2023 Data Privacy

Download the 2023 Data Privacy Map

(Download the 2022 Map)

(Download the 2021 Map)

(Download the 2020 Map)


Delaware

HB154(Griffith) This bill mirrors Colorado but requires companies to provide consumers a list of
specific third parties data is shared with as opposed to categories.


Florida

SB262(Bradley) / HB1547(McFarland) This bill, the Florida Model, requires consent for the use of geolocation data as well as information obtained through the operation of a voice recognition features. Search engines are required to provide consumers with information on how their algorithms prioritizes or deprioritizes political partisanship or ideology. Controllers are required to have a privacy policy. The bill has deletion, correction, access rights and rights to opt out of sales and sharing. The bill also bars discrimination against consumers for exercising their privacy rights. The bill would be enforced solely by the Attorney General. The Senate Commerce and Tourism Committee passed a Committee Substitute by a vote of 9 to 0 on April 4. There is also a House Committee Substitute. The bill was reported favorably out of the House Commerce Committee on April 24. The Senate Version which resembles Virginia’s law and prohibits government officials from using their position to influence removal of social media content, passed the Senate by a vote of 39 to 0 on April 28. On May 4, the Florida legislature passed an amended version of the bill.


Hawaii

SB974 (Lee) / HB1497 (Saiki) This bill mirrors the Virginia model. This bill will have a hearing in the Senate Commerce Committee on February 10. The House Higher Education & Technology Committee amended the House version in a hearing on February 1. The Senate bill was reported favorably out of the Senate Commerce and Consumer Protection Committee with amendments by a vote of 4 to 1 on February 15. The Senate Ways and Means Committee with amendments suggested passage by a vote of 13 to 1. On March 7, the Senate version passed 23 to 1.

SB21 (Rhoads) — This bill would amend Hawaii’s Constitution to grant citizens an exclusive property right on data generated on networks like the internet.

SB1180 (Lee) This bill would require consent before internet browser history is sold and places limits on geolocation data.


Illinois

HB1381 (Bucker) / SB1365 (Halpin) The Right to Know Act would require companies to disclose information sharing practices and have a data protection safety plan in place. Violations would be enforceable by a private right of action.

HB3385 (Rashid) — This bill is the Massachusetts/ADPPA model.


Indiana

SB5 (Brown) — This bill effectively mirrors Virginia’s privacy model. The Senate Commerce Committee has reported favorably the bill with amendments. This bill passed the Senate 49 to 0. On April 5, the House Judiciary Committee recommended passages 9 to 0. On April 13, the Senate concurred with the House’s version by a vote of 47 to 0. The bill was signed into law by the Governor on May 1.

HB1554 (Jeter) This bill has many similarities to SB5 in Indiana although it raises the age of children up to 18, creates a consumer request portal maintained by the Attorney General, creates a “Do Not Sell” list, and places restrictions on obtaining data from data brokers. The bill would be exclusively enforced by the Attorney General. On April 11, the bill passed the House by a vote of 98 to 0.


Iowa

HSB12 (Committee on Economic Growth & Technology) / SSB1071 (Senate Technology Committee) — This House Study Bill effectively mirrors the Utah model. The bill passed Subcommittee on January 23 by a vote of 3 to 0. The bill was reported favorably out of the House Economic Growth and Technology Committee and now has a successor, HF346. The Senate bill was passed favorably out of the Technology Committee on February 13 by a vote of 12 to 0 and renumbered SF262. SF 262 has passed the Senate by a vote on 47 to 0 on March 6 and passed the House by a vote of 97 to 0 on March 15. The bill was signed into law on March 28. The final version does not require a right to opt out of targeted advertising. For this reason, it will be referred to as the Iowa model.


Kentucky

SB15 (Westerfield) [K] — The bill mirrors the Virginia bill and its predecessor bill in the 2022 session, but does not specifically provide opt-in requirements where data is used and has legal result, and instead regulates tracking. The bill differs because it provides restrictions around targeted advertising for those under 18 years of age. Although the Attorney General is the primary enforcer, the bill provides a private right of actionThis bill passed the Senate on March 15, by a vote of 32 to 2.


Louisiana

SB199 (Womack) This bill mirrors the Utah model.


Maine

SP807/LD1973(Keim)—This bill is the Maine model. It effectively follow Colorado’s approach but has an opt-in
consent requirement for data sales, targeted advertising, and profiling.

SP646 (Brakey) A constitutional amendment has been proposed for a “natural right to personal privacy.”

LD1977/HP1270 (O’Neil)—This bill is effectively the Massachusetts/ADPPA model.


