State Privacy News - 4/5

Welcome to The Patchwork Dispatch, a fortnightly newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states.

I had a great time connecting with privacy professionals during the IAPP GPS conference this week. I was honored to help deliver a training on state privacy laws with David Stauss and present on federal privacy legislative efforts at a panel organized by Austin Mooney. My gratitude to everyone who introduced themselves and said that they enjoy these updates; it means a lot.

Unfortunately, given a packed week with various IAPP commitments, this newsletter doesn't do full justice to the many major developments in state privacy that occurred over the past fortnight, but we figure that some updates are better than no updates, so here they are:

1. Maine Joint Judiciary Committee Advances Comprehensive Bill with Novel Data Minimization Provisions

On March 26, Maine's Joint Judiciary Committee voted to advance LD 1977, the Maine Data Privacy and Protection Act, which can now proceed to consideration in both the full House and Senate. The latest version of the bill does not yet appear to be publicly available on the legislature's website, but if you send an email we can share a recent version.

Similar to the Maryland Online Data Privacy Act (discussed last week and below), LD 1977 would represent a significant departure from existing state and global consumer privacy frameworks, particularly with respect to data minimization. Section 9605 of the Act provides that:

“A Controller Shall -

  • (A) Limit the processing of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains;
  • (A-1) Limit the processing of sensitive data to what is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”

It would be difficult to overstate the potential significance of this provision. To date, US privacy laws have typically required that companies (and sometimes nonprofits) identify and disclose the specific purpose(s) for which they use personal data and obtain affirmative consent from individuals for the use of inherently sensitive data categories. The Maine bill represents an effort to establish new, default protections for personal information that would not require individuals to exercise their rights on a case-by-case basis.

Nevertheless, there are open questions about how these new standards would be interpreted, implemented, and ultimately enforced. For example, the legislation currently lacks guidance as to what data practices would be permitted under the "reasonably necessary" standard but closed off under the "strictly necessary" standard. Furthermore, various industry stakeholders have raised concerns that these new standards may be overly strict and have the potential to foreclose beneficial uses of data that are consistent with their customers' reasonable expectations, like the use of data for product improvement. At the same time, higher-risk uses of personal data, such as the sale of personal information to third parties, might nevertheless be permitted despite the data minimization standard given various consent provisions that permeate the bill.

Also similar to Maryland, LD 1977 includes novel digital civil rights language that appears derived from the proposed federal American Data Privacy and Protection Act of 2022. This provision would prohibit both controllers and processors from using personal data "in a manner that discriminates against individuals, or otherwise makes unavailable the equal enjoyment of the controller's or processor's goods or services, on the basis of an individual's actual or perceived race, color, sex, sexual orientation or gender identity, physical or mental disability, religion, ancestry, national origin, age or familial status." This provision would exempt certain processing conducted for the purpose of self-testing to prevent or mitigate unlawful discrimination or to diversify applicant pools.

Maine's legislative session is scheduled to close on April 17th.

2. Maryland Moves Closer Towards Adopting Comprehensive and Child Privacy Bills

Over the past week, the Maryland Online Data Privacy Act (SB 541 / HB 567) received minor amendments. The Maryland Age-Appropriate Design Code Act (SB 571 / HB 603) was also amended to push the effective date back to October 2025. Both privacy frameworks now appear to be in a strong position to clear the legislature by the April 8 deadline.

Maryland has the potential to dramatically alter the overall state privacy landscape in the coming days. Read the first two items in last week's edition of the Dispatch for additional context and analysis.

3. Health Privacy Developments

Washington State's My Health, My Data Act (MHMD) took full effect for the majority of regulated entities on March 31 (the effective date for small businesses is June 30). The law contains stringent and prescriptive rules for using a broadly defined range of "consumer health data." It also includes a private right of action tied to the State's Consumer Protection Act, which requires a showing of injury to business or property in order to recover damages. Nevada's (often overlooked) SB 370, a health privacy law of similar scope to MHMD that only provides for Attorney General enforcement, also took effect on March 31.

But wait, there's more. On April 3, the Illinois House Judiciary - Civil Committee voted to advance the Protect Health Data Privacy Act (HB 4093). Originally introduced in May 2023, HB 4093 very closely matches the provisions of MHMD, but contains various nuances that deserve attention and in sum could make the bill even more impactful than MHMD if enacted. In particular:

  • Unlike the inartfully drafted MHMD, under HB 4093, the definition of "collect" does not include any processing of consumer health data, though it does include "accessing" such information in any manner.
  • HB 4093 takes a different approach to the minimization of health data. It limits collection, sharing, and storage of consumer health data to what is "strictly necessary" to provide a specifically requested product or service. In contrast, MHMD limits all processing ("collection") to what is "necessary" to provide a "requested" product or service. Under both frameworks, a business may avoid this 'necessity limitation' if it obtains a consumer's "express, freely given, informed, opt-in, voluntary, specific, and unambiguous" consent. See more on MHMD's 'necessity exception' from my colleagues here.
  • Unlike MHMD's private right of action, which requires a showing of harm, HB 4093 explicitly establishes a private right of action for violations with statutory damages of $1,000 for negligent violations and $5,000 for reckless violations.

4. It's All Biological in Colorado

In response to expanding concerns about rapidly advancing developments in neurotechnologies such as brain-computer interfaces, Colorado may be on the verge of becoming the first state to explicitly recognize neural data as a protected class of sensitive personal data in its privacy law. HB-1058 has now passed both the House (59-3) and Senate (34-0). The Act defines "neural data" as "information that is generated by the measurement of the activity of an individual's central or peripheral nervous systems that can be processed by or with the assistance of a device." While this would be a notable first for US state privacy law, the ultimate impact on privacy law in Colorado would likely be broader than just the use of neurotechnologies.

HB-1058 works by adding a definition of "biological data" to the Colorado Privacy Act's definition of sensitive data. "Biological data" is broadly defined as "data generated by the technological processing, measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual's body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes" and explicitly includes "neural data."

This has the potential to create complications under the Colorado Privacy Act, as the existing law's regulations already define and create protections for both "biometric data" and "biometric identifiers". At the same time, another proposed amendment to the Colorado Privacy Act (HB-1130) would add additional Illinois BIPA-style rights and protections with respect to both "biometric identifiers" and "biometric data." HB-1130 has passed the Colorado House on a 56-3 vote and is currently awaiting a new round of amendments from the Senate sponsors.

For more on the topic, tune in to an April 16th California Judiciary Committee hearing on SB 1223, which would add a similar definition of "neural data" to the CCPA's definition of sensitive personal information, though without nesting it in a new definition of "biological data."

5. Kentucky Enacts Comprehensive Privacy Law

On April 4, Governor Beshear signed the aptly-numbered HB 15 into law, making Kentucky the 15th state to enact comprehensive consumer privacy legislation. As previously covered, HB 15 is essentially the Virginia Consumer Data Protection Act with a broader, 'Connecticut-style' definition of biometric data.

Our state privacy patchwork quilt has been updated accordingly:

As always, thanks for stopping by.


Keir Lamont is the Director for U.S. Legislation at the Future of Privacy Forum

Jeff Jockisch

Data Privacy Researcher | Partner @ ObscureIQ | Co-host of YBYR

7 months

May have to move to Colorado if they'll protect my neural data

Let’s go, Maryland! Cheering for my home state. Great to see you this week, Keir Lamont
