2023 State Privacy Roundup: From Momentum to Maturity
In 2023, U.S. states accelerated the evolution of privacy law, enacting new comprehensive statutes while expanding regulation of AI, children's privacy, biometrics, genetic data, and consumer rights. This roundup examines the year's most significant legislative developments.
U.S. privacy regulation is no longer waiting for Washington, D.C.
In 2023, state legislatures across the United States continued to expand the nation’s privacy landscape, demonstrating sustained momentum in the absence of comprehensive federal legislation. According to the National Conference of State Legislatures (NCSL), at least 40 states and Puerto Rico introduced or considered over 400 privacy-related bills, with a record number of comprehensive consumer privacy laws passing into law. The shift from incremental change to deliberate diversification underscored a growing truth: U.S. privacy regulation is no longer waiting for Washington, D.C.
More than a dozen states introduced — but did not enact — comprehensive privacy legislation in 2023, including Oregon, New Jersey, New Hampshire, Pennsylvania, and Hawaii. Several targeted sector-specific areas such as biometric data (New York, Illinois, Maryland), children’s online safety (Utah, Arkansas, Louisiana), and data brokers and artificial intelligence (Texas, Vermont, Colorado).
Iowa, Indiana, Tennessee, Montana, and Delaware all enacted comprehensive consumer data privacy statutes — each drawing from, but diverging from, the Virginia and California models — solidifying the role of the states as the vanguard of U.S. privacy. Each of these five statutes took effect between 2024 and 2025, creating new compliance pressures and reinforcing the divergence in state approaches.
According to the NCSL Consumer Data Privacy Legislation Report (2023):
- Iowa’s Data Privacy Act (SF 262) establishes basic consumer rights — access, deletion, and opt-out — while offering businesses generous thresholds and no private right of action.
- Indiana’s Consumer Data Protection Act (SB 5) mirrors Virginia’s VCDPA but grants the Attorney General exclusive enforcement authority.
- Tennessee’s Information Protection Act (TIPA) adds a novel twist — providing businesses a “safe harbor” if they adopt National Institute of Standards and Technology (NIST)-aligned privacy frameworks.
- Montana’s Consumer Data Privacy Act (SB 384) is broader than most, covering smaller businesses and including sensitive data protections.
- Delaware’s Personal Data Privacy Act (HB 154) is among the most expansive, applying to entities that process data of only 35,000 consumers and including minors under 18 — a significant departure from the typical 13–16 cutoff.
Across 2023’s wave of privacy legislation, common consumer rights and structural safeguards continued to converge, even as states diverged sharply on scope, enforcement, and remedies.
Common Elements include:
- Consumer rights: access, deletion, and correction.
- Opt-out rights: for targeted advertising and sale of data.
- Data protection assessments: increasingly required for high-risk processing.
- Sensitive data categories: including race, health, sexual orientation, and biometrics.
Key Divergences include:
- Applicability thresholds: ranging from Delaware’s 35,000 to Iowa’s 100,000 consumer minimum.
- Enforcement: varying from AG-led (Indiana, Iowa) to hybrid or rulemaking bodies (California).
- Private right of action: still absent from most state laws except California’s.
Meanwhile, California maintained its leadership through ongoing California Privacy Protection Agency (CPPA) rulemaking to operationalize the CCPA. The CPPA advanced detailed regulations on automated decision-making, dark patterns, and risk assessments — reinforcing California’s dual status as both benchmark and outlier: a state whose regulatory depth continues to shape national compliance expectations even beyond its borders.
As privacy statutes matured, new categories emerged at the frontier of legislative attention:
- Artificial Intelligence and Automated Decision-Making: States like Colorado and California began defining “profiling” and requiring algorithmic impact assessments.
- Children’s Privacy: Following the UK’s Age-Appropriate Design Code, several states considered laws restricting social media data collection for minors under 18.
- Interoperability and Harmonization: The Uniform Law Commission initiated work toward a Model State Privacy Act, though adoption remains aspirational.
2023 Enactments
- Arizona’s H 2066 requires banks and financial institutions to destroy a former customer’s personal information within a specified period after the business relationship ends.
- Arizona’s S 1221 allows licensed hospitals to request criminal-justice agency assistance to identify incapacitated or deceased unidentified patients.
- Arkansas’ S 396 creates the Social Media Safety Act, requiring age verification and parental consent for minors to access social-media platforms.
- California’s A 127 amends the California Age-Appropriate Design Code Act by establishing the Children’s Data Protection Working Group under the Attorney General.
- California’s A 254 revises the definition of medical information to include reproductive or sexual health application data and classifies businesses offering such digital services as health care providers under the Confidentiality of Medical Information Act.
- California’s A 352 requires businesses that electronically store or maintain medical information on behalf of health-related entities to implement, by a specified date, security policies and systems that restrict user access and segregate data related to gender-affirming care and abortion services.
- California’s S 793 codifies the Insurance Information and Privacy Protection Act, mandating clear annual privacy notices for insurance customers.
- Connecticut’s S 3 addresses online privacy, data, and safety protections.
- Connecticut’s S 1058 adopts consumer-protection recommendations requiring pricing transparency for ticketed entertainment events.
- Delaware’s HB 154 enacts a comprehensive privacy statute with particular focus on protecting minors under 18.
- Florida’s S 262 establishes the Technology Transparency Act, a comprehensive privacy law prohibiting unfair data practices and regulating digital services accessed by children.
