State Privacy News - 3/7

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement from across the U.S. states. Round these here parts, writing about state privacy bills does not imply endorsing or opposing state privacy bills. On to the updates:

1. California Makes Data Broker News - Twice!

We have two big updates out of California regarding data brokers, both of which occurred on February 27.

First, the Enforcement Division of the California Privacy Protection Agency (CPPA) announced a settlement with Background Alert, a California-based company, for failure to register as a data broker pursuant to the Delete Act. This is the seventh action by the CPPA in recent months against a company for not registering. Notably, Background Alert was given a choice under the settlement to either (1) cease operation in California for three years or (2) pay an administrative fine of $50,000. One additional interesting wrinkle first spotted by the IAPP’s eagle-eyed Cobun Zweifel-Keegan, J.D., CIPP/US, CIPM - the settlement implies that inferences can constitute regulated personal information in California, even if based on publicly available information. This is largely consistent with a 2022 advisory opinion from the California Attorney General, but has become a contested issue in the state privacy context (particularly during the Colorado AG’s 2022 rulemaking process) given that state laws typically carve out publicly available information entirely.

Second, our readers will know that the California Delete Act requires that businesses register as data brokers with the state if they (1) sell the personal information of consumers (2) with whom they do not have a direct relationship. In December 2024, the CPPA finalized rules that arguably defined “direct relationship” somewhat narrowly, broadening the number and types of organizations that may need to register as data brokers (and ultimately be subject to bulk deletion requests) under the law. However, the California Privacy Protection Agency has now released a new set of proposed regulations pursuant to the Delete Act that appears to broaden the definition of “direct relationship”:

Of particular importance:

  • The Agency proposes striking the provision that would turn a business into a data broker if they sell personal information and do not interact with any customer for three years.
  • The Agency proposes to put greater emphasis on distinguishing between information that an individual has affirmatively provided to a business in first-party contexts versus information that may have been collected directly from consumers but without an intentional interaction (and thus subject to regulation as brokered data). We expect this is motivated by background tracking technologies such as SDKs that individuals may not be aware of as they browse the web or use apps.
  • The Agency proposes to distinguish between brokered data and intentionally shared data, narrowing the scope of data that will be subject to future bulk deletion requests, a shift that will likely be in line with consumer expectations.

The CPPA Board will meet this afternoon and may vote to move towards formal rulemaking on this new set of regulations, which would (following additional procedural steps) initiate a 45-day public comment period.


2. One Contender Remains in Washington State Following Fiscal Deadline

The deadline for bills to clear finance committees in Washington State has passed, which has probably killed the EPIC/CR-style People’s Privacy Act (HB 1671) and two California-style Gen AI transparency bills (HB 1168 and HB 1170) for the year. We say “probably” because long-time state privacy watchers still carry the trauma of presumed-dead bills being resurrected in Washington through the “Necessary to Implement Budget” mechanism.

However, one significant privacy bill remains alive and kicking in the Evergreen State - SB 5708 / HB 1834, an act relating to protecting Washington children online. This is a tough bill to describe, but the best shorthand for a summary is that it’s a mashup of the currently enjoined California Age-Appropriate Design Code Act and the New York “Addictive Feeds” law currently awaiting rulemaking.

Of course, things are never quite that simple. Similar to some newer versions of AADCs, the bill lacks requirements to conduct either data protection impact assessments or to obtain third-party compliance audits. Furthermore, Section 3 appears to accidentally ban any collection or use of minors’ (under age 13) data unless used for age assurance, rather than the likely intent of limiting the use of data collected for age assurance to that purpose:

SB 5708 has received support from both the Governor and Attorney General. Session closes on April 27.


