2023 Consumer Data Privacy Legislation

Financial Services Technology

Overview

State legislatures have long been involved in regulating privacy of various types of information or of specific industry sectors. For example, laws protecting student information, individuals’ social security numbers, medical information and other types of information.

However, consumer privacy issues have grown in importance in state legislatures recently, including in 2023.

At least 25 states and Puerto Rico introduced or considered almost 140 consumer privacy bills in 2023.

Comprehensive (sometimes also called omnibus) consumer privacy legislation is a common type of bill being considered—at least 25 bills in at 25 least states.

Comprehensive legislative proposals generally regulate the collection, use and disclosure of personal information by businesses and provide an express set of consumer rights for collected data, such as the right to access, correct and delete personal information collected by businesses.

Five states have enacted comprehensive consumer privacy laws:

California Consumer Privacy Act of 2018 and California Consumer Privacy Rights Act (2020 Proposition 24) (Cal. Civil Code §1798.100 et seq.)
Colorado Privacy Act, 2021 SB 190 (Colo. Rev. Stat. §6-1-1301 et seq. – Effective July 1, 2023.)
Connecticut Personal Data Privacy and Online Monitoring, 2022 SB 6 (Effective July 1, 2023.)
Virginia Consumer Data Protection Act (Va. Code §59.1-575 et seq. – Effective Jan. 1, 2023)
Utah Consumer Privacy Act, 2022 SB 227 (Utah Code Ann. §13-61-101 et seq. – Effective Dec. 31, 2023.)

Some of the other more common types of consumer privacy legislation tracked here concern the collection of data from consumers by commercial entities, online services or commercial websites, including bills related to website privacy or children’s privacy on the internet, direct-to-consumer genetic testing, ISP and information/data broker regulation, and other consumer privacy issues.

An explanation of the categories of consumer privacy bills is included below the legislation table.

