As we approach the end of many states' legislative sessions, we're seeing more action in committees and fewer introductions of new proposals. There are no new comprehensive privacy law proposals to cover since our last update two weeks ago. However, some state legislatures appear to be focused on pushing bills through the chambers before sessions come to a close. We especially have our eye on Alabama's HB 283, which was unanimously passed by state House representatives and now has until May 15 to pass in the Senate. The introduction of HB 283 came in the wake of a 3-year break from comprehensive privacy proposal introductions in Alabama. It is similar to the business-friendly Virginia model and would impose requirements related to data protection assessments for high-risk data processing activities, consent for the processing of sensitive data, and a 60-day cure period from the state AG. We are also closely tracking Oklahoma's SB 546, which has already passed out of the state Senate and gained "do pass" recommendations from two House committees. Oklahoma's legislative session will adjourn on Friday, May 30, 2025, so there is still time for a vote in the House.
In addition to these updates for state comprehensive privacy bills, another notable development in US state privacy law was the passage of the Arkansas Children and Teens' Online Privacy Act (HB 1717), which Governor Sarah Huckabee Sanders signed into law on April 21, 2025. The law takes effect on July 1, 2026 and establishes requirements similar to those of the federal Children's Online Privacy Protection Act (COPPA) and the new COPPA rule amendments. Among other provisions, the Arkansas law prohibits entities from collecting personal information from children and teens for the purposes of targeted advertising (if the entity has "actual knowledge" that it is collecting information from children or teens) and establishes data minimization requirements.
We have also reached the time of year when introduced bills, both for comprehensive privacy and sector-specific privacy laws, fail to progress due to missed crossover deadlines or the ending of the legislative session. For example, New Mexico's Health Data Privacy Act (HB 430), which aimed to establish more privacy protections for consumer health data, failed to progress out of committee before New Mexico's legislature adjourned on March 22, 2025. Similarly, Illinois' effort to establish a comprehensive privacy law effectively ended when it missed the crossover deadline. Still, several states (Massachusetts, New York, North Carolina, Pennsylvania, and Wisconsin) have multiple introduced comprehensive privacy bills that could continue to progress.
This blog post summarizes the most notable updates with regard to state comprehensive privacy law proposals. Please follow the WilmerHale Privacy and Cybersecurity Blog to stay up to date on these developments and others.
UPDATES ON EXISTING PROPOSALS
Committee Referrals
- Alabama's comprehensive privacy law proposal (HB 283) was referred to the state's Senate Committee on Fiscal Responsibility and Economic Development on April 24, 2025. The bill unanimously passed in the state House on April 22 and the state Senate has until May 15 to pass the bill before the legislature closes.
- North Carolina's Personal Data Privacy and Social Media Safety Act (HB 462) was re-referred to the state's House Committee on Commerce and Economic Development on April 29, 2025. This re-referral comes after the state's House Committee on Judiciary 3 offered a substitute bill,
- Oklahoma's comprehensive privacy law proposal (SB 546) received a "do pass" recommendation from the state's House Commerce and Economic Development Committee on April 24, 2025, following a 15-2 committee vote. The bill unanimously passed in the state Senate on March 26, 2025.
- Pennsylvania's Consumer Data Privacy Act (HB 78) was re-referred to the state's House Appropriations Committee on April 23, 2025, after the bill was amended earlier that day. The amended bill expanded the definition of sensitive data to include personal data that would reveal social security numbers, driver's license and state identification numbers, and financial information found in combination with any access code or password.
Bills that Failed to Pass
- Illinois' Privacy Rights Act (SB 52) and Data Privacy and Protection Act (HB 3041) did not make it out of their respective chambers before the state's April 11th crossover deadline.