State Privacy News - 1/26

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states. We'd like to wish a very happy (and traditional ) Data Privacy Day to all who celebrate. Now, here's everything you need to know since our last issue:

1. New Look 'Age-Appropriate Design Code Act' Emerges

With the California Age-Appropriate Design Code Act of 2022 (CA AADC ) determined to be likely-unconstitutional and locked up in ongoing litigation for the foreseeable future, child safety advocates have been faced with a choice between continuing to push the CA AADC template across the US or to converge on a new approach that may be better suited to survive in an American legal context.

With state legislative season in full swing, we can now safely surmise that the latter option has been chosen , as a new, substantially modified version of the Age-Appropriate Design Code Act has been introduced in various states including New Mexico (SB 68 ); South Carolina (H 4842 ); Virginia (SB 684) ; Maryland (HB 603 ); and Vermont (H.712 ). We will call this new generation of Age-Appropriate Design Codes the "AADC 2.0" until someone comes up with a better term. For an exception that proves the rule, we observe that legislation has been introduced in Hawaii (SB 2309 ) that appears to very closely match the original CA AADC.

As Dispatch readers know, District Judge Labson Freeman's order found that essentially every affirmative obligation of the CA AADC was unlikely to survive on First Amendment grounds (including many provisions that, at least conceptually, are common features of privacy laws across the country). If child safety advocates attempted to respond to each element of the CA AADC injunction, there would likely be nothing left of the AADC. Instead, the AADC 2.0's changes appear focused on modifying / removing the CA AADC provisions that most directly sought regulate expressive content, were in clearest tension with the First Amendment, and raised the greatest concerns from privacy advocates.

The following modifications are of particular significance:

• The CA AADC required businesses to estimate the age of all of their users, which would likely require the collection of additional sensitive personal data in many circumstances. This requirement is not in the AADC 2.0.
• The CA AADC gave state regulators authority to second guess whether content moderation decisions adhered to the stated policies of a business and issue penalties for divergences. This authority is not in AADC 2.0.
• The CA AADC allowed businesses to avoid certain obligations if in the "best interests of children", but did not provide a definition of what that term actually means. In contrast, AADC 2.0 does establish a definition of "best interests of children" and also requires affirmative adherence to that standard.
• The CA AADC required businesses to complete a data protection impact assessment prior to offering any new product, service, or feature and to create a "timed plan" to mitigate various risks, including that children or teens might access "potentially" "harmful content." The AADC 2.0 still requires the completion of DPIAs but their contents and use have been altered.

Despite the (at least initially) successful NetChoice litigation, Minnesota and Maryland still came within a hair's breadth of passing CA AADC bills in 2023. Stakeholders should therefore expect that multiple states will make serious runs to advance the AADC 2.0 in 2024.

2. New Jersey Makes 13...

On January 16, Governor Murphy signed Senate Bill No. 332 (Sixth Reprint) into law, making New Jersey the thirteenth state to enact comprehensive privacy legislation. S332 will take effect on January 15, 2025 (assuming the Dispatch staff understand how leap years work).

By this point, the details of this fairly unusual Connecticut-style law have been exhaustively covered both on the Dispatch and elsewhere. Our topline notes are that New Jersey will be just the third state to provide for privacy rulemaking; S332 has unique scoping for adolescent data protections and definitions of sensitive and biometric data; and will require the completion of assessments prior to engaging in certain risky data processing.

For this article, we follow up on perhaps the most contested aspect of any state privacy law: the issue of private enforcement. Between the 5th and 6th reprints of S332, language was deleted that had specified that S332 will not give rise to a private right of action under any other law (see below) - a modification that, predictably, has generated significant industry concerns about the potential for the plaintiffs' bar to seek a 'backdoor' private right of action under S332.

Governor Murphy's signing statement recognized the alarm raised by the removal of this provision and emphasized that "nothing in this bill expressly establishes such a private right of action". In response, the New Jersey Business & Industry Association argued that this change will nevertheless "encourage the filing of class action lawsuits for violations of this very technical law" and called for cleanup amendments.