2023 Consumer Data Privacy Legislation
State	Bill Number \| Status	Bill Summary	Category
Alabama	None
Alaska	None
Arizona	SB 1238 Pending	Establishes statutory requirements for a private entity in possession of biometric identifiers or biometric information relating to the collection, retention and destruction of biomarker identifiers and information.	Biometrics or Facial Recognition
Arizona	SB 1503 Pending	Requires an individual or a commercial entity that publishes or distributes explicit sexual material on the internet from a website that contains a substantial portion of explicit sexual material to require a user of the website to provide a government-issued identification to verify that the user is at least 18 years of age before being granted access to the website. Prohibits the individual or commercial entity performing the required age verification from retaining any identifying information of the user of the website after access has been granted to the explicit sexual material.	Other Consumer Privacy
Arkansas	None
California	SB 362 Pending	Existing law requires a data broker, as defined, to register with the attorney general, pay a registration fee, and provide specified information on or before Jan. 31 following each year in which a business meets the definition of a data broker. This bill changes that date to Feb. 15.	Information Brokers
California	SCR 9 Pending	This measure would designate the week of Jan. 22, 2023, through Jan. 28, 2023, as Data Privacy Week and Jan. 28, 2023, as Data Privacy Day.	Other Consumer Privacy
Colorado	None
Connecticut	HB 5429 Pending	Prohibits the collection and commercial use of digital consumer data and personally identifying information concerning minors.	Children’s Online Privacy
Connecticut	HB 6253 Pending	Establishes an age-appropriate design code requiring businesses that provide online products and services likely to be accessed by children under 18 years of age to adopt privacy and safety measures, including, but not limited to, default privacy settings that offer the maximum level of privacy and clearly and concisely worded privacy policies and terms of service.	Children’s Online Privacy
Connecticut	HB 6393 Pending	Imposes additional consumer protections concerning businesses that provide online services, products and features that are likely to be accessed by minors; requires online platforms to include safeguards that protect the health, safety and privacy of minors, and establish default settings for minors that provide the maximum degree of privacy protection; allows consumers to opt out of the collection and use of any minor's personal information for the purposes of targeted advertising; and imposes a fiduciary duty on online platforms that collect information from minors that prioritizes the interests of minors over those of such platforms.	Children’s Online Privacy
Connecticut	SB 730 Pending	Requires that any person using facial recognition technology to identify customers and guests in a public space post a clear disclosure of such use.	Biometrics or Facial Recognition
Delaware	None
District of Columbia	None
Florida	None
Georgia	None
Guam	None
Hawaii	HB 1497 Pending SB 1110 Pending	Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes that a violation of the consumer data privacy act constitutes an unfair method of competition and unfair and deceptive acts or practices in the conduct of any trade of commerce. Authorizes a person injured by a violation of the personal consumer data act to bring a civil action against a controller or processor.	Comprehensive
Hawaii	SB 21 Pending	Proposes an amendment to the Hawaii state constitution establishing the right to own one's own data.
Hawaii	SB 974 Pending	Establishes a framework to regulate controllers and processors with access to personal consumer data. Establishes penalties. Establishes a new consumer privacy special fund. Appropriates moneys.	Comprehensive
Hawaii	SB 1085 Pending	Establishes standards for the collection, storage, retention, and destruction of biometric identifiers and biometric information by private entities.	Biometrics or Facial Recognition
Hawaii	SB 1180 Pending	Prohibits the sale of geolocation information and internet browser information without consent.	Location Privacy
Idaho	None
Illinois	HB 223 Pending	Amends the Biometric Information Privacy Act. Makes a technical change in a section concerning the short title.	Biometrics or Facial Recognition
Illinois	HB 252 Pending	Amends the Biometric Information Privacy Act. Makes a technical change in a section concerning the short title.	Biometrics or Facial Recognition
Illinois	HB 1230 Pending	Amends the Biometric Information Privacy Act. Provides that nothing in the act shall be construed to apply to any health care employer that (1) hires an employee under the Health Care Worker Background Check Act and the employee has submitted to a fingerprint-based criminal history records check, (2) uses and stores biometric information or biometric identifiers exclusively for employment, human resources, compliance, payroll, identification, authentication, safety, security, or fraud prevention purposes, (3) does not sell, lease, or trade the biometric information or biometric identifiers collected, and (4) maintains and follows a documented process to delete any biometric information or biometric identifier.	Biometrics or Facial Recognition
Illinois	HB 1381 Pending	Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the act. Provides that any waiver of the provisions of the act or any agreement that does not comply with the applicable provisions of the act shall be void and unenforceable. Provides that no provision of the act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with state or local government. Provides findings and purpose. Defines terms.	Website Privacy
Illinois	HB 2252 Pending	Amends the Biometric Information Privacy Act. Changes the term "written release" to "written consent." Provides that the written policy that is developed by a private entity in possession of biometric identifiers shall be made available to the person from whom biometric information is to be collected or was collected (rather than to the public). Provides that an action brought under the act shall be commenced within one year after the cause of action accrued if, prior to initiating any action against a private entity, the aggrieved person provides a private entity 30 days' written notice identifying the specific provisions the aggrieved person alleges have been or are being violated. Provides that if within the 30 days the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. Provides that if a private entity continues to violate the act in breach of the express written statement, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. Provides that a prevailing party may recover: against a private entity that negligently violates the act, actual damages (rather than liquidated damages of $1,000 or actual damages, whichever is greater); or against a private entity that willfully (rather than intentionally or recklessly) violates the act, actual damages plus liquidated damages up to the amount of actual damages (rather than liquidated damages of $5,000 or actual damages, whichever is greater). Provides that the act does not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information. Makes other changes.	Biometrics or Facial Recognition