- Florida’s S 662 creates the Student Online Personal Information Protection Act, prohibiting misuse of student data and authorizing enforcement under the state’s deceptive-practices law.
- Hawaii’s S 1 protects individual privacy and bodily autonomy, including for minors, and prohibits enforcement of other states’ civil or criminal laws related to reproductive health care services.
- Indiana’s S 5 enacts a comprehensive privacy law that largely mirrors the Virginia model, granting consumer rights and imposing controller/processor duties.
- Iowa’s S 262 establishes a consumer data protection framework with no private right of action and enforcement authority limited to the Attorney General.
- Louisiana’s S 162 creates the Secure Online Child Interaction and Age Limitation Act, regulating minors’ social-media data and requiring age verification and parental consent.
- Maryland’s H 812 regulates how custodians of public records, health information exchanges, and electronic health networks disclose information related to legally protected health care, requires the Maryland Health Care Commission to limit data sharing on such patients, and establishes the Protected Health Care Commission.
- Minnesota’s S 2744 establishes a biennial budget for the Department of Commerce, regulates financial institutions and insurance, provides consumer protections and privacy measures, imposes civil and criminal penalties, and appropriates funds.
- Mississippi’s S 2346 regulates children’s exposure to pornographic media by requiring commercial entities that provide such content to implement age verification systems and establishing liability for entities that fail to do so.
- Montana’s S 154 clarifies that Montana’s constitutional right of privacy does not extend to abortion.
- Montana’s S 351 creates the Genetic Information Privacy Act, requiring notice, consent, and limits on the use of genetic data.
- Montana’s S 384 enacts the Montana Consumer Data Privacy Act, establishing consumer rights and obligations for controllers and processors of personal data.
- Montana’s S 544 imposes liability for publishing or distributing material harmful to minors online and requires age verification.
- Nevada’s S 370 requires entities that handle consumer health data to publish an online privacy policy, obtain affirmative consumer consent before collecting or sharing such data in certain cases, and fulfill specific consumer requests regarding their health information.
- New York’s A 2896 authorizes the Public Service Commission to conduct management and operations audits of gas and electric corporations, requiring the audits to evaluate customer privacy protections and classifying customer energy consumption data as confidential.
- Oregon’s H 2052 requires data brokers to register with the Department of Consumer and Business Services before collecting, selling, or licensing brokered personal data within the state.
- Oregon’s S 619 enacts the Oregon Consumer Privacy Act, granting rights to confirm and access personal data, receive lists of third-party disclosures, and obtain copies of processed data.
- Pennsylvania’s H 739 enacts an Insurance Data Security law requiring insurers to implement cybersecurity standards consistent with NAIC’s model.
- South Dakota’s H 1240 provides that a court must grant an interested person access to a protected person’s medical or financial records if such access is found to be in the protected person’s best interest, and if denied, the court must issue written findings explaining the denial.
- South Dakota’s S 198 allows medical cannabis establishments to retain a cardholder’s personal information with written consent, solely for communicating about the cardholder’s medical needs or specific product use.
- Tennessee’s H 1181 requires data controllers to comply with authenticated consumer requests to confirm and access any personal information being processed.
- Tennessee’s H 1310 requires direct-to-consumer genetic testing companies to provide consumers with clear information and a public privacy notice about their genetic data practices and to obtain the consumer’s express consent before collecting, using, or disclosing such data.
- Texas’ H 4 enacts the Texas Data Privacy and Security Act, regulating collection, use, and processing of personal data and imposing civil penalties for violations.
- Texas’ H 18 protects minors from harmful and deceptive digital trade practices related to electronic devices and online services.
- Texas’ H 1181 requires reasonable age verification for access to pornographic materials online and establishes civil penalties for violations.
- Texas’ H 2545 establishes property rights in individuals’ genetic data and restricts its commercial use by testing companies.
- Texas’ S 2105 regulates third-party data-collection entities, requiring disclosure of data-broker status and accessible notices to the public.
- Utah’s H 492 amends the Abuse of Personal Identity Act to permit use of lawfully obtained public data in marketing, provided it does not imply endorsement.
- Utah’s S 152 requires social media companies to verify users’ ages, obtain parental consent for minors, prohibit accounts for those below legal age limits, and establish a private right of action for violations.
- Utah’s S 265 amends student data-sharing rules, prohibiting certain disclosures, restricting education entities from sharing student data with federal agencies except as required by law, and extending the state board’s deadline for integrating data with local education agencies.
- Utah’s S 287 holds commercial entities liable if they knowingly publish or distribute material harmful to minors on a website containing a substantial portion of such content and fail to perform reasonable age-verification methods for users attempting to access it.
- Vermont’s H 89 concerning legally protected health care activity exempts related tortious interference cases from SLAPP protections, prohibits civil arrests tied to abusive litigation, creates a new cause of action for tortious interference, and bars courts from compelling related testimony or statements.
- Washington’s H 1155 enacts the My Health My Data Act, regulating the collection, sharing, and sale of consumer health data.
- West Virginia’s H 2004 establishes the Governmental Access to Financial Records Act, prohibiting government access to customer financial information without written consent or specific exceptions.
- Wyoming’s H 86 prohibits requiring the disclosure of a private key related to a digital asset, digital identity, or similar right except under specified conditions, and defines a private key as a unique cryptographic element paired with a public element and necessary for executing encrypted transactions.
Resources
- NCSL Consumer Data Privacy Legislation 2023 Report
- California Privacy Protection Agency (CPPA) Rulemaking Updates, 2023
