State Privacy Updates - 1/27

Welcome to The Patchwork Dispatch, a fortnightly (maybe) newsletter that brings you the top 5 recent developments in consumer privacy legislation, regulation, and enforcement across the U.S. states. The flood of privacy proposals continues unabated and our first crop of committee hearings is getting started. But as always, this newsletter will only ever bring you the most important developments as determined by our proprietary algorithm. Nevertheless, you can find me discussing the privacy landscape more broadly in recent quotes to the Washington Post and an appearance on the Privacy Beat podcast. Alright, enough self-promotion, on to the updates!

1. Iowa Bill Passes House Subcommittee

Iowa's Consumer Data Protection Act HSB 12 / SSB 1071 became the first bill of the year to clear a legislative hurdle when it passed a through a House Economic Growth & Technology Subcommittee by a 3-0 vote on January 23rd. This bill is most closely aligned with the Utah Consumer Privacy Act, and as such it is easiest to describe by the rights and protections that it lacks. For example, the proposal contains is no right to correct personal information, no obligation to conduct risk assessments, no opt-in consent requirement to process sensitive data, and no right to opt-out of significant profiling decisions. In 2022, a prior version of this proposal passed the Iowa State House by an overwhelming 91-2 vote, so this is definitely legislation to watch.

2. Bipartisan, Bicameral Comprehensive Privacy Bill Introduced in New Hampshire

On January 19, SB 255 was introduced in New Hampshire. By virtue of being a new proposal and having both Republican and Democratic co-sponsors in the State Senate and House, this bill instantly rocketed up our watchlist. Substantively, this proposal very closely mirrors the Connecticut Privacy Act, but contains some key differences. In what would be a first for comprehensive U.S. privacy law, the proposal does not exempt small businesses from its scope of coverage. Furthermore, SB 255 contains no sunset on its right to cure. Finally, the bill's exemption for pseudonymous data extends to consumer opt-out rights (sales, targeted advertising, and certain profiling decisions).

3. Massachusetts Bill Bonanza

Three distinct comprehensive privacy proposals have been introduced in Massachusetts so far this year. First, the Massachusetts Data Privacy Protection Act which closely follows last year's federal privacy proposal, the ADPPA, with additional provisions to curtail "workplace surveillance". This proposal is the first clear evidence of recent Congressional activity on privacy legislation having a direct impact in the states, and we will be watching closely to see if this represents the start of a new trend. Second, the Internet Bill of Rights, which appears to be an effort to directly transpose Europe's General Data Protection Regulation (GDPR) into U.S. law.

However, in our view, the proposal to watch is the Massachusetts Information Privacy and Security Act (MIPSA) which adopts the GDPR's 'lawful basis for processing' model while incorporating elements from the California, Virginia, and Colorado privacy statutes as well as Ohio's data breach safeharbor. MIPSA's sponsor, Senator Finegold, chairs the Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity, which moved a version of this bill in last year's session.

4. Indiana Comprehensive Bill Amended and Advances

On January 26, Indiana's SB 5 passed the Senate Commerce and Technology Committee by an 11-0 vote. While this bill is essentially the Virginia Consumer Data Protection Act (VCDPA), the Committee adopted a significant amendment to add a sunset to the proposal's right to cure. In a major development, a representative from the State Attorney General's office testified at the hearing, offering 'strong support' for the proposal. An earlier version of this legislation passed the Indiana Senate by a 49-0 vote in 2022 and conditions appear to be aligning for the bill's supporters to make a serious run at pushing SB 5 over the finish line in the coming months.

5. Governor's VCDPA Amendment Stumbles in Committee

As first reported by Bailey Sanchez, a proposal to amend the VCDPA (SB 1026) to add verifiable parental consent requirements for adolescents up to age 18 was “passed by indefinitely” on a 9-6 vote (an unfavorable outcome) in a January 25 hearing in the Senate General Laws and Technology Committee. Notably, the legislation was supported by representatives from both the Virginia Governor and Attorney General's offices, giving us a first glimpse of how the Virginia Executive Branch is responding to the VCDPA since it went into effect in January. We will watch to see whether the bill’s companion, HB 1688 fares better in Virginia’s Republican-majority House.

I'd like to wish a merry Data Privacy Day to all who celebrate and, as always, thanks for stopping by.