State Legislatures

Montana Passes Amendments to Consumer Data Privacy Act

By Libbie Canter, Lindsey Tonsager, Jayne Ponder, Tian Kisch, Jessica Ke, Sierra Stubbs & Bryan Ramirez on April 22, 2025

Posted in State Privacy

On April 15, 2025, the Montana legislature unanimously passed Montana SB 297, a bill that would amend the Montana Consumer Data Privacy Act (“MTCDPA”) with provisions expanding online data protections for minors, narrowing the exemptions under the Gramm-Leach-Bliley Act, and removing a controller’s right to cure, among others. We outline some key provisions below.Continue Reading Montana Passes Amendments to Consumer Data Privacy Act

California Enacts Health AI Bill and Protections for Neural Data

By Libbie Canter & Elizabeth Brim on October 4, 2024

Posted in Uncategorized

On September 28, California’s governor signed a number of bills into law, including to regulate health care facilities’ use of artificial intelligence (“AI”). This included AB 3030, which regulates certain California-licensed health care facilities’ use of AI and SB 1223, which amends the California Consumer Privacy Act (CCPA) to cover “neural data.” We discuss each bill in turn below.

AB 3030Continue Reading California Enacts Health AI Bill and Protections for Neural Data

Maryland Enacts Age-Appropriate Design Code

By Lindsey Tonsager & Jenna Zhang on May 22, 2024

Posted in Children's Privacy

On May 9, 2024, Maryland Governor Wes Moore signed the Maryland Age-Appropriate Design Code Act (“AADC”) into law. The AADC will go into force on October 1, 2024. This post summarizes the law’s key provisions.Continue Reading Maryland Enacts Age-Appropriate Design Code

Virginia Enacts Direct-to-Consumer Genetic Privacy Law as Numerous Other States Introduce Similar Bills

By Libbie Canter & Elizabeth Brim on March 31, 2023

Posted in Privacy & Data Security

On March 26, 2023, Virginia enacted a genetic privacy law (SB 1087) aimed at regulating the practices of direct-to-consumer (“DTC”) genetic testing companies. Virginia is not the only state interested in regulating these companies—numerous other states, including Minnesota, Texas, Tennessee, and Vermont, have introduced similar bills during this legislative session, following the enactment of similar genetic privacy laws in Arizona, California, and Utah in recent years. Virginia’s SB 1087, effective July 1, 2023, adds to the growing net of state genetic privacy protections.Continue Reading Virginia Enacts Direct-to-Consumer Genetic Privacy Law as Numerous Other States Introduce Similar Bills

Fifth Circuit Upholds Texas Law Restricting Online “Censorship”

By Terrell McSweeny, Megan Crowley & Nicholas Xenakis on September 28, 2022

Posted in State Legislatures, Technology, U.S. Federal and State Legislative Initiatives, United States

On September 16, the Fifth Circuit issued its decision in NetChoice L.L.C. v. Paxton, upholding Texas HB 20, a law that limits the ability of large social media platforms to moderate content and imposes various disclosure and appeal requirements on them. The Fifth Circuit vacated the district court’s preliminary injunction, which previously blocked the Texas Attorney General from enforcing the law. NetChoice is likely to ask the U.S. Supreme Court to review the Fifth Circuit’s decision.Continue Reading Fifth Circuit Upholds Texas Law Restricting Online “Censorship”

Colorado Attorney General Remarks on CPA Rulemaking

By Andrew Longhi, Lindsey Tonsager & Libbie Canter on April 21, 2022

Posted in Colorado Privacy Act, Dark Patterns, State Legislatures

On April 12, at the International Association of Privacy Professionals’ global privacy conference, Colorado Attorney General Phil Weiser gave remarks on his office’s approach to the rulemaking and enforcement of the Colorado Privacy Act.
Continue Reading Colorado Attorney General Remarks on CPA Rulemaking

Utah Legislature Passes Comprehensive Privacy Bill

By Lindsey Tonsager, Libbie Canter & Jayne Ponder on March 4, 2022

Posted in Internet of Things (IoT), Privacy and Data Security, State Legislatures

Utah appears poised to be the next state with a comprehensive privacy law on its books, following California, Virginia, and Colorado. On March 2nd, the Utah House of Representatives voted unanimously to approve an amended version of the legislative proposal, and the Senate concurred with the House amendment on the following day. Formalities are now being completed to send the bill to Governor Spencer Cox for signature.

The Utah Consumer Privacy Act (“UCPA”) provides for consumer rights and responsibilities for controllers and processors. Although the bill generally tracks the comprehensive privacy law passed in Virginia last year, the VCDPA, there are some notable differences. Key provisions in the bill include the following:
Continue Reading Utah Legislature Passes Comprehensive Privacy Bill

Review of U.S. State Law Developments in 2021

By Libbie Canter on January 3, 2022

Posted in California Privacy Rights Act, Data, Privacy and Data Security, State Legislatures

As we look ahead at 2022, we here provide a quick wrap-up of key developments for U.S. state privacy laws in the past year:
Continue Reading Review of U.S. State Law Developments in 2021

Illinois Enacts Protecting Household Privacy Act

By Jim Garland, Alexander Berengaut, Megan Crowley & Chloe Goodwin on November 5, 2021

Posted in Data Privacy, Electronic Surveillance and Law Enforcement Access, Internet of Things (IoT), State Legislatures

On August 27, 2021, Illinois Governor J.B. Pritzker signed into law the Protecting Household Privacy Act (“PHPA”). The law governs how, and under what conditions, Illinois law enforcement agencies may acquire and use data from household electronic devices, commonly referred to as “smart devices” or the “internet of things.” The…
Continue Reading Illinois Enacts Protecting Household Privacy Act

Virginia Consumer Data Protection Work Group Holds Second Meeting, Hears Recommendations from the Office of the Virginia Attorney General

By Lindsey Tonsager & Andrew Longhi on July 22, 2021

Posted in California Privacy Rights Act, Data Privacy, Privacy and Data Security, State Legislatures

Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.

Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.

At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider:
Continue Reading Virginia Consumer Data Protection Work Group Holds Second Meeting, Hears Recommendations from the Office of the Virginia Attorney General

Inside Privacy