Maryland

HB807 (Love) / SB698 (Augustine) This bill effectively mirrors Virginia’ law but does include restrictions around the sale of biometric data.


Massachusetts

S25 (Creem) / H83 (Vargas) The “Massachusetts Data Privacy Protection Act” effectively mirrors the American Data Privacy and Protection Act of the 117th Congress. As this is the first state to introduce this model, it will be known as the Massachusetts model.

H60 (Carey) / S227 (Finegold) The “Massachusetts Information Privacy and Security Act” would, among other things, restrict the processing of data to certain lawful basis, and would give consumers the right to opt out of data sales and targeted advertising. The bill also has portability and deletion rights for consumers. The bill would also prohibit discrimination based on an consumer exercising their privacy rights. The bill would require data broker registration. Companies would be prohibited from processing data in a discriminatory manner. Data breachers would be enforced by the Attorney General and a private right of action.


Minnesota

SF2915 (Westlin) / HF2309 (Elkins) — The “Minnesota Consumer Data Act” is effectively the Colorado model.

HF1367 (Noor) — This bill is effectively the CCPA with a private right of action.


Mississippi

SB 2080 (Turner-Ford) — This bill effectively mirrors the CCPA model. This bill died in Committee on January 31.


Montana

SB384 (Zolnikov) This bill is the same as the Virginia model. This bill passed the Senate by March 2 by a vote of 50 to 0. The Senate passed an amended version of the bill by a vote of 50 to 0. The House has also passed this version 96 to 0. The bill is more like Colorado now in that it has a universal opt-out mechanism but there is no rulemaking authority. Governor Gianforte signed the bill on May 19.

New Hampshire

SB255(Carson)—This bill is effectively the Virginia model. The Judiciary Committee has recommended passage.


New Jersey

A505 (Benson) [c] / S3714 (Gopal) The “New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)” would bar the processing of personal information unless there is an enumerated legitimate interest or there is opt-in consent. The bill also includes security requirements to access, correction, and transparency rights. Individuals also have the right to object to processing in certain circumstances. Consumers have the right to opt out of having decisions be made solely by automated decision making. The bill has a 72-hour data breach notification requirement. The Office of Data Protection and Responsible Use in the Division of Consumer Affairs in the Department of Law and Public Safety is responsible as a rule maker, clearinghouse, and enforcer of the Act.

A1971 (Mukherji) / S332 (Singleton) [c] — This bill is effectively a CCPA for online operators. This bill would require commercial internet website operators and online serves to provide transparency about the use, collection, and sharing of personal information. It also would require operators to honor opt out requests be provided in a manner chosen by the operator. The Senate Commerce Committee reported the bill favorably by a vote of 3 to 2 on June 9. The State recently released a reprint of the Senate version. On November 21, the Senate adopted a floor amendment by voice vote. The amendment would include publicly available data as personal information, among other things. On December 19, 2022, the Senate once again amended the bill by removing “job seekers” from the definition of consumer, as well as including third party trackers as operators. The Senate version passed the New Jersey Senate on February 2 by a vote of 27-11. The Assembly Science, Innovation, and Technology Committee on May 11th reported the bill favorably with amendments.


New York

S365 (Thomas) / A7423(Rozic) The New York Privacy Act” incorporates the amendments of the 2022 New York Privacy Act legislation. The bill would give consumers the right to notice, opt-in for data processing, access, portability, correction, and deletion. Consumers would also be given the right to appeal automated decision-making in financial services, housing, public accommodation, and insurance and health care services. The bill requires companies to honor universal opt out controls for the sale of personal information or targeted advertising. Consumers cannot be discriminated against for failure to opt in. The bill would be enforced by the Attorney General and private rights of action. Additionally, the bill imposes global opt out and impact assessments like the Colorado privacy law. On May 22, S365A was reported out of the Internet and Technology Committee. On May 23, the Assembly version was reported from the Consumer Affairs and Protection Committee.

S2277 (Kavanagh) / A3308 (Cruz) The “Digital Fairness Act” would require a short-form privacy notice and “freely given, specific, unambiguous opt-in consent” to process personal information and for any changes made to processing. The bill would bar refusal of service based on exercising privacy rights. It would require a duty of care based on adequate industry standards for things like storage and transmission. The bill would also require a written policy on technology like biometric retention, and would bar the activation of microphones and video devices without consent to obtain biometrics. The bill would also ban discrimination through data processing and targeted advertising, as well as require automated decision making impact assessments. The bill would be enforced by a private right of action.

S3163 (Hoylman) — The “Right to Know Act” would provide consumers with the ability to request information on how companies collect, use, and share personal information.

S3162 (Hoylman) — This bill effectively mirrors CCPA.