Illinois	SB 1365 Pending	Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the act. Provides that any waiver of the provisions of the act or any agreement that does not comply with the applicable provisions of the act shall be void and unenforceable. Provides that no provision of the act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with state or local government. Provides findings and purpose. Defines terms.	Website Privacy
Illinois	SB 1506 Pending	Amends the Biometric Information Privacy Act. Changes the definitions of "biometric identifier" and “written release.” Defines "biometric lock," "biometric time clock," "electronic signature," "in writing," and "security purpose." Provides that if the biometric identifier or biometric information is collected or captured for the same repeated process, the private entity is only required to inform the subject or receive consent during the initial collection. Waives certain requirements for collecting, capturing, or otherwise obtaining a person's or a customer's biometric identifier or biometric information under certain circumstances relating to security purposes. Provides that nothing in the act shall be construed to apply to information captured by a biometric time clock or biometric lock that converts a person's biometric identifier or biometric information to a mathematical representation. Requires the department of labor to provide information for employers regarding the requirements of the act on its website. Amends the Workers' Compensation Act. Provides that nothing in the act limits, prevents, or preempts a recovery by an employee under the Biometric Information Privacy Act.	Biometrics or Facial Recognition
Illinois	SB 1511 Pending	Amends the Biometric Privacy Information Act. Defines "security purpose" as the purpose of preventing retail theft, fraud, or any other misappropriation or theft of a thing of value, including protecting property from trespass, controlling access to property, protecting any person from harm, including stalking, violence, or harassment, and assisting a law enforcement investigation. Allows a private entity to collect, capture, or otherwise obtain a person's or customer's biometric identifier or biometric information without satisfying other specified requirements if: (1) the private entity collects, captures, or otherwise obtains a person's or customer's biometric identifier or biometric information for a security purpose; (2) the private entity uses the biometric identifier or biometric information only for a security purpose; (3) the private entity retains the biometric identifier or biometric information no longer than is reasonably necessary to satisfy a security purpose; and (4) the private entity documents a process and time frame to delete any biometric identifier or biometric information.	Biometrics or Facial Recognition
Indiana	HB 1554 Pending	Establishes in the Indiana Code a new article concerning consumer data protection, to take effect Jan. 1, 2024. Sets forth the following within the new article: (1) Definitions of terms that apply throughout the article. (2) Exemptions for certain: (A) persons; and (B) types of information and data; from the bill's requirements concerning the personal data of Indiana consumers (consumers). (3) The rights of a consumer with respect to personal data relating to the consumer. (4) The responsibilities of controllers of consumers' personal data (controllers). (5) The roles of: (A) controllers; and (B) processors of consumers' personal data (processors); with respect to a consumer's personal data. (6) Requirements for data protection assessments by controllers. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The establishment, maintenance, and publication by the attorney general's consumer protection division of a quarterly listing of electronic mail addresses of consumers who request that their personal data not be sold. (10) Requirements for brokers of consumers' personal information (data brokers) to: (A) provide notification of security breaches; and (B) register annually with the attorney general. (11) The authority of the attorney general to investigate and enforce suspected or actual violations of the new article. (12) The establishment of the consumer privacy account within the state general fund to support the work of the attorney general in enforcing the new article. (13) The authority of the attorney general to: (A) to adopt rules to administer the new article; and (B) issue opinion letters and interpretive guidance to develop an operational framework for persons subject to the new article. (14) The preemption of local rules, regulation, and laws regarding the processing of personal data.	Comprehensive
Indiana	SB 5 Pending	Establishes a new article in the Indiana Code concerning consumer data protection, to take effect Jan. 1, 2026. Sets forth the following within the new article: (1) Definitions of various terms that apply throughout the article. (2) Exemptions from the bill's requirements concerning the responsibilities of controllers of consumers' personal data. (3) The rights of an Indiana consumer to do the following: (A) Confirm whether or not a controller is processing the consumer's personal data. (B) Correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller. (C) Delete the consumer's personal data held by a controller. (D) Obtain a copy or representative summary of the consumer's personal data that the consumer previously provided to the controller. (E) Opt-out of the processing of the consumer's personal data for certain purposes. (4) The responsibilities of controllers of consumers' personal data. (5) The roles of controllers and processors with respect to a consumer's personal data. (6) Requirements for data protection impact assessments by controllers of consumers' personal data. (7) Requirements for processing de-identified data or pseudonymous data. (8) Limitations as to the scope of the new article. (9) The authority of the attorney general to investigate and enforce suspected or actual violations of the new article. (10) The preemption of local rules, regulations, and laws regarding the processing of personal data.	Comprehensive
Iowa	None
Kansas	None
Kentucky	SB 15 Pending	Defines various consumer rights related to data collection; requires a data controller to comply with a consumer request to exercise those rights, including confirming whether or not a controller is processing the consumers data and providing the consumer access to his or her data, deleting his or her personal data, and providing a copy of the consumers data that he or she previously provided in a portable and usable format; provides for opting out.	Comprehensive
Louisiana	None
Maine	Me. Rev. Stat. Ann. tit. X, §
