State Comprehensive Privacy Law Update – April 7, 2025

The states bounced back from a somewhat quiet previous biweekly update with several noteworthy developments in the last two weeks. A total of five new state comprehensive privacy bills were introduced in Maine (LD 1224), North Carolina (HB 462 and SB 757), Pennsylvania (SB 112), and Wisconsin (SB 166). There are no major surprises in the proposed provisions, although all the new bills propose cure periods ranging from 30 to 60 days. Wisconsin’s bill introduction comes in the wake of last legislative session’s failed attempt with AB 466, which was passed by the assembly but then failed in the senate. Finally, two bills passed unanimously in the chamber where they were introduced. Oklahoma’s SB 546, which was modeled on the Washington Privacy Act model bill, passed out of the senate with a vote of 46 Ayes, 0 Nays. Meanwhile, Pennsylvania’s Consumer Data Privacy Act (HB 78) passed out of the house with a vote of 26 Ayes, 0 Nays. Its companion bill (SB 112), introduced on the senate side in late March, will start to progress through chambers.

This blog post summarizes the most notable updates with regard to state comprehensive privacy law proposals. Please follow the WilmerHale Privacy and Cybersecurity Blog to stay up to date on these developments and others.

HIGHLIGHTS FROM THIS WEEK’S UPDATE

  • The seven bills from Massachusetts, which were early additions to the state’s legislative docket and profiled in our January 28th update, have finally moved off the docket. These seven bills can be grouped into 4 different versions of a state comprehensive privacy bill for the Bay State—the Massachusetts Data Privacy Act (S. 45, S. 29, and H. 104), the Massachusetts Information Privacy and Security Act (S. 301), the Massachusetts Consumer Data Privacy Act (H. 78), and the Massachusetts Consumer Data Privacy Act (S. 33 and H. 80). There is a joint hearing scheduled on April 9, 2025 at 1 PM for all these bills except the Massachusetts Information Privacy and Security Act (S. 301), which is progressing through the senate with the typical stages.
  • As mentioned above, North Carolina and Wisconsin legislators entered the arena with the first comprehensive privacy bill introductions for their current state session. These bills follow the trends that we have seen throughout this legislative season: the typical establishment of consumer data privacy rights, statutory definitions and more regulation around “targeted advertising,” inclusion of geolocation within the definition of “sensitive data,” and the establishment of cure periods but no private rights of action. Meanwhile, Pennsylvania put forward a new companion bill (SB 112) to the current bill, HB 78, which recently passed unanimously in the House.
  • Another state has joined Hawaii, Mississippi, and Washington in stalling out on efforts to pass a comprehensive bill this year. The three bills introduced by legislators in New Mexico failed to pass before the close of the legislative session on March 22, 2025.

NEW PROPOSALS

Unless otherwise noted, all the newly introduced comprehensive privacy bills share some common features, such as the creation of consumer privacy rights and requirements for privacy notice. The consumer privacy rights proposed in these bills typically include the right to confirm whether a controller is processing a consumer’s personal information; the rights to access, correct, or delete personal information; and the right to data portability. Although it may be phrased differently, these bills typically create a right to opt out of the processing of personal information for purposes of selling data or targeted advertising. These introduced bills also require controllers to provide consumers with information (often via a privacy notice) that includes the categories of personal information processed; the purposes for the data processing; a description of how to exercise data rights; and information regarding any data that is sold to third parties.

The summaries below detail additional key components found in the newly introduced bills:

Maine

  1. Bill Title: Maine Consumer Privacy Act (LD 1224)
  2. Date of Introduction: March 25, 2025.
  3. Current Status: As of April 6, 2025, LD 1224 has been referred to the Maine Joint Judiciary Committee (3/25/2025).
  4. Key Provisions:
  • From July 1, 2026, to December 31, 2027, this bill applies to persons that conduct business in this State or persons that produce products or services that are targeted to Maine residents and either: a) control or process the personal data of at least 100,000 consumers, excluding controlling or processing for the purpose of completing a transaction; or b) control or process the personal data of at least 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
  • Beginning January 1, 2028, this bill will apply to businesses that control or process the personal data of at least 50,000 consumers.
  • In addition to the exemptions typically found in these comprehensive privacy bills,* this bill also exempts information that originates from certain health information (e.g., HIPAA protected health information, patient identifying records) that a covered entity, business associate or program/activity relating to substance use creates, processes or maintains.
    • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Exempts individuals “acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit organization or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit organization or government agency.”
  • Defines “sale of personal data” to include exchanges of personal information “for monetary or other valuable consideration.”
  • Defines “sensitive data” to include genetic or biometric data, precise geolocation data, and data concerning an individual’s status as a victim of a crime.
  • Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Prohibits controllers from processing sensitive data without a consumer’s consent.
  • Prohibits a person from using a geofence to establish a virtual perimeter within 1,750 feet of any facility that provides in-person health care services for the purpose of identifying, tracking, or collecting data from or sending any notification regarding the consumer’s health data to a consumer that enters the virtual perimeter.
  • Requires the AG to provide a 30-day cure period before initiating an enforcement action.
  • Creates a “Maine Privacy Fund” into which funds collected through enforcement actions under the Act will be deposited.
  • Would take effect on July 1, 2026.

