Keypoint: Last week the Connecticut legislature passed Senator Maroney’s consumer health data / children’s privacy bill.
Below is the twenty-first weekly update on the status of proposed state privacy legislation in 2023. Before we get to our update, we wanted to provide two reminders.
First, we are regularly updating our 2023 State Privacy Law Tracker, 2023 State Children’s Privacy Law Tracker, and 2023 State Biometric Privacy Law Tracker. We encourage you to bookmark the pages for easy reference.
Second, the contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn and/or Twitter.
Table of Contents
- What’s New?
- Upcoming Hearings
- Consumer Data Privacy Bills
- Biometric Privacy Bills
- Children’s Privacy Bills
- Data Broker Bills
- Health Data Privacy Bills
- Automated Employment Decision Tools Bills
- Algorithmic Discrimination Bills
1. What’s New?
The big news last week was the Connecticut legislature passing Senator James Maroney’s SB 3, which creates new data privacy rights for consumer health data and children’s personal data.
Sections 1-6 of the Act amend last year’s Connecticut Data Privacy Act (CTDPA) to create new protections for consumer health data. Among other things, the Act prohibits persons from (1) providing employees or contractors with consumer health data unless they are subject to a contractual or statutory duty of confidentiality, (2) using geofences within 1,750 feet of a mental health facility or reproductive or sexual health facility under certain circumstances, and (3) selling, or offering to sell, consumer health data without first obtaining consumer consent. The Act also adds consumer health data as a category of sensitive data under the CTDPA, thereby requiring controllers to obtain consent for the collection of same. Of note, consumer health data is defined much more narrowly than in the Washington My Health My Data Act.
Sections 8-13 of the Act create new obligations for the processing of personal data of children under 18 years of age (“minors”). The obligations apply to controllers that offer any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors. Section 9 creates a duty for controllers to use reasonable care to avoid any heightened risk of harm to minors caused by the online service, product or feature.
Section 9 also restricts the ways in which controllers can collect and use a minor’s personal data. Among other things, controllers cannot (absent consent) (1) engage in targeted advertising or the sale of a minor’s personal data, (2) collect a minor’s personal data unless necessary to provide the service, product or feature, (3) retain the data for longer than is necessary to provide the service, product or feature, and (4) use the personal data for an incompatible processing purpose. Controllers also cannot use a system design feature to significantly increase or extend a minor’s use of the service, product, or feature.
Section 10 requires controllers to conduct data protection assessments to identify any heightened risk of harm to minors that is a reasonably foreseeable result of offering the online service, product or feature to minors. If a controller identifies such risk of harm, it must establish and implement a plan to mitigate or eliminate such risk.
The children’s privacy protections go into effect October 1, 2024. They are enforceable by the Connecticut Attorney General’s office. The office must provide a right to cure until December 31, 2025. The bill will next move to the Governor for signature.
In consumer data privacy bill news, a work session was held on Oregon SB 619 while the Oklahoma legislature closed without passing HB 1030.
In children’s privacy bill news, the Louisiana House Appropriations Committee passed SB 162 by an 18-0 vote. The bill, which is a children’s social media bill, previously passed the Senate. The Louisiana legislature closes June 8.
In data broker bill news, the California Senate passed SB 362 – the California Deletion Act – by a 32-8 vote. The bill is now with the Assembly. Meanwhile, in Oregon, a work session was held on HB 2052.
2. Upcoming Hearings
June 7
Full committee work session on New Hampshire SB 255 (consumer data privacy)
3. Consumer Data Privacy Bills
The below states are considering consumer data privacy bills. These bills are also tracked on our 2023 State Privacy Law Tracker.
Delaware
Delaware lawmakers introduced HB 154 on May 12, 2023. The House Committee on Technology and Telecommunications reported out the bill on May 16, 2023. It is now assigned to the House Appropriations Committee.
Florida
The Florida legislature passed SB 262 on May 4, 2023.
Hawaii
The Hawaii legislature closed without passing SB 974, SB 1110, and HB 1497.