3. New Mexico Moves on Multiple Fronts

New Mexico has arguably emerged as 2025’s biggest surprise state for activity on privacy legislation. With the close of session looming on March 22, here’s a snapshot of where things currently stand:

  • Comprehensive: A modified EPIC/CR-style comprehensive privacy bill (HB 307) with strict data minimization standards, child safety/design elements, and a private right of action had early momentum in Santa Fe, but it appears that efforts at enacting a comprehensive privacy law are now focused on HB 410, the Consumer Info & Data Protection Act. HB 410 is a more traditional Connecticut-style bill and passed the House Commerce and Economic Development Committee unanimously on March 3. Note, however, that Section 13 of HB 410 as amended seeks to restrict the ability of third parties to receive, use, and disseminate sensitive personal information from government entities - a novel provision likely drafted in response to concerns about the federal Department of Government Efficiency (DOGE).
  • Health: The Health Data Privacy Act (HB 430) is a sweeping bill in the nature of Washington State’s MHMD or New York’s passed but not yet enacted NYHIPA. HB 430 was last seen advancing from the Health & Human Services Committee on February 24 by a 5-4 vote and now resides with the Judiciary Committee. The bill contains a “strictly necessary” OR opt-in consent approach to processing covered health data and an explicit private right of action with $2,500 in statutory damages per each negligent violation.
  • Artificial Intelligence: Finally we have HB 60, which focuses on consequential decisionmaking systems in a similar manner to Colorado SB 205 but contains various unique elements. For example, it defines an "artificial intelligence system" to include anything marketed as using AI or machine learning. The bill has passed two committees and is eligible for a vote in the House.


4. Arkansas Tries Everything, Everywhere, All At Once

It is not often that we have the opportunity to discuss an entirely novel state approach to data privacy, so it is with significant interest that we raise The Arkansas Digital Responsibility, Safety, and Trust Act (SB 258). This is a Texas-style comprehensive privacy bill with numerous additions including standalone Colorado SB205-style provisions governing high-risk automated decisionmaking systems, biometric data requirements reminiscent of BIPA, and a GDPR-style lawful basis approach to processing, complete with a “legitimate interests” prong.

At a March 3 hearing before the Senate Transportation, Technology & Legislative Affairs Committee, lawmakers appeared open to the proposal, but expressed concerns with its breadth. In response, lead sponsor Penzo (R) indicated that he would split the bill into two pieces of legislation - one on comprehensive privacy and one on AI, and bring the bills back before the committee this session.


5. Utah Session Closes

Tonight, Utah will become the third state to close its doors on the 2025 legislative session (following Virginia and Wyoming). As usual, Utah remains a key mover and shaker on tech policy. The top bill we’ve followed is HB 418, the Utah Digital Choice Act, which passed the House 73-0 and the Senate 20-5. This bill is primarily focused on requiring social media companies to establish interoperability between each other’s services, providing for (a) data sharing (including social graphs) between covered entities and (b) enabling third parties to view and be notified of new user generated content on a social media platform - both subject to user consent.

That’s pretty significant! But tucked away in HB 418 is an amendment to Utah’s fourth-in-the-nation consumer privacy law to create an individual right to correct inaccurate information (taking into account the nature of the data and purposes of processing). If enacted by Governor Cox, HB 418 will render Iowa the sole state with a comprehensive consumer privacy law that lacks a consumer right to correct inaccurate information.

Separately, Utah became the first state to pass an App Store Age Verification bill, SB 142.

As always, thanks for stopping by.


Keir Lamont is Senior Director at the Future of Privacy Forum

Kerri Davis, J.D. FIP, CIPM. CIPP/US

Privacy Counsel and Octopus Artist

2 days ago

oh Washington...

As a WA resident, the two letdowns each year are Seahawks at regular season end and state privacy laws in March. We get rare wins (Super Bowl XLVIII, MHMD) but mostly we watch other states' victories. Keir Lamont it is sad to read about the People's Privacy Act. But still looking forward to the IAPP KnowledgeNet session in Seattle Thursday on this topic. There's hope for the kids with HB 1834. https://my.iapp.org/nc__event?id=a0lTS000000mO3FYAU&mkt_tok=MTM4LUVaTS0wNDIAAAGZC_wYMq9M9ECHxGKKAJacP8Z9jMCA22rBrevfMvNjAU1CfAoJBvEhd2dFdOIaIt_loNMw41FNOd9K_jqMekZIGWIcehtZZccQ1pKHkqy_SJKO

Inspiring to think how much more impactful the Dispatch will be now that you've learned how to include screenshots.
