Privacy Bills Cross Legislative Chambers in 4 States

A day earlier, the Oklahoma Senate unanimously supported the state's own comprehensive privacy bill. Senators voted 46-0 to pass SB-546, which is similar to the Virginia Consumer Data Protection Act. At a hearing last month, Sen. Brent Howard (R) described his privacy bill as “a little bit more business friendly” compared with other state laws (see 2502130034). SB-546 will now go to the House.

In addition, the West Virginia House voted 94-0 Wednesday to send HB-2987 to the Senate. The broad data protection bill mimics Virginia's privacy law by design (see 2503180050).

Meanwhile, the New Hampshire House voted 261-79 Wednesday for legislation (HB-195) meant to supplement the state’s comprehensive privacy law with an opt-in requirement for disclosure of personal information. It will go to the Senate.

Additional comprehensive privacy bills are nearing floor votes in Georgia (see 2503260057) and Pennsylvania (see 2503180033), following recent committee approvals.

The comprehensive privacy bill that the Vermont Senate passed was originally a copy of Democratic Rep. Monique Priestley’s H-208, which included a private right of action and strict data minimization rules. However, a Vermont Senate committee replaced the bill's text with an industry-favored proposal (S-93), which consumer privacy advocates have called weak (see 2503140056).

Now that the Senate has passed S-71, it heads to the House, where the legislation is expected to be referred to the Commerce Committee, of which Priestley is a member. If that committee were to amend it, for example, to revive the original H-208 language, and the full House were to pass that, the measure would return to the Senate. At that point, the Senate could either re-amend the bill and send it back to the House or ask for a conference with the House to deliberate on a final version.

Priestley said last week that the House “would aim to make things stronger,” setting up a situation where the House and Senate can go to conference and negotiate (see 2503180046). The bill would also then need a signature from Gov. Phil Scott (R), who last year vetoed Priestley's 2024 privacy bill due to its private right of action and other reasons. The House last year voted to override the veto, but the Senate couldn't muster enough votes to complete the maneuver.

Meanwhile, in New Hampshire, the House passed HB-195 after adopting an amendment in a voice vote. Members passed the measure despite objections at a hearing earlier this month from industry, which urged the state to stick with the 2024 comprehensive privacy law that took effect Jan. 1 (see 2503050038). The attorney general would have exclusive enforcement authority in the bill, which would take effect Jan. 1.

“An individual shall have a reasonable expectation of privacy in personal information, including content and usage, given to or held by third party providers of information and services, and not available to the public,” said the amended bill. “Unless specifically authorized by law, third party providers of information and services shall not disclose to anyone personal information of an individual that is not available to the public unless” the “individual has given explicit consent for the disclosure of such information to one or more others.”

The amended bill includes exceptions allowing sharing in emergencies or for certain other reasons like preventing crime and fraud. Also, companies could disclose information “as necessary to provide the service that the individual has requested, including disclosure to subcontractors, service providers, partners, or other vendors who are employed for the provision, maintenance, security, or support of the requested service, provided that such third parties shall not use the information for other unrelated purposes.” Companies must require those subcontractors or partners “to maintain reasonable data security measures and to restrict the use of the data to the specific purposes for which they were shared,” it said.