Maryland	HB 33 Pending SB 169 Pending	Regulates the use of biometric data by private entities, including by requiring certain private entities in possession of biometric data to develop a policy, made available to the public, establishing a retention schedule and destruction guidelines for biometric data; authorizes an individual alleging a violation of this Act to bring a civil action against the offending private entity under certain circumstances; makes a violation of this Act an unfair, abusive, or deceptive trade practice that is subject to enforcement and penalties under the Maryland Consumer Protection Act; and generally relates to biometric data privacy.	Biometrics or Facial Recognition
Maryland	HB 807 Pending SB 698 Pending	Establishes generally the manner in which a controller or a processor may process a consumer's personal data; authorizes a consumer to exercise certain rights regarding the consumer's personal data; requires a controller of personal data to establish a method for a consumer to exercise certain rights in regards to the consumer's personal data; regulates the use of biometric data by a controller; etc.	Biometrics or Facial Recognition
Maryland	HB 901 Pending SB 844 Pending	Requires a business that offers an online product likely to be accessed by children to complete a certain data protection impact assessment under certain circumstances; prohibits a business from offering a certain online product before completing a data protection impact assessment; requires businesses to document certain risks associated with certain online products; requires certain privacy protections for certain online products; prohibits certain data collection and sharing practices; provides certain exemptions; etc.	Children’s Online Privacy
Maryland	SB 861 Pending	Prohibits a person from using a scanning device to scan or swipe an identification card or a driver's license of an individual to obtain personal information of the individual; prohibits a person from taking certain actions regarding information collected by scanning or swiping an individual's identification card or driver's license under certain circumstances; provides that a violation of the act is an unfair, abusive, or deceptive trade practice under the Maryland Consumer Protection Act and subject to certain penalties; etc.	Other Consumer Privacy
Massachusetts	None
Michigan	None
Minnesota	HF 846 Pending SF 943 Pending	Prohibits geolocation and smartphone monitoring of another in certain circumstances; provides a cause of action to individuals when geolocation information and other smartphone data has been recorded or shared.	Location Privacy
Minnesota	HF 1367 Pending	Relates to consumer data privacy; gives various rights to consumers regarding personal data; places data transparency obligations on businesses; creates a private right of action; provides for enforcement by the attorney general; proposes coding for new law as Minnesota Statutes, chapter 325O.	Comprehensive
Minnesota	SF 950 Pending	Requires a consumer's consent prior to collecting personal information.	Consumer Data Privacy
Minnesota	SF 954 Pending	Establishes standards for biometric privacy; establishes a right of action.	Biometrics or Facial Recognition
Minnesota	SF 1110 Pending	Relates to data privacy; establishes neurodata rights; modifies certain crimes to add neurodata elements; provides civil and criminal penalties; amends Minnesota Statutes 2022, sections 13.04, by adding a subdivision; 609.88, subdivision 2; 609.891, subdivision 3; proposes coding for new law in Minnesota Statutes, chapter 325E.	Other Consumer Privacy
Minnesota	SF 1138 Pending	Requires direct-to-consumer genetic testing companies to provide disclosure notices and obtain consent; proposes coding for new law in Minnesota Statutes, chapter 325F.	Consumer Genetic Privacy
Minnesota	SF 1442 Pending	Relates to data privacy; requires consent before providers share audio or video data with third parties; proposes coding for new law in Minnesota Statutes, chapter 325E.	Other Consumer Privacy
Mississippi	HB 467 Failed	Creates the "Biometric Identifiers Privacy Act;" provides legislative findings; defines terms relating to biometric identifiers; requires private entities in possession of biometric identifiers to develop a policy that establishes a retention schedule and guidelines for destroying the biometric identifiers of individuals; provides certain requirements and restrictions for private entities that collect biometric identifiers; provides that upon the request of an individual, a private entity that collects biometric identifiers shall disclose to the individual his or her biometric identifier and information related to the use of such biometric identifier; provides for a right of action for individuals alleging a violation of this act; provides that the attorney general may bring an action against a private entity who violates the provisions of this act; and for related purposes.	Biometrics or Facial Recognition
Mississippi	SB 2080 Failed	Creates the "Mississippi Consumer Data Privacy Act;" authorizes consumers to request that businesses disclose certain information; authorizes consumers to request that businesses delete personal information collected by businesses; requires businesses to disclose certain information to consumers, to inform consumers of their right to request that personal information be deleted, and to delete personal information collected about consumers upon request; authorizes consumers to instruct businesses to not sell the consumers' personal information; authorizes consumers to bring civil actions against businesses that violate this act; authorizes the attorney general to bring civil actions against businesses that violate this act; requires the attorney general to adopt regulations to further the purposes of this act; and for related purposes.	Comprehensive
Missouri	HB 1047 Pending	Establishes the Biometric Information Privacy Act.	Biometrics or Facial Recognition
Montana	None
Nebraska	LB 308 Pending	Adopts the Genetic Information Privacy Act.	Consumer Genetic Privacy
Nebraska	LR 20CA Pending	Proposes a constitutional amendment to protect the right of individual privacy.	Other Consumer Privacy
Nevada	Nev. Rev. Stat. §
New Hampshire	SB 255 Pending	This bill creates a new chapter detailing a consumer expectation of privacy.	Comprehensive
New Jersey	AB 505 Pending	Enacts the “New Jersey Disclosure and Accountability Transparency Act (NJ DaTA);” establishes certain requirements for disclosure and processing of personally identifiable information; establishes the office of data protection and responsible use in the division of consumer affairs.	Comprehensive
New Jersey	AB 525 Pending	Makes DNA samples and genetic information resulting from DNA analysis property of the person sampled or analyzed.	Consumer Genetic Privacy
New Jersey	AB 1399 Pending	Requires internet service providers to keep confidential subscriber’s personally identifiable information unless subscriber authorizes internet service provider in writing to disclose information.	ISP Privacy