Illinois
The Illinois legislature closed without passing HB 1381, SB 1365, and HB 3385.
Indiana
On May 1, 2023, Indiana Governor Eric Holcomb signed SB 5 into law, making Indiana the seventh state to pass comprehensive consumer data privacy legislation.
Iowa
On March 28, Iowa Governor Kim Reynolds signed SF 262 into law, making Iowa the sixth state to pass comprehensive consumer data privacy legislation.
Kentucky
The Kentucky legislature closed without passing a bill.
Louisiana
Louisiana is considering SB 199. The bill is sponsored by Representative Daryl Deshotel, who sponsored HB 987 in 2022. On April 10, 2023, the bill was referred to the Senate Committee on Commerce, Consumer Protection and International Affairs.
Maine
State lawmakers are considering LD 1973 and LD 1977.
Maryland
The Maryland legislature closed without passing SB 0698 and HB 0807.
Massachusetts
Massachusetts lawmakers introduced three competing bills.
First, on January 18 and 19, 2023, the Massachusetts Data Privacy Protection Act (MDPPA) was filed in both the Senate (SD 745) by Senator Cynthia Stone Creem and in the House (HD2281) by Representatives Andres Vargas and David Rogers. That bill is based on the federal American Data Privacy Protection Act with additional provisions relating to workplace surveillance.
Second, on January 20, 2023, the Massachusetts Information Privacy and Security Act (MIPSA) was introduced in both the Senate (SD1971) by Senator Barry Finegold and in the House (HD 3263) by Representative Daniel Carey.
Third, Representative Russell Holmes introduced HD 3245 – the Internet Bill of Rights.
Minnesota
The Minnesota legislature closed without passing SF 950, HF 1892, HF 1367, HF 2309, and SF 2915.
Mississippi
The Mississippi legislature closed without passing SB 2080.
Montana
On May 22, Montana Governor Greg Gianforte signed SB 384 into law, making Montana the ninth state to pass comprehensive consumer data privacy legislation.
New Hampshire
On January 19, 2023, a bipartisan and bicameral group of lawmakers led by Senator Sharon Carson introduced SB 255. On March 16, 2023, an amended version of the bill passed the Senate.
New Jersey
On February 2, 2023, the Senate voted 27-11 to pass S332. The bill is narrow, perhaps most similar to the Nevada Online Privacy Protection Act. An amended version of the bill was reported out of the Assembly Science, Innovation and Technology Committee on May 11, 2023. The same committee also reported out a companion bill A1971. A505 remains in committee. It also is not as broad as the other bills discussed in this section. On March 13, 2023, Senator Gopal introduced S3714, which is a companion bill to A505.
New York
On January 4, 2023, Democrat Senator Kevin Thomas introduced S365. The bill was referred to the Consumer Protection Committee, which passed the bill by a 4-1 vote. On May 18, 2023, the bill was amended and recommitted to the Internet and Technology Committee, which voted out the bill on May 22, 2023. A companion bill was introduced in the Assembly (A7423) and voted out of the Assembly Consumer Affairs and Protection Committee.
On January 9, 2023, lawmakers also introduced A417, which would create consumer rights around access to and transfers of personal information. The bill was referred to the Consumer Affairs and Protection Committee.
On January 17, 2023, a group of lawmakers introduced the Online Consumer Protection Act (A1366). The bill was referred to the Consumer Affairs and Protection Committee.
On January 19, 2023, Senator Brian Kavanagh introduced the Digital Fairness Act (SB2277). The bill was referred to the Internet and Technology Committee. Both of the bills were filed in 2022.
On January 26, 2023, Assemblymember Vanel introduced the New York Data Protection Act (A 2587). The bill was referred to the Government Operations committee.
On January 30, 2023, Senator Hoylman-Sigal introduced S3162, which is a narrow bill. The bill was referred to the Consumer Protection Committee. A companion house bill also was filed under bill number A 4374.
