Five Big Questions (and Zero Predictions) for the U.S. State Privacy Landscape in 2023
Entering 2023, the United States remains one of the only global economic powers that lacks a comprehensive, national framework governing the collection and use of consumer data throughout the economy. Congress made unprecedented progress toward enacting baseline privacy legislation in 2022. However, the apparent impasse in the efforts to move H.R. 8152, the American Data Privacy and Protection Act (“ADPPA”), over the finish line is likely to re-center the states as the locus of continued legislative activity on consumer privacy. Stakeholders are eager to learn which (if any) states will establish new privacy rights and protections in the coming year, but it remains too early in the legislative cycle to make predictions with any confidence. So instead, this post explores five big questions about the state privacy landscape that will determine whether 2023 emerges as a pivotal year for the protection of consumer data in the United States.
1. Will any state raise the bar for comprehensive privacy protections?
In four of the past five years, a new high-water mark for American privacy protections has been set through the enactment of comprehensive legislation at the state level. In 2018, the California Consumer Privacy Act (CCPA) emerged as the nation’s first comprehensive consumer privacy law. The 2020 California Privacy Rights Act (CPRA) ballot initiative expanded California’s privacy regime, establishing heightened protections for certain sensitive personal information and providing a right to correct inaccurate data. In 2021, Virginia (VCDPA) and Colorado (CPA) enacted laws that are notable for creating ‘opt-in’ affirmative consent requirements in addition to California-style ‘opt-out’ privacy rights. Finally, in 2022, Connecticut (CACPDPOM) adopted a privacy law that improved upon prior models by creating clear protections for facial recognition data and an explicit right to revoke consent.
Will any state continue this trend by enacting a privacy law that establishes new or stronger privacy rights and protections for its citizens in the coming year? As industry groups become increasingly insistent about the dangers of a ‘patchwork’ of divergent state privacy laws raising compliance costs for businesses, it is possible that policymakers will be reluctant to explore new approaches to privacy protection and will instead advance legislation that ‘paints inside the lines’ of the five established laws.
In considering the forthcoming state privacy landscape, one of the best places to start is with the jurisdictions that came closest to adopting new privacy laws over the past year. In 2022, five states saw privacy legislation clear one chamber of their legislature: Florida (HB 9), Indiana (SB 358), Iowa (HF 2506), Oklahoma (HB 2969), and Wisconsin (AB 957). Of these, the Midwestern proposals (Indiana, Iowa, and Wisconsin) would not have meaningfully expanded privacy rights, protections, or compliance obligations beyond what is already on the books in other states (though they would have established some important privacy rights and protections for their residents).
Alternatively, last year’s bills from Oklahoma and Florida would have significantly reshaped privacy compliance programs for covered entities. Oklahoma’s Computer Data Privacy Act includes more rigorous consent requirements than any comparable state or national law, while Florida’s proposal would have required companies to adhere to strict data retention schedules and provided for enforcement mechanisms that are absent in other state laws, including a private right of action. However, there are reasons to suspect the window of opportunity for each bill may have closed. In Oklahoma, the bill’s most prominent backer, Democratic Rep. Collin Walke, has retired. As for Florida, reports indicate that the bill’s sponsor believes that leadership changes make it unlikely that the state will prioritize privacy legislation in the coming years.
Although no state appears to have an existing privacy framework with a demonstrated record of support at the ready to move next year, history has also shown that under the right political conditions novel privacy legislation can rapidly advance in a single legislative session. Potential candidates for similar progress in 2023 include Oregon, where an Attorney General-led multi-stakeholder task force has spent months gearing up to advance a comprehensive consumer privacy bill next legislative cycle. In New York, a set of end-of-session amendments to the 2022 version of the New York Privacy Act (S6701) brought the proposal structurally closer to existing privacy laws, suggesting this legislation could see renewed momentum in the coming year. It is also worth remembering that despite privacy’s emergence as a bipartisan issue, the only states to enact comprehensive privacy legislation to date have had the same party in power in both legislative chambers and the governor’s mansion. It will therefore be worth watching four states that have previously considered privacy legislation and emerged from the November elections with newly formed Democratic Party trifectas in government: Maryland (SB 11), Massachusetts (H 4514), Michigan (SB 1182 & HB 5989), and Minnesota (HF 1492 (2021)).
2. Will there be an ‘ADPPA Effect’?
In 2022, the American Data Privacy and Protection Act (ADPPA) advanced through the House Energy and Commerce Committee by an overwhelmingly bipartisan 53-2 vote. ADPPA appears unlikely to be enacted this Congress as the bill’s backers were unable to secure the support of either Senate Commerce Chair Cantwell or outgoing Speaker Pelosi. Nevertheless, the introduction, enthusiasm, and momentum behind ADPPA represented a seismic event for the U.S. privacy landscape and may exert significant influence on state lawmakers in the coming years.
There are two (potentially competing) theories for how ADPPA’s emergence may impact state governments considering privacy legislation. First, in introducing state privacy legislation, lawmakers have routinely asserted that they are acting in the absence of Congressional action and that they would prefer to see a unified, federal approach to the protection of consumer privacy. As a result, demonstrated bipartisan cooperation on ADPPA and the potential for further progress in the next Congress may make consumer privacy a less salient issue in state legislatures.
