2025 Governors and Legislatures (Projected)
image/svg+xml Skip to main content
Search image/svg+xml

Key Takeaways:

  • State privacy legislation experienced a significant surge in 2023, with several states enacting comprehensive laws to protect consumer data, indicating a growing recognition of privacy rights at the state level.
  • The Virginia Consumer Data Protection Act served as a prominent model, influencing many states' privacy laws, although some states strengthened consumer protections while others introduced laws with narrower scopes and exemptions.
  • What all of the new state privacy laws have in common is the lack of a private right of action, allowing consumers to sue for any alleged violations.
  • This issue seems to transcend typical partisan lines, with progressives and conservatives alike pursuing privacy legislation.

In the absence of federal action, state legislative activity on privacy legislation went from a trickle to a flood in 2023. The number of states with a comprehensive privacy law on the books to protect consumer data more than doubled this session when Delaware, Florida, Indiana, Iowa, Montana, Oregon, and Texas all enacted laws. 

The Virginia Model

Although California was first to pass landmark privacy legislation in 2018, most states have used the Virginia Consumer Data Protection Act as a model. That law, which went into effect this past January, details a number of consumer rights over the data collected from them by businesses, including a right to know what is collected, a right to access to that data, a right to correct and delete the data, a right to move the data to another entity in a portable format, and a right to opt out of having the data used for targeted advertising, sold to a third party, or used for predictive profiling.

Other State Approaches 

Since the Virginia law was passed in 2021, states have used the model as a framework, but diverged into one of two paths. Some states, like Connecticut, Colorado, and Oregon have added to the Virginia model with more regulations to protect consumers. Colorado prohibits “dark patterns” or manipulations meant to prevent consumers from exercising their rights. Oregon adds a right allowing consumers to request a list of specific third parties to which a business had disclosed personal data.

Other states, like Florida, Iowa, and Utah, have watered down the Virginia model by narrowing the scope of businesses that are affected and adding exemptions. Florida’s law only applies to certain large companies that make over a billion dollars in global annual revenue that are either in online advertising, operate app stores, or operate a voice-controlled virtual assistant. Iowa's law does not include the right to correct or a right to opt out of profiling. Unlike many other state privacy laws, Utah’s law does not require consent from consumers before processing certain sensitive data that may include things like race, religion, sexual orientation, medical history, or geolocation, although the consumer may opt out of those processes. 

Private Right of Action? Not in These Bills 

What all of the new state privacy laws have in common is the lack of a private right of action, allowing consumers to sue for any alleged violations. Advocates early on pressed for such a right, arguing it was the only way to provide any real enforcement, while businesses pushed back contending it would create onerous litigation costs. Those battles torpedoed many early attempts to pass privacy legislation, but the roadmap to passing legislation seems to require leaving enforcement to the state, usually through the attorney general.

Partisan Dynamics

We have also seen that this issue transcends typical partisan lines. Progressives in blue states like Colorado and Connecticut pressed for consumer-friendly protections, but Republicans in Montana also passed a strong measure after being provoked by national tech industry lobbyists. The legislative process in Florida pitted Republicans targeting the tech industry against traditional business-friendly Republicans wary of opening a floodgate of litigation. Washington has come close to passing a privacy bill several times, but the business-friendly Senate has clashed with a liberal House, despite both chambers being controlled by Democrats. 

What’s Next?

We will continue to see privacy legislation evolve over the next year. Lawmakers passed bills protecting consumer health data and geolocation data near health clinics in the wake of the Dobbs decision amid concerns over reproductive rights. Stronger online privacy protections for children were a popular cause among lawmakers this session. More recently, advocates have expressed concerns over data mined by artificial intelligence models and algorithms

While there has been some movement in Congress on a national privacy law, the California delegation remains an obstacle due to concerns their state’s landmark law will be preempted by a watered-down national law. As long as there is a vacuum on this issue, states will continue to fill the void, and 2023 could be a tipping point for state action on privacy legislation. 

Sign Up for Morning MultiState

For more timely insights like this, be sure to sign up for our Morning MultiState weekly morning tipsheet. We created Morning MultiState with state government affairs professionals in mind — sign up to receive the latest from our experts in your inbox every Tuesday morning. Click here to read past issues and sign up.