S4940 (Parker) — This bill would amend New York’s Constitution to create a right to privacy.

A4374 (Gunter) — This bill would give consumers both the right to know categories of data processed by companies and to opt out of data sales. Consumers would be able to use a private right of action to sue for damages.

S5555 (Comrie) — The “It’s Your Data Act” provides transparency, access rights, and requires opt-in consent to collect or share personal information. The bill would be enforced by the Attorney General, district attorneys, and city corporate counsel. The Attorney General would have rulemaking authority.

S5662 (Gounardes) — The “Data Economy Labor Compensation and Accountability Act” creates an Office of Consumer Data Protection governed by a seven-member board. The is empowered to promulgate any rules necessary for consumer data protection. Controllers and processors would be required to register with the State.

A6319 (Solages) — This bill is the Massachusetts model and effectively copies the “American Data Privacy and Protection Act.”


North Carolina

S525 (Salvador) — The “North Carolina Consumer Privacy Act” is a slimmed down version of the Virginia legislation. It requires a privacy policy as well as consumer rights to access, deletion, and opt out of targeted advertising. Consumers are required to be given notice of processing of sensitive data and the ability to opt out. Discrimination based on the exercising of privacy rights is prohibited. The Attorney General has exclusive authority to enforce.


Oklahoma

HB1030 (West) [Ok] The “Oklahoma Computer Data Privacy Act” draws upon several requirements of the California Consumer Privacy Act by giving consumers transparency and deletion rights, as well as the ability to opt out of data sales. However, the Oklahoma bill would require a strict opt in for all personal information collection and sales at enactment on January 1, 2024. The bill would be enforced by the Attorney General. The House Modernization and Technology Committee recommended passage. This bill passed the House by a vote of 84 to 11 on March 8.


Oregon

SB 619 (Prozanski) This bill is sponsored by the Attorney General and mirrors Virginia’s model in many ways, but with two key changes. The bill would require consent for data processing on individuals, that a company has actual or constructive knowledge of, is between the ages of 13 and 15. There is also a similar constructive knowledge standard for sensitive data for children under 13. The bill is enforced by a private right of action. The Senate Judiciary has recommended passaged with amendments.


Pennsylvania

HB708 (Kenyatta) This bill mirrors the Virginia model.

HB1201 (Neilson)The “Consumer Data Protection Act” mirrors the Colorado model.


Rhode Island

H5475 (McNamara) — The “Rhode Island Personal Data and Online Privacy Protection Act” follows the Colorado model.

H5354 (Shanley) — The “Rhode Island Data Transparency and Privacy Protection Act” would require online operators to make their data sharing practices transparent. The House Innovation Internet and Technology Committee recommended the bill be held for further study.

H6236 (Shanley) / S754 (DiPalma) — The “Rhode Island Data Transparency and Privacy Protection Act” mirrors the Virginia law, but also requires opt-in consent for processing of data for targeted advertising and sales. There is no private right of action. The House Innovation, Internet and Technology Committee recommended the bill be held for further study.


Tennessee

SB73 (Watson) / HB1181 (Garrett) — The “Tennessee Information Protection Act” mirrors Virginia and Utah’s privacy laws, but has some differences. It would give consumers access to correction, deletion, portability rights, and the right to opt out of data sales. Companies would be required to limit collection to what is reasonably related to the purpose for which data is processed. It would also require opt-in consent for sensitive data. Unlike Virginia, the bill would not require opting out for targeted advertising or profiling (with a legal result); it would require impact assessments. The bill would be solely enforced by the Attorney General but unlike Virginia and Utah, it would require companies to maintain a privacy program compliant with the NIST privacy framework. Like Ohio’s bill in 2022, compliance with the NIST framework could be used as an affirmative defense. On March 21, the Senate Commerce Committee recommended passages by a vote of 9 to 0 and is now on the Senate calendar. The House passed an amended version that effectively is the Virginia law with the NIST voluntary defense framework on April 10 by a vote of 90 to 0. The Senate has passed by a vote of 29 to 0. The bill was signed into law on May 11 by Governor Lee.


Texas

HB1844 (Capriglione) This bill is based on Virginia’s legislation but has several differences. The bill would expand the definition of personal data to include pseudonymous information and would apply to most businesses in Texas, other than those defined by the Small Business Administration as small businesses. Additionally, the bill makes changes regarding COPPA compliance, clarifies which data is required to be portable, and like CCPA, requires companies to have two methods for submitting requests. This bill is now HB4. The House Business & Industry Committee held a public hearing on March 13. On March 20, the Business & Industry Committee approved a substitute and the bill is now on the House floor schedule. This bill passed the Texas House on April 5 by a vote of 146 to 0. The substitute passed the Senate 30 to 0 on May 10 with amendments to extend the expiration to defense of liability. The bill is currently in conference. The Texas House gave final passage to a conference approved final version by a vote of 144 to 0 on May 28. The bill was sent to Governor Abbott’s desk on May 30. HB4 now more closely resembles Colorado’s law with the inclusion of universal opt-out but it differs in terms of lacking rulemaking authority as well as the definitions of “targeted advertising” and small businesses.