New Jersey	AB 1544 Pending SB 2953 Pending	Prohibits providers of commercial mobile service and developers of mobile application from disclosing customer’s global position system data to third parties under certain circumstances.	Location Privacy
New Jersey	AB 1954 Pending	Requires internet service providers to keep confidential subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing or email to disclose information; prohibits subscriber penalty.	ISP Privacy
New Jersey	AB 1971 Pending SB 332 Pending	Requires commercial internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.	Website Privacy
New Jersey	AB 2029 Pending	Requires internet service providers to keep confidential and prohibit any disclosure, sale, or unauthorized access to subscriber’s personally identifiable information unless subscriber authorizes Internet service provider in writing to disclose information.	ISP Privacy
New Jersey	AB 2951 Pending	Enacts the “Microphone-Enabled Devices Act;” requires user consent before enabling device microphone.	Connected Devices
New Jersey	AB 4723 Pending SB 2740 Pending	Requires motor vehicle dealer to delete personal information from motor vehicle computer system prior to resale or lease.	Other Consumer Privacy
New Jersey	AB 4811 Pending	Establishes data broker registry.	Information Brokers
New Jersey	AB 4919 Pending SB 3493 Pending	Concerns social media privacy and data management for children and establishes New Jersey Children’s Data Protection Commission.	Children’s Online Privacy
New Jersey	AB 5075 Pending	Prohibits acquisition or disclosure of certain personal health information without consent.	Biometrics or Facial Recognition
New Jersey	SB 1262 Pending	Prohibits retail mercantile establishments from requiring certain consumer identification for return of merchandise.	Other Consumer Privacy
New Jersey	SB 3499 Pending	Prohibits use of facial recognition technology on consumer except for legitimate safety purpose.	Biometrics or Facial Recognition
New Mexico	None
New York	AB 48 Pending SB 2078 Pending	Relates to limitations on the use of electronic or computerized entry systems; restricts information that may be gathered on lessees, tenants, owners or guests.	Biometrics or Facial Recognition, Other Consumer Privacy
New York	AB 322 Pending SB 2478 Pending	Prohibits the use of a facial recognition system by a landlord on any residential premises.	Biometrics or Facial Recognition, Other Consumer Privacy
New York	AB 417 Pending SB 3163 Pending	Restricts the disclosure of personal information by businesses; provides that a business that retains a customer's personal information shall make available to the customer free of charge access to, or copies of, all of the customer's personal information retained by the business.	Comprehensive
New York	AB 711 Pending	Requires express and affirmative consent prior to collection, storage or transmittal of any personal information obtained from the installation or use of a smart home connected system by certain persons.	Connected Devices
New York	AB 936 Pending SB 2324 Pending	Discloses to a parent the personal information and content about a minor collected by an operator of an internet platform when a parent requests such information.	Children’s Online Privacy, Website Privacy
New York	AB 1362 Pending SB 4457 Pending	Establishes the biometric privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.	Biometrics or Facial Recognition
New York	AB 1366 Pending SB 2998 Pending	Relates to establishing the online consumer protection act; defines terms; provides that an advertising network shall post clear and conspicuous notice on the home page of its own website about its privacy policy and its data collection and use practices related to its advertising delivery activities; makes related provisions.	Website Privacy
New York	AB 1484 Pending SB 4367 Pending	Prohibits the disclosure of personally identifiable information by an internet service provider without the express written approval of the consumer.	ISP Privacy
New York	AB 1731 Pending	Restricts insurers from demanding intrusive personal, financial and tax information from insureds as a standard practice in processing ordinary theft claims where no special circumstances warranting a demand for such information exists.	Other Consumer Privacy
New York	AB 1766 Pending SB 2404 Pending	Requires retailers to post warning signs of the tracking of customers through cell phones or other electronic devices; provides for civil penalties.	Other Consumer Privacy
New York	AB 2529 Pending	Establishes a commission to study the European Union's general protection data regulation and the current state of cyber security in the state.	Studies, Task Forces or Commissions
New York	AB 2587 Pending SB 4201 Pending	Establishes the New York Data Protection Act; requires government entities and contractors to disclose certain personal information collected about individuals.	Comprehensive
New York	AB 2621 Pending	Relates to the use of biometric identity verification devices for the purchase of alcoholic beverages and tobacco products; authorizes a licensee, its agent or employee to determine a person's age when purchasing alcoholic beverages or tobacco products by use of a biometric identity verification device; establishes where the use of the device indicates that the person is under the age of 21, the attempted purchase of the alcoholic beverage shall be denied.	Biometrics or Facial Recognition
New York	AB 2642 Pending	Enacts the "Facial Recognition Technology Study Act" to study privacy concerns and potential regulatory approaches to the development of facial recognition technology.	Biometrics or Facial Recognition; Studies, Task Forces or Commissions
New York	AB 3308 Pending SB 2277 Pending	Enacts the "Digital Fairness Act;" requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information; establishes unlawful discriminatory practices relating to targeted advertising.	Comprehensive
New York	AB 3593 Pending	Enacts the NY Privacy Act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.	Comprehensive
New York	AB 3959 Pending SB 2012 Pending	Creates an excise tax on the collection of consumer data by commercial data collectors.	Other Consumer Privacy
New York	SB 158 Pending	Creates privacy standards for electronic health products and services and permissible data brokering; requires consent to be given for the collection and/or sharing of personal health information or other personal data.	Information Brokers, Other Consumer Privacy
New York	SB 365 Pending	Enacts the New York Privacy Act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared.	Comprehensive
New York	SB 1298 Pending	Relates to the use of voice recognition features on certain products.	Connected Devices
New York	SB 2390 Pending	Prohibits private entities from using biometric data for any advertising, detailing, marketing, promotion, or any other activity that is intended to be used to influence business volume, sales or market share or to evaluate the effectiveness of marketing practices or marketing personnel.	Biometrics or Facial Recognition
New York	SB 3162 Pending	Grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.	Comprehensive