North Carolina

Personal Data Privacy Act

  1. Bill Title: North Carolina Personal Data Privacy Act (House Bill 462)
  2. Date of Introduction: March 19, 2025.
  3. Current Status: As of April 4, 2025, House Bill 462 has been referred to the House Judiciary II Committee (3/20/25).
  4. Key Provisions: 
  • Applies to entities that conduct business in North Carolina or target products or services to North Carolina residents and either (1) control or process the personal data of at least 35,000 consumers, “excluding personal data controlled or processed solely for the purpose of completing a payment transaction” or (2) control or process the personal data of at least 10,000 consumers and derive more than 20% of their gross revenue from the sale of personal data.
  • In addition to the exemptions typically found in these comprehensive privacy bills*, this bill also exempts personal data subject to the Airline Deregulation Act and Farm Credit Act, as well as the personal data of a survivor or witness that is collected, processed, or maintained by a nonprofit providing services for individuals impacted by child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.
    • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Exempts individuals “acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency” from its definition of “consumer.”
  • Defines “sale” to include exchanges of personal data “for monetary or other valuable consideration.”
    • The “sale of personal data” does not include the disclosure of personal data (a) “to a processor that processes the personal data on behalf of the controller where limited to the purpose of the processing;” (b) “to a third party for purposes of providing a product or service affirmatively requested by the consumer;” (c) “to an affiliate or the controller;” (d) “where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;” (e) “that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;” (f) “to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller's assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller's assets.”
  • Defines “sensitive data” to include “genetic or biometric data” and “precise geolocation data.”
  • Exempts the following advertising and processing activities from “targeted advertising:” (a) “Advertisements based on activities within a controller's own internet websites or online applications;” (b) “Advertisements based on the context of a consumer's current search query, visit to an internet website, or online application;” (c) “Advertisements directed to a consumer in direct response to the consumer's request for information or feedback;” (d) “Processing personal data solely to measure or report advertising frequency, performance, or reach.”
  • Creates individual rights for consumers as articulated at the beginning of this section, including the right to obtain a list of third parties to which the controller disclosed the consumer’s personal data and the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Allows consumers to exercise their right to opt out of the processing of their personal data for purposes of targeted advertising and sale via opt-out preference signals.
  • Prohibits controllers from processing sensitive data without obtaining a consumer’s consent.
  • Requires controllers to provide consumers with a mechanism to revoke consent that “is at least as easy as the mechanism by which the consumer provided the consumer’s consent.”
  • Requires controllers to provide consumers with a privacy notice that includes: categories of personal data processed by the controller; purposes for such processing; description of how a consumer may exercise their data rights; categories of personal data that the controller shares with a third party; categories of third parties with which personal data is shared; and an email address or online mechanism the consumer can use to contact the controller.
    • Requires controllers that sell personal data or process personal data for purposes of advertising to “clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.”
  • Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Requires that controllers conduct data protection assessment for high-risk data processing activities, including processing of personal data for purposes of targeted advertising, sale of personal data, and specified types of profiling, as well as the processing of sensitive data.
  • Grants exclusive enforcement authority to the North Carolina Attorney General.
  • Permits the North Carolina AG to provide entities with a 60-day cure period before initiating an enforcement action. In determining whether to grant an entity an opportunity to cure, the North Carolina AG will consider factors such as the number of current and previous violations, the extent of the processing activities at issue, the size and complexity of the entity, the likelihood of public harm, and whether the alleged violation was caused by human or technical errors.
  • Would take effect on January 1, 2026.