HB4854 (Fischer) This bill would enable the Attorney General to make rules regarding consumer access, portability, and deletion rights.


Vermont

H121 (Marcotte) — This bill would require “data collectors” to minimize the use, retention, collection, and sharing of personal information.  The bill would also define a “Data broker” as a business, unit or units of a business (18 separately or together), that knowingly collects and sells licenses to third 19 parties the brokered personal information of a consumer with whom the 20 business does not have a direct relationship.

This bill would give broad rulemaking authority on personal information regulation to the Attorney General. Data collectors or brokers would be required to honor universal opt out requests for targeted advertising, predictive analytics, tracking, or the sale of personal information. The bill would also require data breach notices for data brokers. Data brokers would be required to register.  Individuals would also be able to request data brokers to stop collecting their data, delete their data, and/ or stop selling their data. The bill also has specific regulations around biometrics. The Attorney General is the sole enforcer.


Washington

SB5643 (Hasagawa) / HB1616 (Kloba) — This bill has very low thresholds for covered entities. It would only apply to companies that have $10 million in annual revenue through at least 300 transactions OR those that have the data of 1,000 or more individuals. The bill would also give consumers transparency, access, opt-out for “nonessential” data processing, correction, and deletion rights. Notice requirements include a long- and short-form privacy notice which include how data is monetized, among other things.

The bill effectively follows an opt-in consent model for “captured data.” Companies may not discriminate against individuals for exercising their opt-in consent rights. The bill would require companies to follow industry standard cybersecurity practices. Covered entities are prohibited from disclosing “captured personal information” to third parties unless there is a contract with third parties who have the same obligations as a covered entity. Covered entities are forbidden from activating devices like microphones, cameras, or sensors without notice and opt-in consent.

The bill would also bar processing data, targeted advertising, using facial recognition, or Artificial Intelligence to discriminate against protected classes in employment, insurance, finance, healthcare, credit, housing, education opportunities, or public accommodations. The bill will also require data protection assessments.

The bill authorizes private rights of action and bars contractual pre-dispute arbitration.  Children 13 and over would be able to represent their own rights under the bill.

HB1155 (Slatter) This bill has already been reported out of the House’s Civil Rights & Judiciary Committee. The legislation would require regulated entities to provide notice of data practices and would require consent for collection and sharing of consumer health data. The bill grants deletion rights for consumer health data and restricts the types of employees and processors that can have access to it. The bill also bans certain geofencing pertaining to health care services.  A violation of the Act is considered an unfair and deceptive practice under Washington law, which would subject regulated companies to a private right of action.  This bill passed the House 57 to 39, on March 4. This bill passed the Senate on April 5 27 to 21. Governor Inslee signed the bill into law on April 27.

HB1335 (Kloba) This bill would prohibit disclosing personal information with intent or knowledge of harm.


West Virginia

HB3498 (Linville) — This bill is the same as the Virginia model. This bill was reported Due Pass out of the House Technology and Infrastructure committee on February 14 and is now in front of the Finance Committee.

HB3453 (Young) — This bill effectively follows the CCPA model but has a right to correction and does not include provisions around unauthorized access like the original CCPA.


Summary Designations 

Although there are multiple models indicated on C_TEC’s heat map, there are currently five models that have passed in state legislations: 

  • CCPA Model (C) — This model includes access, deletion, and opt out rights for data sales. It also includes anti-discrimination provisions for exercising consumer rights and provides a private right of action for data breach-type incidents.  
  • Virginia Model (V) — This model includes access, correction, deletion and opt out rights for processing that has a legal result, targeting advertising, or data sales. Opt-in is required for sensitive data processing and there are data processing limitations. The law also requires impact assessments. There is no private right of action, and the Attorney General is the primary enforcer.  
  • Colorado Model (Co) This model is similar to the Virginia model but includes rules around dark patterns and global opt out mechanisms.  
  • Utah Model (Ut) — This model mirrors the Virginia model in several ways, but it does not provide profiling opt out rights that create a legal result or impact. The bill also does not require impact assessments. 
  • Iowa Model (IA) — This model mirrors the Utah model but does not have a right to opt out of targeted advertising.