On March 8, 2023, Senator Comrie introduced the It’s Your Data Act (S5555). The bill was referred to the Codes Committee.
On April 3, 2023, Assemblymember Solages introduced A6319, which is based on the federal American Data Privacy and Protection Act.
North Carolina
Lawmakers introduced SB 525 on April 4, 2023. The bill was referred to the Senate Committee on Rules and Operations.
Oklahoma
The Oklahoma legislature closed without passing HB 1030.
Oregon
Democrat Senator Floyd Prozanski and Democrat Representative Paul Holvey introduced SB 619 at the request of Attorney General Ellen Rosenblum. The Attorney General’s office convened a work group over the summer and fall to work on the bill. On March 7, the Senate Judiciary Committee held a public hearing on an amended version of the bill. A work group session was held on April 3, 2023. On April 12, 2023, the bill was referred to the Ways and Means Committee. A work session was held on May 24, 2023, after which the bill was returned to the full committee, which held a work session on May 31, 2023.
Pennsylvania
Pennsylvania is considering HB 708. The bill is sponsored by Representative Malcolm Kenyatta, who sponsored HB 2257 in 2022.
Rhode Island
Lawmakers filed H 5354 on February 3, 2023. The bill was referred to the House Innovation, Internet & Technology Committee, which recommended that the bills be held for further study.
On March 23, a group of Senators introduced SB 754. The bill was referred to the Senate Commerce committee. On May 2, 2023, the committee recommended that the measure be held for further study.
A companion bill was filed in the House (HB 6236). On April 4, 2023, the House Innovation, Internet & Technology Committee held a hearing on HB 6236. The Committee recommended that the bill be held for further study.
Tennessee
Governor Bill Lee signed HB 1181 on May 11, 2023, making Tennessee the eighth state to pass comprehensive consumer data privacy legislation.
Texas
The Texas legislature passed Representative Capriglione’s Texas Data Privacy and Security Act (HB 4) on May 28, 2023.
Vermont
The Vermont legislature closed without passing H.121.
Washington
The Washington legislature closed without passing HB 1616.
West Virginia
The West Virginia legislature closed without passing HB 3498 and HB 3453.
4. Biometric Privacy Bills
The following states are considering BIPA-like biometric information privacy bills. The bills are also tracked on our 2023 State Biometric Privacy Law Tracker.
Arizona
The Arizona legislature is in recess. It has been considering SB1238.
Hawaii
The Hawaii legislature closed without passing SB 1085.
Kentucky
The Kentucky legislature closed without passing HB 483.
Maine
The Maine Judiciary Committee held a work session on LB1705 on May 25, 2023. The bill was not reported out.
Maryland
The Maryland legislature closed without passing HB 33 and SB0169.
Massachusetts
Representative Fernandes introduced H.63 and Senator Montigny introduced S.195. On April 6, 2023, S.195 was discharged to the committee on Advanced Information Technology, the Internet and Cybersecurity.
Mississippi
The Mississippi legislature closed without passing HB 467.
Missouri
The Missouri legislature closed without passing HB 1047.
Minnesota
The Minnesota legislature closed without passing SF 954 and HF 2532.
Nevada
A group of lawmakers introduced SB 370 on March 23, 2023. The bill was referred to the Commerce and Labor Committee. It passed the Senate on April 25. On May 26, 2023, the Assembly passed an amended version of the bill.
New York
On January 17, 2023, a group of New York lawmakers introduced the New York Biometric Privacy Act (A1362). The bill was referred to the Consumer Affairs and Protection Committee. On February 9, 2023, a companion bill (S4457) was cross-filed in the Senate and referred to the Consumer Protection Committee.
On January 20, 2023, Senator John Liu introduced S2390, which would prohibit private entities from using biometric data for any advertising, marketing or any other identified activities. The bill was referred to the Consumer Protection Committee.
Tennessee
The Tennessee legislature closed without passing SB 339 and HB 932.
Vermont
The Vermont legislature closed without passing H.121.