On the other hand, it is also possible that ADPPA will substantially drive the content of privacy bills that will be considered in 2023. The majority of state privacy proposals considered in recent years have been modeled on either the California or Washington Privacy Act legislative frameworks, both of which are rooted in the traditional, narrow privacy paradigm of ‘notice and choice.’ However, ADPPA’s framework is significantly stronger and broader than any enacted state law in rights and protections, scope, and enforcement mechanisms. For example, ADPPA would broadly cover businesses and nonprofits, establish strict data minimization requirements, create new civil rights protections, and provide for enforcement by a private right of action. The prominence of ADPPA and its record of bipartisan support make it a potential third model for state privacy legislation. There is already legislation in Michigan (SB 1182) that contains shades of ADPPA in its formulation of a private right of action. What, if any, additional language or concepts from ADPPA will gain traction at the state level?
3. Have we entered the Age of the Age-Appropriate Design Code?
While ‘comprehensive’ privacy laws and proposals continue to capture the bulk of the privacy commentariat’s attention, it is likely that the most significant U.S. consumer privacy development in 2022 was not ‘comprehensive,’ but ‘sectoral’ in nature. On September 15, California Governor Newsom signed the Age-Appropriate Design Code (AB 2273) into law. The AADC is a far-reaching children’s online safety, design, and privacy statute that is loosely modeled on an existing UK code of practice. Come 2024, the AADC will govern online services likely to be accessed by Californian users under 18 years of age and create significant new obligations. Notably, the law could also run contrary to traditional privacy interests and priorities, as it contains age-estimation requirements that will likely cause many companies to collect additional personal information on all their users. California’s AADC has been divisive – lauded by some and criticized as unworkable or unconstitutional by others. But most careful readers agree that the statute leaves many key terms undefined or vague; future rulemaking or other work to bring clarity is likely.
The ‘California effect’, where activity in California is seen to catalyze others to mimicry, is well documented in the privacy context. This means that a key question for consumer privacy in the coming years is whether other states will follow California’s lead and begin to enact their own age-appropriate design laws. Supporters of the AADC certainly intend for it to serve as a model for adoption in additional jurisdictions. However, as with breach notification statutes and comprehensive privacy laws, should other states consider and enact age-appropriate design legislation, there is no guarantee that they will follow neatly in the footsteps of California.
One AADC-style proposal that has already been introduced, the New York Child Data Privacy and Protection Act (S9563), would impose significant new obligations beyond California’s AADC. Perhaps most notably, S9563 would severely limit product development by requiring a risk assessment to be completed for any new online feature of a service targeted toward children, to be reviewed and approved by the Attorney General’s Office before such feature can be made available to the public. The California AADC also contains a broad grant of rulemaking authority, meaning that even if other states adopt identical laws, the contours of the AADC’s rights and responsibilities may continue to shift over the coming years. In sum, age-appropriate design legislation has the potential to dramatically alter online experiences for all users in the coming years; however, the ultimate impact of such frameworks is likely to come into greater focus over the coming months.
4. Will state legislatures prioritize protections for health and location data?
In June, the Supreme Court’s decision in Dobbs v. Jackson Women’s Health overturned decades of precedent to hold that the U.S. Constitution does not confer a right to receive an abortion. Following this decision, dozens of states took rapid action to either criminalize or shore up protections for receiving or providing reproductive health services. For example, California enacted AB-1242, which seeks to prohibit electronic communications providers from complying with out-of-state law enforcement inquiries relating to the investigation or enforcement of laws prohibiting abortion. However, there are indications that come 2023, some Democratic state lawmakers will pursue a new legislative response by regulating the collection, processing, and transfer of health and location data by businesses.
In New York, SB 9599 would impose strict consent requirements on companies that collect or sell personal health information for data processing, geofencing, or data brokering. The Washington State Attorney General’s office has announced that it will support similar legislation, the Consumer Health Data Privacy Act, in the coming year. Stakeholders will be watching closely to learn whether these legislative efforts converge around a shared approach to key definitions, rights, and business obligations, or move forward with diverging health privacy frameworks.
5. How effective will the laws taking effect be?
No matter what happens in state legislatures this year, 2023 will hold the distinction as the year in which the new era of state privacy laws takes effect. On January 1st, California’s revised regime and Virginia’s law will become operational, followed by the Colorado and Connecticut statutes on July 1st, with Utah’s statute bringing up the rear with a December 31st effective date. In the impending shift from theory to practice, how will both public and policymaker perceptions of these various laws change?
While privacy professionals have spent years debating and preparing for these impending state laws, 2023 will mark the first time that many U.S. consumers will be legally entitled to exercise new privacy rights over the businesses that collect and share their personal information. Depending on the public perception (both immediate and over time) of these new state privacy laws, legislative efforts in other jurisdictions could be impacted in a variety of ways. For example, successful rollouts of the new state laws could prompt lawmakers in other jurisdictions to move forward on similar bills, seizing upon a popular issue. On the other hand, if the new laws kick off with a whimper, lawmaker appetite to take up consumer privacy issues might wane. If these laws take effect and consumers face difficulty in exercising their rights (as Consumer Reports argues occurred following the enactment of the CCPA), perhaps lawmakers will consider statutes with stronger enforcement mechanisms and larger penalties in order to compel compliance. Alternatively, lawmakers may also consider establishing longer ‘on-ramps’ to compliance (particularly for small businesses) or seek to draft more explicit, self-executing statutory obligations.
This commentary has noted several privacy proposals already under serious consideration for the 2023 legislative calendar (particularly in New York, where many bills have already been introduced). These bills and efforts should be regarded as only the narrow, visible tip of the iceberg; lawmakers and stakeholders across the country are likely already at work on new proposals that will not be officially introduced until legislative sessions formally convene. This article has posed many questions but can offer only one clear forecast: a turbulent and exciting year in the efforts to advance and secure new consumer data privacy rights and protections is on the horizon. Be sure to follow the Future of Privacy Forum for help tracking emerging trends and key developments throughout the year.