So far into 2025, we continue to see productivity from state legislatures addressing consumer privacy, with 19 new state comprehensive privacy bills introduced across 10 state legislatures. It is still early in the legislative season—most introduced bills have not begun to advance through the legislative process with hearings and work sessions yet. However, Washington’s HB 1671 stands out in this regard with the scheduling of a public hearing in Washington’s House Committee on Technology, Economic Development, & Veterans just 5 days after introduction.
The Washington proposal is also notable because the state has attempted numerous times in the past to pass a comprehensive privacy law to no avail (despite separately passing a law that protects consumer health data specifically). The hurdle in previous years was whether the law would include a private right of action. The current proposal (as it stands) does include a private right of action that is enforceable through the state’s general consumer protection statute and has already received pushback from industry groups.
Additionally, and unsurprisingly, Massachusetts and Illinois have also submitted early proposals for comprehensive privacy laws, with Massachusetts placing an impressive 6 bills on the docket since the start of its legislative session (although, as we noted in the last update, three of these bills are versions of the same re-introduced bill, the Massachusetts Data Privacy Act, from prior sessions). Maine has yet to introduce a new bill since the start of session, despite a fairly successful run last year for its Data Privacy and Protection Act, which passed in the House but was rejected by the Senate last April.
On the other end of the spectrum, Mississippi’s SB 2500, which adopted aspects of the Utah model with narrower substantive protections (e.g. no recognized right to correct information and no required data protection assessments), has already died in committee.
This blog post summarizes the most notable updates with regard to state comprehensive privacy law proposals. Please follow the WilmerHale Privacy and Cybersecurity Blog to stay up to date on these developments and others.
HIGHLIGHTS FROM THIS WEEK’S UPDATE
States with existing comprehensive data privacy laws are also amending their laws. In the past weeks, the Virginia legislature has introduced several amendments to the Virginia Consumer Data Protection Act (VCDPA), such as SB 1023 that would prohibit the sale of precise geolocation data, which is a growing trend among privacy bills this year. Virginia is also seeing movement on SB 854, an amendment that adds some social media platform regulations to the VCDPA, which contrasts with other state efforts (for example, Nebraska’s LB 383, Pennsylvania’s SB 22, and South Carolina’s S 268) that propose standalone bills to regulate social media platforms with particular focus on interactions with minors. Iowa’s Consumer Data Protection Act, which just went into effect on January 1, 2025, already has a proposed amendment, SF 143, which would increase the statutory age of a “child” from 13 to 18 and add health data to the definition for “sensitive data.”
There have also been some notable features in the bills that have been introduced since our last update. Mississippi’s SB 2779 joins two other bill proposals from Massachusetts and Illinois that include a CCPA-style provision creating a limited private right of action for consumers impacted by security breaches. Both of New York’s introduced bills, SB 3044 and A 974 (profiled in the last update), are re-introduced bill versions from prior legislative sessions that, among other revisions, have removed a proposed private right of action. Finally, Washington’s HB 1671 adds a new term—“consumer health data”—to the standard set of definitions, in alignment with the state’s My Health, My Data Act. The bill notes that controllers and processors that collect or process consumer health data may be subject to additional privacy requirements under the state’s My Health, My Data Act and consistently references the Act as the authority for regulating consumer health data.
NEW PROPOSALS
Unless otherwise noted, all the newly introduced comprehensive privacy bills share some common features, such as the creation of consumer privacy rights and requirements for privacy notice. The consumer privacy rights proposed in these bills typically include the right to confirm whether a controller is processing a consumer’s personal information; the rights to access, correct, or delete personal information; and the right to data portability. Although it may be phrased differently, these bills typically create a right to opt-out of the processing of personal information for purposes of selling data or targeted advertising. These introduced bills also require controllers to provide consumers with information (often via a privacy notice) that includes the categories of personal information processed; the purposes for the data processing; a description of how to exercise data rights; and information regarding any data that is sold to third parties.
The summaries below detail additional key components found in the newly introduced bills:
Massachusetts
- Bill Title: Comprehensive Massachusetts Consumer Data Privacy Act (House Bill 4073) (Senate Bill 2520)
- Date of Introduction: Docketed on January 15, 2025.
- Current Status: As of February 4, these companion bills remain on the docket to be introduced.
- Key Provisions:
- Applies to persons that conduct business in Massachusetts or produce products or services that are targeted to residents of the State and during a calendar year that: (1) control or process personal data of at least 100,000 consumers; or (2) control or process personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data.
- In addition to the exemptions typically found in these comprehensive privacy bills*, this bill also exempts national securities associations registered with the SEC and certain personal data processed by air carriers subject to the Airline Deregulation Act.
- Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
- Defines “sale” to include the exchange of personal data for other valuable consideration as well as monetary consideration.