5. Children’s Privacy Bills
The following states are considering legislation to regulate children’s privacy. This list of bills is not intended to cover student data privacy bills. The bills are also tracked on our 2023 State Children’s Privacy Law Tracker.
Arkansas
The Arkansas legislature passed SB 396 (social media regulation) and the bill was signed by the Governor.
California
On February 2, 2023, Senator Skinner introduced SB 287. On June 1, 2023, the bill was ordered to the inactive file. On February 17, 2023, Senator Stern introduced the Let Parents Choose Protection Act of 2023 (SB 845). The bill did not make it out of committee. California lawmakers also were considering SB 764 – a social media regulation bill – that did not advance.
Connecticut
The Connecticut legislature unanimously passed SB 3 on June 3, 2023.
Florida
The Florida legislature closed without passing HB 591. However, children’s privacy protections were passed in SB 262.
Kansas
The Kansas legislature closed without passing SB22.
Illinois
The Illinois legislature closed without passing SB1739 and HB 3880.
Iowa
The Iowa legislature closed without passing HF 712.
Louisiana
The Louisiana Senate unanimously passed SB 162 on May 17, 2023. The House Appropriations Committee passed the bill 18-0 on June 2.
Maryland
The Maryland legislature closed without passing SB 844 and HB 901.
Massachusetts
Representative Rogers introduced HD 2325 (An Act Relative to Internet Privacy Rights for Children).
Minnesota
The Minnesota legislature closed without passing HF 1503, SF 2101, HF 2257, and SF 2810.
Nevada
A group of lawmakers introduced AB 320 – a bill modeled off the California Age-Appropriate Design Code Act. On April 15, the bill was marked as “no further action allowed.”
New Jersey
Democrat Assemblyman Conaway, Jr. introduced A4919 on December 5, 2022. The bill was referred to the Assembly Science, Innovation and Technology Committee. A companion bill (S3493) was introduced by Democrat Senator Vitale on January 19, 2023, and referred to the Law and Public Safety Committee. The bill appears to be based on the California Age-Appropriate Design Code law that passed in 2022.
Lawmakers also introduced A5069 and S3608, which prohibit social media platforms from using certain practices or features that cause child users to become addicted to the platform. On March 16, 2023, A5069 was referred to the Assembly Health Committee. On March 20, 2023, it was reported and referred to the Assembly Appropriations Committee.
On March 20, 2023, the Assembly Health Committee favorably reported A5069. The bill was referred to the Assembly Appropriations Committee.
New Mexico
The New Mexico legislature closed without passing SB 319.
New York
A group of lawmakers filed the New York Child Data Privacy and Protection Act (S3281) on January 30, 2023. The bill was referred to the Internet and Technology Committee. A companion bill was filed in the Assembly (A 4967). Lawmakers are also considering S6418.
North Carolina
The House Judiciary Committee favorably reported an amended version of HB 644 – the Social Media Algorithmic Control in Information Technology Act. The bill was re-referred to the House Appropriations Committee. The bill description states that it “combat[s] social media addiction by requiring that social media platforms respect the privacy of North Carolina users’ data and not use a North Carolina minor’s data for advertising or algorithmic recommendations.”
Lawmakers also are considering the Let Parents Choose Act / Sammy’s Law of 2023 (HB 773).
Oregon
Democrat Senator Chris Gorsek introduced SB196. The bill was referred to the Judiciary Committee. The bill appears to be based on the California Age-Appropriate Design Code law that passed in 2022.
South Carolina
Senator Verdin introduced S404, which would prohibit operators of internet-based applications from using automated decision systems to place content on social media platforms for users under the age of 18.
Texas
The Texas legislature passed HB 18 on May 28, 2023.
Utah
The Utah Governor signed SB 152 and HB 311 into law on March 23, 2023.
Virginia
The Virginia legislature closed without passing HB 1688 and SB 1026.
West Virginia
The West Virginia legislature closed without passing HB 2460 and HB 2964.