Our state privacy patchwork quilt has been updated accordingly:

3. ... And New Hampshire (will) Make 14

In what we can only assume is the biggest news out of New Hampshire this fortnight, the state legislature has approved SB 255 , a comprehensive privacy framework. For all practical purposes, this bill should be considered a copycat of the Connecticut Data Privacy Act, except for the following two distinctions:

• The Secretary of State is charged with developing standards for privacy notices and the exercise of consumer rights.
• The House inserted a fuse that could blow up the bill - language providing that should HB 314 (which has already passed the House) be enacted it will override significant portions of SB 255, particularly with respect to transfers of personal data. However, to date it appears that the State Senate is not striking any matches.

Our state privacy patchwork quilt will be updated accordingly when Governor Sununu enacts SB 255.

If you read anything else about SB 255, we recommend that you make it Joe Duball 's excellent interview with Senator Soucy, one of the key sponsors of the bill. This piece offers a behind-the-scenes look into the motivations and compromises that go into passing broad-based comprehensive privacy legislation.

Finally, we would be remiss not to note the consecutive enactment of state privacy laws from states beginning with "New" - so pay close attention to legislative activity in New Mexico and New York in the coming months!

4. Connecticut's Influence Grows

A widely held expectation at the outset of America's state-led approach to data privacy was that massive California, the first-mover, would be the primary influence on privacy laws in other states. This phenomena has occurred in many regulatory domains and even has it's own term - "The California Effect ." However, in practice it has been Connecticut that has set the high-water mark for commercial privacy protections that other states have tended to follow. The influence of the Connecticut Data Privacy Act (CTDPA) can be found in the furthest reaching privacy laws of Red (Montana, Texas) and Blue (Oregon, Delaware) states alike.

Last year, the CTDPA was expanded through Senate Bill 3 , establishing significant new safeguards for consumer health data and child privacy. Critically, these protections extend to a broader array of entities than the bulk of the CTDPA. For a full summary of the SB 3 amendments, see here . Entering a new round of state legislative sessions, a key question has been whether state policymakers looking to be ambitious on consumer privacy will continue to follow the original CTDPA model, or begin introducing bills that include Connecticut's recent additions.

While it is still early in the year and many of the active privacy proposals actually rolled-over from the 2023 legislative sessions, we can officially declare that the SB 3 amendments are having an influence outside of Connecticut. Of particular note:

• In Maryland, the Online Data Privacy Act (SB 541 / HB 567 ) contains CT SB 3-style heightened protections for consumer health data (though it's unclear if these provisions would be as broadly applicable).
• In Colorado, the original bipartisan sponsors of the Colorado Privacy Act (CPA) have reunited to introduce SB 24-041 , a CT SB 3-style child privacy update to the CPA.

Could it be time to coin the "Connecticut Tech Effect"?

5. New York Senate Passes Sweeping Health Privacy Legislation (Again)

On January 22, the New York State Senate passed the Health Information Privacy Act (S158) by a 61-0 vote, the second year in a row that this proposal has advanced from the Empire State's upper chamber. S158 is of a similar scale as the Washington State My Health, My Data Act (MHMD) but diverges on numerous definitional and substantive fronts. Under S158, regulated health information must be processed in connection with an individual's physical or mental health. Substantively, S158 would establish consumer rights, data security requirements, and strict data minimization requirements. The bill would also establish a unique "valid authorization" requirement that would create at least a 24-hour delay between an individual signing up for a service that uses their health data and when they can first start receiving the service. Contrary to the MHMD, S158 would not establish a private right of action, but would provide for Attorney General Rulemaking.

Should the Health Information Privacy Act be taken up in New York's Assembly this year, we are interested to observe whether it will emerge as an alternative health privacy model to MHMD. Already this year, MHMD-copycats have been introduced in Vermont (S.173 ) and Hawaii (HB 1566 ), though neither bill has seen movement yet.

As always, thanks for stopping by.

Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum