Privacy Bracketology

April 10, 2023

Well, privacy fans and basketball geeks, it's that time of year when the NCAA tournaments are over – my bracket busted early! Never fear: it's time to choose our favorites and see who will come out the winners in Privacy Bracketology with a review of the consumer privacy legislation making its way through the 2023 U.S. state legislature sessions.




The dark horse in this race was Iowa - they hopped the field, passing a new consumer data privacy law already, which will go into effect in 2025. Let's break down the rest of the field below.



West Regional

In the West, Washington returns to the field for the fifth year in a row (we’ll call it our fifth-year senior). A veteran contender, the People’s Privacy Act (HB1616/SB5643) is a comprehensive consumer privacy bill with biometrics-specific provisions that would apply to both the public and private sectors. We'll see whether this version has the support to push through.


Oregon is a freshman contender with the new comprehensive consumer privacy bill drafted in a collaborative effort between the Oregon attorney general and a working group last fall. Oregon is also debating the Oregon Age-Appropriate Design Code, modeled after California’s recent Act.


Hawaii enters 2023 with SB 974’s Consumer Data Protection Act and SB1110/HB1497 Consumer Data Protection Act moving in parallel paths through the legislature. Both are comprehensive consumer protection versions, with the latter including the provision for private right of action.


Freshman contender Montana has matured the most this season, already progressing to cross-committee review. The Consumer Data Privacy Act (SB384) is an otherwise comprehensive approach to consumer protection which does not include private right of action.



Central Regional

Indiana is another familiar face, where Senate Bill 5 has been reintroduced after a decent showing in the 2022 legislative session. The Indiana bill is closely aligned to the Virginia Consumer Data Privacy Act (VCDPA).


Minnesota’s lawmakers are reviewing multiple bills for biometrics as well as consumer privacy. These bills are young but are expected to go far.


Illinois rebounds with a new player in the field. While other states are seeing Illinois as a model for their own Biometric Information Privacy laws, the shot clock is now running on the Illinois Data Privacy and Protection Act (HB3385). Meanwhile the Right to Know Act (HB1381) runs alongside, focused on the right to access and disclosure of personal information.


Oklahoma’s Computer Data Privacy Act (OCDPA) has a new coach sponsor and remains focused on consumer consent (opt-in) for all personal data collection.


Looking south over the state border, Texas is treating HB4 (formerly HB1844 - Texas Data Privacy and Security Act) as a priority bill. Structured similarly to VCDPA, it is riding momentum after clearing the House Business & Industry Committee with an 8-0 vote.



Southeast Regional

Kentucky and Tennessee are another pair of neighbors who return together after brief 2022 campaigns. The Kentucky Consumer Data Protection Act (SB15) and Tennessee Information Protection Act (SB73) are aligned to existing protections reflected in other states’ laws.


Another freshman, Maryland’s Online and Biometric Data Privacy Act (SB698/HB807), is a comprehensive consumer privacy bill with biometrics-specific provisions. Maryland is also considering the Biometric Data Privacy Act (HB33/SB169).


New Jersey carries a heavy bench into 2023 led by the comprehensive New Jersey Disclosure Accountability Transparency Act (SB3714/A505). Forget the details of the act: this is my winner for best acronym…do you see it? Notably, this act would establish the Office of Data Protection and Responsible Use in the NJ Division of Consumer Affairs, require affirmative consent, establish consumer rights, and regulate automated decision-making processing. The rest of the field is comprised of proposals targeting ISPs, social media and children, mobile applications and devices, and auto dealers.


Rounding out the region, Florida’s narrowly focused Technology Transparency bill (SB262) would make it illegal for government entities to make certain requests of social media platforms or establish working relationships with social media platforms under certain circumstances, require data controllers to obtain affirmative consent for certain data collections, and require reasonable security measures to protect information.



Northeast Regional

Vermont’s HB121, similar to Washington’s, is a revised and seasoned comprehensive consumer privacy bill with biometrics-specific provisions.


New Hampshire’s SB255 is another freshman contender that would give consumers the right to know when their data is being collected or stored. Consumers would also have the rights to access, correction, and deletion, and the right to opt out of sale for advertising purposes.


Massachusetts returns with the Data Privacy Protection Act (HD2281/SD745), Information Privacy and Security Act (HD3263/SD1971), and Internet Bill of Rights (HD3245) - each seeking to offer consumers control over their personal data.


The 2023 session sees Rhode Island’s slate presenting similarly to Hawaii, with Senate Bill 754, the Rhode Island Data Transparency and Privacy Protection Act, alongside House Bill 5745, the Rhode Island Personal Data and Online Privacy Protection Act. Both are similarly comprehensive consumer protection proposals, with the House version including private right of action.


New York’s roster is also crowded with several potential contenders:


  • SB3162 would grant consumer rights aligned similarly to California or Virginia’s laws.
  • SB365/A3593 New York Privacy Act would require disclosure of de-identification methods and safeguarding data sharing, as well as create a consumer right to know who their data is shared with.
  • A3308 Digital Fairness Act creates a requirement to provide notice about personal data use and establishes unlawful discriminatory practices relating to targeted advertising.
  • A2587/S4201 New York Data Protection Act focuses on data sharing by government entities or contractors.
  • SB5555 It’s Your Data Act provides protections and transparency in the collection, use, retention, and sharing of personal data.



How to Prepare?

Perhaps the American Data Privacy and Protection Act will bust this bracket at the national level? While we wait, we can do more than sit back and watch. As privacy legislation continues to be debated, there are several steps companies can take to position themselves well for the future:


  • Monitor and assess privacy practices against current and forthcoming state laws – California and Virginia are here. Colorado, Utah, Connecticut, and Iowa are on the clock. Ensure your company is in compliance before enforcement dates come to pass.
  • Incorporate industry best practices – Assess your company’s readiness against common threads across U.S. and international privacy laws. Support for the individual’s (data subject’s) privacy rights, impact assessments, and application of privacy principles (such as purpose limitation, data minimization and accountability), as well as implementing Privacy by Design (new ISO 31700), will put your company in a strong position to respond as more individuals realize data privacy rights and protections.
  • Start small – Don’t have a privacy function or program in place? It’s okay. There are steps to take at any point in your company’s privacy journey to increase and right-size privacy protections for the individuals whose data you collect to prepare for the next evolution of legislation – whether that be at the state, sector, or federal level.


Stay tuned to see how this legislative session plays out. From my perspective as a privacy geek, when privacy is at the forefront of the discussion, everyone wins. Good luck to the lawmakers who face these decisions, and to the residents of these states where their representatives are working to protect their personal information.



Jennifer Mahoney
Jennifer Mahoney has 18 years’ regulatory compliance experience in both consulting and enterprise environments. Her experience ranges from small businesses to Fortune 50 corporations particularly in the technology, state and local, manufacturing and pharmaceutical verticals. Areas of expertise include the General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA) / California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and many others.