New York	SB 3281 Pending	Enacts the New York Child Data Privacy Protection Act to prevent the exploitation of children's data; requires data controllers to assess the impact of its products on children for review by the bureau of internet and technology; bans certain data collection and targeted advertising.	Children’s Online Privacy
New York	SB 4377 Pending	Relates to privacy protection policies on internet websites, online services, online applications and mobile applications that collect social security numbers.	Website Privacy
North Carolina	None
North Dakota	None
N. Mariana Islands	Not available
Ohio	None
Oklahoma	HB 1030 Pending	Relates to privacy of computer data; enacts the State Computer Data Privacy Act; defines terms; provides for applicability of act to certain businesses that collect consumers' personal information; provides exemptions; prescribes compliance with other laws and legal proceedings; requires act to be liberally construed to align its effects with other laws relating to privacy and protection of personal information; provides for controlling effect of federal law.	Comprehensive
Oregon	HB 2052 Pending	Provides that a data broker may not collect, sell or license brokered personal data within this state unless data broker first registers with the department of consumer and business services. Specifies the form, method and contents of the application. Specifies exemptions. Provides a civil penalty in an amount not to exceed $500 for each violation of Act or, for continuing violation, for each day in which a violation continues. Caps the amount of the civil penalty at $10,000 in calendar year.	Information Brokers
Oregon	HB 2370 Pending	Requires the attorney general to study privacy. Directs the attorney general to submit findings to interim committees of the legislative assembly related to consumer protection not later than Sept. 15, 2024.	Studies, Task Forces or Commissions
Oregon	SB 196 Pending	Requires a business that provides an online product, service or feature that a child is reasonably likely to access to identify, evaluate and mitigate risks to child from online product, service or feature. Restricts the manner in which a business may collect or use the personal information of a child. Requires a business that provides an online product, service or feature that a child is reasonably likely to access to complete and retain a data protection impact assessment. Requires a business to provide upon request the completed assessment to the attorney general. Authorizes the attorney general to bring an action for injunctive relief, civil penalties or attorney fees and enforcement costs and disbursements against a business for violations. Establishes a task force on age-appropriate design. Requires the task force to study how children access, use and are affected by online products, services and features and the methods for mitigating risks. Provides that the requirements and restrictions become operative July 1, 2024. Sunsets the task force on Jan. 2, 2025.	Children’s Online Privacy; Studies, Task Forces or Commissions
Oregon	SB 619 Pending	Permits consumers to obtain from a controller that processes consumer personal data confirmation as to whether the controller is processing the consumer’s personal data and categories of personal data the controller is processing, a list of specific third parties to which the controller has disclosed the consumer’s personal data and a copy of all of the consumer’s personal data that the controller has processed or is processing. Permits a consumer to require a controller to correct inaccuracies in personal data about the consumer, require the controller to delete personal data about the consumer or opt out from the controller’s processing of the consumer’s personal data under certain circumstances. Requires a controller to provide to consumers reasonably accessible, clear and meaningful privacy notice that lists categories of personal data the controller processes, describes the controller’s purpose for processing personal data, describes how a consumer may exercise the consumer’s rights with respect to personal data, lists the categories of personal data that a controller shares with third parties, list all categories of third parties with which the controller shares personal data and provides other information. Specifies duties of, and prohibits specified actions of, a controller and of a processor that acts at the controller’s direction. Permits the attorney general to investigate violations of the act and to bring action to seek a civil penalty of not more than $7,500 for each violation. Permits a consumer or class of consumers to bring action after a specified date for ascertainable loss of money or property resulting from violation of act.	Comprehensive
Pennsylvania	None
Puerto Rico	HB 129 Pending	Establishes the Charter of Digital Rights of Puerto Rico in order to safeguard the human rights of people in the digital sphere.
Puerto Rico	HB 262 Pending	Creates the Law for the Protection of Cyber Privacy of Our Children and Young People in order to prohibit any operator, employee or agent of an internet page classified as a social network, as defined herein, from publishing and or disclosing personal information of underage users residing in Puerto Rico, beyond the name and city where they reside, without the express consent of these and that of the father, mother or guardian with parental authority.	Children’s Online Privacy
Puerto Rico	HB 655 Pending	Establishes the Electronic Information Privacy Law in order to protect the right to privacy of individuals regarding information stored on an electronic device or transmitted to a remote computer service provider.	ISP Privacy
Puerto Rico	HB 1548 Pending	Relates to the law for the protection of data and information of the consumer, in order that the consumer must give his informed consent on the collection, use and access of the information that he provides, by virtue of a request by any resident individual of Puerto Rico who establishes a business, legal entity incorporated or organized under the laws of Puerto Rico or of any jurisdiction of the United States, or a foreign corporation that has an office or other fixed location and that operates.
Puerto Rico	SB 882 Pending	Relates to law for the protection of digital privacy; protects the personal information of consumers and guarantee the right to privacy in the digital age.
Rhode Island	HB 5354 Pending	This bill requires online service providers and commercial websites that collect, store and sell personally identifiable information to disclose what categories of personally identifiable information they collect and to what third parties they sell the information. This bill would not prohibit the collection or sale of personally identifiable information and would not require the retention or disclosure of personally identifiable information by online service providers or commercial websites. Any intentional disclosure of personal information in violation of the provisions of this act would be punishable by a fine of not less than $100 nor more than $500 per disclosure with sole enforcement of its provisions vested in the department of the attorney general. This act would take effect on Jan. 1, 2024.	Website Privacy