Consumer Privacy Act

  1. Bill Title: North Carolina Consumer Privacy Act (SB 757)
  2. Date of Introduction: March 25, 2025.
  3. Current Status: As of April 4, 2025, Senate Bill 757 has been referred to the Senate’s Rules and Operations Committee (3/26/25).
  4. Key Provisions: 
  • Applies to entities that conduct business in North Carolina or target products or services to North Carolina residents, have an annual revenue of $25,000,000 or more, and either (1) control or process personal information of at least 25,000 North Carolina residents and derive more than 50% of gross revenue from sale of personal information; or (2) control or process personal information of at least 100,000 North Carolina residents.
  • In addition to the exemptions typically found in these comprehensive privacy bills*, this bill also exempts air carriers, personal information subject to the Farm Credit Act, and “an individual’s processing of personal data for purely personal or household purposes.”
    • Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
  • Preempts “any ordinance, resolution, rule, or other regulation adopted by a local political subdivision of the State regarding the processing of personal data by a controller or processor.”
  • Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
  • Limits the definition of “sale” to “the exchange of personal data for monetary consideration” and excludes the following activities from its definition:
    • A controller's disclosure of personal data to (a) “a processor who processes the personal data on behalf of the controller;” (b) “an affiliate of the controller;” (c) “a third party if the purpose is consistent with a consumer's reasonable expectations;” or (d) to a third party, at the direction of the consumer.
    • “A consumer's disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child.”
    • “The disclosure of information that the consumer intentionally makes available to the general public via a channel of mass media and does not restrict to a specific audience.”
    • “A controller's transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, or bankruptcy in which the third party assumes control of all or part of the controller's assets.”
  • Excludes “information captured from a patient in a health care setting” from its definition of “biometric data.”
  • Defines “sensitive data” to include personal data that reveals specific geolocation data and “the processing of genetic or biometric data if the processing is for the purpose of identifying a specific individual.”
  • Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt out of the processing of personal data for the purposes of targeted advertising and the sale of personal data.
  • Prohibits controllers from processing sensitive data without obtaining a consumer’s consent.
  • Requires that controllers provide consumers with a privacy notice that includes: categories of personal information processed; purposes for said processing; description of how consumers may exercise their data rights; categories of personal information the controller sells to third parties; and categories of third parties to which controller sells personal information.
    • If a controller sells personal information or processes personal information for purposes of targeted advertising, it must “clearly and conspicuously” disclose the manner in which the consumer may exercise the right to opt out of the sale or processing.
  • Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Empowers the Consumer Protection Division of the North Carolina Department of Justice to “establish and administer a system to receive consumer complaints” regarding an entity’s alleged violation of this Act.
  • Grants exclusive enforcement authority to the North Carolina Attorney General.
  • Requires the AG to provide a 45-day cure period before initiating an enforcement action.
  • Authorizes the AG to seek civil penalties of up to $7,500 per violation.
  • Creates a “Consumer Privacy Account” into which funds collected through enforcement actions under the Act will be deposited.
  • Would take effect on January 1, 2026.

Pennsylvania

  1. Bill Title: Senate Bill 112 (SB 112)
  2. Date of Introduction: March 21, 2025.
  3. Current Status: As of April 4, 2025, SB 112 has been referred to the Communications and Technology Committee (3/21/25).
  4. Key Provisions:
  • This bill was introduced as a companion bill to HB 78, which was previously profiled in our January 28, 2025 update.

