Private Right of Action, Data Minimization to Return in 2025 State Privacy Bills
Vermont and Washington state will soon introduce comprehensive privacy bills, while Connecticut will have a bill that would add data minimization rules and make other changes to its 2022 law, legislators told Privacy Daily ahead of sessions starting this month. Also, legislators in Oklahoma and South Carolina prefiled bills last month for the 2025 legislative sessions. Additional privacy bills are expected this year in several other states, said privacy lawyers and consumer advocates in other interviews.
“The momentum is there, particularly after the election, for states to redouble their efforts … to legislate in this area where Congress has not,” said Nancy Libin, a Davis Wright privacy attorney who was previously DOJ’s chief privacy and civil liberties officer. Twenty states now have privacy laws. Getting to all 50 states is possible, said Libin, noting that it happened with data breach notification laws. The task becomes easier as more states adopt a similar framework, she said. While it would be best for Congress to pass a national law, Libin said she isn’t “confident that we will see federal privacy legislation.”
Seven states enacted comprehensive privacy legislation last year, bringing the total number of state laws to 20, noted a Nov. 11 forecast by the National Conference of State Legislatures. “Debates over these laws will continue in 2025 as the remaining states consider how to balance the interests of industry and the privacy concerns of consumers.”
A vetoed 2024 Vermont privacy bill that included controversial enforcement and kids code provisions will return this month with changes -- and as three separate bills, state Rep. Monique Priestley (D) said in an interview. Priestley expects to reintroduce her privacy bill soon after Vermont's legislative session opens Wednesday, she said.
Vermont legislators last year failed to override a veto by Gov. Phil Scott (R), who said that the 2024 version created “an unnecessary and avoidable level of risk” and “would make Vermont a national outlier.” The bill would have made Vermont the first state with a broad private right of action (PRA). Also, Scott said he preferred waiting for the courts to resolve an industry lawsuit against California’s Age-Appropriate Design Code Act before Vermont enacted a similar kids code.
For the 2025 attempt in Vermont, Priestley said she plans to split the 2024 legislation into three separate measures: (1) comprehensive privacy rules, (2) kids code and (3) updates to the state’s data broker law. Priestley plans to introduce all three bills “at the beginning of [the] session,” she said. By separating the bills, Priestley hopes to dispel a major argument she heard that the 2024 measure “was too long and people didn’t have time to read it.” Substantively the bills will include “more or less what was passed,” with some updates to “keep in line with what some other states have enacted” and where the federal privacy legislation “was headed,” she said.
Priestley spent “all summer … checking in with a variety of stakeholders,” and plans to share redline changes with them next week, said the state rep. After they are introduced, the Vermont House Commerce Committee will be first to review the bills, she said. Priestley said she expects the Senate will introduce its own version of a privacy measure. But Priestley hasn’t spoken to Scott since the veto, she said. “I would welcome that.”
A PRA will return to the 2025 comprehensive privacy bill, though it’s “not going to be in the same form as when it passed,” said Priestley. While what it looks like remains in flux, the state legislator wants to show she has “heard concerns” with the provision that would let individuals file lawsuits under the privacy law, she said. “It’s important for us to keep a strong individual enforcement mechanism,” said Priestley, adding that she believes one appeared in every sectoral privacy law from the 1980s and 1990s. While Vermont might be the first state to include a PRA, it’s “definitely not the first to want it,” added Priestley: But politics often dictate whether the state can do it. “We would not be doing our citizens justice if we’re not at least having that conversation.”
In addition, Priestley said she's looking at targeted advertising requirements in the bill. “We do not want to be blocking small businesses from being able to market to and target their customers” when the customers are “expecting to be able to engage with the businesses,” she said. In general, “we’re trying to be in line with other states that are planning on strengthening their bills” in 2025, the legislator said.
It could be more challenging to overcome a Scott veto this year. In the November election, Republicans broke the Democratic supermajority in Vermont. “Perhaps the strategy for the new session is widening the tent of supporters to try to make clear … to the governor that there is a wide coalition of people that support this stuff,” said CR Policy Analyst Matt Schwartz. “It’s not just privacy groups.”