Rhode Island	SB 146 Pending	This bill prohibits the use of facial recognition technology and biometric recognition technology in video-lottery terminals at pari-mutuel licensees in the state or in online betting applications. This bill also prohibits the use of certain other technologies in state gaming operations. The prohibition would not apply to standardized rewards programs.	Biometrics or Facial Recognition
A. Samoa	Not available
South Carolina	HB 3547 Pending	Adds section 63-5-380 so as to prohibit the collection of personal information from children by operators of websites, online services, and online or mobile applications and to establish penalties.	Children’s Online Privacy
South Carolina	SB 156 Pending	Adds section 58-1-70 so as to prohibit natural gas or electric public utilities from disclosing customer information to a third party without the express consent of the customer.	Other Consumer Privacy
South Dakota	SB 192 Pending	Provides liability for the publishing or distributing of material harmful to minors on the internet and the wrongful retention of individually identifiable information.	Other Consumer Privacy
Tennessee	HB 932 Pending SB 339 Pending	Enacts the "Consumer Biometric Data Protection Act."	Biometrics or Facial Recognition
Tennessee	HB 965 Pending SB 1379 Pending	Prohibits a financial institution from releasing or providing the account balance or transaction activity of an account to a person without first obtaining the account holder's express permission or without a warrant issued by a judicial officer located in this state.	Other Consumer Privacy
Tennessee	HB 1181 Pending SB 73 Pending	Enacts the "Tennessee Information Protection Act."	Comprehensive
Tennessee	HB 1486 Pending SB 1353 Pending	Prohibits a business entity from retaining a copy, in an electronic or other format, of a person's identification unless the retention of that copy is specifically required by federal or state law, or the business entity obtains the express consent of the holder of that identification; prohibits a business entity from refusing to transact business with a person solely on the basis that the person refuses to provide express consent to the business entity or its agent, employee, or contractor retaining the copy; makes a violation a Class B misdemeanor that constitutes an unfair or deceptive act under the Consumer Protection Act of 1977.	Other Consumer Privacy
Texas	SB 704 Pending	Relates to the capture and use of an individual's biometric identifiers, specimen, or genetic information by a governmental body or peace officer or by a person for commercial purposes; authorizes civil penalties.	Consumer Genetic Privacy
Texas	SJR 23 Pending	Proposes a constitutional amendment establishing the right to be free from governmental intrusion or interference into an individual's private life.	Constitutional Amendment
Utah	SB 139 Pending	Enacts provisions related to motor vehicle consumer data protection.	Other Consumer Privacy
Vermont	HB 121 Pending	This bill proposes to afford data privacy protections to Vermonters.	Comprehensive
Virginia	HB 1688 Pending	Requires a controller or processor to obtain verifiable parental consent, defined in the bill, prior to registering any child with the operator's product or service or before collecting, using, or disclosing such child's personal data and prohibits a controller from knowingly processing the personal data of a child for purposes of (i) targeted advertising, (ii) the sale of such personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. The bill also amends the definition of child for purposes of the Consumer Data Protection Act to include any natural person younger than 18 years of age.	Children’s Online Privacy
Virginia	SB 419 Pending	Establishes requirements for direct-to-consumer genetic testing companies, including requirements related to information to be provided to consumers, consent requirements, requirements related to security of and consumer access to genetic information, requirements for contracts between direct-to-consumer genetic testing companies and service providers, and prohibitions on disclosure of genetic information by direct-to-consumer genetic testing companies. The bill also prohibits discrimination against a consumer based on exercise of rights related to genetic information privacy and imposes civil penalties for violations of the provisions of the bill.	Consumer Genetic Privacy
Virginia	SB 1026 Failed	Requires an operator, defined in the bill, to obtain verifiable parental consent prior to registering any child with the operator's product or service or before collecting, using, or disclosing such child's personal data and prohibits a controller from knowingly processing the personal data of a child for purposes of (i) targeted advertising, (ii) the sale of such personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. The bill also amends the definition of child for purposes of the Consumer Data Protection Act to include any natural person younger than 18 years of age.	Children’s Online Privacy
U.S. Virgin Islands	None
Washington	HB 1616 Pending SB 5643 Pending	Creates a charter of people's personal data rights.	Comprehensive
Washington	HB 1799 Pending	Concerns the registration of business entities that qualify as data brokers.	Information Brokers
Washington	HR 4607 Pending	Recognizes digital privacy day.	Other Consumer Privacy
West Virginia	HB 2460 Pending	Adds sections 46A-9-1, 46A-9-2, 46A-9-3, 46A-9-4, and 46A-9-5, all relating to online privacy protection for children; defines terms; establishes actions prohibited; creates rulemaking authority; provides safe harbor for operators; and provides for enforcement by the attorney general	Children’s Online Privacy
West Virginia	HB 2964 Pending	Adds sections 61-3F-1, 61-3F-2, and 61-3F-3, all relating to online privacy protection for children; prohibits the marketing or advertising of certain products or services to minors; specifies prohibited good and services; prohibits the collection of information about minor users for marketing purposes; requires operators of website, online services, or applications to remove personal information about a minor when the information is visible to others; and specifies limited exceptions.	Children’s Online Privacy
West Virginia	HB 3339 Pending	Adds section 55-7L-1, relating to material harmful to minors; provides for legislative intent; defines terms; provides for liability for the publishing or distribution of material harmful to minors on the internet through a private right of action together with damages, attorney fees and costs; provides for reasonable age verification; provides for liability for unlawful retention of personal identifying information together with liquidated damages, attorney fees and costs; provides for exceptions; provides an effective date; and providing for related matters.	Website Privacy
Wisconsin	None
Wyoming	SJR 9 Failed	Provides for the right of individual privacy.	Constitutional Amendment

