ARTICLE
23 April 2025

State Comprehensive Privacy Law Update – April 18, 2025

W
WilmerHale

Contributor

WilmerHale provides legal representation across a comprehensive range of practice areas critical to the success of its clients. With a staunch commitment to public service, the firm is a leader in pro bono representation. WilmerHale is 1,000 lawyers strong with 12 offices in the United States, Europe and Asia.
While March featured a flurry of newly introduced comprehensive privacy bills, state legislatures now appear to be primarily focused on pushing existing proposals through the chambers.
United States Georgia Massachusetts Minnesota Oklahoma Privacy

While March featured a flurry of newly introduced comprehensive privacy bills, state legislatures now appear to be primarily focused on pushing existing proposals through the chambers. Wisconsin was the only state to introduce a new comprehensive privacy bill in the past two weeks, while Minnesota recently introduced a bill that would significantly amend its current comprehensive privacy law.

Wisconsin's AB 172 is a companion bill to SB 166, which was referred to the Senate Committee on Licensing, Regulatory Reform, State and Federal Affairs on March 27. This is not Wisconsin's first attempt to pass a comprehensive data privacy law, as last year's bill passed in the Assembly but failed in the Senate. Both bills require controllers to recognize opt-out preference signals and to regularly conduct data protection assessments for a number of processing activities, such as activities that include sensitive data, personal data that presents a heightened risk of harm to consumers, or products that are likely to be accessed by a child.

Meanwhile, Minnesota's recently introduced bill (H2700) would amend its comprehensive privacy law to add several significant privacy protections for health data, reflecting some similar language and approach established by Washington's My Health My Data Act. The bill would amend the state's privacy law to broadly define "health data" and distinguish between sharing and selling data, with "share" meaning "to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, personal data." The bill proposes a tiered approach for consent requirements regarding the sharing and selling of sensitive data, which now specifically includes health data: before selling sensitive data, entities must first obtain "separate and distinct" valid authorization, which goes beyond the prior consent required for sharing sensitive data. If passed, these amendments would be enacted on July 31, 2025, when Minnesota's comprehensive privacy law is scheduled to go into effect.

In other parts of the country, legislative committees remained busy. In Massachusetts, the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity held hearings for six of its comprehensive privacy proposals. Meanwhile, Oklahoma's consumer data privacy bill (SB 546) received a "do pass" vote from the Oklahoma House Government and Modernization Committee and has until May 30 to be passed by the House.

We're continuing to watch existing proposals closely, expecting that many won't make it out of chambers before the end of legislative sessions. Already, Georgia's Consumer Privacy Protection Act (SB 111) died after it failed to make it out of the House before Georgia's legislature adjourned on April 4, 2025, and Oklahoma's Computer Privacy Act (HB 1012) met a similar fate after it failed to make it out of the House before Oklahoma's crossover deadline on March 27, 2025. Similarly, Arkansas' Digital Responsibility, Safety, and Trust Act (SB 258) died after it failed to pass the Senate twice on its third reading.

This blog post summarizes the most notable updates with regard to state comprehensive privacy law proposals and a few notable amendments to existing comprehensive privacy laws. Please follow the WilmerHale Privacy and Cybersecurity Blog to stay up to date on these developments and others.

NEW PROPOSALS

Unless otherwise noted, all the newly introduced comprehensive privacy bills share some common features, such as the creation of consumer privacy rights and requirements for privacy notice. The consumer privacy rights proposed in these bills typically include the right to confirm whether a controller is processing a consumer's personal information; the rights to access, correct, or delete personal information; and the right to data portability. Although it may be phrased differently, these bills typically create a right to opt-out of the processing of personal information for purposes of selling data or targeted advertising. These introduced bills also require controllers to provide consumers with information (often via a privacy notice) that includes the categories of personal information processed; the purposes for the data processing; a description of how to exercise data rights; and information regarding any data that is sold to third parties.