Wisconsin

  1. Bill Title: Senate Bill 166 (SB 166)
  2. Date of Introduction: March 27, 2025.
  3. Current Status: As of April 4, 2025, SB 166 has been referred to the Committee on Licensing, Regulatory Reform, State and Federal Affairs (3/27/25).
  4. Key Provisions:
  • Applies to persons that conduct business in Wisconsin or target products or services to Wisconsin residents that either 1) control or process personal data of at least 100,000 consumers during a calendar year or 2) control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.
  • Contains the exemptions typically found in these state comprehensive privacy bills.*
  • Excludes individuals “acting in a commercial or employment context” from its definition of “consumer.”
  • Defines “sale” to include exchanges of personal data “for monetary or other valuable consideration.”
  • Defines “sensitive data” to include “the personal data collected from a known child” (statutorily defined as younger than 13 years of age), “the processing of genetic or biometric data for the purpose of uniquely identifying an individual,” and “precise geolocation data.”
  • Exempts the following advertising and processing activities from “targeted advertising:” (a) “Advertisements based on activities within a controller's own websites or online applications;” (b) “Advertisements based on the context of a consumer's current search query, visit to an internet website, or online application;” (c) “Advertisements directed to a consumer in response to the consumer's request for information or feedback;” (d) “Processing personal data processed solely for measuring or reporting advertising performance, reach, or frequency.”
  • Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Requires controllers to recognize opt-out preference signals by July 1, 2028 and details other requirements for the mechanism.
  • Prohibits controllers from processing sensitive data without obtaining the consumer’s consent.
  • Requires controllers to provide a “clear and conspicuous link” that enables the consumer to opt out of targeted advertising or sale of personal data.
  • Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
  • Requires that controllers regularly conduct data protection assessments for 6 activities involving the processing of personal data for: 1) purposes of targeted advertising; 2) the sale of personal data; 3) purposes of profiling with a risk of substantial injury to consumers; 4) the processing of sensitive data; 5) “any processing activity involving personal data that present a heightened risk of harm to consumers;” and 6) goods, services, or products likely to be accessed by a child.
    • This requirement would apply to processing activities created after January 1, 2026.
  • Grants exclusive enforcement authority to the Wisconsin Attorney General.
  • Requires that the AG provide entities with a 30-day cure period before initiating an enforcement action.
  • Creates civil penalties of up to $10,000 per violation.
  • Would take effect on January 1, 2027.

UPDATES ON EXISTING PROPOSALS

Chamber Passages

  • Oklahoma’s SB 546 is picking up traction. On March 26, 2025 it was amended by floor substitute in the senate and unanimously passed. Now on the house side, it was first referred to the Commerce and Economic Development Oversight Committee and then referred to the Government Modernization and Technology committee on April 1, 2025.
  • Pennsylvania’s Consumer Data Privacy Act (HB 78), which had a companion bill introduced in the senate last month, passed unanimously and was laid on the table on March 18, 2025.
  • On March 26, 2025, West Virginia’s Consumer Data Protection Act (HB 2987) passed the house. It was then introduced to the senate and sent to the Judiciary then Finance Committees on March 27, 2025.

Committee Referrals

  • Georgia SB 111, which was previously passed by the Georgia Senate last month, was favorably reported by the House Technology and Infrastructure Innovation Committee and then withdrawn from the General Calendar and recommitted to the Judiciary by Rules Committee on March 27, 2025.
  • The Illinois Privacy Rights Act (SB 52) has experienced a lot of movement since our last update. Most recently, the Senate Committee on AI and Social Media filed an amendment with the secretary on March 24, 2025 and then the amendment was referred to the Executive on April 1, 2025.
  • Also in Illinois, the Data Privacy and Protection Act (HB 3041) was re-referred to the Rules Committee on March 21, 2025, after previously being referred to the House Cybersecurity, Data Analytics, & IT committee.

Hearings, Meetings, and Work Sessions

  • The majority of Massachusetts’ introduced bills, the Data Privacy Act (S. 45, S. 29, and H. 104), the Massachusetts Consumer Data Privacy Act (H. 78), and the Massachusetts Consumer Data Privacy Act (S. 33 and H. 80) are scheduled for a joint hearing on April 9, 2025 from 1-5 PM EST.

Bill Deaths and Other Bill Movement

  • All three of New Mexico’s bills, HB 307, HB 410, and SB 420, died with the close of the state’s legislative session on March 22, 2025. Both HB 410 and SB 420 had made some progress out of committee—HB 410 was last reported by committee with a Do Not Pass but with a Do Pass recommendation on Committee Substitution as amended and SB 420 was reported by committee with a Do Pass recommendation.
  • On March 21, 2025, Maine’s Consumer Data Privacy Act (LD 1088 / HP 710) was carried over to the next special or regular session of the Legislature, effectively pausing progress on the current bill but allowing it to be picked up in the next session.

* Unless otherwise noted in the summaries above, the following entities and data types are typically exempted from compliance with these comprehensive privacy laws: government entities; higher education institutions; nonprofit organizations; covered entities, business associates, and protected health information subject to HIPAA; financial institutions and data governed by the GLBA; personal data governed by the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), and the Driver’s Privacy Protection Act (DPPA); and certain employment-related information.
