2023 US Privacy Landscape: Trifectas and the Age of Age-Appropriate Design Code
From promising bipartisan privacy legislation to a new U.S.-EU transatlantic data privacy framework, 2022 was an important year for the U.S. privacy landscape. At the federal level, the American Data Privacy and Protection Act (“ADPPA”) provided a workable framework to build upon for baseline privacy legislation. And at the state level, legislators have been active with sectoral and comprehensive privacy legislation as five states now have comprehensive consumer privacy laws.
With more privacy bills expected to be introduced at the federal and state level next year, this post identifies a few states for potential comprehensive legislation and a trending issue area to watch for in 2023.
States to Watch For. In 2023, California (and the California Consumer Privacy Act of 2018), Colorado, Connecticut, Virginia, and Utah will have comprehensive consumer privacy laws in place. Absent any baseline federal privacy legislation, more states are expected to renew and continue their efforts in the coming years. It is nearly impossible to determine which states will be successful in these efforts. Still, stakeholders can look to the results of the 2022 midterm elections and past legislative efforts to get a better outlook on the landscape moving forward.
The political makeup of a state’s legislature is one of many indicators that could help to identify the states likely to enact comprehensive privacy laws in 2023. One particular indicator is the emergence of “trifectas” – a state where one political party holds the governorship and a majority in both the state senate and house. Although it is not a determinative factor (there are 23 Republican trifectas, 14 Democratic trifectas, and 13 divided governments), some states’ trifectas are more notable than others. In particular, Maryland, Massachusetts, Michigan, and Minnesota emerged with newly formed Democratic Party trifectas.
In Maryland, the Democratic Party holds a trifecta after the party won the race for governor and state attorney general. Maryland legislators previously introduced several bills, such as SB 11, that would create consumer privacy laws but they have yet to progress. Expect lawmakers in Maryland to renew these efforts in the next session.
In Michigan, the state house, senate, and governorship are all held by Democrats. Michigan lawmakers have introduced two bills, HB 5989 and SB 1182, to create comprehensive privacy laws. Although neither has progressed further, SB 1182 diverges from other comprehensive privacy laws by including a private right of action and a data broker registry, among other requirements. Minnesota, like Michigan, holds a Democratic trifecta and retained the state attorney general position. Michigan lawmakers have attempted to introduce comprehensive and sectoral privacy bills in the past. Minnesota Rep. Steve Elkins has advocated for comprehensive privacy legislation and introduced HF 1492 during the 2021 legislative session. Although Rep. Elkins’ term will end on January 3, 2023, it will be interesting to see who else takes up this effort.
The midterm elections in Massachusetts resulted in the Democratic Party holding the state house, senate, governorship, and attorney general position. Last year, the Massachusetts Joint Advanced Information Technology, the Internet and Cybersecurity Committee voted a privacy bill out of committee, but it did not advance further. Newly elected governor Maura Healey is likely to renew this effort. Healey recently co-led a bipartisan group of 33 attorneys general in comments submitted to the Federal Trade Commission on potential trade rules to address possible harms to consumers and competition stemming from commercial data privacy and security practices.
Lastly, while the state attorney general position is not a separate branch of government, the office plays an important role in the development, passing, and enforcement of state privacy laws. For example, Colorado Attorney General Philip Weiser and Connecticut Attorney General William Tong both played important roles in passing their states’ respective privacy laws.
Age-Appropriate Design Codes. Lawmakers are also looking beyond general consumer privacy legislation. Legislative proposals have targeted specific categories of data, like biometric and geolocation data, and specific technologies, such as the use of facial recognition technology or automated decision-making tools, for potential regulation. Although these efforts are tailored to address potential harms to individuals and vulnerable populations, the breadth of the bills’ language would extend beyond the listed purposes and potentially cause a wide range of harm to users and the digital ecosystem. Organizations already face mounting compliance costs due to the patchwork of state privacy legislation, and the importance of a federal privacy law is more evident with each new proposal.
But one specific issue area continues to be a focus of federal and state lawmakers – children’s online privacy.
At the federal level, lawmakers have introduced two bills that would drastically alter how children and adults access the Internet and other digital services. The Kids Online Safety Act (“KOSA”) and the Children and Teens’ Online Privacy Protection Act (“CTOPPA” or “COPPA 2.0”) each attempt to address the privacy, safety, and well-being of children online. Numerous groups have spoken against KOSA, explaining how the bill’s effect would make children less safe online and potentially create further harm for vulnerable groups. More than 90 human rights and LGBTQ organizations outlined these concerns in an opposition letter to KOSA. CTOPPA likewise seeks to change the privacy rules for children’s data by revising the requirements under the Children’s Online Privacy Protection Rule (COPPA). The modifications include revising COPPA’s actual knowledge standard to a constructive one and extending COPPA’s consent requirement to users younger than 16.
At the state level, California led the way with the passing of its Age-Appropriate Design Code Act (“AADC”). The act is roughly modeled after the United Kingdom’s code of practice and regulates online services likely to be accessed by California users under 18 years of age, in addition to other significant regulatory requirements. The AADC also established a data protection working group tasked with developing best practices for implementation.
Other states have followed suit with New Jersey’s AB 4919 and New York’s S 9563 both regulating and possibly severely restricting how children and other users interact with online services. These age-appropriate design codes are designed to help and protect children online but it is a difficult challenge to address without raising serious concerns. For example, these codes often contain age-estimation requirements that would put companies in a difficult position for compliance, as organizations would be forced to collect more information about their users to verify their age – conflicting with the data minimization principle.
This patchwork of state and federal privacy bills will continue to mount, fatiguing consumers with more provisions to follow and burdening businesses with broad requirements. Congress has a great opportunity in 2023 to alleviate these burdens and pass meaningful federal privacy legislation to protect individuals and promote innovation.