The summaries below detail additional key components found in the newly introduced bills:

Wisconsin

  1. Bill Title: Assembly Bill (AB 172)
  2. Date of Introduction: April 9, 2025
  3. Current Status: As of April 18, 2025, AB 172 has been referred to the House Committee on Consumer Protection (4/9/2025)
  4. Key Provisions:
    [WH note: This bill was likely introduced as the companion bill to SB 166 (which was profiled in the April 7th update)]

KEY AMENDMENT PROPOSALS TO EXISTING STATE LAWS

Minnesota

  1. Bill Title: House File 2700 / Senate File 2940
  2. Date of Introduction: March 24, 2025
  3. Current Status: As of April 18, 2025, HF 2700/SF2940 has been referred to the Judiciary Finance and Civil Law (3/24/25)
  4. Key Provisions:
  • Defines "health data" broadly to mean "personal data that identifies a consumer's past, present, or future mental or physical health status" and includes "data that identifies a consumer's seeking or obtaining health care services or supplies [or information about services or supplies] in the past, present, or future."
    • Also specifies that information derived or extrapolated from personal data (including data processed via machine learning) that is not itself health data could also fall within scope.
  • Distinguishes between "sale"/ "selling" and "share"/ "sharing" (which is a newly defined term in the proposal). The bill defines "share" more broadly to mean "to release, disclose, disseminate, divulge, make available, provide access to, license, or otherwise communicate orally, in writing, or by electronic or other means, personal data."
  • Requires a consumer's prior consent to share sensitive data, which must be "separate and distinct" from any consent to process consumer health data.
  • Requires "valid authorization" before an entity may sell or offer to sell a consumer's sensitive data. This valid authorization must be "separate and distinct" from the consent to share sensitive data (outlined above).
    • In addition to many specific requirements for the authorization, a copy of the signed valid authorization must be provided to the consumer and retained by the seller and purchaser of the sensitive data for six years from the date of signature or the date when it was last in effect, whichever is later.
  • Prohibits the implementation of a geofence around a location that provides in-person health care services or supplies, where the geofence is used to identify or track a consumer seeking such care, collect health data, or send notifications or advertisements to a consumer relating to health data, health care services, or health supplies.
  • Would go into effect on July 31, 2025.

UPDATES ON EXISTING PROPOSALS

Committee Referrals

  • Illinois' Privacy Rights Act (SB 52) was re-referred to the Illinois Senate's Assignments Committee on April 11, 2025.
  • On April 9, 2025, Oklahoma's consumer data privacy bill (SB 546) received a do pass vote from the Oklahoma House Government and Modernization Committee. The bill previously passed the Oklahoma Senate and has until May 30 to be passed by the House.

Hearings, Meetings, and Work Sessions

  • On April 9, 2025, Alabama's consumer data privacy bill (HB 283) was reported out of the House Committee on Commerce and Small Business, read for the second time, and placed on the Calendar.
  • On April 9, 2025, Massachusetts' Joint Committee on Advanced Information Technology, the Internet and Cybersecurity held hearings on the Massachusetts Data Privacy Act (S 45, S 29, H 104), the Massachusetts Consumer Data Privacy Act (H 78), and the Comprehensive Massachusetts Consumer Data Privacy Act (S. 33, H. 80).

Bill Deaths

  • Arkansas' Digital Responsibility, Safety, and Trust Act (SB 258) died after it failed to pass the Senate twice on its third reading.
  • Georgia's Consumer Privacy Protection Act (SB 111) died after it failed to make it out of the House before Georgia's legislature adjourned on April 4, 2025. Previously, SB 111 passed in the Senate on March 3, 2025.
  • Oklahoma's Computer Privacy Act (HB 1012) died after it failed to make it out of the House before Oklahoma's crossover deadline on March 27, 2025.

* Unless otherwise noted in the summaries above, the following entities and data types are typically exempted from compliance with these comprehensive privacy laws: government entities; higher education institutions; nonprofit organizations; covered entities, business associates, and protected health information subject to HIPAA; financial institutions and data governed by the GLBA; personal data governed by the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), and the Driver's Privacy Protection Act (DPPA); and certain employment-related information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More