U.S. Privacy Legislation: More States Put Laws on the Books
Publication | 05.14.24
State privacy law developments continued on a trajectory similar to previous years, marked by a legislative focus on data privacy issues. At the beginning of the 2023 legislative session, five states (California, Colorado, Virginia, Utah, and Connecticut) had passed comprehensive privacy laws, all of which are now effective and enforceable.
By the end of 2023, seven additional states passed privacy legislation (Delaware, Indiana, Iowa, Texas, Montana, Oregon, and Tennessee). While the substance of each law varies, they share a common trend of following the broad terminology and structure set by the Colorado Privacy Act rather than the California Consumer Privacy Act—as amended by the California Privacy Rights Act (collectively the CCPA). For example, these laws use the GDPR language of controller/processor rather than the business/service provider distinction found within the CCPA.
At the federal level, while legislators continue to demonstrate an interest in creating a federal privacy framework, comprehensive privacy bills introduced in 2023 gained very little traction. Though both the Data Care Act of 2023 and the Online Privacy Act of 2023 were comprehensive privacy bills, neither received the level of publicity and support seen in 2022 when the American Data Privacy and Protection Act was introduced.
Regulatory Updates
Other notable privacy developments in 2023 included the finalization of the new CCPA regulations from the California Privacy Protection Agency (CPPA) and the Colorado Privacy Act rules from the Colorado Attorney General. Originally intended to be effective on July 1, 2023, the implementation of the new CCPA regulations was pushed back to March 29, 2024, due to a delay in releasing the finalized version. The new regulations provided guidance on obligations such as:
- Required disclosures to consumers;
- Business practices for handling consumer requests;
- Obligations regarding service providers, contractors, and third parties;
- Request verification;
- Rules regarding children’s data;
- Non-discrimination obligations;
- Training and record keeping; and
- Investigations and enforcement.
However, one area was notably absent from the regulations: guidance on risk assessments and automated decision-making technology. Instead, the CPPA released draft regulations on these issues separately in September 2023 and November 2023.
As previously noted, the Colorado Attorney General also finalized its rules for the Colorado Privacy Act. The Colorado Privacy Act rules provide guidance on items such as:
- Required disclosures;
- Document retention schedule obligations;
- Purpose specification and secondary data use;
- Sensitive personal data;
- The definitions of biometric data and biometric identifiers;
- User consent;
- Data protection assessment obligations;
- Providing the right to opt out (including universal opt out mechanisms);
- Dark patterns; and
- Consumer rights.
*Former Crowell attorney Christiana State contributed to this article.