- Creates rights for consumers, including: the right to confirm whether a controller is processing the consumer’s personal data; the right to access that personal data; the right to correct inaccuracies; the right to delete personal data; the right to data portability; and the right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions with legal (or similarly significant) effects.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that an active email address or other online contact information be included in the privacy notice.
- Controllers must “clearly and conspicuously disclose” the manner in which consumers may opt out of processing for purposes of sale of personal data or targeted advertising, if the controller performs such processing.
- Incorporates privacy by design principles, such as reasonable security measures and data minimization.
- Prohibits controllers from processing sensitive data without obtaining the consumer's consent.
- Grants exclusive enforcement authority to the Massachusetts Attorney General.
- Requires that the Massachusetts AG provide entities with a sixty-day cure period before initiating an enforcement action, if the AG has determined that a cure is possible.
Mississippi
- Bill Title: Mississippi Consumer Data Privacy Act (Senate Bill 2779)
- Date of Introduction: January 20, 2025
- Current Status: As of February 4, SB 2779 has been referred to the Mississippi Senate Judiciary, Division A Committee (1/20/2025).
- Key Provisions:
- Applies to businesses that collect consumers’ personal information and determine the purposes and means of the processing, do business in Mississippi, and satisfy at least one of the following thresholds: (1) have annual gross revenue of more than $10 million; (2) annually buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers; and/or (3) derive 50% or more of annual revenue from selling consumers’ personal information.
- Defines “personal information” to include “browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement;” geolocation data; and “professional or employment-related information.”
- Establishes many of the typical consumer rights, but does not recognize a right to correct (similar to laws in Utah and Iowa) or a right to data portability. However, it imposes numerous transparency requirements for businesses to disclose information upon consumer request.
- Also establishes the right to opt out of the processing of personal data for purposes of targeted advertising or sale of personal data.
- Creates a limited private right of action for consumers impacted by personal information security breaches, allowing those consumers to seek the greater of actual damages or between $100 and $750 per consumer per incident.
- Requires that businesses inform consumers of how they may exercise data rights; the categories of personal data shared with third parties; and an active email address or other online mechanism consumers can use to contact the controller.
- Businesses must also “clearly and conspicuously disclose” the manner in which consumers may opt out of processing for purposes of sale of personal data or targeted advertising, if the controller performs such processing.
- Imposes civil penalties of up to $7,500 per violation.
[WH Note: As of February 4, 2025, another Mississippi bill, the Mississippi Consumer Data Protection Act (Senate Bill 2500), has already died in committee. This proposed bill was modeled after Utah’s comprehensive privacy law and only required that consumers have the ability to opt out of the processing of their sensitive data (i.e., there was no affirmative consent required to process sensitive consumer data). The bill also proposed a 90-day cure period.]
New York
- Bill Title: New York Privacy Act (Senate Bill 3044)
- Date of Introduction: January 23, 2025
- Current Status: As of February 4, 2025, SB 3044 has been referred to the Senate’s Internet and Technology Committee (1/23/25).
- Key Provisions:
- Applies to legal persons that conduct business in New York or produce products or services targeted to New York residents and either: a) have annual gross revenue of $25M or more; b) control or process the personal data of 50,000 or more consumers; or c) derive over fifty percent of gross revenue from the sale of personal data.
- In addition to the exemptions typically found in these comprehensive privacy bills*, this bill also exempts personal data regulated by section 2d of the education law.
- Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
- Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Requires consent to process consumers’ personal data for certain purposes, and to make changes to existing processing or processing purposes that may result in less protection of data than the processing to which a consumer has consented.
- Incorporates privacy by design principles, such as purpose limitation and reasonable safeguards to protect consumer data.
- Requires data protection assessments for activities that present heightened risk of harm.
- Requires data brokers to register, pay an annual fee to the New York AG, and submit information regarding their data use practices including a description of the method of processing consumer requests.
- Authorizes the Attorney General to enforce against alleged violations and engage in rulemaking efforts.
- The New York AG can bring action to enjoin any violation, to obtain restitution and disgorgement of any money or property obtained by the violation, and to obtain civil penalties of up to $20,000 per violation.
- Creates penalties for data brokers that fail to register or that submit false information in registration. Creates civil penalty of $1,000 for each day the data broker fails to register or correct false information, an amount equal to the fees that were due during the period it failed to register, and expenses incurred by the New York AG in the investigation and prosecution of the action.
- Would go into effect immediately, with certain sections taking effect one year after they become law.
Washington
- Bill Title: House Bill 1671
- Date of Introduction: January 28, 2025
- Current Status: As of February 4, 2025, HB 1671 was scheduled for public hearing in the House Committee on Technology, Economic Development, & Veterans (2/4/25).
