enforcement and rulemaking authority to the West Virginia Division of Consumer Protection.
  • Requires that the Division provide entities with a 30-day cure period before initiating an enforcement action.
  • Authorizes the Division to seek civil penalties of up to $2,500 per violation and up to $7,500 for each intentional violation. The Division may recover treble damages if the violation involves a consumer who is 16 years old or younger.
  • Creates a limited private right of action for consumers impacted by personal information security breaches, allowing those consumers to seek the greater of actual damages or between $100 and $750 per consumer per incident, injunctive or declaratory relief.

* Unless otherwise noted in the summaries above, the following entities and data types are typically exempted from compliance with these comprehensive privacy laws: government entities; higher education institutions; nonprofit organizations; covered entities, business associates, and protected health information subject to HIPAA; financial institutions and data governed by the GLBA; personal data governed by the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), and the Driver’s Privacy Protection Act (DPPA); and certain employment-related information. 