6. Data Broker Bills
The following states are considering bills that would regulate data brokers:
California
California lawmakers are considering SB 362 – the California Deletion Act. Among other things, the bill moves oversight for California’s data broker registry from the Attorney General to the California Privacy Protection Agency and requires the Agency to establish an accessible deletion mechanism that allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor. The bill was voted out of the Senate Judiciary Committee by a 9-2 vote on April 25, 2023. It was voted out of the Senate Appropriations Committee by a 5-2 vote on May 18, 2023, and ordered to a third reading on May 22, 2023. The Assembly passed the bill by a 32-8 vote on May 31, 2023.
New Jersey
Democrat Assemblyman William Moen, Jr. introduced A4811 on October 20, 2022. The bill was referred to the Assembly Science, Innovation and Technology Committee.
Democrat Assemblyman John McKeon introduced A5254 on February 28, 2023. The bill was referred to the Assembly Science, Innovation and Technology Committee.
On May 11, 2023, the two bills were combined and unanimously voted out of the Assembly Science, Innovation and Technology Committee.
Oregon
HB 2052 was introduced at the request of the Attorney General’s office. The Business and Labor Committee held a public hearing on January 18, 2023, and a work session on February 6. On February 13, 2023, the bill was referred to the Ways and Means Committee, which held a work session on May 30 and returned the bill to the full committee, which held a work session on June 2, 2023.
Texas
The Texas legislature passed SB 2105 on May 24, 2023.
Vermont
The Vermont legislature closed without passing H.121.
Washington
The Washington legislature closed without passing HB1799.
7. Health Data Privacy Bills
The following states are considering bills that would create new or additional privacy protections for health data processed by private entities:
Connecticut
The Connecticut legislature unanimously passed SB 3 on June 3, 2023.
Illinois
The Illinois legislature closed without passing SB1601 and HB 4093.
Maryland
The Maryland legislature closed without passing HB 995 and SB 790.
Massachusetts
Massachusetts lawmakers filed two health data privacy companion bills – SD 2118 and HD 3855.
Maine
Lawmakers are considering LD 1902. A work session was held on May 25, 2023, and the bill was not reported out.
Nevada
A group of lawmakers introduced SB 370 on March 23, 2023. The bill was referred to the Commerce and Labor Committee. It passed the Senate on April 25. On May 26, 2023, the Assembly passed an amended version of the bill.
New York
Senator Liz Krueger filed SB 158 on January 4, 2023. The bill was referred to the Senate Internet and Technology Committee. On May 16, 2023, the bill was amended on third reading. A companion bill was filed in the Assembly (A 4983).
Virginia
The Virginia legislature closed without passing HB 2219 and SB 1432.
Washington
The My Health My Data Act (HB 1155) was signed into law on April 27, 2023. You can find our analysis of the bill as it passed the House here and as it passed the legislature here.
8. Automated Employment Decision Tools Bills
The following states are considering bills that would regulate the use of automated employment decision tools. These bills are similar to New York City Local Law 144.
New Jersey
A group of assembly members introduced A4909 on December 5, 2022. On January 19, 2023, the Assembly Labor Committee favorably reported the bill by a vote of 8-1.
An identical bill was introduced in the Senate by Senator Andrew Zwicker under bill number S1926. That bill was referred to the Senate Labor Committee.
New York
Representative Latoya Joyner introduced A567 on January 9, 2023. The bill was referred to the Labor Committee. A companion bill (S5641) was introduced in the Senate on March 10, 2023, and referred to the Labor Committee.
Vermont
The Vermont legislature closed without passing H.114.
9. Algorithmic Discrimination Bills
These bills would protect against algorithmic discrimination and promote transparency.
California
The California legislature did not pass AB 331.
Minnesota
The Minnesota legislature closed without passing SF 1441.
Washington, DC
On February 2, 2023, councilmembers introduced the Stop Discrimination by Algorithms Act of 2023 (B25-0114). The bill was referred to the Committee on Business and Economic Development, and Committee on Judiciary and Public Safety. On February 10, 2023, a notice of intent to act was published in the District of Columbia register.