In Washington state, Rep. Shelley Kloba (D) will introduce “a comprehensive data privacy bill similar to her previous People’s Privacy Act,” she said in an emailed statement. “This new bill is based on a model bill by” Consumer Reports and the Electronic Privacy Information Center. CR and EPIC's model is based on Connecticut's law, with additions including a PRA, data minimization requirements and increased protections for children and sensitive data. Washington has tried and failed to pass a privacy bill for half a decade, with the House and Senate disagreeing on whether to include a PRA. Virginia’s 2021 law was based on a failed Washington Senate bill by former Sen. Reuven Carlyle (D).
Lessons Learned in Connecticut
Connecticut state Sen. James Maroney (D) soon plans to offer a bill to tighten the 2022 Connecticut Data Privacy Act (CDPA), he said in an interview. “We were the fifth state” to pass a state privacy law, but 15 states have followed with their own laws, said the senator: Connecticut legislators learned from those other states and a Connecticut AG report (see 2402010041).
First, Maroney aims to tighten “some of the broad exemptions” in Connecticut’s law, he said. He noted that a February state AG report found that about 70% of the privacy complaints received in the first six months of the law couldn’t be acted on because they fell under one of the law’s carve-outs. One possible change would be to convert the entity-level Gramm-Leach-Bliley Act exemption to a data-level one, so that it would carve out only data specifically regulated by the GLBA, rather than all data held by a business subject to GLBA. Maroney noted that car dealers and auto manufacturers possibly planned to claim that exemption under the entity-level mechanism, “and that wasn’t intended.”
In addition, Maroney said he wants to lower the CDPA’s applicability threshold so that the law covers businesses that control or process personal data of at least 35,000 consumers, down from 100,000 in the current law. Delaware and Maryland laws also say 35,000. CDPA currently also covers companies that control or process data of at least 25,000 consumers and derive more than 25% of revenue from selling personal data.
Data minimization “will be in the bill,” said Maroney. Maryland last year became the first state to enact a law with such requirements to limit what data a company may collect from the onset. Maroney added that he will be “trying to stay in touch” with Maryland “because I think they may be working on that further as well.”
One complication with requiring data minimization is that the policy might make it harder to detect bias, which is something that Maroney is trying to tackle in an AI bill that he also plans to introduce soon, he said. “It’s not necessary when you’re providing a product to collect information on gender or race … where there may be disparate impacts of bias. However, if we want to test our algorithms to make sure that they're not biased, sometimes we need to collect that data.” Maroney said he’s still deciding whether to address that problem through an exemption or by changing how Maryland worded the requirement.
Connecticut’s session starts Wednesday. Maroney expects a vote to draft his privacy update and AI bills by Jan. 17, he said. He predicted the bills would be heard in a committee in late January or early February.
More States
Expect a “similar level of activity” to the past couple of years, with possibly a dozen states introducing comprehensive privacy bills in 2025, predicted Schwartz. “There's a handful of states that have tried and failed over the last couple of sessions and I don't see them giving up on it quite yet,” said the CR analyst: Plus, “there’s always a handful of other ones that kind of come out of left field.” Meanwhile, if Connecticut passes an update to its privacy law, there could be a “domino effect” for other states that passed laws based on Connecticut’s model, he said.
“We aren’t far off” from having privacy laws in most states, said Sara Kloek, Software Information Industry Association vice president-education and children’s policy. “We might get to a majority of states before Congress does something.” Also, Kloek said she expects more states will try to pass kids’ privacy or online safety measures, plus AI bills that affect privacy.
Additional states that failed to pass comprehensive bills last year and could try again include Maine, Massachusetts, Michigan, New York and Pennsylvania. The Computer & Communications Industry Association said in an Oct. 30 report that it’s watching the remaining New England states to possibly pass bills next year (see 2410300006).
Privacy experts said more states could follow Maryland’s lead, adopting data minimization requirements, which also appeared in last year's Michigan and Vermont bills.
“That is something we are very concerned about getting replicated in other states,” said Libin. Maryland’s law might also spur some of the first 20 states with privacy laws to revisit their statutes, she added. Data minimization rules are “particularly onerous” and “concerning for innovation,” said the privacy attorney for businesses. Libin questioned the "notion" that a company can't collect personal data unless it’s reasonably necessary to provide a service. She said it's not always possible to anticipate what data will be needed, or there could be "legitimate needs to market to consumers.”
“More and more legislators are starting to embrace” data minimization, said Schwartz. “It’s just part of a recognition that Big Tech is collecting too much data and that there are very concrete harms that can come from that.” CR and EPIC included data minimization in their model state bill (see 2409250029) from September.