2023 Data Privacy

Download the 2023 Data Privacy Map

(Download the 2022 Map)

(Download the 2021 Map)

(Download the 2020 Map)


Hawaii

SB21 (Rhoads)—This bill would amend Hawaii’s Constitution to grant citizens an exclusive property right on data generated on networks like the internet.


Indiana

SB5 (Brown)—This bill effectively mirrors Virginia’s privacy model.

HB1554 (Jeter)—This bill has many similarities to SB5 in Indiana, although it raises the age of children up to 18, creates a consumer request portal maintained by the Attorney General, creates a “Do Not Sell” list, and places restrictions on obtaining data from data brokers. The bill would be exclusively enforced by the Attorney General.


Iowa

HSB12 (Committee on Economic Growth & Technology)—This House Study Bill effectively mirrors the Utah model.


Kentucky

SB15 (Westerfield) [K]—The bill in many ways mirrors the Virginia bill and its predecessor bill in the 2022 session but does not specifically provide opt-in requirements where data is used in a way that has a legal result and instead regulates tracking. The bill differs in that it provides restrictions around targeted advertising for those under 18. Although the Attorney General is the primary enforcer, the bill provides a private right of action.


Massachusetts

SD745 (Creem)/HD2281 (Vargas)—The “Massachusetts Data Privacy Protection Act” effectively mirrors the American Data Privacy and Protection Act of the 117th Congress. As this is the first state to introduce this model, it will be known as the Massachusetts model.


Mississippi

SB 2080 (Turner-Ford)—This bill effectively mirrors the CCPA model.


New Jersey

A505 (Benson) [c]—The “New Jersey Disclosure and Accountability Transparency Act (NJ DaTA)” would bar the processing of personal information unless there is an enumerated legitimate interest or there is opt-in consent. The bill also provides for security requirements in addition to access, correction, and transparency rights. Individuals also have the right to object to processing in certain circumstances. Consumers have the right to opt out of having decisions be made solely by automated decision making. The bill has a 72-hour data breach notification requirement. The Office of Data Protection and Responsible Use in the Division of Consumer Affairs in the Department of Law and Public Safety is responsible as a rulemaker, clearinghouse, and enforcer of the Act.

A1971 (Mukherji) S332 (Singleton) [c]—This bill is effectively a CCPA for online operators. This bill would require commercial internet website operators and online services to provide transparency about the use, collection, and sharing of personal information. It also would require operators to honor opt-out requests to be provided in a manner chosen by the operator. The Senate Commerce Committee reported the bill favorably by a vote of 3 to 2 on June 9. The State recently released a reprint of the Senate version. On November 21, the Senate adopted a floor amendment by voice vote which would have the effect of including publicly available data as personal information, among other things.


New York

S365 (Thomas) [Co]—The “New York Privacy Act” incorporates the amendments of the 2022 New York Privacy Act legislation. The bill would give consumers the right to notice, opt-in for data processing, access, portability, correction, and deletion rights. The bill would give consumers the right to appeal automated decision-making in the financial services, housing, public accommodation, insurance and health care services. Consumers cannot be discriminated against for failure to opt in. The bill would be enforced by the Attorney General and private rights of action. Additionally, the bill imposes global opt-out and impact assessments like the Colorado privacy law.

S2277 (Kavanagh)—The “Digital Fairness Act” would require a short-form privacy notice, require “freely given, specific, unambiguous opt-in consent” to process personal information and for any changes made to the processing. The bill would bar refusal of service based on exercising privacy rights. It would require a duty of care based on adequate industry standards for things like storage and transmission. The bill would also require a written policy on things like biometric retention and bar the activation of microphones and video devices to obtain biometrics without consent. The bill would also ban discrimination through data processing and targeted advertising as well as require automated decision making impact assessments. The bill would be enforced by a private right of action.


Oklahoma

HB1030 (West) [Ok]—The “Oklahoma Computer Data Privacy Act” draws upon several requirements of the California Consumer Privacy Act in that it gives consumers transparency and deletion rights as well as the ability to opt out of data sales. The Oklahoma bill, though, would require a strict opt-in for all personal information collection and sales at enactment on January 1, 2024. The bill would be enforced by the Attorney General.


Oregon

SB 619 (Prozanski)—This bill is an Attorney General-sponsored bill and in many ways mirrors Virginia’s privacy model, with two key changes. It would require consent for processing of data regarding individuals for whom a company has actual or constructive knowledge that they are between the ages of 13 and 15. There is also a similar constructive knowledge standard for sensitive data for children under 13. The bill also has a private right of action.


Tennessee

SB73 (Watson) [Tn]—The “Tennessee Information Protection Act” mirrors Virginia and Utah’s privacy laws in some ways but has some differences. It would give consumers access, correction, deletion, and portability rights as well as the right to opt out of data sales. Companies would be required to limit collection to what is reasonably related to the purpose for which data is processed. It would also require opt-in consent for sensitive data. It also would require impact assessments but, unlike Virginia, would not require opt-out for targeted advertising or profiling producing a legal result. The bill would be solely enforced by the Attorney General but, unlike Virginia and Utah, it would require companies to maintain a privacy program compliant with the NIST privacy framework. Like Ohio’s bill in 2022, compliance with the NIST framework could be used as an affirmative defense.


Summary Designations 

Although there are multiple models indicated on C_TEC’s heat map, there are currently four models that have passed in state legislatures:

  • CCPA Model (C)—This model includes access, deletion, and opt out rights for data sales. It also includes anti-discrimination provisions for exercising consumer rights and provides a private right of action for data breach-type incidents.  
  • Colorado Model (Co)—This model is similar to the Virginia model but includes rules around dark patterns and global opt out mechanisms.  
  • Utah Model (Ut)—This model mirrors the Virginia model in several ways although it does not provide opt out rights for profiling that creates a legal result or impact. The bill also does not require impact assessments. 
  • Virginia Model (V)—This model includes access, correction, deletion, and opt-out rights for processing that has a legal result, targeted advertising, or data sales. Opt-in is required for sensitive data processing and there are data processing limitations. The law also requires impact assessments. There is no private right of action and the Attorney General is the primary enforcer.