Last year, lawmakers in the U.S. Congress gave privacy professionals a glimpse into what federal comprehensive privacy legislation might look like. As one of the few holdouts without a federal standard for privacy, the industry seemed eager to embrace the simplicity offered by a federal standard. And while lawmakers got close, the American Data Privacy and Protection Act ultimately stalled, leaving companies to navigate an increasingly complex web of privacy laws across the states.
In lieu of a federal approach, 2023 has brought on not only a flurry of state laws for comprehensive privacy protections, but also a steady stream of targeted privacy laws such as age-appropriate design codes, biometric data laws, health privacy laws, and more, leaving companies with an ever-growing patchwork of privacy laws alongside an evolving list of specific privacy laws.
Comprehensive state privacy laws
On the comprehensive privacy front, Iowa, Indiana, Tennessee, Montana, and Texas, join the list of states to enact legislation. At the start of the year, there were five state privacy laws (California, Colorado, Connecticut, Utah, and Virginia) now, not even halfway through the year, and that number has doubled.
Iowa kicked off the wave of privacy laws on March 29, 2023, when the governor signed SF 262 into law. Effective January 1, 2025, organizations have ample time to position themselves for compliance—especially as businesses will find nothing new in the way of obligations. One of the less onerous state laws passed thus far, Iowa essentially cherry-picked sections from states that had come before it, offering no surprises.
Next came Indiana, another state privacy law without much imagination. Offering even more time for companies to prepare, the law becomes effective at the onset of 2026 and has no additional hurdles for companies looking to comply. It also includes a 30-day right to cure with no sunset.
Tennessee became the eighth state to join the patchwork, passing on May 11, 2023, and taking effect July 1, 2025. The final version of the bill is somewhat restrained from its original form but diverges from the existing norms in two noteworthy ways. First, companies that violate the law will have an affirmative defense if they have a “written privacy policy” that “reasonably conforms” with the NIST privacy framework or if they have documented policies and procedures to safeguard consumer privacy. It also sets a lower bar in terms of applicability, setting the scope for businesses at an annual revenue of $25 million, and either (1) control or process information of 175,000 residents (up from the standard 100,000 across the states) or (2) control or process information of 25,000 or more residents and derive over 50 percent from the sale of that data.
Montana’s governor signed the state’s Consumer Data Privacy Act May 19, 2023, and it will go into effect on October 1, 2024. Like laws in California and Connecticut, the Montana CDPA introduces additional privacy protections for children between the ages of 13 and 15 and is the first Republican-controlled legislature to require the recognition of universal opt out mechanisms. The law also bucks the 2023 trend on the never-ending right to cure, sunsetting April 1, 2026, and lowers the applicability threshold to account for the small state population. The law will apply to businesses that either (1) control or process personal data belonging to at least 50,000 residents or (2) control or process information of 25,000 or more residents and derive over 25 percent from the sale of that data.
In Texas, lawmakers worked to pass the Texas Data Privacy and Security Act just one day before the legislative calendar closed on May 29, 2023. Texas Govenor, Greg Abbott, now has ten days to sign the bill, veto it, or allow it to become law without his signature. If enacted, Texas will be the second most populated state to provide privacy protections.has
Targeted privacy laws
In addition to comprehensive consumer privacy bills, 2023 has brought a proliferation of biometric privacy bills modeled after the Illinois Biometric Privacy Act (BIPA), children’s privacy bills revolving around the UK’s age-appropriate design code, data broker bills, health data privacy bills, algorithmic discrimination bills, and others, causing even the most dedicated observer to lose count.
Of these targeted privacy bills, none has garnered more attention this year than Washington’s My Health My Data Act (MHMDA). Despite its name, the law has many saying that its scope and applicability go beyond health and beyond state borders, as the definitions expand its reach. With the inclusion of a private right of action, the law overcame hurdles that killed a comprehensive privacy bill. Could the MHMDA be a signal that we may see renewed attention to comprehensive privacy in the future? Or will this law give Washingtonians enough protections to hold a comprehensive proposal at bay? We will see.
Keeping pace with new legislation is challenging but essential for companies to mitigate legal and reputational risks. A privacy program may be compliant today, but companies need to keep an eye on the legislative calendar as compliance is getting more complex by the day—literally. Blueprint’s privacy program assessments can help you understand your current state and compare that to upcoming regulatory obligations to create a roadmap for success.