LexisNexis Terms and Conditions

Explanation of Categories

Biometrics or Facial Recognition

May require private entities to develop a written policy regarding collection or retention of biometric identifiers or may require businesses to allow a consumer to opt out of the sale of biometric information. Some legislation may apply only to a specific type of biometric, e.g., voice recognition or facial recognition, or to all types of biometric information.
Children's Online Privacy

Generally prohibits the collection of information about minor users for marketing purposes and requires operators of website, online services, or applications to remove personal information about a minor. (Does not include legislation that references incorporation of the requirements of the federal Children's Online Privacy Protection Act, 15 USC 6501 et seq.
Comprehensive

Broad legislation that regulates the collection, use and disclosure of personal data by businesses generally. For example, provides specific consumer rights such as the right to access, delete, or correct inaccurate information, among other rights and provisions. The comprehensive nature of these bills may mean they include other categories in this list, even if not noted.
Connected Devices

Regulates smart speakers and connected devices, e.g., may prohibit collecting, using, storing, or sharing the data obtained from a connected device without an owner’s consent.
Constitutional Amendment

Proposes an amendment to the state’s constitution to add a fundamental right to privacy.
Genetic Privacy

Regulates direct-to-consumer genetic testing companies by requiring disclosure of or consent prior to a company's collection, use, and sharing of genetic data. May prohibit insurer use of consumer genetic information. (Does not include legislation prohibiting discrimination based on genetic information collected by health providers.)
Information Brokers

May create a data broker registry and/or regulate third-party data businesses who collect the personal information of a consumer (with whom the business does not have a direct relationship).
ISP Privacy

Legislation to regulate how telecommunications or internet service providers can collect or share consumer data.
Location Privacy

May prohibit the transfer or sale of consumer geolocation or GPS data without permission or prohibit disclosing a customer's geolocation data to third parties.
Other Consumer Privacy

Miscellaneous legislation, e.g., may require disclosures to consumers regarding personal information collected, or relates to privacy protections only for a specific industry or online service, etc.
Studies, Task Forces, or Commissions

Legislation requiring a study of consumer privacy issues or creating a task force, advisory body, commission or other regulatory, advisory or oversight entity.
Website Privacy

Legislation to require an operator of a commercial website or online service that collects personally identifiable information to notify customers about its personal information sharing practices or to require consent before sharing internet browser information.

Contact NCSL
For more information on this topic, use this form to reach NCSL staff.
Email
Full Name
What is your role?
Message
Captcha
Admin Email

Related Resources

Updated December 14, 2022

NCSL 50-State Searchable Bill Tracking Databases

Find the most comprehensive and complete 50-state information in NCSL's searchable bill tracking databases.

Technology

Database

Updated March 13, 2023

Supreme Court Voices Hesitation in Case Involving Speech Protections for Big Tech

In the case Gonzalez v. Google, plaintiffs argue that social media platforms can be held liable for the speech they publish. But Google claims Section 230 of the Communications Decency Act provide it immunity.

State-Federal Technology

State Legislatures News

Updated February 15, 2023

State 9-1-1 Bill Tracking Database

State 9-1-1 legislation tracking database, including bills related to e9-1-1 and Next Generation 9-1-1

Technology

Database

Summary 2023 Consumer Data Privacy Legislation

Overview

Explanation of Categories

Biometrics or Facial Recognition

Children's Online Privacy

Comprehensive

Connected Devices

Constitutional Amendment

Genetic Privacy

Information Brokers

ISP Privacy

Location Privacy

Other Consumer Privacy

Studies, Task Forces, or Commissions

Website Privacy

Contact NCSL

Related Resources

NCSL 50-State Searchable Bill Tracking Databases

Supreme Court Voices Hesitation in Case Involving Speech Protections for Big Tech

State 9-1-1 Bill Tracking Database

Contact Us

Denver

Washington, D.C.