- Key Provisions:
- Applies to persons that conduct business in Washington state or produce products or services that are targeted to residents of Washington state, and that collect or process the personal data of consumers.
- In addition to the exemptions typically found in these comprehensive privacy bills*, this bill also exempts information governed by the Airline Deregulation Act and information used for administering benefits.
- Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
- Definition of “consumer health data” includes “personal data that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status” (which is further extensively defined similarly to the My Health, My Data Act).
- Definition of “sale” includes exchange of personal data for other valuable consideration as well as monetary consideration.
- Exempts “obscene visual depictions,” “intimate images,” and “fabricated intimate images” disclosed without the consent of the depicted individual from the definition of “publicly available information.”
- Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt out of the processing of personal data for purposes of targeted advertising; the sale of personal data; or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
- If a consumer’s personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of such profiling, to be informed of the reason why the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.
- If the decision is determined to have been based upon inaccurate personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.
- Allows consumers to exercise their right to opt-out of the processing of their personal data for purposes of targeted advertising and sale via opt-out preference signals (to be in effect no later than December 31, 2025).
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires controllers to provide an effective mechanism for a consumer to revoke affirmative consent that is at least as easy as the mechanism by which the consumer provided their affirmative consent in the first place.
- Prohibits controllers from transferring sensitive data without obtaining a consumer’s consent.
- Requires that controllers conduct data protection assessments for high-risk data processing activities, including processing of personal data for purposes of targeted advertising, sale of personal data, and specified types of profiling, as well as the processing of sensitive data.
- A violation of this act would constitute an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act (which means that it would include a private right of action). All other enforcement is precluded.
- Section 12 of this act (outlining enforcement) would take effect on August 1, 2026.
West Virginia
- Bill Title: Consumer Data Protection Act (House Bill 3498)
- Date of Introduction: January 25, 2025
- Current Status: As of February 4, 2025, HB 3498 was introduced to the House Committee on Education. [WH Note: This bill was previously introduced in 2023 and 2024 (when it passed the House). The bill introduced in 2025 is the 2023 version.]
- Key Provisions:
- Applies to persons that (1) conduct business in West Virginia or target products or services to West Virginia residents and (2) in a calendar year, control or process the personal data of at least 100,000 West Virginia residents; or control or process data of at least 25,000 West Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
- This bill contains many of the typical exemptions found in comprehensive privacy bills.* Notably, the 2024 version of this bill also exempted insurance companies and information governed by the Controlled Substances Act Section on the Regulation of Listed Chemicals. However, the recently introduced version of the bill does not include these exemptions.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
- Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
- Defines “sale of personal data” to include only the “exchange of personal data for monetary consideration” by the controller to any third party (i.e., exchanges for non-monetary consideration do not constitute “sales”).
- Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt-out of the processing of personal information for purposes of sale of personal information, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- The consumer rights do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.
- Incorporates privacy by design principles, such as purpose limitation and reasonable safeguards to protect consumer data.
- Prohibits controllers from processing sensitive data without a consumer’s consent.
- Requires that controllers provide consumers with a privacy notice that includes: categories of personal data processed by the controller; purposes for such processing; description of how a consumer may exercise their data rights; categories of personal data that the controller shares with a third party; and categories of third parties with which personal data is shared.
- If the controller sells personal data or processes personal data for targeted advertising, it must “clearly and conspicuously disclose such processing” as well as how a consumer may exercise the right to opt out.
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that controllers conduct data protection assessments for processing activities involving targeted advertising, sale of personal information, certain types of profiling, the processing of sensitive data, and other processing posing a “heightened risk of harm to consumers.”
- Grants exclusive enforcement authority to the West Virginia AG.
- Grants the AG limited rulemaking authority in relation to specific requirements related to assisting consumers in exercising their data rights.
- Requires the AG to provide an entity with a 30-day cure period before initiating an enforcement action.
- AG may seek civil penalties of up to $7,500 for each violation. All civil penalties will be deposited in the Consumer Privacy Fund created by the Act.
- Would take effect on January 1, 2024. [WH Note: Because this bill is a re-introduced version of a previous bill, this date is likely a drafting error.]
* Unless otherwise noted in the summaries above, the following entities and data types are typically exempted from compliance with these comprehensive privacy laws: government entities; higher education institutions; nonprofit organizations; covered entities, business associates, and protected health information subject to HIPAA; financial institutions and data governed by the GLBA; personal data governed by the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), and the Driver’s Privacy Protection Act (DPPA); and certain employment-related information.
UPDATES ON EXISTING PROPOSALS
On February 4, 2025, Hawaii’s SB 1037, the Consumer Data Protection Act, was re-referred to Commerce and Consumer Protection (CPN), Ways and Means (WAM) / Judiciary Committee (JDC).